How can I run an untrusted code in a sandbox in Windows? - windows

Is there a way to run untrusted code (C or C++) under a sandbox in Windows? Something that would prevent the program from opening files, or network connections, or forking, exec, etc.?
It would be a small program that gets uploaded to a server, where it'll be compiled and executed; the program would be short-lived.

When this question was asked, Windows did not have as many isolation options available to it. However, there has been some improvement.
The now go-to answer for this is to either use Docker or Hyper-V containers/VMs.
But in the pre-Windows 10 era, the answer was to manipulate the process isolation that came around Windows Vista/7 and use a separate user/application account.
Process abilities:
You could manipulate the program's integrity level and run with a restricted/unique user so reach is limited (group policy can further limit the user).
Network access:
Limit using a firewall that blocks outbound connections.
File access:
The NTFS file system is one of the most configurable file systems around; if you are running the process as a distinct user, you can craft an ACL policy that significantly limits the process's file access.
Source:
Finally, if you have access to the source code, you can likely remove or modify problem parts.
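As an added example (not from the answer above), this PowerShell script applies the pre-Windows 10 levers the answer lists to a short-lived untrusted binary: a dedicated unprivileged local account, an outbound firewall rule for that program, a stripped-down NTFS ACL on the binary and its working directory, and a kill after a time budget. It assumes an elevated PowerShell 5.1 prompt with the LocalAccounts and NetSecurity modules; the paths C:\sandbox\untrusted.exe and C:\sandbox\work and the account name untrustedrun are placeholders.

```powershell
# Added example, not from the answer: confine a short-lived untrusted
# binary using a separate user, a firewall rule and NTFS ACLs.
# Placeholder paths/names; run from an elevated PowerShell 5.1 prompt.
$ErrorActionPreference = 'Stop'
$exe  = 'C:\sandbox\untrusted.exe'
$work = 'C:\sandbox\work'
$user = 'untrustedrun'

# 1. A dedicated, unprivileged local account (no group memberships added,
#    so it is not a member of Administrators).
$pw = Read-Host -AsSecureString "Password for $user"
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $user -Password $pw -PasswordNeverExpires | Out-Null
}

# 2. Network: block every outbound connection made by this program.
New-NetFirewallRule -DisplayName 'Block untrusted.exe outbound' `
    -Direction Outbound -Program $exe -Action Block | Out-Null

# 3. Files: drop inherited ACEs so the account sees only what is granted here.
#    The binary: read/execute only. The working dir: modify for this account.
New-Item -ItemType Directory -Force -Path $work | Out-Null
icacls $exe  /inheritance:r /grant:r "${user}:(RX)" 'Administrators:(F)' 'SYSTEM:(F)'
icacls $work /inheritance:r /grant:r "${user}:(OI)(CI)M" 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F'

# 4. Run as that account and kill it if it outlives its budget (10 s).
#    Lowering the integrity level (the answer's other lever) needs a token
#    change that Start-Process does not expose, so it is not done here.
$cred = New-Object System.Management.Automation.PSCredential($user, $pw)
$proc = Start-Process -FilePath $exe -WorkingDirectory $work `
    -Credential $cred -PassThru -NoNewWindow
if (-not $proc.WaitForExit(10000)) {
    $proc.Kill()
    Write-Warning "Killed $exe after 10 s"
}
```

The account still inherits whatever Everyone/Users can read elsewhere on the volume, so the ACL work here only bounds the directories it touches; the firewall rule is keyed to the program path, so the binary must be run from that exact path.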

Windows 10 and Windows 11 now include a built-in isolation environment called Windows Sandbox.
Description (from here):
Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.
...
Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
Windows Sandbox has the following properties:
Part of Windows: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.
...
Secure: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
Assuming your version of Windows supports it, Windows Sandbox can be installed just by going to "Turn Windows features on and off" from the Start menu.
The following Windows versions are required: Windows 10 Pro, Enterprise or Education build 18305 or Windows 11.
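As an added example (not part of the answer), the script below writes a Windows Sandbox configuration file (.wsb) and opens it, so the untrusted binary runs in the throwaway VM with networking and host device redirection switched off and its input folder mapped read-only. It assumes the Windows Sandbox feature is already enabled as described above; C:\sandbox\input (containing untrusted.exe) is a placeholder host path, and WDAGUtilityAccount is the sandbox's built-in user.

```powershell
# Added example, not from the answer: generate and launch a Windows
# Sandbox configuration (.wsb) that runs an untrusted binary with no
# network, no host device redirection and a read-only input folder.
# C:\sandbox\input (containing untrusted.exe) is a placeholder host path.
$hostInput = 'C:\sandbox\input'
$sbInput   = 'C:\Users\WDAGUtilityAccount\Desktop\input'   # path seen inside the sandbox

$wsb = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MemoryInMB>2048</MemoryInMB>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostInput</HostFolder>
      <SandboxFolder>$sbInput</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>cmd.exe /c "$sbInput\untrusted.exe"</Command>
  </LogonCommand>
</Configuration>
"@

$wsbPath = Join-Path $env:TEMP 'untrusted.wsb'
Set-Content -Path $wsbPath -Value $wsb -Encoding UTF8
Invoke-Item $wsbPath   # opens in Windows Sandbox; the VM is discarded on close
```

Because the mapped folder is read-only and the sandbox is discarded when its window closes, nothing the binary writes reaches the host; copy any output you need out of the sandbox window before closing it.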

Related

Can enabling Windows Features be blocked for local admins?

I am working on an installer for a Windows application. Due to its dependencies, to make it work, multiple applications need to be installed and also some changes to the Windows features (turning on some Windows features) are required.
My installer is supposed to be used by companies. In companies, it can be the case that someone has the rights to install software (in the Program Files folder) but is still restricted (for example, updates are regulated by the IT department). A typical explanation for this is that someone is a local admin but not necessarily a global admin.
Can it be the case that someone is allowed to install software in the Program Files folder but is restricted from enabling Windows features? I need to know this because it would simply mean that my installer should not automatically enable such Windows features. It may work on my VM, but it can fail on the customer employee's desktop, which would cause the installation to fail due to missing rights for one specific action: enabling some Windows features.
According to this answer there are no group policies to control Windows features. Therefore we could assume that you're safe for now.

Strange Inno Setup behavior with networked / shared resources

I have a puzzling situation with the Inno Setup FileExists function.
Here's the situation. I have three networked computers with like WORKGROUP names.
1) Windows 7 32-bit
2) Windows 7 64-bit
3) Window XP Service Pack 3
1) and 3) have been set up as servers with read-write shares, e.g. ShareExe and ShareData.
The problematic Inno Setup creates shortcuts to the executable in the ShareExe folder. It asks the user for the ComputerName of the server and then uses FileExists to verify correct input.
Running this setup on the XP (3) machine and specifying 1)'s computer name works just fine; however, running the setup on the Win7 64-bit PC and specifying the same ComputerName as with XP causes the FileExists test to fail.
Strangely, I can go to Network Places and open the ShareExe folder and successfully run the executable. My question is, "why does Inno FileExists fail only on the Win 7 64-bit machine?" I cannot find anything in the reference materials that suggests any version differences with FileExists. (I also tried FileSearch with the same results.)
TIA
In Windows 7 (and Vista) with UAC enabled, by default network credentials and drive mappings are not shared between admin and non-admin contexts, even for the same user.
By default, Inno elevates to admin permissions (via PrivilegesRequired=admin), since most installations must (and should) be performed per-machine by an admin user. However this means that any credentials prompted for or saved by Explorer when browsing for the desktop are not available to it.
When files are accessed directly by APIs (as with FileExists), Windows will typically try to silently connect to the server using the same username/password as was used to log into the PC; if this fails then it just reports an error since it has no way to prompt for alternate credentials at that point. So if you can ensure that the login details on both PCs are the same, then it should work. (You usually get this for free on computers connected to a domain, but not a workgroup.)
If that isn't possible, then something else you could try would be to force the access via a shell dialog -- if the FileExists fails, then use GetOpenFileName to prompt the user to find a specific file in that folder, using the same initial path. I haven't tested this, but I think this should result in Windows displaying a credential prompt and then you should be ok after that.
(If this is for an internal app, then another option is to disable the separation of credentials [via a security policy setting] or UAC entirely, though the latter isn't really a good idea. Of course this isn't tolerable for a general-release app, and it's cleaner if you solve it one of the other ways anyway.)

Detecting a Citrix XenDesktop Session

I'm looking to determine if our application is running on a XenDesktop session rather than locally. Here is what I have found so far:
We currently have code to detect a Citrix XenApp session similar to the solution mentioned by Helge Klein in "API for Determining if App is Running on Citrix or Terminal Services".
Sadly that solution in a XenDesktop environment is returning back a WTSClientProtocolType of 0 which signifies a local console session.
In response to the same question Josh Weatherly mentioned checking the sessionname environment variable.
However a quick console check with echo %sessionname% on the XenDesktop environment returns back 'Console'.
From "Detect citrix "application mode"?" John Sibly suggested a solution for detecting a remote session (not Citrix in particular):
GetSystemMetrics(SM_REMOTESESSION) however returns 0 which also means that it is a local session.
Does anyone know of a way to detect that it is a XenDesktop session? So far as you can see all my attempts are returning that the session is a local console session.
I'm using XenDesktop Express 5.5, accessing the desktop using the Citrix Receiver Web Plug-In.
If you are using XenDesktop for VDI, then as far as the application is concerned, the application is executing locally. VDI, or virtual desktop infrastructure, consists of delivering the GUI from a full featured desktop operating system to a remote device. Typically, the desktop O/S executes in a virtual machine on a hypervisor in a data center, and the GUI is transmitted to the remote device using Citrix' ICA stack. For example, this happens in the pooled desktops scenario.
XenApp offers virtual desktops, which is a slightly different concept. Again, the desktop is delivered to a remote device using the ICA stack. However, the desktop is no longer running on a dedicated O/S. Rather, it is one of a number of user sessions on a single Windows Server. There may be any number of users logged on to that server. This places limits on the applications that can be run, which is why applications might want to know that they are on a multi-user O/S.
What you might try to do is determine whether the GUI is being delivered remotely using the ICA stack. A simple check would involve looking for the "ProticaService", which is responsible for implementing the ICA stack.
Alternatively, you may be trying to determine if your machine is running in a VM or natively on a machine. Besides the pooled scenario described in the first paragraph, XenDesktop can deliver a desktop running natively. This overcomes limits on virtualising I/O devices such as graphics cards used by CAD applications. In this case, you need to rule out the presence of a VMM, or hypervisor.
I have updated my answer linked to in the question with a description of how to determine the remoting protocol type in XenDesktop sessions.
You need the (not really well documented) function WFGetActiveProtocol from Citrix' WFAPI SDK. Proceed as follows:
1) Download the SDK (link)
2) Install WFApiSDK64-65.msi
3) In your C++ project include wfapi.h and link to wfapi[64].lib
4) Use the undocumented function WFGetActiveProtocol
More detail and sample code here.

executing command on a Windows Machine from a UNIX/LINUX Machine

Is it possible to execute a command (e.g. launching a .bat file located on the remote machine) on a remote Windows machine from a UNIX or Linux machine?
Is there something like an scp/ssh mechanism, or at least a way to connect to a Windows machine over the network?
Thanks for your help.
By default, recent Windows versions only support the Remote Desktop protocol. As far as I know, client versions only allow a single user, while server versions with installed Terminal Services allow for multiple simultaneous users.
Windows Server versions also support the Telnet protocol, but the server is disabled by default - it may not even be installed. Therefore you will have to enable it manually. Do you really want to use Telnet of all things, though? Just the security concerns are enough to make it mostly useless.
There is also a version of OpenSSH for Windows, that uses the Cygwin DLL. I have not tried it, but using an SSH implementation from the Unix world does have its appeal (and probably a few disadvantages). See also this.
EDIT:
Recent Windows versions also support the Windows Remote Management system, which allows you to launch an interactive session through a bit of trickery.
You may want to try Vandyke VShell.

How can I permanently bypass Windows XP startup?

I have an application for Windows XP. This application is deployed with the hardware. The application is the only application that ever runs on these machines. These machines are never connected to the internet. I'm interested in instant-on (or quick-on) options that bypass the Windows XP startup for these machines.
This is similar to Windows XP "hibernation", but not exactly. With hibernation, the memory state is only read from disk once - the very next time the system is turned on. I want a memory state permanently stored to disk, so the system always starts from that same spot every time, regardless of how it was shut down. How can I achieve this?
Sounds like you're looking for the Hibernate Once, Resume Many feature of Windows Embedded.
If you like "hibernation", you may use VMWare.
1) Install ArchLinux and VMWare on the host machines.
2) Prepare your Windows XP as the guest OS.
3) Customize the startup process of the host so that it runs VMWare and restores Windows to the snapshot.
Hmmm, the short answer is "not easily!", but one way could be to try playing around with replacing the Windows shell with your own application / script that launches your own custom interface / state instead of Explorer as the default. Basically it's done using this reg key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
Info on this actually seems to be reasonably scarce after doing a quick Google search, but this link below provides a little more detail:
http://www.trap17.com/index.php/how-change-windows-xp-shell_t20367.html
I think if you do a Google Groups search on "Windows XP shell replacement" you might get some more informative results.
You could try installing TweakUI on them and having them autologin. Once you do that, just add your application to the Start Up menu (or in the registry, under:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
Jeff Atwood has a post on this very thing.