Pivotal Cloud Foundry v1.10

Understanding Stemcell Security

This topic provides a description of the security measures that Pivotal uses to harden the Windows stemcell.

Local Group Policy Settings

The Windows stemcell contains a version of Windows Server 2012 R2 with a set of Local Group Policy settings optimized for security. These settings begin with the WS2012R2 Member Server Security Compliance v1.0 baseline, included in Microsoft Security Compliance Manager v4.0. For more information about this baseline, see the Microsoft Security Guidance blog.

Pivotal has collaborated with Microsoft to further harden the stemcell by applying additional Local Security Policy settings, following the security baseline recommended in Microsoft Security Compliance Manager. The table below lists these overrides to the baseline.

Note: Pivotal will continue to revise these settings as Microsoft releases updates.

Name                                                                                 Setting
-----------------------------------------------------------------------------------  --------------
Turn off Automatic Download and Install of updates                                   Enabled
Allow Remote Shell Access                                                            Disabled
Windows Firewall: Private: Display a notification                                    No
Windows Firewall: Domain: Display a notification                                     No
Windows Firewall: Public: Display a notification                                     No
Network access: Do not allow storage of passwords and credentials for network auth   Enabled
Access this computer from the network                                                Administrators
Deny log on as a batch job                                                           Guests
Deny log on as a service                                                             Guests
Deny log on through Remote Desktop Services                                          Guests
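As an added example (not code from the Pivotal documentation), the following PowerShell audit checks a booted stemcell VM against the overrides in the table above. It assumes the standard registry and user-rights locations that back these Group Policy settings, and it must run from an elevated prompt because secedit exports the local security policy.

```powershell
# Added audit script, not part of the Pivotal stemcell docs. Each check compares
# the value found on the VM with the override listed in the table above.

function Test-RegistryPolicy {
    param([string]$Name, [string]$Path, [string]$Value, $Expected)
    # A missing key or value yields $null, which counts as a failed check.
    $actual = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Value
    [pscustomobject]@{ Name = $Name; Expected = $Expected; Actual = $actual; Pass = ($actual -eq $Expected) }
}

# User-rights assignments are not in the registry; export the local policy and
# read the [Privilege Rights] section that secedit writes.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null
$rights = @{}
Get-Content $inf | Where-Object { $_ -match '^Se\w+\s*=' } | ForEach-Object {
    $k, $v = $_ -split '\s*=\s*', 2
    $rights[$k.Trim()] = $v.Trim()
}

function Test-UserRight {
    param([string]$Name, [string]$Privilege, [string]$ExpectedSid)
    # secedit lists principals as *SID; S-1-5-32-544 = Administrators, S-1-5-32-546 = Guests.
    # An exact match means no extra principals hold (or are exempt from) the right.
    $actual = $rights[$Privilege]
    [pscustomobject]@{ Name = $Name; Expected = "*$ExpectedSid"; Actual = $actual; Pass = ($actual -eq "*$ExpectedSid") }
}

$wf = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$results = @(
    Test-RegistryPolicy 'Turn off Automatic Download and Install of updates' 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' 'AutoDownload' 2
    Test-RegistryPolicy 'Allow Remote Shell Access' 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' 'AllowRemoteShellAccess' 0
    Test-RegistryPolicy 'Windows Firewall: Private: Display a notification' "$wf\PrivateProfile" 'DisableNotifications' 1
    Test-RegistryPolicy 'Windows Firewall: Domain: Display a notification' "$wf\DomainProfile" 'DisableNotifications' 1
    Test-RegistryPolicy 'Windows Firewall: Public: Display a notification' "$wf\PublicProfile" 'DisableNotifications' 1
    Test-RegistryPolicy 'Network access: Do not allow storage of passwords and credentials' 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'DisableDomainCreds' 1
    Test-UserRight 'Access this computer from the network' 'SeNetworkLogonRight' 'S-1-5-32-544'
    Test-UserRight 'Deny log on as a batch job' 'SeDenyBatchLogonRight' 'S-1-5-32-546'
    Test-UserRight 'Deny log on as a service' 'SeDenyServiceLogonRight' 'S-1-5-32-546'
    Test-UserRight 'Deny log on through Remote Desktop Services' 'SeDenyRemoteInteractiveLogonRight' 'S-1-5-32-546'
)

$results | Format-Table -AutoSize
Remove-Item $inf -ErrorAction SilentlyContinue
# Non-zero exit lets a pipeline fail the build when any override has drifted.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Running this against a VM built from a later stemcell is a quick way to confirm that the overrides survived any image customization performed after the stemcell was built.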