logo

Windows Server 2016 Containers

You can improve the security of your application development infrastructure by reducing the size and scope of application and compute resources. One way to do this is to containerize workloads. Windows Server and Microsoft Hyper-V containers enable you to isolate workloads from each other and the OS. Even if a container is compromised by an attacker, it will be difficult for the attacker to access the host OS. Containers also provide a standardized environment for development, test and production teams.

Containers

Containers provide an isolated and portable operating environment for apps. From the app’s perspective, a container appears to be a complete, isolated Windows OS with its own file system, devices and configuration. Therefore, in many respects, containers are like VMs because they run an OS, they support a file system, and you can access them across a network similar to any other physical machine or VM.

Containers are virtual environments that share the kernel of the host OS but provide user space isolation, so they provides an ideal environment in which an app can run without affecting the rest of the user mode components of the OS and without the other user mode components affecting the app. Using containers, developers can create and test apps quickly in an isolated environment while using only a few OS resources. This means that containers do not need all of the processes and services that an OS on a VM might use.

Windows Server 2016 supports two types of containers:

  • Windows Server containers. These containers provide app isolation through the process and namespace isolation technology. Windows Server containers share the OS kernel with the container host and with all other containers that run on the host.
  • Hyper-V containers. These containers expand on the isolation that Windows Server containers provide by running each container in a highly optimized VM.

Using containers has multiple benefits. The reduced OS size means that you must maintain fewer operating-system components, which in turn results in fewer potential security risks. The reduced OS size also helps improves scalability.

Docker

To run an application workload in a container, you must use Docker. Docker is a collection of open-source tools and cloud-based services that provide a common model for packaging (containerizing) app code into a standardized unit for software development. This standardized unit, or Docker container, is software that is wrapped in a complete file system that includes everything it needs to run, including code, runtime, system tools, system libraries, and anything else you can install on a server. You must download Docker separately; it is not part of the Windows Server 2016 installation media.

Nano Server

Microsoft Nano Server is a fairly new installation option for Windows Server 2016. It is a lightweight operating system tailored for use with virtualized container instances. There is no UI; you must manage Nano Server remotely using PowerShell, but this PowerShell differs from the standard one. As of Windows Server version 1803, Nano Server is available only as a container-based OS image, and you must run it as a container in a container host, such as Docker. You can troubleshoot these new Nano containers using Docker and run them in IoT Core.

A Nano Server instance cannot function as an Active Directory domain controller. In particular, it does not support the following features:

  • Group Policy
  • Network interface card teaming
  • Virtual host bus adapters
  • Proxy server access to the internet
  • System Center Configuration Manager
  • System Center Data Protection Manager

Nano Server supports the following roles:

  • File Services
  • Hyper-V
  • IIS
  • DNS Server

Which containers do you use in your IT environment?

Loading ... Loading ...

FAQ

How do you secure Windows Server 2016 containers against privilege escalation?

Securing Windows containers starts with identity – because data security that starts with identity means controlling who can access what at the container level. Windows Server 2016 containers run with process isolation by default, which provides some protection, but you need layered security controls to prevent privilege escalation attacks.

First, implement least privilege principles by running containers with non-administrator user accounts whenever possible. Use the USER directive in your Dockerfile to specify a low-privilege account, and avoid running containers as Local System or Administrator unless absolutely necessary. Configure container resource limits to prevent resource exhaustion attacks that could lead to privilege escalation.

Implement group-managed service accounts (gMSAs) for containers that need domain authentication – this provides automatic password management and reduces credential exposure. Set up Windows Defender Application Control policies to restrict which applications can run within your containers, creating an additional barrier against malicious code execution.

For enhanced isolation, use Hyper-V containers instead of Windows Server containers when handling sensitive data. Hyper-V containers provide hardware-level isolation that makes lateral movement much harder for attackers. Monitor container access and authentication events continuously – you can’t manage what you can’t see, and spotting risky behavior before it turns into a breach requires real-time visibility into container activity.

Enable Windows Event Forwarding to centralize container security logs, and configure Security Event Log monitoring for authentication failures, privilege escalation attempts, and suspicious process creation within containers. Regular security scanning of container images before deployment helps prevent known vulnerabilities from reaching production environments.

What are the identity management implications of Windows containers?

Windows containers inherit the security context of the host, which creates unique identity management challenges that directly impact your data security posture. Unlike traditional VMs, containers share the host OS kernel, so compromised container credentials can potentially affect the entire host system.

