Site icon d3v.one

Safe Browsing with the Windows Sandbox

A safe browsing environment with firefox portable in the Windows sandbox

The Windows May 2019 update brought the new Sandbox feature which can be used to safely run applications in isolation. Whenever the Sandbox window is opened, it offers a new clean virtualized Windows installation starting from scratch. It uses hardware-based virtualization to run a separate kernel, isolating the Sandbox from the host. You can use it to test software without affecting the host installation in any way. When the Sandbox window is closed, all of its content is discarded.

The main prerequisites for this feature are a computer with AMD64 architecture, virtualization capabilities enabled in BIOS and a Professional or Enterprise version of Windows 10 with the May 2019 update. To fix some of the early software problems of this feature, the optional cumulative update KB4512941 may be necessary.

And now?

One of the first ideas may be to use the Sandbox feature as a safe browsing environment without the risk of affecting the base Windows installation with malware of any kind. The virtualized Windows offers Edge and Internet Explorer 11 as Web browsers, which should be sufficient for an occasional quick test. But as mentioned above, after closing the Sandbox window every change or configuration is lost. So if you want a more sophisticated and — especially — persistent setup, another solution has to be found.

The idea of this blog post is to create a host installation of a Web browser with a persistent configuration, which is mirrored into the virtualized and isolated environment of the Sandbox whenever needed. To achieve this, we can use three concepts: an installation-free Web browser, mapping folders and executing logon scripts.

Web browser without installation

This is, of course, the easiest part because a software solution already exists and we just have to install it: the Mozilla Firefox Portable Edition from the PortableApps website. This version of Firefox can be run independently of any installation by just copying its directory to any compatible host system, maybe using a USB drive or just moving it into your Dropbox or NextCloud. Why you have to use an installer to use portable and installation-free software is beyond me, but that seems to be the only official way to get it on your host system.

Of course, you already have installed the newest portable Firefox on your system, have you? If so, just skip this step.

Configuring a Sandbox session

Microsoft offers a way to configure Sandbox sessions and to create as many different configurations as you want; every session can be controlled by an XML configuration file. After creating and saving such a file with the extension wsb, you can double-click on it to start a new Sandbox session using that configuration.

A thorough description of all the possibilities of this configuration file is beyond the scope of this post, but you can read all about it in this official Microsoft documentation. As stated in the documentation, the functionality is still in development and will be amended in the future as the Sandbox feature evolves. For our use case, we will just use the config file to map a folder and start a script.

Mapping folders

In this example, I will assume that Firefox Portable is installed in the directory

C:\Users\Public\Downloads\FirefoxPortable

We can map this directory into the virtualization environment with the following configuration:

<Configuration>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\Public\Downloads\FirefoxPortable</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
</Configuration>

It’s important to set ReadOnly to true, so that the Sandbox cannot change any files on the host system.

The configured directory FirefoxPortable is mirrored into the Sandbox and can be accessed as a directory of the same name on the Desktop of the Sandbox. So at this point, if you save the above configuration to a file called, say, FirefoxPortable.wsb and double-click it, you can access and start Firefox in the Sandbox by opening this directory. Firefox will then complain that it cannot be run from a read-only location and offer to copy all files to a local destination.

But we can save some work using a logon script.

Using a script

The Sandbox standard user is named WDAGUtilityAccount. The path to zhe mapped Firefox directory inside the Sandbox is therefore

C:\Users\WDAGUtilityAccount\Desktop\FirefoxPortable

In the Sandbox configuration we can configure a so-called LogonCommand, which is executed when the Sandbox starts. In our use case we can create a batch file and start it by amending the configuration file in the following way:

<Configuration>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\Public\Downloads\FirefoxPortable</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
<LogonCommand>
<Command>%C:\Users\WDAGUtilityAccount\Desktop\FirefoxPortable\FirefoxSandbox.cmd</Command>
</LogonCommand>
</Configuration>

A possible content of the batch file to create a local copy of Firefox and start the application is

@echo off
xcopy /s /i /q /y "%~dp0*.*" "%TEMP%\FirefoxPortable"
start /max %TEMP%\FirefoxPortable\FirefoxPortable.exe
exit

Save this using the filename FirefoxSandbox.cmd in the installation directory of Firefox Portable.

What we have achieved now is: by double-clicking on the configuration file FirefoxSandbox.wsb the directory of Firefox Portable is mapped into the virtualization environment, a local copy of that directory is created and the Firefox Web browser is started.

If you want to change the Firefox configuration, add bookmarks or install add-ons, you can do so by running Firefox in your host environment. All changes are then mirrored into the Sandbox.

Where to go from here

The method described here should work with every portable installation of a Web browser. I’ve successfully tested Google Chrome Portable and SeaMonkey Portable. All relevant files can be downloaded from this download directory.

Microsoft: Windows Sandbox

Windows Update KB4512941

Windows Sandbox – Config Files

Mozilla Firefox Portable Edition

Google Chrome Portable Edition

SeaMonkey Portable Edition

Exit mobile version