I'm working with the docker image mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019. I've noticed that the default user for windowsservercore is ContainerAdministrator.
If I try to run the image with the user ContainerUserdocker run -u ContainerUser mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019 I get the following error:
ERROR: Failed to stop or query status of service 'w3svc' error [80070005
]. I think that the error is related to the permissions that the user needs to run ServiceMonitor. So, first of all, is it correct to assume that windowsservercore images must run with ContainerAdministrator and cannot run with ContainerUser?
If the assumption above is correct I would like to confirm if running the container with ContainerAdministratorcan expose the container to a security issue. As far as I understand even if the ServiceMonitor.exe is started with ContainerAdministrator the external-facing process is the IIS Windows service, which runs under a local account in IIS_IUSRS group. So even if an attacker could compromise the application it will not have administrator access to the container. Can anyone confirm if this is correct?
Dockerfile:
# escape=`
FROM mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019
ENV website-name=WebApp
WORKDIR /
RUN mkdir C:\WebApp
COPY WebApp/ /WebApp
RUN powershell -Command `
New-Website -Name 'WebApp' -IPAddress '*' -Port 443 -PhysicalPath C:\WebApp -ApplicationPool 'DefaultAppPool' -Ssl -SslFlags 0; `
USER ContainerUser
ENTRYPOINT ["C:\ServiceMonitor.exe", "w3svc"]
I'm working with the docker image
mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019
. I've noticed that the default user for windowsservercore isContainerAdministrator
.If I try to run the image with the user
ContainerUser
docker run -u ContainerUser mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019
I get the following error:]. I think that the error is related to the permissions that the user needs to run ServiceMonitor. So, first of all, is it correct to assume that windowsservercore images must run with
ContainerAdministrator
and cannot run withContainerUser
?If the assumption above is correct I would like to confirm if running the container with
ContainerAdministrator
can expose the container to a security issue. As far as I understand even if theServiceMonitor.exe
is started withContainerAdministrator
the external-facing process is the IIS Windows service, which runs under a local account inIIS_IUSRS
group. So even if an attacker could compromise the application it will not have administrator access to the container. Can anyone confirm if this is correct?Dockerfile: