These are the significant benefits of this modular approach from a security standpoint:
- Server Core, by definition, has a reduced attack surface.
The fact that these Server Core machines only run the most basic elements of the Windows Server operating system makes them less susceptible to attack. The fewer moving parts there are, the lower the likelihood that a vulnerability exists or an exploit can occur. These machines are more appropriate for placement in environments where you might not have considered putting a Windows machine.
- The modular architecture of Server Core means less to patch and less to manage.
You only need to worry about patching the services you're using, whereas with previous versions of Windows on the server, certain vulnerabilities meant you had to patch the whole machine. Additionally, you only manage what you use, so there's less administrative burden.
- Server Core machines further enable role-based deployment.
In previous versions of Windows Server -- namely Windows Server 2003 -- roles were a part of the "Configure Your Server" wizard. While this did a good job of ensuring that appropriate components for a specific role were installed, it didn't necessarily remove components that weren't required. Consequently, the machine was still running an entire, full-fledged installation of the fundamental operating system. With Server Core, role-based deployment is truly role-based: You use only what you need, and none of the inessential extras.
- Server Core availability means appliance-like machines are as functional as they are hardened.
The IT appliance industry is growing each year, mainly because of the unique traits of such a product. You plug it in, configure it initially through a very simple process and then let it do its job. Generally, appliances are as close to set-and-forget as you will get in information technology. Core OS brings the power of Windows, Active Directory and Group Policy manageability -- among other things -- to the closed, hardened, specialized nature of an appliance.
- Manageability is better than with a farm of Linux machines performing the functions Server Core boxes are destined to run.
Distributed groups of Linux machines can't participate in Active Directory or Group Policy in a meaningful way without third-party software, despite the fact that Linux and Unix appliance-like machines are often placed in front-line environments or in areas with other threatening conditions. Server Core brings all the advantages of Windows to areas in which alternative operating systems have thrived.
About the author: Jonathan Hassell is the author of "Hardening Windows" (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
This was first published in October 2006