Attack Surface Reduction, Home and Away

Winget (aka Windows Package Manager) was announced at Microsoft Build 2020. It’s fundamentally a command line interface like Linux’s apt-get, yum and so on.

Many years ago, a Danish company called Secunia produced a freeware product for managing the software installed on Windows endpoints, called Personal Software Inspector (PSI). PSI was later discontinued in favour of Corporate Software Inspector (CSI), a service sold to corporate customers. Secunia and CSI were acquired by Flexera, where the product became Software Vulnerability Management.

PSI (and CSI) was rather good at identifying outdated software installed on a Windows endpoint, which is a significant portion of the challenge in managing deployed software; without tooling, that job is very resource-intensive and prone to failure. This gave first home users and then corporate customers insight into outdated components and a way to deliver updates, reducing their attack surface at the endpoint.

In 2021, a GitHub project delivered WingetUI, which is basically an enhanced skin for Winget with some additional functionality. WingetUI is a front-end that drives the winget command line to install, manage and monitor software packages on a Windows endpoint.

The Winget repository “knows” of over 4500 packages, all of which WingetUI has access to. Additionally, WingetUI can also hook into Chocolatey which also has a considerable repository of packages and sources.

WingetUI bridges the gap between the complexity of Winget and the command line with a UI layer that allows normal people to at least be able to see when software on their computer is outdated and address those issues. The tool sits in the system tray and alerts with a notification when such packages are found.

Given the complexity of software in a corporate environment, a blend of Winget and WingetUI can help workstation build teams understand when components are out of date:

  1. Reference build model: install all software on a reference endpoint and let WingetUI alert when newer components come out. This works like a push notification and avoids relying on security advisories (which can be missed); it also sidesteps the difficulty of scanning endpoints with Qualys and similar tools, which need an agent, local admin rights and potentially the assets to be present on the network when the scan takes place.
  2. Wide deployment model: some enterprises do need their personnel to install software to do their work; by leveraging a user-driven approach and/or a reporting approach to ensure software is updated, software flaws within the enterprise can be reduced.

Clearly, for a home user on a self-managed machine, this removes most of the heavy lifting of checking software for updates – which is usually too complicated for them anyway. The downside of course is that the home users most at risk are the ones least likely to use WingetUI to reduce that risk – it’s a chicken-and-egg situation.

(Re-)Build Fast and Easily

Winget and WingetUI also make building and rebuilding an endpoint quite simple.

From the command prompt, it’s possible to daisy-chain the software installs together; below is my core pack of Apps:

winget install --id=SomePythonThings.WingetUIStore -e ^
  && winget install --id=Microsoft.Office -e ^
  && winget install --id=tailscale.tailscale -e ^
  && winget install --id=RealVNC.VNCViewer -e ^
  && winget install --id=REALiX.HWiNFO -e ^
  && winget install --id=7zip.7zip -e ^
  && winget install --id=VideoLAN.VLC -e ^
  && winget install --id=Microsoft.PowerToys -e ^
  && winget install --id=Termius.Termius -e ^
  && winget install --id=SumatraPDF.SumatraPDF -e ^
  && winget install --id=Microsoft.Sysinternals.BGInfo -e ^
  && winget install --id=Cyanfish.NAPS2 -e ^
  && winget install --id=Citrix.Workspace -e

WingetUI can also export the installed packages to a JSON file. Naturally, you can edit that file to trim the package list, and the JSON can then be imported in the Discover tab to drive the installation of software in a simple and quick way.
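As an added example (my own script, not code from the post or from the winget/WingetUI projects), the same core pack installed one package at a time from PowerShell: a cmd `&&` chain stops at the first non-zero exit code, whereas this records each failure and carries on, then snapshots the finished build with `winget export` so a rebuild can replay it with `winget import`. It assumes winget is on the PATH and that the export file name `core-pack.json` is acceptable.

```powershell
# Added example: installs the core pack above one package at a time so that a
# single failure is recorded instead of ending the whole chain, then exports the
# resulting build so it can be replayed later with 'winget import -i core-pack.json'.
# Assumes winget is on PATH; the package IDs are those from the post.
$packages = @(
    'SomePythonThings.WingetUIStore',
    'Microsoft.Office',
    'tailscale.tailscale',
    'RealVNC.VNCViewer',
    'REALiX.HWiNFO',
    '7zip.7zip',
    'VideoLAN.VLC',
    'Microsoft.PowerToys',
    'Termius.Termius',
    'SumatraPDF.SumatraPDF',
    'Microsoft.Sysinternals.BGInfo',
    'Cyanfish.NAPS2',
    'Citrix.Workspace'
)

$failed = @()
foreach ($id in $packages) {
    Write-Host "Installing $id ..."
    # -e matches the ID exactly; --silent suppresses installer UI; the two
    # --accept-* switches stop winget pausing on licence and source prompts.
    winget install --id $id -e --silent --accept-package-agreements --accept-source-agreements
    if ($LASTEXITCODE -ne 0) {
        $failed += [pscustomobject]@{ Package = $id; ExitCode = $LASTEXITCODE }
    }
}

if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) package(s) did not install cleanly:"
    $failed | Format-Table -AutoSize
}

# Snapshot what is now installed (packages winget can map to a source) for later import.
$exportPath = Join-Path $PWD 'core-pack.json'
winget export -o $exportPath

# Reference build check: list any installed packages with a newer version in the repository.
winget upgrade
```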

Discovery Made Easy

If you know the name of the software you are looking for, you can use the Search box in WingetUI to find and install that software. For those who are not quite so well-informed about software that might be useful, Winstall.App has a brilliant list from the repository that can be searched and ordered in different ways (alphabetical, latest updates, etc). An example search is for “pdf” which results in around 80 matching packages.

NB: Some of the packages are not freeware and so will need to be licensed; this is purely about making software and package management easy.