The containerization of Windows Watch Now

Unless you've been living under a rock in the IT space, you probably have heard the word "containers" used a lot in the last several years. Maybe you've heard references to Docker or Rocket or even management/orchestration solutions like Puppet or Kubernetes.

As a refresher, a container is a form of lightweight virtualization. An application or process running in a container uses the operating system kernel and system resources, but each container is isolated from the operating system and from other containers, behaving as if it's running in a separate instance of the operating system.

To prevent malicious actions, any outside communication from a containerized app has to be brokered by the operating system, which enforces strict rules that constitute a security boundary.

Because of their modular nature and how they are packaged, they can be easily deployed and migrated.

An example of how this is used in a public cloud like Azure might be a web farm, database as a service, or a big data application like Hadoop. For each tenant (an organization with a cloud subscription), Azure runs these virtual servers and apps in their own containers, which are isolated from other containers for security reasons.

You might not actually see the containerization at work, but you consume it as a service when those containers are rapidly provisioned.

When it comes to data centers and enterprise applications, containerization is the prevailing technology that will make applications scale and bring about the disruption needed to swing the balance away from on-premises infrastructure to the public cloud.

For many of us watching this space, containers are the wonder medicine for increasing density, for providing the economics at a scale that enables us to end the argument of "Do I really need to own my own server equipment?" once and for all.

But to someone who uses a PC running a desktop OS like Windows 10 Pro, all that talk of containerization might as well be written in Klingon. Application scale? Server density? What?

PC users care about a few things. They care that their desktop applications run, that they can get to their data, that they have connectivity, and that their security doesn't get compromised.

Unfortunately, people who use PCs often opt for convenience over security, when given a choice. Any security mechanism that feels annoying or restrictive is rejected or worked around or disabled. Decades of research into user behavior have proven this.

You can have the best security mechanisms in the world, but if you don't enforce those mechanisms, they might as well not even exist. And things might seem just fine with security features disabled or downgraded until it is too late.

(Image: ZDNet)

Microsoft's long-term strategy for securing Windows apps is to build security into the fundamental architecture of how those applications run on the desktop. And that way is through containerization.

Depending on how you run applications, different methods of containerization will be used. Some are already built into Windows 10 today. Others will be ready in a few years and will show up first in Azure.

In essence, this is enterprise-grade cloud security technology being distilled for the masses, through a trickle-down approach -- in roughly the same way the U.S. space program was used as a way to research advanced materials like carbon fiber and Velcro, which eventually made their way into consumer products.

At Microsoft, these containerization technologies have distinct code names, and as Windows Internals co-author Alex Ionescu explains, they are the 'noble gases' of Windows 10: Helium, Argon, Krypton, and Xenon.

Helium, or application siloing, exists in Windows 10 today as part of the Creators Update, and especially Windows 10 S. This technology enables legacy Win32 applications to be ported to the Windows Store, using the Desktop Bridge (formerly code-named Project Centennial) to package apps.

Application silos allow legacy Windows apps to install and update like native Modern Windows 10 apps. These converted desktop apps have full access to system resources, but use a virtual file system and virtualized registry entries like those associated with User Account Control (UAC) virtualization.

A Helium-based container isn't a security boundary in the way that a Hyper-V virtual machine is. It lives on top of the existing registry and file system. You can think of it as the next generation of UAC but applied at an application level rather than a machine level.

The next two technologies, Argon and Krypton containerization, are used today in Docker on Windows Server and within Azure itself.

These technologies don't exist in desktop versions of Windows 10 yet. A complex set of changes is required to the Windows kernel to allow full isolation, redirection, and virtualization. It potentially breaks application compatibility, and the apps may need to be re-architected to take advantage of it.

To deploy Argon containers, you need a modified base Windows OS image with additional "layers" sitting on top. It effectively makes the OS highly modularized, which brings about many improvements in terms of how easy it is to patch and secure the environment.

Right now, the Windows 10 client and desktop applications aren't optimized for this type of containerization but read on.

The remaining two technologies, Krypton and Xenon, add a special, trimmed-down version of Hyper-V -- referred to as a Microvisor -- to the mix, which provides a new security scenario referred to as Hostile Multitenant.

Right now, this type of virtualization is in use in Azure itself.

Hostile Multitenant (Hyper-V containers) when used on the desktop, has a number of advantages. Each application, instead of being in a container and sharing a kernel with other containers, literally runs in its own tiny virtual machine, or Micro-VM.

This is full, enterprise-grade isolation -- containers on top of virtualization.

A Micro-VM puts the application on a "need-to-know" basis and only provisions out exactly what it needs in order to function. For example, it doesn't have access to every library on the system; only the ones that it needs to run.

This is similar to the Just Enough OS (JeOS) approach used when designing IoT devices and other efficient embedded systems. Along with the isolation, this reduces the attack vector significantly.

The only product that uses this type of virtualization on the market right now is Bromium vSentry. It has hardware dependencies -- your chip needs to support specific 64-bit virtualization features -- and, yes, you need changes to the OS and apps to support it.

Bromium has a special version of Chrome that it runs in order to provide its isolation, for example.

In the Fall Creators Update, when enabled on supported hardware in Windows 10 Enterprise, the Microsoft Edge browser will take full advantage of Krypton using a feature known as Windows Defender Application Guard.

None of the other Windows applications do yet, but they are coming. Expect to see this technology in wider use when Office becomes a full-blown Modern Windows 10 app.

Xenon takes this a step even further by running the entire operating system within a virtual machine by placing a Windows Argon (Docker) container on top of Hyper-V.

All of these technologies, taken together, will eventually form the basis of the complete Windows security toolbox.

In three years, all of Windows becomes Dockerized. Welcome to the Matrix. Talk Back and Let Me Know.

Related stories: