Service provider takeaway: This section of the chapter excerpt titled "Microsoft Windows Server 2008: Server Core" is taken from the book Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization. Learn tricks for implementing Server Core including creating batch menus, changing command prompts and administrating Server Core with RDP.
If you walked through the preceding steps, you have just administered Server Core through RemoteApp. Why open the full-screen RDP session with mstsc when all you need is the command prompt window? This is an excellent way to administer your Server Core machines. After opening the RDP file, you see an ordinary command window, just like any other on your local machine. Keep in mind, however, that every command you type is executed on the remote machine, not the local one. When you connect to several Server Core machines this way, it quickly becomes hard to tell which window belongs to which server. The next section offers a solution to this dilemma.
Changing the Command Prompt
Maybe you didn't notice it, but a Server Core machine shows no clock. After you execute the command prompt [$t]$s$s$p$g, your command prompt will tell you exactly when it's lunchtime.
If we analyze the command, we see that [$t] is the variable that shows the time, $s is a space, $p shows the current drive and path, and $g shows the greater than sign >. If you perform remote administration on more than one machine, it's a best practice to change the default prompt in such a way as to distinguish the command prompts from each other. The variable %computername% can help you with this. After executing the command prompt [$t]$s[%computername%]$s$p$g, your prompt will look like the following:
[16:46:42.65] [CORE] C:\Users\Administrator>
where CORE is the computer name of the Server Core machine. Unfortunately, the setting is lost when you log off. To make the change permanent, use the Registry: type regedit at the command prompt, locate the key HKLM\System\CurrentControlSet\Control\Session Manager\Environment, and create an expandable string value named prompt. The value of the string can be the same prompt string we used earlier -- for example, [$t]$s[%computername%]$s$p$g. Type prompt /? to see which codes are available for changing the command prompt.
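The same change done from the command line instead of the Regedit GUI, as an added example that is not from the book: it sets the prompt for the current session, persists it with reg.exe as the expandable string the text describes, and reads the value back as a check. It assumes an elevated command prompt on the Server Core machine.

```batch
@echo off
REM Added example (not from the book): set the prompt for this session and
REM persist it machine-wide with reg.exe instead of Regedit. Run elevated.

REM 1. Session only. %computername% expands when the prompt is drawn, so each
REM    RemoteApp window shows which server it belongs to.
prompt [$t]$s[%computername%]$s$p$g

REM 2. Persist: expandable string (REG_EXPAND_SZ) named "prompt" under the
REM    machine Environment key from the text. %% keeps the literal
REM    %computername% in the stored value so it is expanded at logon instead
REM    of being hard-coded to this machine's name.
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" ^
    /v prompt /t REG_EXPAND_SZ /d "[$t]$s[%%computername%%]$s$p$g" /f

REM 3. Check what was written. New sessions pick it up; this one already has
REM    the value from step 1.
reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v prompt
```

The key under HKLM applies to every account on the machine; to change only your own prompt, write the same value under HKCU\Environment instead.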
Prompt can be made up of normal characters and the following special codes:
$A & (Ampersand)
$B | (Pipe)
$C ( (Left parenthesis)
$D Current date
$E Escape code (ASCII code 27)
$F ) (Right parenthesis)
$G > (Greater-than sign)
$H Backspace (erases previous character)
$L < (less-than sign)
$N Current drive
$P Current drive and path
$Q = (Equal sign)
$T Current time
$V Windows version number
$_ Carriage return and linefeed
$$ $ (Dollar sign)
If Command Extensions are enabled, the PROMPT command supports the following additional formatting characters:
$+ zero or more plus sign (+) characters depending upon the depth of the PUSHD directory stack, one character for each level pushed.
$M Displays the remote name associated with the current drive letter or the empty string if current drive is not a network drive.
Administrating Server Core with RDP
Every system administrator knows the command mstsc /v servername /console. With this command, we start a Remote Desktop session to another machine. If we want to connect to a Server Core machine, we must first enable Remote Desktop on that server. With the GUI versions of Windows, we right-clicked Computer to open Properties, selected the Remote tab, and then marked the checkbox Enable Remote Desktop on this Computer. In Server Core, we can't do this anymore. But don't worry...we can execute the command cscript c:\windows\system32\scregedit.wsf /ar 0 to enable Remote Desktop. This command also creates an exception rule in Windows Firewall. With the command cscript c:\windows\system32\scregedit.wsf /ar 1, we can disable it again. To see the current setting, we use the command cscript c:\windows\system32\scregedit.wsf /ar /v. If you have problems connecting to Server Core from Windows XP, execute the command cscript c:\windows\system32\scregedit.wsf /cs 0. This disables some enhanced security settings that are implemented by Server 2008 and Vista.
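The enable-and-verify sequence as an added example (not from the book): it runs the chapter's scregedit.wsf commands and then checks the result three ways, with scregedit's own view, the registry value it writes, and the firewall rule it opens. The registry value name (fDenyTSConnections) and the firewall rule naming are the ones Windows uses; the script assumes an elevated prompt on Windows Server 2008 Server Core.

```batch
@echo off
REM Added example (not from the book): enable Remote Desktop on Server Core
REM with the chapter's scregedit.wsf commands, then verify. Run elevated.

REM Enable RDP (this also adds the Windows Firewall exception, as the text says).
cscript //nologo %windir%\system32\scregedit.wsf /ar 0

REM Check 1: scregedit's own view of the setting (0 = connections allowed).
cscript //nologo %windir%\system32\scregedit.wsf /ar /v

REM Check 2: the registry value behind /ar; 0x0 means RDP is allowed.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

REM Check 3: the firewall rules that scregedit enabled, in the Windows
REM Firewall with Advanced Security context (only matching lines are shown).
netsh advfirewall firewall show rule name=all | findstr /i /c:"Remote Desktop"

REM Check 4: the /cs setting. 1 = Network Level Authentication required.
REM The text's "/cs 0" lowers this so pre-Vista clients can connect; leave it
REM at 1 where you can and update the XP clients instead (XP SP3 can use NLA
REM once CredSSP is enabled on the client).
cscript //nologo %windir%\system32\scregedit.wsf /cs /v
```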
Creating Batch Menus
Maybe you remember the good old choice.exe from the Windows NT and Windows 2000 resource kits. Choice.exe lets the user select one item from a list of choices and returns the index of the selected choice. The resource kit tool was used so often that it became a built-in command in Windows 2003. Unfortunately, the Server Core version of Windows 2008 doesn't have a choice.exe or a replacement command. Instead of typing long commands -- for example, to disable or enable the Windows firewall -- you can use choice.exe to create a batch file menu that acts as a set of shortcuts for the long commands. You can download choice.exe from the following location: ftp://ftp.microsoft.com/Services/TechNet/samples/PS/Win98/Reskit/SCRPTING/CHOICE.EXE . Look at the batch file that follows. This simple batch file gives you an idea of how choice.exe can be used. Download choice.exe from the location just mentioned and place it somewhere in the Path -- for instance, %systemroot%\system32. Copy and paste the following text into a text file and save it with the extension .bat.
@ECHO OFF
REM - Script written by Remco Wisselink
ECHO Press (1) To Change the date/time or timezone
ECHO Press (2) To Change the regional settings
ECHO Press (3) To enable the firewall
ECHO Press (4) To disable the firewall
CHOICE /N /C:1234 PICK A NUMBER (1, 2, 3 or 4)%1
REM IF ERRORLEVEL n is true for any exit code >= n, so test the highest value first.
IF ERRORLEVEL 4 GOTO FOUR
IF ERRORLEVEL 3 GOTO THREE
IF ERRORLEVEL 2 GOTO TWO
IF ERRORLEVEL 1 GOTO ONE
GOTO :EOF
:FOUR
ECHO You pressed (4)
netsh firewall set opmode mode=disable
GOTO :EOF
:THREE
ECHO You Pressed (3)
netsh firewall set opmode mode=enable
GOTO :EOF
:TWO
ECHO You Pressed (2)
REM (the original listing has no command here; add the regional-settings command)
GOTO :EOF
:ONE
ECHO You Pressed (1)
REM (the original listing has no command here; add the date/time command)
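The same menu built on cmd's built-in SET /P, as an added example that is not from the book: it needs no choice.exe, so nothing has to be fetched from a 1998 FTP archive and copied into system32, and it validates the input before branching instead of relying on ERRORLEVEL ordering. The firewall commands are the ones the chapter uses (the legacy "netsh firewall" context); the date/time and regional-settings commands (control timedate.cpl, control intl.cpl) are the ones Microsoft documents for Server Core and are not part of the chapter's listing.

```batch
@echo off
REM Added example (not from the book): menu on the built-in SET /P instead of
REM choice.exe. Loops back to the menu after each action; Q exits.

:MENU
echo.
echo Press (1) To Change the date/time or timezone
echo Press (2) To Change the regional settings
echo Press (3) To enable the firewall
echo Press (4) To disable the firewall
echo Press (Q) To quit
set "pick="
set /p "pick=Pick a number (1, 2, 3, 4 or Q): "

REM Validate first: anything other than the listed keys returns to the menu.
REM The input is not echoed back, so stray shell characters are not re-parsed.
if /i "%pick%"=="1" goto ONE
if /i "%pick%"=="2" goto TWO
if /i "%pick%"=="3" goto THREE
if /i "%pick%"=="4" goto FOUR
if /i "%pick%"=="Q" goto :EOF
echo That is not a valid choice.
goto MENU

:ONE
REM Documented Server Core command for date, time and time zone (assumed, not from the chapter).
control timedate.cpl
goto MENU

:TWO
REM Documented Server Core command for regional settings (assumed, not from the chapter).
control intl.cpl
goto MENU

:THREE
netsh firewall set opmode mode=enable
goto MENU

:FOUR
echo Disabling the firewall exposes every listening service; use (3) to turn it back on.
netsh firewall set opmode mode=disable
goto MENU
```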
Combining Server Core, Read-Only Domain Controller, and BitLocker
Branch offices are often badly secured. If a branch office's domain controller gets stolen, it's wise to reset all your passwords. Not only must the user account passwords be reset, but also the passwords of administrative and service accounts. Why? Because the passwords are cached locally on the domain controller. You don't have to be a rocket scientist to crack all the domain passwords with password cracking tools like L0phtCrack. Windows 2008 has a new infrastructure solution called Read-Only Domain Controller (RODC). The advantage of an RODC is that you can define which passwords should be cached on the server. For this reason, the RODC is a perfect solution for branch offices. If you implement this solution, it's a good idea to replicate and cache only the passwords of normal user accounts with low-level privileges. And it's obvious that you replicate and cache only passwords of accounts that actually reside at the branch office. In the event of a stolen RODC, you only have to reset the accounts whose passwords were cached on that domain controller.
Another security measure we can take is to encrypt the disk with Windows Server 2008's BitLocker. BitLocker is a security feature that protects the operating system disks with full-drive encryption. If you have to design a solution for branch offices, think about the perfect combination: Server Core, RODC, and BitLocker.
About the book
"Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization" will teach you how to configure Windows Server 2008 to secure your network, how to use Windows Server 2008 hand-in-hand with Active Directory and Vista, and how to understand Server Core. This book also focuses on public key infrastructure management, virtualization, terminal services, Active Directory Domain security changes and certificate management.
Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "Securing Windows Server 2008" by Aaron Tiensivu. For more information about this title and other similar books, please visit Elsevier.
This was first published in September 2008