Safeguard the Windows host operating system

The security of the Windows host directly impacts the safety of the containers that run on it. Hardening the operating system is the first step to securing MCR.

Advanced Group Policy Configurations

Group Policy is a critical tool for enforcing security configurations across the host environment. Advanced settings for securing Windows are offered below:

Account policies

Set password policies to enforce complexity, expiration, and minimum length:

  1. From the Search bar, run gpedit.msc.

  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

  3. Set Minimum password length to 14 characters and enable Password must meet complexity requirements.

  4. Configure Account lockout threshold to 5 failed attempts.

Logon restrictions

Limit local and remote logon rights to specific administrative accounts:

  1. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  2. Assign Deny log on locally to unauthorized groups, and restrict Allow log on through Remote Desktop Services.

Restrict Access to System Tools

Block access to registry editing tools and command-line interpreters for non-administrative users using Software Restriction Policies or AppLocker:

  1. Navigate to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules > Create new rule.

  2. Input the following as a rule:

    - Action: Deny
    - Select the users or groups the rule applies to
    - Condition: Path
    - Paths for registry editing tools:
      - %windir%\regedit.exe
      - %windir%\system32\regedt32.exe
    - Paths for command-line interpreters:
      - %windir%\system32\cmd.exe
      - %windir%\system32\windowspowershell\v1.0\powershell.exe

Adjust Local Security Policy

The Local Security Policy tool provides granular controls over system security. Mirantis recommends that you disable NTLM authentication and secure anonymous access.

Disable NTLM Authentication

To enforce the use of Kerberos for authentication to reduce susceptibility to pass-the-hash attacks:

Navigate to Local Policies > Security Options > Network security: Restrict NTLM: NTLM Authentication in this domain > Deny All > Apply.

Secure Anonymous Access

Navigate to Local Policies > Security Options and enable:

  • Network access: Do not allow anonymous enumeration of SAM accounts and shares.

  • Network access: Restrict anonymous access to named pipes and shares.

Harden File System and Registry Permissions

To prevent unauthorized tampering, restrict access to all critical system directories, for example C:\Windows\System32:

  1. Open File Explorer and navigate to C:\Windows.

  2. Right-click the System32 folder and select Properties.

  3. Go to the Security tab, click Advanced, open the Auditing tab, and select Replace all child object auditing entries with inheritable auditing entries from this object.

  4. Click Disable inheritance.

Use Access Control Lists (ACLs) to secure sensitive registry keys, for example by denying the Users group full control of the docker service key. Expressed in icacls syntax, the intended restriction is:

icacls "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\docker" /deny "Users:(F)"

icacls operates only on file-system objects and does not accept registry paths, so apply this ACL through the Registry Editor (regedit.exe, Permissions dialog of the key) rather than from the command line.
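The same deny ACL can be applied and verified from PowerShell, whose registry provider (unlike icacls) can modify key permissions. This is an added example, not part of the Mirantis documentation; it assumes the page's ControlSet001 key path and an elevated session, and the function names are illustrative.

```powershell
# Added example, not Mirantis code: deny the local Users group access to the
# docker service registry key through the PowerShell registry provider.
# Assumptions: the page's ControlSet001 key path (on a live host the active
# control set is HKLM:\SYSTEM\CurrentControlSet) and an elevated session.
$DockerServiceKey = 'HKLM:\SYSTEM\ControlSet001\Services\docker'

function Add-RegistryDenyAce {
    param(
        [string]$Path = $DockerServiceKey,
        [string]$Identity = 'BUILTIN\Users'
    )
    $acl = Get-Acl -Path $Path
    # Deny FullControl (the equivalent of icacls "(F)") on the key and,
    # through ContainerInherit, on its subkeys such as Parameters.
    $ace = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($ace)
    # Deny ACEs are evaluated before Allow ACEs, so this also removes the
    # read access Users normally hold on service keys; the service itself
    # runs as SYSTEM and is unaffected.
    Set-Acl -Path $Path -AclObject $acl
}

function Get-RegistryDenyAce {
    # Returns the Deny entries for the identity so the change can be
    # verified, or audited from a hardening checklist, without regedit.
    param(
        [string]$Path = $DockerServiceKey,
        [string]$Identity = 'BUILTIN\Users'
    )
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Identity
    } | Select-Object IdentityReference, RegistryRights, InheritanceFlags
}

Add-RegistryDenyAce
Get-RegistryDenyAce
```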

Network Security Enhancements

Host-Based Firewall Rules

Configure Windows Defender Firewall to block all inbound traffic by default and to only allow explicitly defined traffic into container endpoints. Set the default inbound action of each profile to Block rather than creating a catch-all block rule, because explicit block rules take precedence over allow rules and would also block the container endpoints you allow later:

Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

IPsec Policies

Implement IPsec rules to secure network traffic:

  1. Access the Windows Defender Firewall with Advanced Security MMC snap-in to configure IPsec for container-to-host communications.

  2. Open the firewall settings by running wf.msc.

  3. Go to Connection Security Rules > New Rule and define the rule according to the application and its traffic.

DNS Security

Deploy DNSSEC to authenticate DNS responses and to mitigate DNS spoofing. The DNS Server role must be installed.

Secure Boot and Credential Guard

  1. Confirm that Secure Boot, which ensures that only signed OS components load during startup, is enabled by running msinfo32.exe.

  2. Check Secure Boot State under System Summary.

  3. Enable Credential Guard, which isolates secrets using virtualization-based security, by way of Group Policy.

  4. Navigate to Computer Configuration > Administrative Templates > System > Device Guard.

  5. Click Turn on Virtualization Based Security.

  6. Select Enabled.

  7. Click Apply.