In August 2018, Microsoft briefly rolled out a Windows 10 Insider Feedback quest -- requests to gather feedback about changes and updates -- relating to an unreleased Windows 10 feature called InPrivate Desktop.
The quest is no longer available, and Microsoft hasn't explicitly confirmed the details. However, what we know from when the quest was available is that this feature would provide a disposable sandbox virtual environment within Windows 10 Enterprise.
With this feature, administrators could run applications inside an ephemeral sandbox, thereby testing for potentially nefarious application behavior in software that might be untrusted or semi-trusted.
Because the sandbox is torn down when the operation is complete, this testing strips away the software's ability to leave a lasting footprint on the device. Even if the application turns out to be malware or something else that causes damage, the damage it causes won't be permanent because the sandbox will disappear when the operation is complete.
System administrators savvy in virtualized environments will probably recognize this technique immediately. Often, virtual environments such as an IaaS or a virtual data center (VDC) use teardown virtual images in a similar way for the same purpose: testing untrusted software and testing patches or application updates to aid developers during unit testing.
An administrator might use the hypervisor to take a snapshot or clone of a running host, test a new application on that snapshot or clone, and then either roll back the snapshot or discard the clone once the test is complete. But while the techniques admins employ are similar to what's described in the InPrivate Desktop feature, there are a few reasons why having the feature built directly into the OS can offer advantages.
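The snapshot-test-rollback cycle described above, written out as an added example that is not part of the original article or any Microsoft tooling: it uses the Hyper-V PowerShell module (Checkpoint-VM, Restore-VMSnapshot, Remove-VMSnapshot) and PowerShell Direct (Invoke-Command -VMName) to run an untrusted executable inside a guest, record what changed while the guest still exists, and then discard the guest's state. The VM name, credential and the guest-side path of the executable are assumptions supplied by the caller; a VM called "Test-Win10" is a constructed example.

```powershell
# Added example (not from the article): a disposable test cycle on a Hyper-V guest.
# Assumes the Hyper-V module is installed, the caller has rights to manage the VM,
# and a local administrator credential for the guest is available for PowerShell Direct.
function Invoke-DisposableTest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $VMName,          # e.g. 'Test-Win10' (constructed name)
        [Parameter(Mandatory)] [pscredential] $Credential,      # guest-side admin credential
        [Parameter(Mandatory)] [string]       $GuestExecutable, # path inside the guest, e.g. 'C:\Staging\untrusted.exe'
        [int] $TimeoutSeconds = 300
    )

    # Everything the untrusted program does lands on top of this checkpoint.
    $checkpointName = "pretest-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    Write-Verbose "Creating checkpoint '$checkpointName' on '$VMName'"
    Checkpoint-VM -Name $VMName -SnapshotName $checkpointName

    # Footprint the guest: running processes, running services, and HKLM Run entries.
    $footprint = {
        [pscustomobject]@{
            Processes = @(Get-Process | Select-Object -ExpandProperty ProcessName | Sort-Object -Unique)
            Services  = @(Get-Service | Where-Object Status -eq 'Running' | Select-Object -ExpandProperty Name)
            RunKeys   = @((Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run').PSObject.Properties.Name |
                          Where-Object { $_ -notlike 'PS*' })
        }
    }

    try {
        $before = Invoke-Command -VMName $VMName -Credential $Credential -ScriptBlock $footprint

        # Run the untrusted executable with a bounded wait so a hung sample cannot stall the cycle.
        Invoke-Command -VMName $VMName -Credential $Credential `
            -ArgumentList $GuestExecutable, $TimeoutSeconds -ScriptBlock {
                param($exe, $timeout)
                $p = Start-Process -FilePath $exe -PassThru
                if (-not $p.WaitForExit($timeout * 1000)) {
                    Stop-Process -Id $p.Id -Force
                }
            }

        $after = Invoke-Command -VMName $VMName -Credential $Credential -ScriptBlock $footprint

        # Report what appeared while the guest still exists; the rollback below erases it.
        $newOnly = { param($a, $b)
            @(Compare-Object -ReferenceObject @($a) -DifferenceObject @($b) |
              Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)
        }
        [pscustomobject]@{
            Checkpoint   = $checkpointName
            NewProcesses = & $newOnly $before.Processes $after.Processes
            NewServices  = & $newOnly $before.Services  $after.Services
            NewRunKeys   = & $newOnly $before.RunKeys   $after.RunKeys
        }
    }
    finally {
        # Always roll the guest back to the checkpoint, then drop the checkpoint itself,
        # so nothing the sample did survives, even if the test above threw.
        Restore-VMSnapshot -VMName $VMName -Name $checkpointName -Confirm:$false
        Remove-VMSnapshot  -VMName $VMName -Name $checkpointName
    }
}

# Usage (constructed values):
# $cred = Get-Credential   # guest-side local administrator
# Invoke-DisposableTest -VMName 'Test-Win10' -Credential $cred -GuestExecutable 'C:\Staging\untrusted.exe' -Verbose
```

The rollback sits in a `finally` block on purpose: the point of the technique is that the guest is restored no matter how the test ends, and the diff of processes, services and Run keys is the only thing the analyst keeps. The same shape is what an OS-native disposable sandbox would do for you without the hypervisor dependency.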
Understanding those advantages can provide insight into how to potentially incorporate this as part of an enterprise's security efforts and perhaps influence a security strategy in the long term.
How InPrivate Desktop is different from virtualization
The first thing someone might ask is how this approach differs from virtualization. It's similar, but not exactly the same.
Unlike a hypervisor, users won't be able to run multiple different operating systems or parallel versions of the same OS to do different tasks in parallel. A hypervisor is designed around the idea of parallel operation and the segmentation of guest OS environments. From what we know, InPrivate Desktop appears to be conceptually more like a reset button: admins can create an ephemeral environment for testing, but at the end of the day, there's still only one instance of the OS running.
It may be possible to accomplish the same task with a hypervisor, but not every managed desktop in an environment runs on one. A subset of the machines in your VDC obviously do, as do workloads that run in the cloud.
Managed desktops, however, are probably almost exclusively bare metal. The same applies to legacy application servers, specialized equipment or anything else that cannot be virtualized. A sandbox feature set that natively runs as part of the operating system means that any device that runs Windows 10 Enterprise can use the sandbox without having to already live inside a hypervisor environment.
Some of this is speculative, as the details of the feature are currently unconfirmed. However, if InPrivate Desktop does turn out to operate this way, it would make testing software that much more extensible.
While snapshots/clones may currently be used to test software on a configuration that is similar to where it will ultimately run -- such as a test image with the same software installed -- InPrivate Desktop instead enables the security team to test in an environment that is a near-perfect copy of the likely target. For instance, the disposable sandbox could have an identical software, hardware and OS configuration. The time savings and the additional extensibility this offers can enable the use of this approach in situations where it either wasn't possible or wasn't practical before.
When to prepare
With this in mind, the next logical questions are when and how it makes sense for security practitioners to start preparing for this feature. Because the feature itself is yet to even be confirmed by Microsoft -- let alone released -- it's too early to directly factor it into security planning. But knowing that it is coming does have some advantages and may influence decisions regardless.
For example, it appears that InPrivate Desktop will be limited to Windows 10 Enterprise. If an organization is not using Enterprise -- or still has devices on Windows 7 extended support -- this feature may help support a business case or justification to move to Enterprise.
The choice between Windows Enterprise and Windows Pro isn't a decision the security team can make in isolation, but it can certainly be an additional proof point if the company is considering that transition anyway. Organizations should also weigh the time their staff currently spends on pretesting untrusted software against the potential value that InPrivate Desktop could bring to the process.
Another thing to consider is how InPrivate Desktop will impact the work of incident response analysts. Time will tell the degree to which the feature allows detailed information and reporting about actions taken by software running in the sandbox, but if reporting is detailed enough, the feature on its own could be a very valuable tool to someone engaged in malware analysis.
For example, if an organization is thinking about investing in tools to help advance malware analysis efforts -- such as building out custom malware analysis environments -- finding out how much information from InPrivate Desktop might be available to you could be a good idea before you pull the trigger on a purchase or invest too much time.
At the end of the day, keeping an eye on any feature or update that impacts enterprises is a prudent measure, even if it ultimately isn't right for the organization. Simply knowing that InPrivate Desktop is coming can be valuable in its own right.