With Windows Server 2016 due sometime in the third quarter, Microsoft is crowdsourcing the hunt for vulnerabilities in a key feature of the release, the stripped-down deployment option called Nano Server, by offering bug hunters a financial incentive.
As most administrators know, patches that close remote code execution (RCE) flaws are rated critical. For RCE bugs in Nano Server, Microsoft will pay $15,000 for a "high quality" report. Unlike Microsoft's other, ongoing bounty programs, this one runs for a limited time: the deadline to submit a report is July 29.
Other vulnerability classes pay less. Reports of "Remote Unauthenticated Denial of Service, Elevation of Privilege, or other higher severity vulnerabilities in specific Nano Server DLLs" earn up to $9,000, and lower-severity bugs in those DLLs, such as spoofing and information disclosure, fetch $500.
Nano Server is a lightweight server operating system that could be of great benefit to an organization that needs to deploy and manage containers and/or virtual machines in rapid fashion, so it’s particularly suited for a DevOps environment.
Nano Server takes up about 400 MB when installed, which is a substantial reduction when you consider a full install of Windows Server 2012 eats up about 6.3 GB of drive space.
By whittling down the server installation to just the essential core services, the smaller deployment size allows organizations to maximize the number of virtual machines running on a host. Microsoft also positions Nano Server as a scale-out file server and a host for Windows Server and Hyper-V containers.
Nano Server is headless and ships with most of the .NET Framework removed. It cannot be managed locally, so administrators who prefer a GUI are out of luck. Management is done remotely, with tools such as PowerShell Direct (from the Hyper-V host), ordinary WinRM-based PowerShell remoting over the network, or the forthcoming "Server management tools" application, currently in preview in the Management section of the Azure Marketplace.
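As an added example, not from the article and not Microsoft's own documentation, the following PowerShell session shows both remote paths: PowerShell Direct from the Hyper-V host, and WinRM remoting over the network. The VM name nano01, the address 192.0.2.10, the credential prompt and the availability of Get-NetTCPConnection on the guest are assumptions. The TrustedHosts step is only needed for a workgroup (non-domain-joined) target, and the comments spell out what it costs you in authentication strength.

```powershell
# Added example, not from the article or Microsoft's documentation.
# Assumptions: a Nano Server VM named 'nano01' running on this Hyper-V host,
# reachable at 192.0.2.10, with a local Administrator account.

$cred = Get-Credential -Message 'Administrator on nano01'

# --- Path 1: PowerShell Direct ---------------------------------------------
# The session rides the Hyper-V VMBus, so it needs no IP connectivity, no
# firewall rule and no WinRM listener on the guest. It only works from the
# host that runs the VM, and the caller must be a Hyper-V administrator there.
$direct = New-PSSession -VMName 'nano01' -Credential $cred

# Quick inventory of what is actually running on the guest: with a footprint
# this small, every running service is a visible slice of the attack surface.
Invoke-Command -Session $direct -ScriptBlock {
    [PSCustomObject]@{
        Host      = $env:COMPUTERNAME
        Version   = [System.Environment]::OSVersion.VersionString
        Running   = (Get-Service | Where-Object Status -eq 'Running').Count
        Processes = (Get-Process).Count
    }
    Get-Service | Where-Object Status -eq 'Running' | Select-Object Name, DisplayName
}
Remove-PSSession $direct

# --- Path 2: WinRM (PowerShell remoting over the network) -------------------
# Works from any management workstation. In a domain, Kerberos authenticates
# both ends and nothing below is needed beyond New-PSSession -ComputerName.
# For a workgroup Nano Server the client must list it in TrustedHosts; that
# falls back to NTLM, so the client can no longer verify it is talking to the
# real server. Scope the entry to one address (never '*') and prefer -UseSSL
# with a certificate on the listener where you can.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value '192.0.2.10' -Concatenate -Force

$remote = New-PSSession -ComputerName '192.0.2.10' -Credential $cred
Invoke-Command -Session $remote -ScriptBlock {
    # Hardening check: confirm nothing unexpected is listening on the guest.
    # TCP 5985 (WinRM) is expected; anything else should be explainable.
    # Get-NetTCPConnection is assumed to be present on the guest.
    Get-NetTCPConnection -State Listen -ErrorAction Stop |
        Select-Object LocalAddress, LocalPort, OwningProcess |
        Sort-Object LocalPort
}
Remove-PSSession $remote
```

PowerShell Direct is the safer of the two for day-one administration because it never touches the network stack, which matters on a freshly built image you have not yet patched or firewalled. The WinRM path is what scales across many hosts, and its security rests entirely on how the endpoint is authenticated, so a TrustedHosts wildcard is the first thing to look for when reviewing a management workstation.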
This substantial reduction in code also shrinks Nano Server's attack surface. In theory, fewer components means fewer vulnerabilities. But for a company moving to a container-based infrastructure, where many microservices share and trust the same underlying operating system, a bug in that foundation affects everything stacked on it, so it is critical that the foundation remains as secure as possible.
If this all sounds familiar, it's because it is. Microsoft has been down the minimal-footprint path before with the Server Core option that shipped with Windows Server 2008. But Server Core never caught on with most administrators: it was only marginally more secure than a full Windows Server install, and managing it meant climbing a learning curve.
So what is different with Nano Server? Perhaps not much about the product itself, but the times have changed. More companies are deploying servers at scale, which has led to a significant uptick in interest in PowerShell, and Microsoft could not sit idly by while competitors such as VMware courted cloud customers with Photon, a stripped-down Linux OS built for hosting containers.
You could look at this bug bounty in one of two ways. First, it could be read as a sign of the culture shift under Microsoft CEO Satya Nadella, in which transparency is emphasized.
Or it may be a more calculated move, with Microsoft thumping its chest at the collective Internet and calling out everyone who has knocked the company for its security failings. What better way to prove to potential customers that the new deployment model is as hardened as Microsoft claims than through this kind of public display?
Microsoft has published further details of the Nano Server bug bounty on its bounty program pages.