From 04d0957128f2cc3bf78790872de62328c959382a Mon Sep 17 00:00:00 2001 From: twelsh-aw <84401379+twelsh-aw@users.noreply.github.com> Date: Thu, 30 Jan 2025 08:54:14 -0500 Subject: [PATCH] Improve security documentation with warning around windows containers (#21929) ## Description Some background dialog between security, desktop, moby teams and some security researchers. At the present time, this is an accepted risk in Docker Desktop installations for Windows and should be clarified in better detail. ## Related issues or tickets PSEC-1839 ## Reviews - [ ] Technical review @gabriellavengeo - [ ] Editorial review - [ ] Product review --------- Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> --- content/manuals/desktop/setup/install/windows-install.md | 2 +- .../setup/install/windows-permission-requirements.md | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/content/manuals/desktop/setup/install/windows-install.md b/content/manuals/desktop/setup/install/windows-install.md index 21f4e77111..2e416eecbf 100644 --- a/content/manuals/desktop/setup/install/windows-install.md +++ b/content/manuals/desktop/setup/install/windows-install.md @@ -210,7 +210,7 @@ By default, Docker Desktop is installed at `C:\Program Files\Docker\Docker`. The `install` command accepts the following flags: - `--quiet`: Suppresses information output when running the installer - `--accept-license`: Accepts the [Docker Subscription Service Agreement](https://www.docker.com/legal/docker-subscription-service-agreement) now, rather than requiring it to be accepted when the application is first run -- `--no-windows-containers`: Disables the Windows containers integration +- `--no-windows-containers`: Disables the Windows containers integration. This can improve security. For more information, see [Windows containers](/manuals/desktop/setup/install/windows-permission-requirements.md#windows-containers). - `--allowed-org=`: Requires the user to sign in and be part of the specified Docker Hub organization when running the application - `--backend=`: Selects the default backend to use for Docker Desktop, `hyper-v`, `windows` or `wsl-2` (default) - `--installation-dir=`: Changes the default installation location (`C:\Program Files\Docker\Docker`) diff --git a/content/manuals/desktop/setup/install/windows-permission-requirements.md b/content/manuals/desktop/setup/install/windows-permission-requirements.md index aded11b07d..32917e4210 100644 --- a/content/manuals/desktop/setup/install/windows-permission-requirements.md +++ b/content/manuals/desktop/setup/install/windows-permission-requirements.md @@ -67,7 +67,11 @@ isolated from the Docker daemon and other services running inside the VM. ## Windows Containers -Unlike the Linux Docker engine and containers which run in a VM, Windows containers are an operating system feature, and run directly on the Windows host with `Administrator` privileges. For organizations who don't want their developers to run Windows containers, a `–no-windows-containers` installer flag is available from version 4.11 to disable their use. +> [!WARNING] +> +> Enabling Windows containers has important security implications. + +Unlike the Linux Docker Engine and containers which run in a VM, Windows containers are implemented using operating system features, and run directly on the Windows host. If you enable Windows containers during installation, the `ContainerAdministrator` user used for administration inside the container is a local administrator on the host machine. Enabling Windows containers during installation makes it so that members of the `docker-users` group are able to elevate to administrators on the host. For organizations who don't want their developers to run Windows containers, a `-–no-windows-containers` installer flag is available to disable their use. ## Networking