Understanding Stemcell Security
This topic provides a description of the security measures that Pivotal uses to harden the Windows stemcell.
The Windows stemcell contains a version of Windows Server 2012 R2 with a set of Local Group Policy settings optimized for security. These settings begin with the WS2012R2 Member Server Security Compliance v1.0 baseline, included in Microsoft Security Compliance Manager v4.0. For more information about this baseline, see the Microsoft Security Guidance blog.
Pivotal has collaborated with Microsoft to further harden the stemcell by implementing Local Security Policy settings in line with the recommended security baseline defined in Microsoft Security Compliance Manager. The table below lists these overrides.
Note: Pivotal will continue to revise these settings as Microsoft releases updates.
| Setting | Value |
|---|---|
| Turn off Automatic Download and Install of updates | Enabled |
| Allow Remote Shell Access | Disabled |
| Windows Firewall: Private: Display a notification | No |
| Windows Firewall: Domain: Display a notification | No |
| Windows Firewall: Public: Display a notification | No |
| Network access: Do not allow storage of passwords and credentials for network auth | Enabled |
| Access this computer from the network | Administrators |
| Deny log on as a batch job | Guests, Vcap |
| Deny log on as a service | Guests, Vcap |
| Deny log on through Remote Desktop Services | Guests |
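The following PowerShell script is an added example for verifying the overrides in the table on a running instance built from the stemcell; it is not Pivotal's or Microsoft's code. It reads the user rights assignments from a `secedit` export and the policy-backed settings from the registry. The mapping from each policy display name to a `secedit` privilege name or registry value (`NoAutoUpdate`, `AllowRemoteShellAccess`, `DisableNotifications`, `DisableDomainCreds` and their paths) is an assumption made here, not something the page states; run it from an elevated PowerShell session.

```powershell
# Added audit script (not Pivotal's or Microsoft's code): checks the stemcell
# override table on a running Windows instance. Registry paths and the
# policy-name -> privilege mapping are assumptions; run as Administrator.
$ErrorActionPreference = 'Stop'

# --- User rights assignments, read from a secedit export --------------------
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$userRights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        # secedit writes principals as *SID; normalise to bare SIDs
        $userRights[$Matches[1]] = @($Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}
Remove-Item $cfg -Force

function Resolve-Sid([string]$Name) {
    # Translate an account or group name to its SID; $null if the account is absent
    try { (New-Object System.Security.Principal.NTAccount($Name)).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}

# Expected membership from the override table. Exact = $true means no other
# principal may hold the right; for deny lists, extra entries are acceptable.
$expectedRights = @{
    'SeNetworkLogonRight'               = @{ Name = 'Access this computer from the network';        Members = @('Administrators'); Exact = $true }
    'SeDenyBatchLogonRight'             = @{ Name = 'Deny log on as a batch job';                   Members = @('Guests', 'Vcap'); Exact = $false }
    'SeDenyServiceLogonRight'           = @{ Name = 'Deny log on as a service';                     Members = @('Guests', 'Vcap'); Exact = $false }
    'SeDenyRemoteInteractiveLogonRight' = @{ Name = 'Deny log on through Remote Desktop Services';  Members = @('Guests');         Exact = $false }
}

$results = @(foreach ($priv in $expectedRights.Keys) {
    $spec     = $expectedRights[$priv]
    $actual   = @($userRights[$priv])
    $wantSids = @($spec.Members | ForEach-Object { Resolve-Sid $_ } | Where-Object { $_ })
    $missing  = @($wantSids | Where-Object { $actual -notcontains $_ })
    $extra    = if ($spec.Exact) { @($actual | Where-Object { $wantSids -notcontains $_ }) } else { @() }
    [pscustomobject]@{
        Setting  = $spec.Name
        Expected = ($spec.Members -join ', ')
        Pass     = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        Detail   = if ($missing) { "missing: $($missing -join ',')" }
                   elseif ($extra) { "unexpected: $($extra -join ',')" } else { '' }
    }
})

# --- Policy-backed registry values (paths are assumptions, not from the page) --
$registryChecks = @(
    @{ Setting = 'Turn off Automatic Download and Install of updates'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';         Name = 'NoAutoUpdate';            Expected = 1 }
    @{ Setting = 'Allow Remote Shell Access'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS';      Name = 'AllowRemoteShellAccess';  Expected = 0 }
    @{ Setting = 'Windows Firewall: Domain: Display a notification'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';    Name = 'DisableNotifications';    Expected = 1 }
    @{ Setting = 'Windows Firewall: Private: Display a notification'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile';   Name = 'DisableNotifications';    Expected = 1 }
    @{ Setting = 'Windows Firewall: Public: Display a notification'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile';    Name = 'DisableNotifications';    Expected = 1 }
    @{ Setting = 'Network access: Do not allow storage of passwords and credentials for network auth'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'DisableDomainCreds';      Expected = 1 }
)

$results += @(foreach ($c in $registryChecks) {
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Setting  = $c.Setting
        Expected = $c.Expected
        Pass     = ($value -eq $c.Expected)
        Detail   = if ($null -eq $value) { 'value not set' } else { "actual: $value" }
    }
})

$results | Format-Table -AutoSize
# Non-zero exit so the check can gate an image-validation pipeline
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

A missing registry value reports as `value not set` rather than as a pass, because an absent policy key means the default (not the hardened) behaviour applies. The deny-logon checks only require the listed principals to be present, since adding further principals to a deny list tightens rather than loosens the policy, whereas the network-logon check is exact.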