Why Docker Windows containers expose unprotected VNC access by default

The popular dockurr/windows image (1M+ pulls) ships with its noVNC web console on port 8006 and no authentication in front of it. Anyone who can reach that port gets the VM's console and whatever is on screen, login prompt or desktop. Here's what enterprise teams need to know about the security gap.

The Problem

The dockurr/windows Docker image makes it trivial to run a Windows VM inside a container, complete with a noVNC web console on port 8006. Over 1 million pulls later, it's become a go-to for dev and test environments.

The catch: that web console has no authentication in front of it. Publish port 8006 on a reachable interface and anyone who can connect gets the VM console, including whatever is on screen before the Windows login. The project maintainers won't add VNC-level auth, because classic VNC authentication is weak by design: passwords are truncated to eight characters and checked with a DES challenge-response, so it is cheap to brute-force.

The Workaround

The standard fix is an Nginx reverse proxy with HTTP basic auth. Bind noVNC to localhost only (127.0.0.1:8006:8006), or don't publish it at all when Nginx runs as a sibling container, then proxy through Nginx on a different port with password protection. You'll need:

  • An htpasswd file for credentials
  • Nginx config with auth_basic and WebSocket support (noVNC runs over a WebSocket, so the proxy must speak HTTP/1.1 and pass the Upgrade and Connection headers through)
  • Both containers on the same Docker network, so Nginx can reach the Windows container by service name

This puts HTTP authentication in front of the page that opens the VNC stream. It's basic protection, not enterprise-grade, but better than nothing. Two caveats: basic auth sends the password base64-encoded on every request, so terminate TLS on the Nginx listener, and the hop from Nginx to the container is still unauthenticated, so port 8006 must not be reachable from anything except the proxy.
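As an added example (not code from the article or from the dockur project), here is a POSIX shell script that writes the three pieces the workaround needs, the htpasswd file, the Nginx config and a compose file, and then checks that noVNC is not published on every interface. It assumes Nginx runs as a sibling container named proxy that reaches the VM by the compose service name windows, that the proxy listens on 8080, and that openssl is available to hash the basic-auth password; the USERNAME/PASSWORD values in the compose file are placeholders to replace.

```shell
#!/bin/sh
# Added example: generate an Nginx-in-front-of-noVNC deployment for dockurr/windows.
# Assumptions (not the project's own defaults): proxy listens on 8080, the VM container
# is reachable as "windows" on the shared compose network, openssl is installed.

# Print one htpasswd line for user $1 / password $2 (apr1-MD5, understood by Nginx).
htpasswd_entry() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# Write a full nginx.conf: basic auth on every request, WebSocket upgrade forwarded.
write_nginx_conf() {
    cat > "$1" <<'EOF'
events {}
http {
    # Forward WebSocket upgrades; the noVNC client cannot connect without this.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }
    server {
        listen 8080;   # in a real deployment: listen 443 ssl, so basic-auth credentials are not sent in clear
        location / {
            auth_basic           "Windows console";
            auth_basic_user_file /etc/nginx/.htpasswd;
            proxy_pass           http://windows:8006;
            proxy_http_version   1.1;
            proxy_set_header     Upgrade $http_upgrade;
            proxy_set_header     Connection $connection_upgrade;
            proxy_set_header     Host $host;
            proxy_read_timeout   3600s;   # keep idle console sessions open
        }
    }
}
EOF
}

# Write the compose file: 8006 and 3389 only on loopback, the proxy is the only public listener.
write_compose() {
    cat > "$1" <<'EOF'
services:
  windows:
    image: dockurr/windows
    container_name: windows
    environment:
      VERSION: "11"
      USERNAME: "console"          # placeholder: replaces the default Docker/admin account
      PASSWORD: "change-me-now"    # placeholder
    devices:
      - /dev/kvm
      - /dev/net/tun
    cap_add:
      - NET_ADMIN
    ports:
      - "127.0.0.1:8006:8006"      # noVNC: loopback only, never 0.0.0.0
      - "127.0.0.1:3389:3389/tcp"  # RDP: reach it over a VPN or SSH tunnel
      - "127.0.0.1:3389:3389/udp"
    volumes:
      - ./windows:/storage
    restart: always
    stop_grace_period: 2m

  proxy:
    image: nginx:alpine
    depends_on:
      - windows
    ports:
      - "8080:8080"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./.htpasswd:/etc/nginx/.htpasswd:ro
EOF
}

# Return 1 if noVNC is published on all interfaces or the proxy lacks auth / WebSocket forwarding.
check_hardening() {
    dir=$1
    # A bare "8006:8006" (no host IP in front) publishes the console on every interface.
    if grep -Eq '^[[:space:]]*-[[:space:]]*"?8006:8006' "$dir/docker-compose.yml"; then
        return 1
    fi
    grep -q 'auth_basic_user_file' "$dir/nginx.conf" || return 1
    grep -q 'Upgrade \$http_upgrade' "$dir/nginx.conf" || return 1
    return 0
}

# Generate everything into a directory and run the check.
generate() {
    out=${1:-./vnc-proxy}
    mkdir -p "$out"
    write_nginx_conf "$out/nginx.conf"
    write_compose "$out/docker-compose.yml"
    if command -v openssl >/dev/null 2>&1; then
        user=${VNC_USER:-admin}
        pass=${VNC_PASS:-$(openssl rand -base64 18)}
        htpasswd_entry "$user" "$pass" > "$out/.htpasswd"
        chmod 600 "$out/.htpasswd"
        echo "basic-auth user '$user', password '$pass' written to $out/.htpasswd" >&2
    else
        echo "openssl not found: create $out/.htpasswd with 'htpasswd -B' before starting" >&2
    fi
    check_hardening "$out"
}

# Usage: sh vnc-proxy.sh generate ./vnc-proxy
case "${1:-}" in
    generate) generate "${2:-./vnc-proxy}" ;;
esac
```

After `sh vnc-proxy.sh generate ./vnc-proxy`, run `docker compose up -d` in that directory and browse to port 8080; port 8006 answers only on the host's loopback and on the compose network, which is exactly the surface the proxy and the VM container share.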

What This Means in Practice

This setup is common in dev environments where RDP isn't an option or teams want browser-based access. The security model assumes you're behind a firewall or VPN already.

For production or sensitive workloads, the project documentation explicitly recommends RDP (port 3389, TCP and UDP) over noVNC, and describes the web viewer as a tool for installation rather than daily use. RDP has native authentication and encryption (Network Level Authentication over TLS). Alternatively, use a proper hypervisor like Proxmox or native QEMU/KVM instead of running QEMU inside a container.

Three things to watch:

  1. Default credentials are Docker/admin for the Windows user; set the USERNAME and PASSWORD environment variables before the first boot, because the account is created during installation
  2. Multi-container setups create lateral movement risk: Nginx and the Windows container share a network, so anything that compromises the proxy container (or any other container on that network) reaches port 8006 with no authentication at all
  3. HTTP basic auth over Nginx doesn't secure the VNC protocol itself; the proxy-to-container hop is plain HTTP/WebSocket, and the VNC session behind it has no authentication or encryption of its own

The Trade-offs

Docker-based Windows VMs trade proper isolation for convenience. You get instant setup and noVNC access, but inherit VNC's security limitations, and the container itself needs /dev/kvm and the NET_ADMIN capability, so it is not a low-privilege workload. For quick testing, that's often fine. For anything customer-facing or regulated, use proper tooling.

The project hasn't seen major updates since October 2024 when VNC auth was added via environment variables. The core noVNC exposure remains by design. Worth noting: no enterprise support or funding model exists for this open-source tool.