What's new in Windows Server 2025
Windows Server takes security very seriously. But like any other product on the market, we have to balance security with usability and the value that certain features can deliver.
You don't have to use winget, Edge, or any other feature. If you have concerns about the security or usefulness of those components, you're welcome to block them with application control policies, or simply disregard and never launch the feature in question.
That said, if you have specific security concerns about one or more OS components, please share links to that information. There's a high chance those concerns are either already addressed by the respective feature owners, or in the process of being addressed.
- Demitrius_Nelon Mar 26, 2024
Microsoft
The Repology (https://repology.org) report referenced over at the community repository shows packages in more than one category. This report (from a third party) is a recent addition to the repository, and it was added for the sake of transparency. Some packages will show up both in the "Newest" and "Outdated" categories. The community is actively engaged in discussions regarding the reported CVE reports associated with versions of packages available. WinGet has support for Group Policies to manage access to sources. If there are any concerns, feel free to block/remove the community source. It is also possible to host a private REST source to offer only curated/approved packages. The reference implementation is available at https://github.com/microsoft/winget-cli-restsource.
- jweisz Mar 26, 2024
Copper Contributor
This would be a satisfactory answer if winget was not shipped and enabled by default in Windows. I should have to jump through hoops to make my environment less secure, not jump through hoops to secure it. There really isn't any reason Microsoft needs to be or should be shipping Server with the ability to one-line install a mod tool for World of Warships, and the current behavior of installing a vulnerable version of Cygwin on a server without any sort of idea you are doing so is a recipe for disaster.
- Artem Pronichkin Mar 26, 2024
Microsoft
Windows Server is, and has always been, a "Swiss army knife." There's an incredible amount of things you can do with it; it is immensely flexible and versatile, but not all of those things are necessarily safe and secure by default. While we do try to bring more security features over time, sometimes they require additional configuration because we cannot break compatibility or prevent people from legitimately doing their job in certain less-than-ideal circumstances.
We also try to introduce more tools over time, with the intent to empower customers with a choice. People can take advantage of those tools if they want to, or can disregard or even block those tools if they don't appreciate them. The most important criterion is that no tool or feature should do anything impactful unless explicitly told to by an administrator. But an administrator can always shoot themselves in the foot if they're up to that.
Imagine winget was not there by default, and neither was Edge. Anyone could still download a piece of malware and run it. There's no protection built in against a clueless or malicious person in front of the keyboard. Winget is just another mechanism by which someone can download software from the Internet, and the Internet, by definition, is untrustworthy.
If you are concerned about this kind of scenario (and perhaps rightfully so), you should not accept things in the default configuration. This is why we provide policies that can control what people can download, access and run. It's up to the administrator to set these policies and make the right tradeoff between security and usability which works best for their organization.
Microsoft cannot and should not make those decisions on behalf of the customers as it would severely impact what people can do with their computers by default.
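The source controls the two Microsoft replies above point to (Group Policy for WinGet sources, removing the community source, and serving only a curated private REST source) as an added PowerShell example; it is not code from the thread or from Microsoft. The source name and URL are placeholders, and the policy value names and the JSON shape under AdditionalSources are assumptions drawn from the "Desktop App Installer" ADMX as I recall it, so verify them against the template shipped with your build.

```powershell
# Added example (not from the thread): restrict WinGet on a Windows Server host to one
# curated private REST source and enforce that by policy.
# Assumptions: elevated PowerShell; WinGet is present; $SourceName/$SourceUrl are
# placeholders; policy value names and the AdditionalSources JSON are assumed to match
# the Desktop App Installer ADMX and should be checked against your build's template.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$SourceName = 'ContosoApproved'                      # placeholder
$SourceUrl  = 'https://winget.contoso.example/api'   # placeholder REST endpoint

# 1. Remove the public community source from this machine right now.
if ((winget source list) -match '^\s*winget\s') {
    winget source remove --name winget
}

# 2. Policy: keep the default (community) source off, and stop users adding their own.
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'EnableDefaultSource'  -Type DWord -Value 0
Set-ItemProperty -Path $PolicyKey -Name 'EnableAllowedSources' -Type DWord -Value 0

# 3. Policy: push the curated source so it is present and cannot be removed by users.
Set-ItemProperty -Path $PolicyKey -Name 'EnableAdditionalSources' -Type DWord -Value 1
$srcKey = Join-Path $PolicyKey 'AdditionalSources'
New-Item -Path $srcKey -Force | Out-Null
$json = @{ Name = $SourceName; Type = 'Microsoft.Rest'; Arg = $SourceUrl; Data = ''; Identifier = '' } |
        ConvertTo-Json -Compress
Set-ItemProperty -Path $srcKey -Name '1' -Type String -Value $json

# 4. Check: the community source is gone and the curated one is the only thing listed.
function Test-WingetSourceLockdown {
    $sources = winget source list
    return (-not ($sources -match '^\s*winget\s')) -and [bool]($sources -match "^\s*$SourceName\s")
}
Test-WingetSourceLockdown
```

Pair this with the application control policy Artem mentions so that packages from the curated source still have to pass the same allow-list as anything else installed on the host.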