Windows Server 2008's Server Core installation option, for those not familiar with it, is intended to be an easier-to-maintain, "fewer moving parts" server platform offering a limited number of services, or roles. Primary roles include streaming media, DNS, DHCP, domain controller, file server and a limited IIS server (serving static pages, classic ASP pages, PHP pages and the like; not ASP.NET).
With practically no graphical user interface GUI (Server Core offers only a Cmd.exe shell as its primary user interface), it's a bit more difficult to properly secure, since there's no helpful GUI to guide you through the process. Fortunately, Server Core is about as secure as it can be out of the box – you just have to make sure you don't diminish that security in your configuration.
A first step is to get some form of anti-malware software running on Server Core. Most organizations have standardized on antivirus and other anti-malware utilities and, in many cases, anything intended to run on Windows Server 2008 will run on Server Core, too.
Unfortunately, many vendors are taking some time to formally add Windows Server 2008 support. As of August 2008, for example, Symantec's Endpoint Protection product lists Windows Server 2003 editions as the latest ones supported. Microsoft's own Forefront antivirus works fine, as do solutions from McAfee, Kaspersky and many others.
A key to maintaining a secure system is keeping it properly patched and configured. While Windows has built-in software update tools to help make this happen, many organizations prefer to use alternate management tools – which typically require agents to be installed on servers. In most cases, these agents don't require any kind of GUI (they're intended to run in the background, after all), so they install and work fine on Server Core. I've seen IBM's Tivoli agents running well on Server Core, for example.
Remember that however you get your servers patched, it's important to make Server Core part of the game. While it does have a smaller footprint – and therefore is in theory subject to fewer patches – those patches that apply to Server Core absolutely must be installed in a timely fashion.
Incidentally, Server Core's smaller footprint has resulted in it needing fewer patches. As of June 2008, 23 total security patches had been released by Microsoft; nine applied to Windows Server 2008, but only three to Server Core. Microsoft service bulletins now include a * notation for Windows 2008 patches that apply to Server Core.
Third: Minimize roles
Like any other server, reducing your attack surface is an excellent way to make and keep Server Core more secure. Server Core's attack surface comes primarily from roles that you've installed on it. It easily follows, then, that fewer roles equals smaller attack surface, which equals more security.
Server Core doesn't have a Server Manager GUI to review and add or remove roles. Instead, you use a set of command-line tools. Oclist.exe will list the available roles; Ocsetup.exe is used to add and remove roles. For example, adding the DHCP role is accomplished by running start /w
ocsetup DHCPServerCore. Add /uninstall to the same command line to remove the role.
Keep in mind that management technologies also extend your attack surface. For example, Server Core runs Windows Management Instrumentation (WMI), can run Windows Remote Management (WinRM) and offers Remote Desktop connectivity. All of these are potential attack vectors, just as they are on any server. If you don't need or aren't using one of them, disable the service and uninstall the feature, if possible. For instance, a Server Core acting as a domain controller can be best managed by using the Active Directory consoles on your workstation – they won't even run on Server Core itself, since they require a GUI. In that case, you might not really need Remote Desktop once the server is up and running, so consider disabling it.
Yes, Server Core has Windows Firewall. The problem is you have to configure it from the command line, which practically nobody seems to know how to do (not that Microsoft makes it terribly easy). It's done through the Netsh.exe command's Advfirewall option. For example, to enable remote management, run Netsh advfirewall currentprofile settings remotemanagement enable. I know – totally intuitive, right? If you are interested, check out this great article from the Petri IT Knowledgebase on managing various firewall settings.
Finally: You're secure
Windows Server 2008 Server Core offers a stripped-down environment with a limited number of services. This results in a reduced footprint, less installed software and fewer patches over time. You can configure Server Core with the same security options and features as the full Windows Server 2008 install, although the means for doing so can sometimes be different and a bit more complex. Still, it's worth the time to make this valuable installation option as secure as possible within your environment.
ABOUT THE AUTHOR
Don Jonesis a co-founder of Concentrated Technology LLC, the author of more than 30 IT books and a speaker at technical conferences worldwide. Contact him through his website at www.ConcentratedTech.com.
This was first published in September 2008