microsoft / Windows-Containers


Windows Firewall Security Policy preventing network connectivity in Hyper-V guests and Windows containers with Hyper-V "internal" virtual switches #203

Closed JustinChristensen closed 2 years ago

JustinChristensen commented 2 years ago

I've been trying to track down why I can't establish network connectivity using the default NAT network when in Windows containers mode on my domain-joined corporate workstation for a while now. I think I've figured it out, and I was hoping that Microsoft may be able to provide some guidance on what the expected behavior should be for the interaction between Security Policy, Windows Firewall, the Host Networking Service, Internet Connection Sharing, and Hyper-V's virtual switches.

This impacts both Docker for Windows and Hyper-V generally.

Specifically what is happening is that when the Security Policy "Apply Local Firewall Rules" is set to "No" in the public profile, local firewall rules that Internet Connection Sharing and the Host Networking Service add to permit DHCP and DNS for Hyper-V guests are no longer applied. This means that attempts to broadcast for DHCP and DNS queries in the guest Hyper-V VM (or container) are then blocked by Windows Firewall.

I've tested this in isolation on a Windows 10 Pro VM in Azure, with only this specific Security Policy configured through the Local Security Policy snap-in.

I've got a gist where I've been tracking my notes on this here. I've used netsh to capture the network events that prove that this is the case, and you can see what filters are making the allow/deny decisions with these files:

| Apply Local Firewall Rules | DHCP Broadcast | DNS |
|---|---|---|
| Yes | Allow | Allow |
| No | Deny | Deny |

You can see from this that when this security policy is either not configured or set to Yes, the local rules that the Host Networking Service and ICS add permit the traffic.

Now, in corporate environments administrators are typically wont to set this Security Policy to No, and then to configure and maintain a list of static inbound firewall rules that get distributed to workstations via policy updates. What I'm wondering from Microsoft is:

  1. Are these local rules that ICS and the Host Networking Service add to support Hyper-V networking supposed to be clobbered by this security policy? Or should they be a special case? That is, is it by design that that security policy prevents these Windows services from doing what they need to do to support Hyper-V networking?
  2. If that is working as intended, what would be the right way to configure security policy to allow these services to apply their local firewall rules? From what I see, those rules are dependent on local system state like security identifiers and interface identifiers, (which allows them to be more narrowly scoped), and so maintaining another static firewall rule in the list wouldn't necessarily be an effective solution. Should there be another security policy callout somewhere that says something like "Disallow local firewall rules, except for those added by Windows Services X, Y, and Z"?
  3. Is there documentation out there somewhere that details how this interaction between Hyper-V, Windows Firewall, HNS, ICS, and this Security policy is supposed to work that I just missed in my search?
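As an added example (not code from this thread or from the Windows-Containers project), the following PowerShell inspects, on a Hyper-V or Docker host, the two things the report above ties together: the per-profile "Apply local firewall rules" setting and the locally stored inbound allow rules for DHCP and DNS, including the interface scope the report mentions. It uses only the built-in NetSecurity cmdlets. The port filter (53, 67, 68) and the focus on the Public profile are assumptions about what the ICS/HNS rules look like, since the thread does not name the rules themselves.

```powershell
# Added example, not code from the issue thread or the Windows-Containers project.
# Assumes an elevated PowerShell 5.1+ session on a Windows host with the
# built-in NetSecurity module.

# 1. Per-profile setting. AllowLocalFirewallRules = False corresponds to the
#    security policy "Apply local firewall rules: No" for that profile.
$profiles = Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules
$profiles | Format-Table -AutoSize

# 2. Locally stored inbound allow rules for DHCP (UDP 67/68) and DNS (53).
#    Rules written by ICS/HNS live in the local PersistentStore; rules pushed
#    by Group Policy do not appear here. Port list is an assumption.
$interesting = @('53', '67', '68')
$localRules = Get-NetFirewallRule -PolicyStore PersistentStore -Direction Inbound -Action Allow |
    ForEach-Object {
        $rule  = $_
        $port  = $rule | Get-NetFirewallPortFilter
        $iface = $rule | Get-NetFirewallInterfaceFilter
        # LocalPort may be 'Any', a single string, or an array; normalise to strings.
        $ports = @($port.LocalPort) | ForEach-Object { "$_" }
        if ($interesting | Where-Object { $ports -contains $_ }) {
            [pscustomobject]@{
                DisplayName = $rule.DisplayName
                Group       = $rule.DisplayGroup
                Enabled     = $rule.Enabled
                Profile     = $rule.Profile
                Protocol    = $port.Protocol
                LocalPort   = ($ports -join ',')
                # Interface-scoped rules are the "narrowly scoped" ones the report describes.
                Interface   = ($iface.InterfaceAlias -join ',')
                Source      = $rule.PolicyStoreSourceType
            }
        }
    }
$localRules | Format-Table -AutoSize

# 3. Flag the combination the report identifies: local DHCP/DNS allow rules exist,
#    but the Public profile will not apply local rules, so guests and containers
#    behind a NAT or internal switch lose DHCP and DNS.
$public = $profiles | Where-Object Name -eq 'Public'
if ($public.AllowLocalFirewallRules -eq 'False' -and $localRules) {
    Write-Warning ("Public profile ignores local rules; {0} local DHCP/DNS allow rule(s) will not take effect." -f @($localRules).Count)
}
```

Run it once with the policy not configured and once with it set to No; the profile table changes while the local rule list does not, which is the point of the report: the rules are still present, they are just not applied.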
dcantah commented 2 years ago

@microsoft/containernet-msft

houha2 commented 2 years ago
> 1. Are these local rules that ICS and the Host Networking Service add to support Hyper-V networking supposed to be clobbered by this security policy? Or should they be a special case? That is, is it by design that that security policy prevents these Windows services from doing what they need to do to support Hyper-V networking?

Yes, these local rules are getting clobbered by this security policy, and it is by design, to allow Enterprise managed devices more security protections.

> 2. If that is working as intended, what would be the right way to configure security policy to allow these services to apply their local firewall rules? From what I see, those rules are dependent on local system state like security identifiers and interface identifiers, (which allows them to be more narrowly scoped), and so maintaining another static firewall rule in the list wouldn't necessarily be an effective solution. Should there be another security policy callout somewhere that says something like "Disallow local firewall rules, except for those added by Windows Services X, Y, and Z"?

The right way would be to set the security policy “Apply Local Firewall Rules” to “Yes” which is the default setting for the policy.

> 3. Is there documentation out there somewhere that details how this interaction between Hyper-V, Windows Firewall, HNS, ICS, and this Security policy is supposed to work that I just missed in my search?

We do have documentation on the security policy here, but it does not detail the interaction between Hyper-V, HNS, ICS, and Firewall. There are plans to get this documented as you are not the only person facing this issue.

JustinChristensen commented 2 years ago

Hey @houha2

I appreciate the reply!

It's encouraging to hear that this is all on your radar.

One slight clarification: Are there discussions of adding a security policy callout that allows those local firewall rules for just those Windows services to continue applying, even if the administrator continues to want to disable users from managing their own firewall rules locally?

I could see there being some administrators in certain kinds of environments having heartburn about allowing a workstation user blanket permission to administer their own firewall rules at the perimeter. It seems like this Hyper-V/Docker machinery is a special case that an administrator would want the capability to enable while still preventing the user from generally managing firewall rules locally.

Again, thanks for the response.

cwilhit commented 2 years ago

> Are there discussions of adding a security policy callout that allows...

Spoke with @houha2 offline and it does not sound like there's anything in plan right now for this.

JustinChristensen commented 2 years ago

> > Are there discussions of adding a security policy callout that allows...
>
> Spoke with @houha2 offline and it does not sound like there's anything in plan right now for this.

Ah. I'll be honest and say that I was hoping for a bit more insight into the considerations involved there, but I suppose beggars can't be choosers on forums such as these. That said, it sounds like the U.S. government has been sending out security advice that contradicts the recommendation that was given above, and so that leaves things a bit confusing.

I guess I'll just have to wait for the extra documentation @houha2 mentioned was forthcoming. Thanks again.

cwilhit commented 2 years ago

No problem, happy to help. Closing this issue.

arencambre commented 1 year ago

Did the documentation referenced in https://github.com/microsoft/Windows-Containers/issues/203#issuecomment-1057341968 get produced? I can't find it.

I am running into the same problem. While I got an exception to allow me to set exceptions for my public network profile, I am not sure what exceptions to set to permit my VMs to use the network.