Security Considerations when Selecting Containers for Windows

Containers are not a new concept in the IT world, at least not for Unix and Linux users. It is available with them in one form or another for quite a long time, chroot was made available to Unix somewhere in 80s, offering basic functionality to segregate filesystem for processes. However, Containers for Windows is definitely a new kid in the block, kind of, 2016 is not very distant past.

At least two use cases were responsible for advent of containerisation in OS territories namely:

  • Security, and
  • Portability, build once run anywhere, well mostly

Security was primary driver, in my view, which explain why early implementations were chroot and Linux Jail features i.e. attempts to isolate and segregate file and processes. Portability i.e. having self-contained environment is second most important driver allowing to configure and run applications segregated giving them illusion of as if they are the only applications available. Later, with the wider adoption of Lean methodology, rushing to market with MVP (minimum viable product) and then updating applications frequently with features and/or fixing bugs), along with popularity of architecture like Microservice gave containers much impetus and spurred widespread adoption of the technology.

Note, its intuitive with the name containers that it contains something in it, isolating it from others and allow to ship it to other locations

Windows Containers Type

As Windows operating system is differnt from Linux, mentioning as it was not obvious 😏. Anywas, Windows has much tightly coupled monolithic architecutre where application’s isolation from system services is not possible, at least not now yet.

Thanks to Windows Internals inter-dependencies and architecture many past attempts to containerize or isolation/segregate it couldn’t achieve the desired goals, if not outright unsuccessful. Look at Project Silos or “Drawbrige” to name a few (https://www.microsoft.com/en-us/research/project/drawbridge/)

However, Microsoft either much fascinated by Containers or simply was fearing to miss the hype and enthusiasm around containers and dockers offered two flavours, you heard it right :

  1. Windows Server Containers - It offers application level isolation using somewhat tradiotional means like Process and name spaces Isolation. One needs to keep in view that Windows doest not support Linux like cgroup. In these containers though different applications can co-exist whereas enjoying isolation between their libraries and registeries etc. However, kernel is shared among containers
  2. Hyper-V Containers- These containers are in fact, highly optimized VMs running under Hyper-V engine providing much needed kernel level isolation i.e kernel is not shared among containers.

To better undersand why Microsoft Windows has offered the two flavours lets quickly have a look at two important process modes i.e. Kernel Mode and User Mode. Processors runs two type of codes one most trusted hence having higer access i.e. code running core operating system components referred as Kernel mode and secondly less trusted user application code running as user mode. User mode application’s can’t access kernel mode code for stability, integrity and security reasons. However, owing to tight integration of Microsoft Windows it is not possible enitreley , at least currently, to ensure that user mode application sharing the kernel can not effect each other beyond doubt.

When to run with Container Type ?

While selection of container type may not be much significant from the develops point of view but it is more of IT Security and operations issues. They keyword is the Same Trust boundary or not?

Owing to vulnerabilites applicable to shared kernal an ideal use case of Windows Server containers may be where they are from same Trust boundary i.e. same organisation running containers or running trusted code accessing information with similar level of protection or security labels. In other words where you can trust both host server and all containers running on that hosts

Hyper_v Containers offer almost all the benefits of Windows-containers with added protection of of offering better and optimized version of Virtual machine. Hyper-V containers are better suited for multi-tenanted environments or with applications with different trust level .

Nice thing about containers in Windows is that one can change from one type to other with the aid of PowerShell commands. So effectively if you need to deploy an applications with different trust boundary on already running Windows Server Contianers you can change the mode by using PowerShell Set-Container cmdlet

Sources:

  1. https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/containerd
  2. https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode
  3. https://xebia.com/blog/windows-containers-care/
  4. https://medium.com/jettech/a-short-introduction-to-windows-containers-db5adc0db536
  5. https://www.youtube.com/watch?v=85nCF5S8Qok
  6. https://msdn.microsoft.com/en-us/magazine/mt797649.aspx