1
00:00:02,590 --> 00:00:05,079
Are there any additional security recommendations specific

2
00:00:05,080 --> 00:00:06,319
for Windows containers? Windows containers, unfortunately,

3
00:00:08,500 --> 00:00:10,180
are a whole, totally different thing.

4
00:00:10,840 --> 00:00:13,861
Because Windows containers don't have SELinux, or AppArmor,

5
00:00:14,380 --> 00:00:16,046
or Seccomp, or Linux capabilities.

6
00:00:16,259 --> 00:00:18,489
They're Windows-specific.

7
00:00:18,790 --> 00:00:22,179
So, it would honestly end up being largely a different

8
00:00:22,180 --> 00:00:23,180
list.

9
00:00:23,358 --> 00:00:26,229
Things that aren't related are things like

10
00:00:27,190 --> 00:00:29,248
scanning your images. Things like scanning

11
00:00:30,190 --> 00:00:32,960
your code, right. Just using Docker would be

12
00:00:33,670 --> 00:00:34,670
on that list.

13
00:00:34,970 --> 00:00:37,140
Look at the first one there. Scanning your host.

14
00:00:37,360 --> 00:00:40,449
Well, there is... as far as I know, there is no Docker Bench

15
00:00:40,450 --> 00:00:42,219
for Windows. So, you couldn't do that.

16
00:00:43,600 --> 00:00:45,280
Running your apps in containers as root.

17
00:00:45,530 --> 00:00:46,743
Same thing in Windows.

18
00:00:47,140 --> 00:00:49,689
Run your apps as not the Administrator user.

19
00:00:50,050 --> 00:00:51,489
You would do that on Windows.

20
00:00:52,690 --> 00:00:54,860
User namespaces, I do not believe, is a thing on Windows.

21
00:00:55,840 --> 00:00:59,080
Windows has, for about every single one of these kernel

22
00:00:59,170 --> 00:01:00,660
features, they don't have the same name.

23
00:01:00,661 --> 00:01:02,260
They have something else that's similar.

24
00:01:02,680 --> 00:01:04,533
It wouldn't be called user namespaces.

25
00:01:05,470 --> 00:01:08,116
You could definitely do number five, code scanning for

26
00:01:08,170 --> 00:01:11,182
Windows. You could scan Windows images, but a

27
00:01:12,780 --> 00:01:14,163
lot of scanners don't support Windows.

28
00:01:14,820 --> 00:01:17,459
You're going to have to find a very specific image scanner

29
00:01:17,940 --> 00:01:20,787
that is designed for Windows dependencies, you know,

30
00:01:21,900 --> 00:01:25,099
like .NET 3.5 vulnerabilities, or

31
00:01:25,450 --> 00:01:27,350
you know, .NET Core 2.0 vulnerabilities.

32
00:01:27,780 --> 00:01:28,780
Stuff like that.

33
00:01:29,700 --> 00:01:31,319
The next one, running bad behavior.

34
00:01:31,470 --> 00:01:33,840
This is only, as far as I know, this is only for Linux.

35
00:01:34,200 --> 00:01:35,606
I do not believe Falco works on Windows.

36
00:01:36,470 --> 00:01:39,390
Content trust is a general industry

37
00:01:39,420 --> 00:01:42,560
practice. It's not so specific for production containers.

38
00:01:42,630 --> 00:01:45,689
So, you can definitely sign images and sign code on

39
00:01:45,690 --> 00:01:46,690
the Windows side.

40
00:01:47,040 --> 00:01:48,720
Then, you would enable Docker.

41
00:01:48,780 --> 00:01:51,279
I'm not sure if the Docker Engine has this feature,

42
00:01:51,990 --> 00:01:54,989
so you can click this link essentially and read

43
00:01:54,990 --> 00:01:57,959
about content trust and find out if Docker supports the

44
00:01:57,960 --> 00:01:59,353
Engine features for that on Windows.

45
00:02:00,840 --> 00:02:03,029
These obviously would not apply because these are Linux-

46
00:02:03,030 --> 00:02:04,030
specific.

47
00:02:04,290 --> 00:02:06,980
Then, Docker Rootless does not run on Windows,

48
00:02:07,320 --> 00:02:08,540
as far as I know. You can't do that on Windows.

49
00:02:09,720 --> 00:02:12,270
That's a really quick way to get through the Windows list

50
00:02:12,300 --> 00:02:13,319
and that's a great question.

51
00:02:13,620 --> 00:02:15,889
I'm glad you asked about that one.