What's new in Windows Server 2025
How does the inclusion of winget on Windows Server 2025, where installing one of nine other less-vetted results for "sticky notes" is one incorrect copy/paste of a randomly generated ID away, square with a "security-first" posture? As far as I know, all of the security and moderation concerns about winget have been completely dismissed by Microsoft and left entirely unaddressed. (Also, please tell me 2025 is fixing "Edge will load malicious ads on first load by default"; the loss of IE ESC is a shocking security downgrade if you are just trying to jump over to a local URL.)
Windows Server takes security very seriously. But like any other product on the market, we have to balance security with usability and the value that certain features can deliver.
You don't have to use winget, or Edge, or any other feature. If you have concerns about the security or usefulness of those components, you're welcome to block them with application control policies, or simply disregard them and never launch the feature in question.
That said, if you have specific security concerns about one or more OS components, please share links to that information. There's a high chance those concerns are either already addressed by the respective feature owners or in the process of being addressed.
- jweisz, Mar 26, 2024, Copper Contributor: It's also worth noting that the readme on the official repo (https://github.com/microsoft/winget-pkgs) states right up front that 38% of the packages are out of date, and 8% of them have security vulnerabilities. I understand I have the option to not use this feature and I do not use it, but I am confused why it is regularly promoted in demonstrations where a "security by default" posture is being advertised.
- Demitrius_Nelon, Mar 26, 2024, Microsoft: The Repology (https://repology.org) report referenced over at the community repository shows packages in more than one category. This report (from a third party) is a recent addition to the repository, and it was added for the sake of transparency. Some packages will show up in both the "Newest" and "Outdated" categories. The community is actively engaged in discussions regarding the CVEs reported against versions of packages available. WinGet has support for Group Policies to manage access to sources. If there are any concerns, feel free to block/remove the community source. It is also possible to host a private REST source to offer only curated/approved packages. The reference implementation is available at https://github.com/microsoft/winget-cli-restsource.
- jweisz, Mar 26, 2024, Copper Contributor: This would be a satisfactory answer if winget were not shipped and enabled by default in Windows. I should have to jump through hoops to make my environment less secure, not jump through hoops to secure it. There really isn't any reason Microsoft needs to be, or should be, shipping Server with the ability to one-line install a mod tool for World of Warships, and the current behavior of installing a vulnerable version of Cygwin on a server without any idea you are doing so is a recipe for disaster.
- jweisz, Mar 26, 2024, Copper Contributor:
1. winget is community-moderated by volunteers, and for over four years has failed to implement even rudimentary security protections, like the ability to lock packages to the actual developers who build and release them: https://github.com/microsoft/winget-pkgs/issues/100 (This issue is closed, but the "business process" to actually do it does not exist.) There is no approval, validation, or assurance that a package you install from winget came from who you think it did, and winget has no standards for what software is noteworthy enough for inclusion in winget's library.
2. I do not know of a link for the lack of ESC in Edge, but I consider it a critical issue. Unless you have both installed Edge's Group Policy templates and manually changed the start page policy, Edge will happily open Microsoft Start's ad-laden home page, even on a domain controller. This is not security-by-default. In fact, you can go from launching Edge to a Microsoft support scammer in *one click* if you hit one of the ads on that Start screen. In our case, we had a Group Policy applied to Edge on most of our servers, but we had never found it necessary to apply it to the Domain Controllers OU until 2022 removed ESC.
Neither of these is a code flaw; they are business flaws: products that are not Windows Server have been stuffed into Windows Server without considering the security implications, or how quickly they can be used to compromise an environment.
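The second point above describes the fix only as "installed Edge's Group Policy templates and manually changed the start page policy". As an added example (mine, not the poster's or Microsoft's), this is the equivalent done directly with Edge's documented machine policies under HKLM\SOFTWARE\Policies\Microsoft\Edge, so that Edge on a server opens a local URL instead of the Microsoft Start feed. The intranet URL is a placeholder; Edge reads these values without the ADMX templates being installed, since the templates only write the same keys.

```powershell
# Added example: keep Edge on a server away from the Microsoft Start page.
# Run elevated. Policy names are Microsoft Edge's documented registry policies;
# the intranet URL is a placeholder for whatever local page you actually want.
$edge  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$local = 'https://intranet.example.internal/'   # placeholder

New-Item -Path $edge -Force | Out-Null

# RestoreOnStartup = 4 means "open a fixed list of URLs" (1 = restore last
# session, 5 = open the new tab page). The list lives in a subkey whose values
# are named 1, 2, ... in order.
Set-ItemProperty -Path $edge -Name RestoreOnStartup -Type DWord -Value 4
$urls = Join-Path $edge 'RestoreOnStartupURLs'
New-Item -Path $urls -Force | Out-Null
Set-ItemProperty -Path $urls -Name '1' -Type String -Value $local

# The home button and every new tab should also land on the local page rather
# than the MSN feed, otherwise one Ctrl+T puts the ads straight back.
Set-ItemProperty -Path $edge -Name HomepageLocation     -Type String -Value $local
Set-ItemProperty -Path $edge -Name HomepageIsNewTabPage -Type DWord  -Value 0
Set-ItemProperty -Path $edge -Name NewTabPageLocation   -Type String -Value $local

# Verify what Edge will see (edge://policy in the browser shows the same data).
Get-ItemProperty -Path $edge |
    Select-Object RestoreOnStartup, HomepageLocation, HomepageIsNewTabPage, NewTabPageLocation
$startup = (Get-ItemProperty -Path $urls).PSObject.Properties |
    Where-Object Name -match '^\d+$' | ForEach-Object Value
if ($startup -ne $local) { throw "Unexpected startup URL list: $startup" }
```

Applying this through a GPO linked to the Domain Controllers OU, rather than per machine as shown here, is what the poster describes having missed; the registry values are identical either way.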