Server Core is a new feature in the Windows Server world. It installs a
command-line administration-only version of Windows Server 2008 that
helps reduce the attack surface of the server. Traditionally, there are
many attack options on a Microsoft server, and you, the administrator,
need to be aware of that and take action to ensure security. However,
with Server Core, less code is installed (that is, there is a smaller
footprint), and with that reduction in code comes a reduction in the
number of places an attacker can hit. Fewer moving parts equals fewer
vulnerabilities.
Note
What is the attack surface area of an operating system? Keep in mind that each application added to a
system provides a corresponding opportunity for attack and so poses a
risk. In addition, certain services may leave your system open to
infiltration. This is all considered the attack surface, and the goal
in securing a system is to reduce that surface, typically by turning
off or removing features that are unnecessary.
Until you see a Server Core system for yourself, you may not believe that you
are really going to be working from a command prompt again. But that is
truly what you have at your disposal. In fact, the Explorer shell is
not even installed. You may be surprised to learn that you aren’t
working with the new PowerShell command prompt.
PS Note
At the time of this writing, PowerShell was not functional in Server Core
because it requires the .NET Framework, which cannot be installed on a
Server Core system at this time. The .NET team has worked on providing
a modularized version for Server Core admins to be able to work with
PowerShell, and this will be available in R2. See the section “Incorporate Server Core Changes in Server 2008 R2,” later in this chapter.
Now, keep in mind that Server Core isn’t able to provide all the server
roles that a typical server would have. The supported roles in Server
Core include the following:
Active Directory Domain Services (ADDS)
Active Directory Lightweight Directory Services (AD LDS)
DHCP Server
DNS Server
File Services
Internet Information Services (IIS)
Print Services
Streaming Media Services
Windows Virtualization (Hyper-V)
And, as you will soon see, you cannot use the Server Manager tool to install
these roles. Instead, you need to install them through the command
line, using a tool called ocsetup.exe.
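The following batch file is an added example, not taken from the original text: it installs one role with ocsetup.exe, confirms the result, and lists every installed package so the remaining attack surface can be reviewed. It assumes the DNS Server role (package name DNS-Server-Core-Role) as the sample choice and that oclist.exe marks each package with an "Installed:" or "Not Installed:" prefix.

```batch
@echo off
rem Added example; ROLE is a sample choice, not a value from the original text.
setlocal
set ROLE=DNS-Server-Core-Role

rem Package names are case-sensitive. ocsetup returns immediately unless it
rem is launched through "start /w", which waits for the install to finish.
start /w ocsetup %ROLE%

rem Assumption: oclist prints "Installed:<name>" or "Not Installed:<name>".
rem Drop the "Not Installed:" lines first, because they also contain the
rem substring "Installed:" and would otherwise produce a false match.
oclist | findstr /V /C:"Not Installed:" | findstr /C:"Installed:%ROLE%" >nul
if errorlevel 1 (
    echo %ROLE% is NOT installed
    exit /b 1
)
echo %ROLE% is installed

rem Attack-surface review: show everything currently installed. Anything
rem the server does not need can be removed with:
rem     start /w ocsetup <name> /uninstall
echo.
echo Installed packages:
oclist | findstr /V /C:"Not Installed:" | findstr /C:"Installed:"
endlocal
```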
Keep in mind that third-party application software cannot typically be
installed and managed on a Server Core server, so this server isn’t
going to be used for things like your antivirus management or even some
of the management solutions that Microsoft provides that must be
installed on top of the server and require certain underlying services
to be running. Where Server Core is a good fit in an environment,
however, is in roles such as DNS or DHCP services or even file services.
Note
Although IIS is installable on Server Core, Server Core doesn’t currently
support ASP.NET. Due to the lack of support for managed code, there are
many reasons you might not be able to use Server Core for your
particular web server (for example, no IIS-ASPNET,
IIS-NetFxExtensibility, IIS-ManagementConsole, IIS-ManagementService,
IIS-LegacySnapIn, IIS-FTPManagement, WAS-NetFxEnvironment, and
WAS-ConfigurationAPI).