Windows Stemcell Hardening
This topic describes the security measures that Pivotal uses to harden the Windows 2016 stemcell.
Note: This document applies to Windows stemcell v1709.x.
The Windows stemcell contains a version of Windows Server 2016 with a set of Local Group Policy settings optimized for security. These settings begin with the WS2016 Member Server Security Compliance v1.0 baseline, included in Microsoft Security Compliance Manager v4.0. For more information about this baseline, see Windows Security Baselines.
Pivotal has collaborated with Microsoft to further harden the stemcell by applying Local Security Policy settings according to the recommended security baseline defined in Microsoft Security Compliance Manager. The table below lists these overrides to the baseline.
Note: Pivotal will continue to revise these settings as Microsoft releases updates.
| Setting | Value |
|---|---|
| Turn off Automatic Download and Install of updates | Enabled |
| Allow Remote Shell Access | Disabled |
| Windows Firewall: Private: Display a notification | No |
| Windows Firewall: Domain: Display a notification | No |
| Windows Firewall: Public: Display a notification | No |
| Network access: Do not allow storage of passwords and credentials for network auth | Enabled |
| Access this computer from the network | Administrators |
| Deny log on as a batch job | Guests |
| Deny log on as a service | Guests |
| Deny log on through Remote Desktop Services | Guests |
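The following script is an added example, not Pivotal's or Microsoft's code, for checking on a running VM that the overrides in the table above are still in effect. The registry locations, the secedit export format and the well-known SIDs for Administrators and Guests are assumed from the standard Group Policy mappings rather than taken from this page; the Store auto-update row has no registry check here and must be confirmed separately.

```powershell
# Added example: report drift from the stemcell's Local Security Policy overrides.
# Registry paths and SIDs below are assumptions from public policy mappings. Run elevated.
$regChecks = @(
    @{ Name = 'Allow Remote Shell Access (Disabled)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
       Value = 'AllowRemoteShellAccess'; Expected = 0 },
    @{ Name = 'Firewall Private: Display a notification (No)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
       Value = 'DisableNotifications'; Expected = 1 },
    @{ Name = 'Firewall Domain: Display a notification (No)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
       Value = 'DisableNotifications'; Expected = 1 },
    @{ Name = 'Firewall Public: Display a notification (No)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
       Value = 'DisableNotifications'; Expected = 1 },
    @{ Name = 'Do not allow storage of passwords and credentials (Enabled)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'DisableDomainCreds'; Expected = 1 }
)
$drift = @()
foreach ($c in $regChecks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    if ($actual -ne $c.Expected) {
        $shown = if ($null -eq $actual) { '<not set>' } else { $actual }
        $drift += "$($c.Name): expected $($c.Expected), found $shown"
    }
}
# User rights assignments are not registry values; export them with secedit and parse the .inf.
$cfg = Join-Path $env:TEMP 'stemcell-secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') { $rights[$Matches[1]] = $Matches[2].Trim().Split(',') }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
$admins = '*S-1-5-32-544'; $guests = '*S-1-5-32-546'   # assumed well-known SIDs
$rightChecks = @(
    @{ Name = 'Access this computer from the network'; Right = 'SeNetworkLogonRight'; Expected = @($admins) },
    @{ Name = 'Deny log on as a batch job'; Right = 'SeDenyBatchLogonRight'; Expected = @($guests) },
    @{ Name = 'Deny log on as a service'; Right = 'SeDenyServiceLogonRight'; Expected = @($guests) },
    @{ Name = 'Deny log on through Remote Desktop Services'; Right = 'SeDenyRemoteInteractiveLogonRight'; Expected = @($guests) }
)
foreach ($c in $rightChecks) {
    $actual = @($rights[$c.Right] | Where-Object { $_ })
    if (Compare-Object $actual $c.Expected) {
        $drift += "$($c.Name): expected '$($c.Expected -join ',')', found '$($actual -join ',')'"
    }
}
if ($drift) { $drift | ForEach-Object { Write-Warning $_ }; exit 1 } else { 'All checked overrides match.' }
```

A non-zero exit code flags drift, so the script can be dropped into a post-deploy compliance job; any row reported as `<not set>` means the policy is not applied at all rather than set to a different value.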