But you can install any app from Sourceforge/<OtherMalwareRiddenSite>, it's just that MS has chosen not to offer their App Store in the Win10 Long Term Support Branch, which most enterprises use. So they've actually locked you out of the walled garden, which is a bit funny.
One main paramount of security is to reduce your attack surface. One of the first steps to that is to uninstall/remove things that don't belong or that you will not use. An ad-riddled (with ads likely served by a relatively insecure ad network) game is not something that belongs in a corporate network.
Try removing CandyCrushSaga and Facebook, and XBoxIdentityProvider (among many others)... they come right back after the next round of updates.
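An added example, not code from any poster in this thread: an administrator's script that removes the apps named above both from every existing user profile and from the provisioning list that re-installs them for new users, then reports what is still present. It assumes the DISM/Appx cmdlets available on Windows 10, that the wildcard patterns match the package names on the machine, and that it runs from an elevated PowerShell session.

```powershell
# Added example: audit and remove unwanted Store apps (CandyCrushSaga, Facebook,
# XboxIdentityProvider) for all users and from the provisioning list.
# Assumes an elevated session; wildcard patterns are an assumption about package names.
#Requires -RunAsAdministrator

$Unwanted = @('*CandyCrush*', '*Facebook*', '*XboxIdentityProvider*')

function Get-UnwantedAppx {
    # Per-user installs across all profiles (-AllUsers needs elevation)
    Get-AppxPackage -AllUsers | Where-Object {
        $n = $_.Name
        $Unwanted | Where-Object { $n -like $_ }
    }
}

function Get-UnwantedProvisioned {
    # Provisioned packages are what get installed into each *new* profile
    Get-AppxProvisionedPackage -Online | Where-Object {
        $d = $_.DisplayName
        $Unwanted | Where-Object { $d -like $_ }
    }
}

# 1. Remove per-user installs
foreach ($pkg in Get-UnwantedAppx) {
    Write-Host "Removing per-user package: $($pkg.PackageFullName)"
    Remove-AppxPackage -Package $pkg.PackageFullName -ErrorAction Continue
}

# 2. Remove from the provisioning list so new users do not get them
foreach ($prov in Get-UnwantedProvisioned) {
    Write-Host "Deprovisioning: $($prov.PackageName)"
    Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName | Out-Null
}

# 3. Audit: anything still listed here needs a closer look (or a feature update
#    has re-provisioned it, as the post above describes)
$left = @(Get-UnwantedAppx) + @(Get-UnwantedProvisioned)
if ($left.Count -eq 0) {
    Write-Host 'No unwanted packages remain.'
} else {
    Write-Warning "Still present: $($left.Count) package(s)"
    $left | Format-Table -AutoSize
}
```

Re-running the audit step after each cumulative or feature update is the practical check for the "they come right back" behaviour described above.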
If you're going to allow Windows Store with all of its junk (that you have very little control over), might as well allow Bonzai Buddy, Ask Toolbar, and Super PC Cleaner 2017 Premium Edition Recommended Microsoft!
And the argument that Windows Store apps are more secure so even if an ad or application is malicious the damage is limited doesn't hold water. A quick google will bring up tons of examples of code escaping sandboxes, even entire virtual machines. Any environment, no matter how secure, will always benefit from a reduction in attack surface area.
Well, if your policy allows installing random apps from the Internet but forbids installing sandboxed and vetted apps, then you're not making any sense, regardless of whether the latter type of apps may still be a risk.
I didn't catch the angle in one of the parent posts that everything BUT windows store was allowed, but re-reading the chain I can see that now. Yes, blocking sandboxed and vetted apps but allowing anything else is indeed nonsense.
The biggest issue with the Windows Store is the forced installation of several apps that do not belong in an enterprise environment, unnecessarily increasing attack surface.
Yes, and the person I was replying to works in a place that seems to allow users to install random software from the internet. That's 99.99% of your attack surface, why not restrict that?
I'm not going to get into the details of sandboxing here, but needless to say managed applications running in a sandbox are a big improvement over unmanaged, unsigned applications running with admin rights.
Sadly even now I run into large software companies that require users to have local admin privileges (and disable UAC) for their software to function correctly. And that's in the finance sector.
I've been dealing mostly in the healthcare sector now and it's even worse. Particularly with imaging software vendors. I deal with some that still only support Windows XP.
I've seen companies still distributing software updates on floppies, for that $25k spin-a-ma-thingy in the corner with the proprietary interface to the Win98 PC, that keeps on working and delivering useful results.
A famous example from the car industry is McLaren having a stack of 25-year-old Compaq LTE 5280 laptops, running DOS, because that's the only machine that will run the proprietary CA card module for the diagnostic software for the McLaren F1 (106 cars produced '92-'98, 100 left today, each valued north of $10 million).
No, IT department says "You guys are sensible, you can install whatever you like. But we'll keep you on Win10 LTSB, where MS promises to do less spying and break stuff less often." But Win10 LTSB doesn't have the MS App Store, so any app store exclusive software (mainly MS stuff) cannot be installed.