Does running a Linux container on Windows compromise the existing antivirus/firewall/overall security of the system?

Hi forum,

I would like to start using Docker for Windows on our Windows 2012 servers. However, our IT guys run a Windows-only shop and are nervous about the idea of running Linux containers on Windows servers. Our IT section do not support Linux systems and are concerned about whether Linux virtualisation would compromise the existing anti-virus, firewall, or general security settings of the system. This is quite important as we’re based in a hospital, so there’s lots of confidential data that needs protecting.

Would running a Linux Docker container on Windows require its own anti-virus, or additional steps to ensure its security? Or is the security of the Windows host totally unaffected by the use of Docker containers?

Any advice appreciated! Thanks.

I started writing my reply, and then realized this post has become quite old. I hope it’ll be useful to someone anyway.

The answer is unfortunately: It depends. Basically, the containers will still sit behind the firewall (in most configurations), and only explicitly opened ports will be available externally. Furthermore, containerization provides some extra security, because even if a container is compromised, the base system won’t usually be compromised immediately. Containers are highly disposable, so a compromised container can be killed quickly and a new, uncompromised container can be spun up from an image. Good logging practices (remember, logs should be stored outside of the container!) can then help identify how and why the container was compromised, and it can be prevented in the future.

As for viruses, Linux doesn’t usually require AV itself, but if it shares files with Windows machines regularly, you may want to install something like ClamAV.

Overall, running your web applications in containers is significantly more secure than running them directly on your Windows servers, because containerization provides some containment of threats. If a Windows box is compromised, you have to set it up new, whereas a container can just be switched out and won’t have access to the host beyond allowances made in setup.

All that said: You can certainly configure a container badly; opening a bunch of ports, saving secret keys within it, and so on, which all constitute terrible security practices. I suggest more research and matching to your requirements.

Good luck!
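
The configuration points raised in the reply above (published ports, secrets kept in the container, logs that outlive the container, host access granted at setup) can be checked against `docker inspect` output. The following is an added example, not part of the original thread; the sample JSON is constructed, and the secret-name hints and the choice of which log drivers to flag are assumptions of this check.

```python
import json

# Constructed sample of `docker inspect <container>` output, trimmed to the fields used.
SAMPLE_INSPECT = json.loads("""
[{
  "Name": "/webapp",
  "Config": {"Env": ["PATH=/usr/local/bin:/usr/bin", "DB_PASSWORD=example-only", "TZ=UTC"]},
  "HostConfig": {
    "Privileged": false,
    "LogConfig": {"Type": "json-file", "Config": {}},
    "PortBindings": {
      "443/tcp": [{"HostIp": "", "HostPort": "443"}],
      "5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}]
    }
  }
}]
""")

SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")  # assumed name patterns
LOCAL_ONLY_LOG_DRIVERS = {"none", "json-file", "local"}  # logs are deleted with the container
ALL_INTERFACES = {"", "0.0.0.0", "::"}  # an empty HostIp means every host interface

def audit_container(c):
    """Return a sorted list of findings for one `docker inspect` entry."""
    findings = []
    host = c.get("HostConfig", {})
    for port, bindings in (host.get("PortBindings") or {}).items():
        for b in bindings or []:
            if b.get("HostIp", "") in ALL_INTERFACES:
                findings.append(f"port {port} published on all host interfaces as {b.get('HostPort')}")
    for entry in c.get("Config", {}).get("Env") or []:
        name = entry.split("=", 1)[0]  # report the variable name only, never its value
        if any(hint in name.upper() for hint in SECRET_HINTS):
            findings.append(f"env var {name} looks like a secret stored in the container config")
    driver = host.get("LogConfig", {}).get("Type", "json-file")  # json-file is Docker's default
    if driver in LOCAL_ONLY_LOG_DRIVERS:
        findings.append(f"log driver '{driver}' keeps no logs once the container is removed")
    if host.get("Privileged"):
        findings.append("container runs privileged, with broad access to the host")
    return sorted(findings)

def audit(inspect_output):
    """Map each container name to its findings."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in inspect_output}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

To run it against real containers, replace the sample with the parsed output of `docker inspect` for the containers in question.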