Tip

Microsoft Longhorn Server Core: Security implications

Microsoft Longhorn Server is expected to bring many exciting features to the table, among them a modular approach to server architecture that will greatly ease hardening and increase security.

Requires Free Membership to View

More on Longhorn
Microsoft Longhorn features worth watching
Expert Gary Olsen offers observations on some of the more notable features in Longhorn that will make a difference in Windows administration.

Got a question about Longhorn? Click here to pose it to one of our experts.

In a nutshell, the current plans for Server Core edition of Longhorn will allow administrators to deploy role-based servers on a barebones Windows operating system using command-line prompts but no GUI. As needs change, administrators can lay additional services (remote access service, terminal services, file and print capabilities, Active Directory servers, Web servers, etc.) on top of a base server core installation.

These are the significant benefits of this modular approach from a security standpoint:

  • Server Core, by definition has a reduced attack surface.
    The fact that these Server Core machines only run the most basic elements of the Windows Server operating system makes them less susceptible to attack. The fewer moving parts there are, the less the likelihood there is that a vulnerability exists or an exploit can occur. These machines are more appropriate for placement in environments where you might not have considered putting a Windows machine.
  • The modular architecture of Server Core means less to patch and less to manage.
    You only need to worry about patching the services you're using, whereas with previous versions of Windows on the server, certain vulnerabilities meant you had to patch the whole machine. Additionally, you only manage what you use, so there's less administrative burden.
  • Server Core machines further enable role-based deployment.
    In previous versions of Windows Server -- namely Windows Server 2003 -- roles were a part of the "Configure Your Server" wizard. While this did a good job of ensuring that appropriate components for a specific role were installed, it didn't necessarily remove components that weren't required. Consequently, the machine was still running an entire, full-fledged installation of the fundamental operating system. With Server Core, role-based deployment is truly role-based: You use only what you need, and none of the inessential extras.
  • Server Core availability means appliance-like machines are as functional as they are hardened.
    The IT appliance industry is growing each year, mainly because of the unique traits of such a product. You plug it in, configure it initially through a very simple process and then let it do its job. Generally, appliances are as close to set-and-forget as you will get in information technology. Core OS brings the power of Windows, Active Directory and Group Policy manageability -- among other things -- to the closed, hardened, specialized nature of an appliance.
  • Manageability is better than a farm of Linux machines that performed the functions Server Core boxes are destined to run.
    Distributed groups of Linux machines can't participate in Active Directory or Group Policy in a meaningful way without third-party software, despite the fact that Linux and Unix appliance-like machines are often placed in front-line environments or in areas with other, threatening conditions. Server Core brings all the advantages of Windows to areas in which alternative operating systems have thrived.

About the author: Jonathan Hassell is the author of "Hardening Windows" (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.

This was first published in October 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.