Windows Stemcell Hardening

This topic describes the security measures that Pivotal uses to harden the Windows 2016 stemcell.

Note: This document applies to Windows stemcell v1709.x.

Local Group Policy Settings

The Windows stemcell contains a version of Windows Server 2016 with a set of Local Group Policy settings optimized for security. These settings begin with the WS2016 Member Server Security Compliance v1.0 baseline, included in Microsoft Security Compliance Manager v4.0. For more information about this baseline, see Windows Security Baselines.

Pivotal has collaborated with Microsoft to further harden the stemcell by implementing additional Local Security Policy settings, according to the recommended security baseline defined in Microsoft Security Compliance Manager. The table below lists these overrides.

Note: Pivotal will continue to revise these settings as Microsoft releases updates.

| Name | Setting |
|------|---------|
| Turn off Automatic Download and Install of updates | Enabled |
| Allow Remote Shell Access | Disabled |
| Windows Firewall: Private: Display a notification | No |
| Windows Firewall: Domain: Display a notification | No |
| Windows Firewall: Public: Display a notification | No |
| Network access: Do not allow storage of passwords and credentials for network auth | Enabled |
| Access this computer from the network | Administrators |
| Deny log on as a batch job | Guests |
| Deny log on as a service | Guests |
| Deny log on through Remote Desktop Services | Guests |
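The following audit script is an added example, not part of Pivotal's documentation or the stemcell tooling. Run it elevated on a VM built from the stemcell to compare the live policy state with the overrides in the table; the registry values, `Get-NetFirewallProfile` property and `secedit` privilege names are the standard policy-backing values, except the Store `AutoDownload` mapping, which is an assumption to confirm against your ADMX files.

```powershell
# Added audit script (not Pivotal's code). Run elevated; compares a host with the table above.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Name, $Expected, $Actual) {
    $findings.Add([pscustomobject]@{
        Setting = $Name; Expected = "$Expected"; Actual = "$Actual"
        Pass    = ("$Expected" -eq "$Actual")
    })
}

# Allow Remote Shell Access: Disabled -> WinRS policy value AllowRemoteShellAccess = 0
$winrs = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' -ErrorAction SilentlyContinue
Add-Finding 'Allow Remote Shell Access (AllowRemoteShellAccess)' 0 $winrs.AllowRemoteShellAccess

# Turn off Automatic Download and Install of updates: Enabled
# ASSUMPTION: this is the Store policy backed by AutoDownload = 4; confirm against your ADMX.
$store = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' -ErrorAction SilentlyContinue
Add-Finding 'Turn off Automatic Download and Install of updates (AutoDownload)' 4 $store.AutoDownload

# Windows Firewall: Display a notification = No, on all three profiles
foreach ($fwProfile in 'Domain', 'Private', 'Public') {
    $fw = Get-NetFirewallProfile -Name $fwProfile
    Add-Finding "Windows Firewall: ${fwProfile}: Display a notification" $false $fw.NotifyOnListen
}

# Network access: Do not allow storage of passwords and credentials: Enabled -> DisableDomainCreds = 1
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Add-Finding 'Do not allow storage of passwords and credentials (DisableDomainCreds)' 1 $lsa.DisableDomainCreds

# User rights assignments are read from a secedit export ([Privilege Rights] section).
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null
$rights = @{}
Get-Content $inf | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') { $rights[$Matches[1]] = ($Matches[2] -split ',').Trim() }
}
Remove-Item $inf

# Well-known SIDs: *S-1-5-32-544 = Administrators, *S-1-5-32-546 = Guests
$expected = @{
    SeNetworkLogonRight               = '*S-1-5-32-544'  # Access this computer from the network
    SeDenyBatchLogonRight             = '*S-1-5-32-546'  # Deny log on as a batch job
    SeDenyServiceLogonRight           = '*S-1-5-32-546'  # Deny log on as a service
    SeDenyRemoteInteractiveLogonRight = '*S-1-5-32-546'  # Deny log on through Remote Desktop Services
}
foreach ($right in $expected.Keys) {
    Add-Finding $right $expected[$right] (@($rights[$right] | Sort-Object) -join ',')
}

$findings | Format-Table Setting, Expected, Actual, Pass -AutoSize
```

A row with `Pass` equal to `False` means the host drifted from the baseline (or the policy is stored in a different location than assumed) and should be investigated before the VM is trusted.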