wix3 VS ts_block

We also need to install WiX Toolset v3.11.2, you can download the latest version from here

For those like me (I never used Windows) who do not know WiX; https://wixtoolset.org/.

I don't do Windows installers myself, but I hear WiX is popular: https://wixtoolset.org/

I actually like WiX[1] — it has a bit of a learning curve, but, so long as I'm building on Windows and don't stray far from the default UI flows, I haven't found an easier tool for creating Windows installers as part of a product build process, especially those that require Windows-specific bits like COM component registration, Windows service management, setting restrictive ACLs on installed components, etc.

And while I'm not aware of any way to sandbox Windows Installer itself, I'm curious if AppContainer isolation can be applied to applications and services installed via MSI, which would still be quite useful even if the installation process itself is unrestricted.

Alternatively, now that MSIX supports service installation[2], I wonder whether an MSIX including a Windows service and a collection of client applications can be configured so everything runs within one AppContainer, isolated from the rest of the system, and whether permission to access specific external directories chosen by users in a configuration GUI can be transparently (to the user) delegated to the related service.

Alas, none of this is useful to me until it's compatible with at least the most recent version of Windows 10, as very few of my customers are running Windows 11, and I suspect many won't upgrade until Windows 10 is no longer supported (optimistically; as of last year, I was still getting occasional support requests from customers running older versions of our software on Windows Server 2003 R2).

[1] https://wixtoolset.org

[2] https://learn.microsoft.com/en-us/windows/msix/supported-pla...

For Windows, in the past, I’ve used the WiX toolset to create installers (https://wixtoolset.org/).

https://wixtoolset.org/ should be able to help you out there.

Wix toolset to extract .exe to get the driver or .msi https://github.com/wixtoolset/wix3/releases

For windows - store: https://developer.microsoft.com/en-us/microsoft-store/register/ - requirements: https://learn.microsoft.com/en-us/windows/apps/publish/publish-your-app/app-package-requirements?pivots=store-installer-msix - alternatively you can make MSIs and distribute them through your own website or another service. https://wixtoolset.org/ - publishing with chocolatey isn't a terrible option to help users with upgrade/installation automation. https://community.chocolatey.org/packages

> Is there something inherently insecure about remote desktops, or is MS software here known to be particularly insecure...

Exposing RDP to the Internet directly has been frowned-upon because of the attack surface being presented, there's no two factor "story" out-of-the-box, and you're opened up to brute force attempts on cruddy user passwords.

Older versions of the Microsoft Remote Desktop Protocol had a much larger attack surface than current versions. The current versions with Network Level Authentication (starting in Windows Vista/Server 2008) present a smaller attacks surface. Older versions used "homegrown" Microsoft crypto, whereas current versions use TLS.

Disclosure: I made a FLOSS fail2ban-like tool for RDP many years ago[0]. I had a situation where I was forced to expose RDP to the Internet and I didn't like having it open w/o some protection against brute force attacks. This tool happens to still works in Server 2022 and will slow the velocity of brute force attacks. I still highly recommend not exposing RDP directly to the Internet anyway.

(The ts_block tool is missing some fairly essential functionality that I never got around to implementing. It works fine and is really easy to install but some things are sub-optimal.)

[0] https://github.com/EvanAnderson/ts_block

My old ts_block[0] project does something similar to yours, albeit for RDP only and with much less sophisticated customization.

I opted to go with a WMI Event Sink rather than polling the Event Log. I've never done a benchmark to see which architecture would use less CPU, but I can say the WMI event sink causes nearly instantaneous reaction.

As an aside: I'd love to hear if somebody tries ts_block on Windows Server 2022. It works fine on 2012 R2 thru 2019 but I've never tried it on 2022.

[0] https://github.com/EvanAnderson/ts_block

The perspectives in the comments on this article re: WiX XML source and Windows Installer being difficult are interesting to me. Like I said elsewhere, I overcame that learning curve so long ago that I can't put myself in a position where it seems daunting now.

To be fair, though, an MSI to install a 10 files in "C:\Program Files\AppName", register a couple .NET assemblies, create a couple of shortcuts, and throw a few values into the registry would amount to <100 lines of XML.

Here's a years-old WiX 2.0 syntax source file to install 4 files in "C:\Program Files\appname" and run an EXE embedded in the MSI to install a service: https://github.com/EvanAnderson/ts_block/blob/master/MSI/ts_...

I've only seen "thousands of lines" of WiX source when dealing programs that install a ton of files, or put scads of entries in the registry.

Most of the MSIs with WiX are based on a simple skeleton generated from a template, and using "includes" generated by the "candle" tool.

Understanding the Windows Installer and the WiX source feels analogous to what I see in "modern" web development-- a bunch of tools that developers use, seemingly without understanding what they do, to create a massive pile of edifice into which original code is finally placed.