In this Ask the Admin, I’ll explain why you should use application control to restrict which Windows Store apps users can run.
Most security experts agree that curated application stores are beneficial in helping protect operating systems from malware. Windows Store brought with it a promise of more secure personal computing. And it can lead to a more secure environment. But there are several ways developers can use the store to compromise a PC.
As reported by Ed Bott on ZDNet last year, an app he downloaded from the Windows Store called Torrenty contained a hyperlink that appeared to provide an update to the app. When a user clicks on the update link, it opens the default browser and downloads a file called setup.exe. To an unsuspecting user, it might seem like a genuine update for the Windows Store app. But the file installs a win32 BitTorrent client. As Bott points out, it could have been much worse. Setup.exe might have installed a keylogger or ransomware. Torrenty is no longer available in the Windows Store.
Torrenty was a Universal Windows Platform (UWP) app and would have needed to pass Microsoft’s approval process before it was published in the store. The inclusion of a hyperlink that duped users into downloading a separate app should have been flagged as an issue, but Microsoft’s approval process for apps at the time was clearly flawed. The ability to launch hyperlinks from UWP apps provides an easy way for developers to break out of the app container sandbox and trick users into installing additional software or launch other kinds of attacks.
Hosted and Progressive Web Apps
The story doesn’t end there. Legacy win32 apps ported to the store using Microsoft’s Desktop Bridge and UWP apps are the two most common kinds of app in the store. Hosted Web Apps (HWAs), which are run from a developer’s server, were introduced in Windows 10 as an alternative to packaged web apps. Because developers can make changes to the code of HWAs on their own server, there is no need for a store submission for each app update. These apps can also make use of Universal Windows Platform features, such as the ability to run offline, push notifications, and live tiles.
HWAs give developers a convenient way to get their apps into the store and keep them updated. But because HWAs don’t need to be approved each time a developer makes changes, there is always a possibility that an update could introduce undesirable functionality or that the server hosting the app could be compromised.
Microsoft is also planning to introduce support for Progressive Web Apps (PWAs) in the Windows Store in a future version of Windows 10. PWAs are similar to HWAs but support a set of HTML5 standards that blur the lines between web apps and locally installed software. Unlike how Google Chrome allows users to run PWAs, Microsoft will require users to install PWAs from the Windows Store.
The issue of whether developers will submit their PWAs to the Windows Store is a sticking point, so Microsoft plans to automatically trawl the Internet for suitable PWAs and package them automatically for store submission. PWAs could pose similar security threats to HWAs.
For more information on Progressive Web Apps in Windows 10, see Microsoft Adding Support for Progressive Web Apps in Windows 10 on Petri.
Block Untrusted Windows Store Apps
Application stores are a good idea and you can even create your own private store using Windows Store for Business. If you want to be sure that Windows stays secure in your organization, it is best to use application whitelisting to restrict which Windows Store apps users can run or block access to the public store completely.
See Windows Store for Business on Petri for more information on how to configure your own organizational store.
Microsoft removed the ability to block access to the Windows Store using a Group Policy setting in Windows 10 Professional version 1511. The store app can still be blocked in Windows 10 Enterprise and Education SKUs using AppLocker or by enabling the Turn off the Store application Group Policy setting under Computer Configuration > Administrative Templates > Windows Components > Store.
If you do not want to block access to Windows Store but would like to control which apps users can run, create an AppLocker whitelist of approved applications. Don’t forget that Windows 10 includes some default Windows Store apps, like Settings and Microsoft Edge, so you will need to check which apps are installed on your systems by default and include them in your whitelist.
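One way to build the packaged-app whitelist described above, shown as an added example that is not part of the original article. It assumes an elevated PowerShell session on a clean Windows 10 Enterprise or Education reference PC; the output path and the rule name prefix are placeholders chosen for this example.

```powershell
# Added example: baseline AppLocker rules for the packaged apps that ship by default.
# Assumption: run elevated on a clean reference PC. $policyPath is a placeholder.
$policyPath = Join-Path $env:TEMP 'StoreApps-Baseline.xml'

# 1. Inventory the packaged apps already present (Settings, Microsoft Edge, ...).
$packages = Get-AppxPackage -AllUsers
$packages | Sort-Object SignatureKind, Name |
    Format-Table Name, Publisher, SignatureKind -AutoSize

# 2. Generate publisher rules from that inventory.
#    Packaged app (Appx) rules can only be publisher rules.
$fileInfo = Get-AppLockerFileInformation -Packages $packages
$xmlText  = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
                -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Switch the Appx rule collection to audit mode so nothing is blocked
#    while the rules are being validated, then save the policy file.
$policy = [xml]$xmlText
$appx   = $policy.AppLockerPolicy.RuleCollection |
              Where-Object { $_.Type -eq 'Appx' }
$appx.SetAttribute('EnforcementMode', 'AuditOnly')
$policy.Save($policyPath)

# 4. Dry run: report the decision the rules give for each installed package.
Test-AppLockerPolicy -XmlPolicy $policyPath -Packages $packages -User Everyone |
    Group-Object PolicyDecision | Select-Object Name, Count

# 5. Merge the rules into the local AppLocker policy. Rules are only evaluated
#    while the Application Identity service (AppIDSvc) is running, so check it.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# 6. After a pilot period, list packaged apps that enforcement would have
#    blocked (event ID 8021 in the packaged app execution log).
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/Packaged app-Execution'
    Id      = 8021
} | Select-Object TimeCreated, Message
```

Once the audit log shows no approved apps being flagged, change `EnforcementMode` to `Enabled` and distribute the policy through Group Policy instead of the local store.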
The risks associated with Windows Store apps can also be reduced by enabling AppLocker or Device Guard to enforce a whitelist of trusted win32 apps, scripts, and Windows Installer files. AppLocker and Device Guard are only available in the Enterprise and Education SKUs of Windows 10.
The Windows 10 Creators Update includes a setting that restricts users to installing only apps from the Windows Store. You can turn on this setting by enabling Configure App Install Control in Group Policy under Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer. If it hasn’t been configured using Group Policy, the setting can also be managed by users with administrative privileges in the Settings app under Apps and features. Windows 10 S is also limited to Edge and Windows Store apps.
In this Ask the Admin, we talked about why you should control which Windows Store apps users can install and discussed some controls that can be used to restrict access to the store.
Follow Russell on Twitter @smithrussell.