Greetings,
My company has started to deploy Windows Sandbox (Windows 11 Enterprise) for several users and is instructing them how to test different features safely.
I received a notification from the Security Team that it is mandatory to have internet access, but access to any File Share / DFS should be restricted / denied.
I've checked all the possible configurations for Windows Sandbox, but I am unable to find anything to achieve this goal.
There is not enough information regarding the "protected client" mode. In the MS Docs all I could find is:
"- Protected client: Places increased security settings on the RDP session to the sandbox.
When Protected Client mode is enabled, Sandbox adds a new layer of security boundary by running inside an AppContainer Isolation execution environment.
AppContainer Isolation provides Credential, Device, File, Network, Process, and Window isolation."
The link regarding AppContainer Isolation does not seem to provide what I'm looking for. I am aware that with a full Hyper-V server and a classic VM there are possible ways to achieve it, but it must be achieved with Windows Sandbox.
E.g.: a user starts Windows Sandbox, then decides to connect to a share (\\Myfileserver.contoso.com\Files) and enters the AD credentials.
Since the Windows Sandbox user is an Administrator, I cannot find a way to prevent it (I could use a logon script to disable the SMB service), but the user can simply re-enable and start the service again inside the Sandbox.
I tried to create an advanced FW rule on the client to block all traffic for WindowsSandbox.exe on port 445, but it was really a blind shot and it didn't work. I suppose this should be done on the vEthernet virtual adapter / vSwitch, but even there I don't see the possibility to block the traffic.
Can anyone confirm that Windows Sandbox does not support network isolation in the way intended? From my understanding the only possible choice is to enable or disable networking; it cannot be configured in a granular way to block access to the intranet or specific services while still providing internet access.
Best Regards,
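For reference, this is an added example (not part of the original post) of the logon-script approach the post mentions: a PowerShell snippet that generates a .wsb profile with Protected Client enabled and networking on, and a guest-side script that disables the SMB client service and adds an outbound block for TCP 445 inside the sandbox. The host folder path, file names and the guest mapping location are assumptions.

```powershell
# Added example: build a Windows Sandbox profile that keeps internet access but
# applies guest-side guardrails against SMB share access at logon.
# Caveat (as the post notes): the sandbox user is a local admin, so the guest
# can revert these settings; this reduces accidental share access, it is not a
# security boundary. Host-side enforcement needs a control outside the guest.

$HostProfileDir = 'C:\SandboxProfile'   # assumed host folder, mapped read-only into the guest
# Mapped folders appear on the sandbox desktop under the mapped folder's name (assumed default).
$GuestProfileDir = 'C:\Users\WDAGUtilityAccount\Desktop\SandboxProfile'
New-Item -ItemType Directory -Path $HostProfileDir -Force | Out-Null

# Guest-side hardening script, run by the LogonCommand when the sandbox starts.
@'
# Stop and disable the SMB client (Workstation service) inside the sandbox.
Stop-Service -Name LanmanWorkstation -Force -ErrorAction SilentlyContinue
Set-Service  -Name LanmanWorkstation -StartupType Disabled
# Block outbound SMB from the guest regardless of the service state.
New-NetFirewallRule -DisplayName 'Block outbound SMB (sandbox guardrail)' `
    -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Profile Any
'@ | Set-Content -Path (Join-Path $HostProfileDir 'harden.ps1') -Encoding ASCII

# The .wsb profile consumed by WindowsSandbox.exe.
@"
<Configuration>
  <Networking>Enable</Networking>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$HostProfileDir</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>powershell.exe -ExecutionPolicy Bypass -File "$GuestProfileDir\harden.ps1"</Command>
  </LogonCommand>
</Configuration>
"@ | Set-Content -Path (Join-Path $HostProfileDir 'RestrictedSmb.wsb') -Encoding ASCII

# Launch the profile (double-clicking the .wsb file does the same).
Start-Process -FilePath (Join-Path $HostProfileDir 'RestrictedSmb.wsb')
```

Inside the running sandbox, `Get-Service LanmanWorkstation` and `Get-NetFirewallRule -DisplayName 'Block outbound SMB*'` show whether the logon command applied.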