This topic provides information about the security hardening of Microsoft Windows stemcells.
A stemcell is a versioned OS image that is customized based on IaaS. A typical stemcell contains the OS image with common utilities, a BOSH agent, and configuration files to securely configure the OS.
Stemcell hardening is the process of securing a stemcell by reducing its attack surface. The attack surface of a stemcell is smaller when the system performs fewer functions. For example, a single-function system is more secure than a multipurpose one.
Microsoft baseline security standard
Windows Stemcells for both Tanzu Platform for Cloud Foundry and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) follow the Microsoft Baseline Security Standard.
Windows stemcells do not yet align completely with the Microsoft Baseline Security Standard. For details about the ways in which Windows stemcell hardening differs from the Microsoft Baseline Security Standard, contact Tanzu Support.
For more information about Microsoft Baseline Security Standard and to download security configuration baselines for Windows, see Microsoft Security Compliance Toolkit on the Microsoft website.
Audit policies
Audit policies for Windows Server 2019 stemcells are based on the Microsoft Baseline Security Standard. Audit policies record security-relevant events so that you can better audit and investigate activity in your environment.
The following list includes some of the key audit policies applied to Windows Server 2019 stemcells:
Log success and failure audit events of user logins and logouts for Windows VMs
Log audit events related to object access on Windows VMs
Log audit events related to policy changes on Windows VMs
Firewall settings
Windows Server 2019 stemcells align with the firewall behavior recommended by the Microsoft Baseline Security Standard. However, they are not fully compliant with the Microsoft Baseline Security Standard.
The Windows stemcells block all inbound requests and permit all outbound requests. Specific ports are open for communication between Tanzu Operations Manager components and the Windows VM.
For more information about the firewall rules for the Windows Server 2019 stemcells, contact Tanzu Support.
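The following script is an added example, not part of the stemcell or of this documentation: it verifies on a VM built from a Windows Server 2019 stemcell that the audit policies listed above are in effect and that the firewall profiles block inbound and allow outbound traffic by default, and it lists the enabled inbound exceptions for review. The expected values are assumptions taken from the prose on this page rather than an exported baseline.

```powershell
# Added hardening check; not part of the stemcell or of this documentation.
# Run in an elevated PowerShell session on a VM built from a Windows Server 2019 stemcell.
# Expected values are assumptions taken from the prose on this page, not an exported baseline.

$findings = [System.Collections.Generic.List[string]]::new()

# --- Audit policies ---
# "auditpol /get /r" emits CSV with the columns Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
# English subcategory names are assumed.
function Get-AuditRows([string]$Category) {
    auditpol /get "/category:$Category" /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
}

# Logins and logouts: the page states that both success and failure are logged.
foreach ($row in (Get-AuditRows 'Logon/Logoff' | Where-Object Subcategory -in 'Logon', 'Logoff')) {
    if ($row.'Inclusion Setting' -ne 'Success and Failure') {
        $findings.Add("Audit '$($row.Subcategory)' is '$($row.'Inclusion Setting')', expected 'Success and Failure'")
    }
}

# Object access and policy changes: the page only says they are logged, so flag
# a category in which nothing at all is audited.
foreach ($category in 'Object Access', 'Policy Change') {
    $audited = Get-AuditRows $category | Where-Object 'Inclusion Setting' -ne 'No Auditing'
    if (-not $audited) { $findings.Add("No subcategory of '$category' is audited") }
}

# --- Firewall ---
# Every profile should be enabled, block inbound by default and allow outbound by default.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block' -or $p.DefaultOutboundAction -ne 'Allow') {
        $findings.Add("Profile $($p.Name): Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction) Outbound=$($p.DefaultOutboundAction)")
    }
}

# The inbound exceptions are the ports opened for Tanzu Operations Manager components;
# list them so they can be compared with the rule set obtained from Tanzu Support.
Write-Host 'Enabled inbound allow rules:'
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    '{0,-45} {1,-5} {2}' -f $_.DisplayName, $pf.Protocol, ($pf.LocalPort -join ',')
}

if ($findings.Count -eq 0) { Write-Host 'All checks passed.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Any warning printed indicates a deviation from the behavior this page describes and is worth raising with Tanzu Support alongside the rule set they provide.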