Application Guard runs Microsoft Edge in virtual machine on Windows 10
Microsoft plans to integrate a new security feature called Application Guard in the next feature release of Windows 10 which will be out in 2017.
The main idea behind the first iteration of the feature is to run the web browser Microsoft Edge in a lightweight virtual machine for improved security and protection against attacks.
Attackers who plan on attacking Microsoft Edge on Windows 10 would not only have to find a viable exploit for the browser to work with, but also a way to get through the browser's sandboxing and the new layer by Application Guard.
There are two downsides that need to be mentioned. First, Microsoft plans to make it available in the Enterprise version of Windows 10 only. Second, only Microsoft Edge will benefit from the feature at first.
Application Guard for Windows 10
Microsoft won't make available an API or provide access to other products, at least not at first.
Ars Technica reports that Microsoft is aware that the feature would be welcome by Home users, small businesses and software companies alike as it would improve overall security.
Other web browsers, Firefox or Chrome, and high profile applications such as Microsoft Office would benefit from the added security just like Edge does.
Bringing Application Guard, or a subset of the feature to Home and Pro versions of Windows 10 may not be as easy as it sounds. Virtual environments persist across sessions only which means that mundane things such as cookies won't be available the next time a browser is booted.
This may be acceptable in Enterprise environments, but might confuse Home users who would expect their login to work across sessions according to Microsoft.
Windows 10's Virtualization Based Security (VBS) has technical demands on top of that. Since it requires Hyper-V hypervisor, it requires a cpu that supports hardware virtualization and I/O virtualization.
Additionally, if the solution is enabled on a machine running Windows 10, other virtualization environments may not be used at the same time.
Last but not least, virtualization comes with performance costs. Microsoft did not reveal details about those though. Considering that we are talking about lightweight virtualization, it seems likely that the cost won't be as high as if other virtualization environments are installed on a machine.
The company plans to add a set of policies to Windows 10 Enterprise that allows system administrators to mark sites as trusted or untrusted, and to allow certain operations for untrusted sites such as copying to the clipboard or printing.
Closing Words
The idea to use a lightweight virtualization environment to run high profile applications makes sense. You may do something similarly already using solutions such as Oracle's VM Virtualbox or VMWare Workstation.
It remains to be seen how well the feature works once it gets released. It will be launched for Windows 10 Insider Builds first later in 2016.
Now You: Do you use virtual environments?
Easier for IT admins to secure PC. Nice addon.
Overengineered feature that few will use. It has a performance impact, it disables use of software which uses VT-x, it is in enterprise only edition.
Very insightful comments from another website:
“Rosyna Ars Praefectus
Sep 26, 2016 7:22 PM
Sigh, yet another key security feature limited to the Enterprise SKU.
I also find it a bit bothersome that Microsoft is using virtualization has a hack to implement sandboxing rather than actually add arbitrary resource sandboxing directly in the OS, including sandboxing for processes running as SYSTEM.
As Peter mentions, virtualization has many downsides and adding true, arbitrary sandboxing to Windows would evaporate many of those limitations.
(Other articles indicated the performance and battery hit of this new feature is huge, as features like hardware accelerated drawing and video decoding are disabled in tabs that use virtualization)”
Rosyna has never made an insightful comment in ArsTechnica commenting history. Once again, he shows a complete lack of understanding of something that MS is doing.
Sounds like a sandbox approach, I agree. In which case what’s wrong with Sandboxie? I’ll answer my own question – the fact that I’ve never been able to make Sandboxie work in x64 Win10. So I suppose any new approach might help (though possibly not as much as Sandboxie being made to work again.)
I’ve been using Sandboxie on three Windows 10 Pro 64-bit machines since Windows 10 came out last year. Updates to Windows 10 can break Sandboxie. In that case there is usually a new beta out within a few days that works again, in most cases. The 5.13 betas were finalized recently after making it compatible again with Windows 10 64-bit. The current version 5.14 works just fine with Firefox, IE, Chrome, and Opera. I haven’t tested it with other browsers. Of course. Edge is incompatible with Sandboxie.
“Additionally, if the solution is enabled on a machine running Windows 10, other virtualization environments may not be used at the same time” – this is the most important stuff … i use an Android Emulator and also use Hyper V to test stuff…and i find it so annoying, if i boot with hypervisor active – Andy (android emulator) works in “software mode” and this means 95-100% CPU usage all the time … even if the VM is in taskbar or active playing something ( my compture: I7 4790k-32Gb RAM-SSD) , if i boot with hypervisor off the VM is taking 5-10% cpu usage :(
if i test stuff in a VMware machine ( Andy is using VMware) the programs i want, i get a less satisfying experience compared with the free Hyper V :(
bad thing is Andy developers dont want to support Hyper V and creating a machine there based on android is so far impossible …tried a lot and failed as much ( if it works …wont connect to internet, and so on ) , if somebody has some step by step idea i am here :)
Only in enterprise, however sandboxie could be used as a viable alternative to this feature.
Sandboxie is not even close to this. It does not spin up a full VM instance.
Menlo Security offers full isolation across most browsers without a dip in performance.
I’m a little unsure what Application Guard does, but it sounds an awful lot like a sandbox and not a virtual machine. If that’s the case, the Sandboxie comparison is very good (or Firejail for you Linux users). If, on the other hand, Microsoft proposes to build a true virtual machine around every instance of Edge, this is something else entirely.
Either way, it’s a welcome move. Browsers (and ideally ALL software) should not be able to get direct access to the kernel.
Edge is already sandboxed. IE has been Sandboxed for years now and Edge (as well as EVERY UWP app) is sandboxed by default by using Windows’ integrity levels.
This is a true VM abstraction by using the Hyper-V hypervisor.
@Jason, i could be wrong but i didn’t think any software did have direct access to the kernel, didn’t Windows change many moons ago to run all drivers and software in user space?
It seems this, along with all other sandbox type approaches are little more than sticking plasters for inherent flaws in either the way the user interacts with the OS (user privileges), or the OS itself.
You are right, Sandboxie is a great alternative. See this review for details: https://www.ghacks.net/2013/12/11/sandboxie-review/