Are the Hyper-V Containers in Windows Server 2016 Really Secure?

January 7, 2016


With the recent announcement of Windows Server 2016 Technical Preview 4, Microsoft has shown that it is enhancing its server capabilities both on-premises and on cloud platforms. Windows Server 2016 is the outcome of Microsoft's collaboration with Docker, and it fully embraces container technology through both Hyper-V and Docker. Container features such as faster deployment, lightweight resource demands and broad scalability have attracted the IT industry. Unfortunately, the popular Linux-based container engine from Docker is still struggling to resolve major security issues.

Lack of isolation between container instances is the root of Docker's security problem. Put simply, every container shares the same host OS kernel, binaries and libraries. If malware or another security incident breaks out of a container and gains root access, it reaches the underlying OS and can affect every container running on that host. Because a running container can talk to the host kernel, and Linux does not namespace major kernel devices or subsystems to isolate them, anyone who can communicate with those devices or the kernel can compromise the whole system quite easily.

Though Docker is working on security improvements, there are a few practices you can apply now to protect your containers:

  • Test and apply Linux patches and security updates meticulously. A trustworthy support contract, such as that for Red Hat Enterprise Linux, can help find and fix vulnerabilities.
  • Restrict containers to workloads you know and that come from parties you trust. Avoid running random workloads, such as interesting tools or other "internet stuff".
  • Whenever possible, run containers as non-root and drop root privileges as early as you can. Never treat root privileges inside a container as different from root privileges outside it, whatever the situation.
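As an added example (not from the original article), a small audit that applies the non-root and trusted-workload advice above to `docker inspect` output: it flags containers that run as root, use `--privileged`, share the host PID or network namespace, or add capabilities. The two container records are constructed; the field names follow the real `docker inspect` JSON.

```python
"""Audit docker inspect output for containers that ignore the isolation
advice: root user, --privileged, host PID/network namespace, added caps.
Field layout follows `docker inspect` (Config.User, HostConfig.*); the
sample records are constructed for this example, not from a live host."""
import json

# Constructed sample: one hardened container and one wide-open build box.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-hardened",
     "Config": {"User": "1000:1000", "Image": "nginx"},
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                    "CapAdd": None, "CapDrop": ["ALL"]}},
    {"Name": "/build-box",
     "Config": {"User": "", "Image": "ubuntu"},
     "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "host",
                    "CapAdd": ["SYS_ADMIN"], "CapDrop": None}},
])


def audit_container(rec):
    """Return a list of findings for one docker inspect record."""
    findings = []
    cfg = rec.get("Config", {})
    hc = rec.get("HostConfig", {})
    user = (cfg.get("User") or "").strip()
    # Empty User, "root" or uid 0 means the process is root inside the
    # container; against a shared kernel that is root on the host too.
    if user in ("", "root", "0") or user.split(":")[0] in ("0", "root"):
        findings.append("runs as root (Config.User unset or 0)")
    if hc.get("Privileged"):
        findings.append("--privileged grants all capabilities and device access")
    if hc.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    if hc.get("NetworkMode") == "host":
        findings.append("shares host network namespace")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"adds capability {cap}")
    return findings


def audit_inspect_json(text):
    """Map container name -> findings for every record in the JSON array."""
    return {rec["Name"].lstrip("/"): audit_container(rec)
            for rec in json.loads(text)}


if __name__ == "__main__":
    for name, issues in audit_inspect_json(SAMPLE_INSPECT).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

On a real host, feed it the output of `docker inspect $(docker ps -q)` instead of the constructed sample.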

First and foremost, Hyper-V containers in Windows Server 2016 use Hyper-V to create a VM for isolation. Once the VM is available, Linux can be installed as its OS and Docker as the engine supporting the containers. If a container and the underlying Linux OS are then compromised, the security event stays contained within the Hyper-V VM and does not reach the rest of the system.

Container technology has existed for years, but the Docker engine has created new interest in it. Microsoft hopes that with Windows Server 2016 container deployments will move from Linux to Windows environments, supported by native containers and nested virtualization.

Windows Server 2016 promises streamlined management and better isolation of container instances, which will help businesses get a grip on and expand their container deployments. IT staff can test Hyper-V containers in the Technical Preview versions of the OS and plan for container adoption with Docker and Windows.