Improve security documentation with warning around windows containers (#21929)

## Description

Some background dialog between security, desktop, moby teams and some
security researchers. At the present time, this is an accepted risk in
Docker Desktop installations for Windows and should be clarified in
better detail.

## Related issues or tickets

PSEC-1839

## Reviews

<!-- Notes for reviewers here -->
<!-- List applicable reviews (optionally @tag reviewers) -->

- [ ] Technical review @gabriellavengeo 
- [ ] Editorial review
- [ ] Product review

---------

Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com>
This commit is contained in:
twelsh-aw 2025-01-30 08:54:14 -05:00 committed by GitHub
parent 1fe65be5b5
commit 04d0957128
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 6 additions and 2 deletions

View File

@ -210,7 +210,7 @@ By default, Docker Desktop is installed at `C:\Program Files\Docker\Docker`.
The `install` command accepts the following flags:
- `--quiet`: Suppresses information output when running the installer
- `--accept-license`: Accepts the [Docker Subscription Service Agreement](https://www.docker.com/legal/docker-subscription-service-agreement) now, rather than requiring it to be accepted when the application is first run
- `--no-windows-containers`: Disables the Windows containers integration
- `--no-windows-containers`: Disables the Windows containers integration. This can improve security. For more information, see [Windows containers](/manuals/desktop/setup/install/windows-permission-requirements.md#windows-containers).
- `--allowed-org=<org name>`: Requires the user to sign in and be part of the specified Docker Hub organization when running the application
- `--backend=<backend name>`: Selects the default backend to use for Docker Desktop, `hyper-v`, `windows` or `wsl-2` (default)
- `--installation-dir=<path>`: Changes the default installation location (`C:\Program Files\Docker\Docker`)

View File

@ -67,7 +67,11 @@ isolated from the Docker daemon and other services running inside the VM.
## Windows Containers
Unlike the Linux Docker engine and containers which run in a VM, Windows containers are an operating system feature, and run directly on the Windows host with `Administrator` privileges. For organizations who don't want their developers to run Windows containers, a `no-windows-containers` installer flag is available from version 4.11 to disable their use.
> [!WARNING]
>
> Enabling Windows containers has important security implications.
Unlike the Linux Docker Engine and containers which run in a VM, Windows containers are implemented using operating system features, and run directly on the Windows host. If you enable Windows containers during installation, the `ContainerAdministrator` user used for administration inside the container is a local administrator on the host machine. Enabling Windows containers during installation makes it so that members of the `docker-users` group are able to elevate to administrators on the host. For organizations who don't want their developers to run Windows containers, a `-no-windows-containers` installer flag is available to disable their use.
## Networking