This content is part of the Essential Guide: A guide to Microsoft Windows Server 2016

Essential Guide

Browse Sections

How secure are Hyper-V containers in Windows Server 2016?

Container engines like Docker can compromise an entire root OS because of a lack of isolation. What steps can admins take to secure Hyper-V containers in Windows Server 2016?

The benefits of container technology -- lightweight resource demands, faster deployment, vast scalability -- have attracted significant attention from the IT industry. But the most popular container engine, a Linux-based platform from Docker, struggles to address important security issues.

The problem with Docker security stems from a lack of isolation between container instances. In the simplest terms, every container shares the same host OS kernel, libraries and binaries. If a malware attack or other security event is able to break out of a container and access the root OS, it is possible to compromise the underlying OS and affect every container running on it. A container can already talk to the host kernel when it runs, and Linux doesn't namespace major kernel subsystems or devices to separate or protect them. This means if you can communicate with the kernel or devices, it's possible to compromise the whole system.

While Docker promises future security improvements, there are some tactics that protect Hyper-V container.

1. Restrict containers to workloads that you know and trust from trusted parties -- avoid random workloads, such as interesting tools or other "stuff" you find on the Internet.

2. Test and apply Linux patches and security updates diligently. Trusted OS support like the kind supported by Red Hat Enterprise Linux can help to find and fix vulnerabilities.

3. Run containers as non-root whenever possible, and drop root privileges as soon as you can. No matter what, always consider root privileges in a container to be the same as root privileges outside of the container.

Hyper-V containers in Windows Server 2016 use Hyper-V to first create a VM for isolation. Once a VM is available, Linux can be installed as the OS and an engine such as Docker can run to support containers. This is a form of nested virtualization. If the container and underlying Linux OS is compromised, the entire security event should remain contained within the Hyper-V VM.

While the concept of containers has existed for years, the Docker engine spawned a renewed interest in this technology. Microsoft hopes its Windows Server 2016 will move containers from Linux deployments to Windows environments by supporting native containers and nested virtualization.

Windows Server 2016 also promises streamlined management and improved isolation for container instances, helping organizations embrace and expand container deployment. IT staff should soon be able to experiment with Hyper-V containers in Technology Preview versions of the OS and make plans for container adoption under Windows and Docker.

Next Steps

How do Windows Server containers affect applications?

Following the evolution of Hyper-V

What's missing from Windows Server 2016 preview?

Dig Deeper on Microsoft Hyper-V management