How secure are Hyper-V containers in Windows Server 2016?

Container engines like Docker can compromise an entire root OS because of a lack of isolation. What steps can admins take to secure Hyper-V containers in Windows Server 2016?

The benefits of container technology -- lightweight resource demands, faster deployment, vast scalability -- have attracted significant attention from the IT industry. But the most popular container engine, a Linux-based platform from Docker, struggles to address important security issues.

The problem with Docker security stems from a lack of isolation between container instances. In the simplest terms, every container shares the same host OS kernel, libraries and binaries. If a malware attack or other security event is able to break out of a container and access the root OS, it is possible to compromise the underlying OS and affect every container running on it. A container can already talk to the host kernel when it runs, and Linux doesn't namespace major kernel subsystems or devices to separate or protect them. This means if you can communicate with the kernel or devices, it's possible to compromise the whole system.

While Docker promises future security improvements, there are some tactics that protect Hyper-V containers today.

1. Restrict containers to workloads that you know and trust from trusted parties -- avoid random workloads, such as interesting tools or other "stuff" you find on the Internet.

2. Test and apply Linux patches and security updates diligently. A vendor-supported OS, such as Red Hat Enterprise Linux, can help find and fix vulnerabilities.

3. Run containers as non-root whenever possible, and drop root privileges as soon as you can. No matter what, always consider root privileges in a container to be the same as root privileges outside of the container.

Hyper-V containers in Windows Server 2016 use Hyper-V to first create a VM for isolation. Once a VM is available, Linux can be installed as the OS and an engine such as Docker can run to support containers. This is a form of nested virtualization. If the container and the underlying Linux OS are compromised, the entire security event should remain contained within the Hyper-V VM.
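The three tactics above and the isolation mode of each container can be checked from `docker inspect` output. The following audit script is an added example, not code from the article or from Docker; it runs over a constructed, abridged inspect dump embedded inline and flags root users, added privileges, shared host namespaces and containers that lack `hyperv` isolation (the `HostConfig.Isolation` field is set by the Windows Docker engine).

```python
import json

# Constructed sample of `docker inspect` output (abridged), not captured from a real host:
# one container run carelessly as root with process isolation, one hardened with
# a non-root user and Hyper-V isolation.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/legacy-tool",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
                    "PidMode": "host", "NetworkMode": "host",
                    "Isolation": "process"}},
    {"Name": "/web-frontend",
     "Config": {"User": "1000:1000"},
     "HostConfig": {"Privileged": False, "CapAdd": None,
                    "PidMode": "", "NetworkMode": "default",
                    "Isolation": "hyperv"}},
])

def audit_container(c):
    """Return a list of findings for one inspect record; an empty list means clean."""
    findings = []
    cfg = c.get("Config", {})
    hc = c.get("HostConfig", {})
    user = (cfg.get("User") or "").split(":")[0]
    # An empty User means the image default, which is root unless the Dockerfile set USER.
    if user in ("", "0", "root"):
        findings.append("runs as root (treat as root on the host)")
    if hc.get("Privileged"):
        findings.append("--privileged grants near-host access")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"adds capability {cap}")
    if hc.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    if hc.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    # "hyperv" means the container gets its own kernel inside a utility VM; "process"
    # (the Windows Server default) and Linux containers share the host kernel.
    if hc.get("Isolation") != "hyperv":
        findings.append(f"isolation={hc.get('Isolation') or 'default'} shares the host kernel")
    return findings

def audit(inspect_json):
    """Map container name -> findings for every record in a docker inspect dump."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

On a live host, feed it `docker inspect $(docker ps -q)` instead of the constructed sample.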

While the concept of containers has existed for years, the Docker engine spawned a renewed interest in this technology. Microsoft hopes its Windows Server 2016 will move containers from Linux deployments to Windows environments by supporting native containers and nested virtualization.

Windows Server 2016 also promises streamlined management and improved isolation for container instances, helping organizations embrace and expand container deployment. IT staff should soon be able to experiment with Hyper-V containers in Technology Preview versions of the OS and make plans for container adoption under Windows and Docker.

This was last published in June 2015
