Are the Hyper-V Containers in Windows Server 2016 Really Secure?

January 7, 2016 / General Discussion

With the recent announcement of Windows Server 2016 Technical Preview 4, Microsoft has shown that it is enhancing its server capabilities both on-premises and on cloud platforms. Windows Server 2016 is the outcome of Microsoft's collaboration with Docker, and it fully embraces container technology with both Hyper-V and Docker.

Container features such as faster deployment, lightweight resource demands and vast scalability have been alluring to the IT industry. Unfortunately, Docker's popular Linux-based container engine is still struggling to resolve major security issues.

Docker's security problems stem from a lack of isolation between container instances. Put simply, every container shares the same host OS kernel, binaries and libraries. Suppose malware or some other security issue breaks out of a container and gains access to the root OS.

It will reach the underlying OS and affect every container running on it, because a running container can communicate with the host kernel, and Linux does not namespace major kernel devices or subsystems to protect or detach them.

This means that because a container can talk to devices and the kernel, compromising the whole system is quite possible.

Though Docker is working on security improvements, you need to learn certain tricks to protect your containers in the meantime, as follows:

  • Test and apply Linux patches and security updates meticulously. Trustworthy vendor support, such as that for Red Hat Enterprise Linux, can help you find and fix vulnerabilities.
  • Restrict containers to workloads that you know and trust, from parties you trust. Avoid random workloads, such as interesting tools or other “internet stuff”.
  • Whenever possible, run containers as non-root and drop root privileges as soon as you can. Never consider root privileges inside a container to be any different from root privileges outside it, whatever the situation.

First and foremost, Hyper-V containers in Windows Server 2016 use Hyper-V to create a VM for isolation. Once the VM is available, installing Linux as the OS and Docker as the engine to support the containers is easy.

If the container as well as the underlying Linux OS is then broken into, the security event remains contained within the Hyper-V VM and should not affect the rest of the system.
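As an added example (not code from the original post), the following script audits `docker inspect` output against the two points made above: containers should not run as root or privileged, and Windows containers should use Hyper-V rather than process isolation, which shares the host kernel. The sample inspect records are constructed inline; the field names (`Config.User`, `HostConfig.Privileged`, `HostConfig.Isolation`) are those `docker inspect` emits.

```python
import json

# Constructed sample of `docker inspect` output (not from the post): four containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-linux",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "Isolation": ""}},
    {"Name": "/db-linux",
     "Config": {"User": "postgres"},
     "HostConfig": {"Privileged": True, "Isolation": ""}},
    {"Name": "/iis-win",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "Isolation": "process"}},
    {"Name": "/app-win",
     "Config": {"User": "ContainerUser"},
     "HostConfig": {"Privileged": False, "Isolation": "hyperv"}},
])


def audit_container(c):
    """Return a list of findings for one `docker inspect` record."""
    findings = []
    user = (c.get("Config", {}).get("User") or "").strip()
    host = c.get("HostConfig", {})
    # No USER means the process starts as root (Linux) or the image's
    # default, usually an administrator account (Windows).
    if user in ("", "root", "0") or user.startswith("0:"):
        findings.append("runs as root / default user")
    if host.get("Privileged"):
        findings.append("privileged: host kernel fully exposed")
    # Windows hosts only: "process" isolation shares the host kernel, "hyperv"
    # runs the container inside its own VM. "default" or "" must be resolved
    # against the daemon's configuration and is left unflagged here.
    if host.get("Isolation", "") == "process":
        findings.append("process isolation: shares host kernel (use Hyper-V isolation)")
    return findings


def audit(inspect_json):
    """Map container name -> findings, omitting containers with none."""
    report = {}
    for c in json.loads(inspect_json):
        findings = audit_container(c)
        if findings:
            report[c["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", "; ".join(findings))
```

On a real host, feed it `docker inspect $(docker ps -q)` instead of the constructed sample.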

Container technology has been around for years, but the Docker engine has created renewed interest in it. Microsoft is hoping that with its Windows Server 2016 platform, container deployments on Linux will move to Windows environments, helped by native containers and nested virtualization.

With Windows Server 2016, streamlined management and better isolation of container instances would be possible, which will help businesses get a grip on and expand their container deployments.

IT staff can test Hyper-V containers in the Technical Preview versions of the OS and plan for container adoption under Docker and Windows.