Enhance security for MCR

MCR inherits many strengths from Docker Moby, while also sharing the vulnerabilities of that product. Securing MCR requires thoughtful configuration and operational rigor.

Runtime-Specific Security Features

Process Isolation

Use Windows Server process isolation for compatibility while ensuring system isolation:

docker run --isolation=process <container>

Hyper-V Isolation

Use Hyper-V isolation for added security, especially when running untrusted workloads:

docker run --isolation=hyperv <container>

Immutable Infrastructure

Configure containers to run in read-only mode.

Image Security

Digitally Sign Images

Implement Docker Content Trust (DCT) to enforce signed images:

$env:DOCKER_CONTENT_TRUST=1

Scan Images for Vulnerabilities

Use scanning tools such as Trivy or native Mirantis tools to identify vulnerabilities:

trivy image <image>

Restrict Container Privileges

Drop Capabilities

Reduce the attack surface of the container by dropping unnecessary privileges:

docker run --cap-drop=ALL --cap-add=NET_ADMIN <container>

Note

The following applies to Windows Server 2022:

docker run --cap-drop=ALL <container>
docker run --cap-add=ALL <container>

Limit Resource Consumption

Prevent resource starvation attacks by capping memory and CPU usage:

docker run --memory="512m" --cpus="1" <container>

Secure Docker Daemon Communication

Enable TLS

Configure the Docker daemon to require TLS for all communications by generating certificates and configuring the daemon.json file as follows:

{
  "tls": true,
  "tlsverify": true,
  "tlscacert": "C:\\DockerCerts\\ca.pem",
  "tlscert": "C:\\DockerCerts\\server-cert.pem",
  "tlskey": "C:\\DockerCerts\\server-key.pem",
  "hosts": ["tcp://0.0.0.0:2376"]
}
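
The following PowerShell audit of a daemon.json for the TLS settings above is an added example, not code from the original page or from Mirantis. `Test-DaemonTls` is a hypothetical helper name and the sample JSON is constructed.

```powershell
# Added example: Test-DaemonTls is a hypothetical helper, not a Docker or MCR cmdlet.
function Test-DaemonTls {
    param(
        [Parameter(Mandatory)][string]$Json,
        [switch]$CheckFiles   # also verify that the certificate files exist on disk
    )
    $cfg = $Json | ConvertFrom-Json
    $findings = [System.Collections.Generic.List[string]]::new()

    # tlsverify makes the daemon require a client certificate signed by tlscacert.
    if ($cfg.tlsverify -ne $true) {
        $findings.Add('tlsverify is not true: clients are not authenticated')
    }
    foreach ($key in 'tlscacert', 'tlscert', 'tlskey') {
        $path = $cfg.$key
        if ([string]::IsNullOrWhiteSpace($path)) {
            $findings.Add("$key is not set")
        } elseif ($CheckFiles -and -not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $findings.Add("$key points to a missing file: $path")
        }
    }
    # A tcp:// listener without tlsverify exposes the Docker API to the network.
    foreach ($h in @($cfg.hosts)) {
        if ($h -like 'tcp://*' -and $cfg.tlsverify -ne $true) {
            $findings.Add("$h is a TCP listener without client verification")
        }
    }
    return ,$findings.ToArray()
}

# Constructed sample: TLS enabled, client verification off, tlskey missing.
$sample = @'
{
  "tls": true,
  "tlsverify": false,
  "tlscacert": "C:\\DockerCerts\\ca.pem",
  "tlscert": "C:\\DockerCerts\\server-cert.pem",
  "hosts": ["tcp://0.0.0.0:2376"]
}
'@
Test-DaemonTls -Json $sample | ForEach-Object { Write-Warning $_ }
```

To audit a live host, pass the file contents with `Get-Content -Raw` and add `-CheckFiles` so that a mistyped certificate path is reported before the daemon is restarted.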

Restrict Daemon Access

Use Access Control Lists (ACLs) to restrict access to the Docker named pipe (npipe://).