Container processes run under specific Windows user accounts, and these identities determine what data and system resources each container can access. When you deploy containers at scale, you’re essentially multiplying your identity attack surface – each container becomes a potential entry point for credential theft or lateral movement attacks.

The practical impact is that your container identity strategy needs to integrate with your broader identity governance program. Use group-managed service accounts (gMSAs) for container processes that need domain authentication – gMSAs provide automatic password management and eliminate the need to store credentials in container images. Implement identity-based access controls that treat container identities like any other privileged account in your environment, with proper rotation, monitoring, and least privilege enforcement.

Consider container-specific identity challenges like credential persistence across container restarts, secure credential injection methods, and managing service account lifecycles in dynamic container environments. Your identity management solution should provide visibility into which containers are using which identities and what resources they’re accessing.

How do you audit Windows container access and permissions?

Effective container auditing requires visibility into both host-level and container-level activities – because attackers are logging in, not just breaking in. Windows containers generate security events through the standard Windows event logging system, but you need to configure additional logging to capture container-specific activities.

Enable container runtime logging to track container creation, modification, and deletion events. Configure Windows Event Logging to capture authentication events, privilege escalation attempts, and resource access patterns within containers. Focus on monitoring unusual access patterns, such as containers accessing files outside their expected data volumes or making unexpected network connections.

The key is correlating container activity with your broader security monitoring strategy. Container access events should feed into your identity and access governance program alongside traditional user account monitoring. Set up automated alerts for high-risk container behaviors like attempts to access sensitive data repositories or escalate privileges beyond the container’s intended scope. This proactive approach helps you spot risky behavior before it turns into a breach.

Implement file system auditing for sensitive directories that containers shouldn’t access, and monitor process creation events within containers to detect unauthorized executable launches. Use PowerShell logging to capture administrative activities within containers, particularly for containers that run automation scripts or administrative tools.

What Windows container security monitoring best practices should you follow?

Container security monitoring requires a different approach than traditional server monitoring because containers are ephemeral and create dynamic attack surfaces. Start with baseline monitoring of container lifecycle events – creation, start, stop, and deletion – to establish normal operational patterns.

Monitor network traffic at both the host and container level to detect unusual communication patterns that might indicate lateral movement or data exfiltration attempts. Track resource consumption metrics like CPU, memory, and disk usage to identify potential denial-of-service attacks or cryptomining activities within containers.

Implement real-time monitoring of container file system changes, especially for containers that shouldn’t be writing to disk. Use Windows Performance Toolkit and container-specific monitoring tools to track process execution within containers, watching for unauthorized processes or unexpected privilege escalation attempts. The goal is enhanced visibility and control – you need to see what’s happening across your container environment to take effective security action.

Configure monitoring for container-specific security events like image pulls from unauthorized registries, containers running with excessive privileges, or containers attempting to access host system resources. Set up alerting for containers that deviate from their expected behavior patterns, such as making network connections to unusual destinations or consuming resources beyond normal baselines.

How do you troubleshoot Windows container authentication issues?

Container authentication problems often stem from misconfigured service accounts or improper credential management between the host and container environments. Start by verifying that your container is using the correct Windows identity – check the security context under which container processes are running using tools like Process Monitor or Windows Event Viewer.

Common authentication failures occur when containers can’t access domain resources due to credential delegation issues. If your container needs to authenticate to Active Directory or other domain services, ensure you’re using group-managed service accounts (gMSAs) rather than traditional service accounts. gMSAs provide automatic password management and are designed specifically for container scenarios.

Check Windows Event Logs on both the container host and domain controllers for authentication-related errors. Look for Event IDs related to logon failures, Kerberos authentication issues, or NTLM authentication problems. Use tools like Network Monitor or Wireshark to capture authentication traffic and identify where the authentication chain is breaking. Remember that container authentication issues often indicate broader identity management problems that could affect your overall security posture.

Verify that your container host is properly joined to the domain and that the required Windows features (like Active Directory module for PowerShell) are installed. Check DNS resolution within containers to ensure they can reach domain controllers. If using credential delegation, confirm that the container host account has the necessary delegation permissions in Active Directory.

Product Evangelist at Netwrix Corporation, writer, and presenter. Ryan specializes in evangelizing cybersecurity and promoting the importance of visibility into IT changes and data access. As an author, Ryan focuses on IT security trends, surveys, and industry insights.