Service provider takeaway: This section of the chapter excerpt titled "Microsoft Windows Server 2008: Server Core" is taken from the book Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization.
Download the .pdf of the "Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization" chapter here.
Server Core Features
For years, Microsoft engineers have been told that Windows would never stand up to Linux in terms of security simply because it was too darn "heavy" (too much) code, loaded too many modules (services, startup applications, and so on), and was generally too GUI-heavy. With Windows Server 2008, Microsoft engineers can stand tall, thanks to the introduction of Server Core.
The concept behind the design of Server Core is to truly provide a minimal server installation. The belief is that rather than installing all the application, components, services, and features by default, it is up to the implementer to determine what will be turned on or off.
The installation of Windows 2008 Server Core is fairly simple. During the installation process, you have the option of performing a standard installation or a Server Core installation. Once you have selected the hard drive configuration, license key activation, and end-user license agreement (EULA), you simply let the automatic installation continue to take place. When installation is done and the system has rebooted, you will be prompted with the traditional Windows challenge/response screen, and the Server Core console will appear.
When you install Windows Server 2008 without the extra overhead, it limits the number of roles and features that can be used by your server. So why should you install a Server Core in your organization? For the following benefits:
- Minimal attack vector opportunities
- Requires less software maintenance
- Uses less disk space for installation
Server Core Has Minimal Attack Vector Opportunities
Server Core is a bare installation of Windows Server 2008.A machine provisioned with Server Core has fewer binaries installed, which as a result have a reduced attack interface. With less binary available on the system, the change of vulnerable DLLs is decreased. This will force an attacker to expend more effort in finding a security flaw in one of the Windows DLLs.
If we look at the number of services installed by default on a Server Core machine and those on a regular Windows 2008 installation, we see a big difference. I did a comparison on two of my test machines. I executed the command sc query | find "SERVICE_NAME:" /c on the Server Core machine, as well as on my normal Windows 2008 machine. This command counts the number of services installed on a machine. The Server Core had 38 services installed, while the normal Windows 2008 installation had 49 services installed. I did this quick check directly after the initial installation. This means no additional roles were installed. Fewer services installed and running means greater security. By the way, this check was performed between Windows Server 2008 Enterprise (Server Core Installation) and Windows Server 2008 Enterprise (Full Installation).
Microsoft has also removed the most insecure programs like Internet Explorer, Windows Media Player, Windows Messenger, Outlook Express, and so on. Much deeper underlying dependencies are also removed -- for example, .NET Framework.
Because .NET Framework is missing, there is no PowerShell, Servermanagercmd.exe, or ASP.Net either. But Microsoft is working on a slimmed-down version of the .NET Framework for a future release. Because fewer applications and services are installed, we can say that the attack surface is far smaller than a regular Windows Server product.
Server Core Requires Less Software Maintenance
We all know the term Patch Tuesday, and we all know that some admins don't like rebooting their most important servers to take care of the companies' core business on those occasions. Well, for those admins, there is hope. Microsoft believes that because of the slim version of Server Core, the number of patches required for this Windows version will be reduced by 60 percent, compared with a regular Windows Server 2008 machine. This will dramatically decrease the patch management cycle.
The Server Core machine only does what it has to do. Why should you install a combined DHCP/DNS server on a full Windows installation (which has a lot of additional services and components installed that aren't be used) just to fulfill these two roles? You can better install it on Server Core because this only provides the key network infrastructure roles without all the superfluous DLLs and services.
Last year, I attended a live demo session from Marcus Murray at Tech-Ed Orlando. The session title was Why I Can Hack Your Network in a Day. According to Marcus, 95 percent of the software running within a company isn't properly patched, and most of the security flaws are caused by this un-patched software. If we look at Server Core, not much software will be installed besides the antivirus and backup software. And maybe you want to keep it this way. Server Core isn't designed to serve as an application platform.
Server Core Uses Less Disk Space for Installation
A Server Core installation requires about 1 gigabyte (GB) of disk space, and for paging, another 512 (MB) is needed. In total, approximately 2GB is required for operations. If we take a look at the official installation requirements, Microsoft minimum installation needs 10GB of disk space; however; 40GB or greater is recommended. Servers with more than 16GB of internal memory require more disk space for paging and dump files.
The advantage of the reduced disk footprint expresses itself in quicker unattended installs and faster booting. Disk costs aren't that expensive anymore. Nevertheless the reduced disk footprint can be a big pro for large datacenters. Imagine having a big datacenter with hundreds of Web-farm front-end servers installed on Server Core, and you are responsible of provisioning them. Imaging these servers with a small cloned image or an unattended installation would be a piece of cake.
Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization
Securing Windows Server 2008: Server Core features
Securing Windows Server 2008: Server Core best practices
Securing Windows Server 2008: Implementing Server Core
About the book
"Securing Windows Server 2008: Prevent Attack from Outside and Inside Your Organization" will teach you how to configure Windows Server 2008 to secure your network, how to use Windows Server 2008 hand-in-hand with Active Directory and Vista and how to understand Server Core. This book also focuses on public key infrastructure management, virtualization, terminal services, Active Directory Domain security changes and certificate management.
Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "Securing Windows Server 2008" by Aaron Tiensivu. For more information about this title and other similar books, please visit Elsevier.
This was first published in September 2008