ServerCore FTW?

Bl8ckr0uter Inactive Imported Users Posts: 5,031
So I've been doing some research on the security features of server 2k8. Server core seems sofa king sweet. I am thinking of suggesting that we use server core for our IIS and DCs. Is anyone else running a setup like this?

Comments

  • rwmidl Member Posts: 807
    I've only been using SC in our test lab (testing security policy, etc). For forward (internet) facing webservers/application servers, etc I'd use it.
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    rwmidl wrote: »
    I've only been using SC in our test lab (testing security policy, etc). For forward (internet) facing webservers/application servers, etc I'd use it.

    It seems pretty incredible. I have been reading some quick reference guides for it and it doesn't seem that bad. I personally want to go this route for our IIS server(s) as it seems more stable/secure.
  • RobertKaucher Member Posts: 4,299
    So I've been doing some research on the security features of server 2k8. Server core seems sofa king sweet. I am thinking of suggesting that we use server core for our IIS and DCs. Is anyone else running a setup like this?

    I totally agree with this, and suggested it for the virtualized systems here at work. I was over-ruled on this for a very good reason.
    The other members of the team did not want to invest the time into learning to use SC as the benefits did not seem to outweigh the fact that when the chips were down they would not have been able to work with/troubleshoot it as easily.

    The usability factor really needs to be considered as every admin that works with these servers on a regular basis (not just adding accounts in AD, etc. really messes with the thing) needs to be a CLI guru. Knowing PoSh really well would not be bad either.

    The last thing I wanted was something to go wrong and for my teammates to be muttering under their breath about damn Server Core and how they told me we shouldn't use it.
  • rwmidl Member Posts: 807
    I was just thinking to myself, I wonder if you have a SC dc, if you could use the remote server administration toolkit to manage accounts, etc from your local system via MMC? I'm going to say probably not (I'm thinking out loud here) since the gui is not installed on MMC, but if you could that would be the best of both worlds...
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    I totally agree with this, and suggested it for the virtualized systems here at work. I was over-ruled on this for a very good reason.
    The other members of the team did not want to invest the time into learning to use SC as the benefits did not seem to outweigh the fact that when the chips were down they would not have been able to work with/troubleshoot it as easily.

    The usability factor really needs to be considered as every admin that works with these servers on a regular basis (not just adding accounts in AD, etc. really messes with the thing) needs to be a CLI guru. Knowing PoSh really well would not be bad either.

    The last thing I wanted was something to go wrong and for my teammates to be muttering under their breath about damn Server Core and how they told me we shouldn't use it.

    IMO ease of use should not override security when it comes to an admin's perspective but I see their point. Interesting point. I'm just spitballing. One thing is for sure, I think 2008 is the way to go (vs 2003).
  • gateway Member Posts: 232
    IMO ease of use should not override security when it comes to an admin's perspective but I see their point. Interesting point. I'm just spitballing. One thing is for sure, I think 2008 is the way to go (vs 2003).
    +1

    I haven't started studying 2008 yet, but surely you could have a sc install for a dc and use the rsat mmc snap ins to manage this from a client? I can't imagine having some pre-configured PoSH templates just to add a user account? I bet more mistakes would be made that way too.
    Blogging my AWS studies here! http://www.itstudynotes.uk/aws-csa
  • MrAgent Member Posts: 1,310
    So to add my .02¢
    We have a couple of remote sites where we have RODC, which are core servers. While the concept is great and it provides better security, it is a PITA to patch when mandatory patches need to be applied. I work for the government, so they are pretty hardcore about keeping systems patched.

    There's a whole separate process for patching these things that we had to come up with.

    Keep that in mind if you are deciding to deploy these and if you are not good with the CLI and/or powershell.
  • rwmidl Member Posts: 807
    MrAgent wrote: »
    So to add my .02¢
    We have a couple of remote sites where we have RODC, which are core servers. While the concept is great and it provides better security, it is a PITA to patch when mandatory patches need to be applied. I work for the government, so they are pretty hardcore about keeping systems patched.

    There's a whole separate process for patching these things that we had to come up with.

    Keep that in mind if you are deciding to deploy these and if you are not good with the CLI and/or powershell.

    +1 on the PITA for keeping it patched. We use WSUS internally in the lab and the way we have our policy set up, it doesn't automatically install the patches, so you have to massage the SC installation to get them installed. Same goes for AV (from at least what I've seen).
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    So the other admin and I talked it over, I was able to convince him that 2k8 is the way to go. Now I just need to sell the server core stuff. I will need to do some testing (mcafee, backupexec, IIS monitoring tools, packtrap) to see how it works and like rwmidl said, if we can monitor it remotely with some MMC based stuff. We will see....
  • marcels Member Posts: 57
    I'm using Server Core in production, for file and print, and as Hyper-V servers. Using McAfee 8.7i.

    No hassles at all yet, just a learning curve for some of my team.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    marcels wrote: »
    I'm using Server Core in production, for file and print, and as Hyper-V servers. Using McAfee 8.7i.

    No hassles at all yet, just a learning curve for some of my team.

    I haven't even touched it yet. Let me ask you a stupid question. Does it even load gui based apps in their guis or do you have to use the cli commands for everything?

    Example:

    If you are using McAfee (and I pray you are using epo) you know that you can run the mcagent.exe/ (commands) to do various things (check policies, send props, etc). Well you can also run the mcagent to make it show the gui front end and it allows you to do the same things as the switches for the mcagent.exe. On server core, would the gui portion even show up? Since I didn't get a chance to play with it (and neither I nor the other admin has worked with it) that is something the other guy is concerned about.
  • rwmidl Member Posts: 807
    I can kind of answer that. We use Symantec AV in our lab (non-managed). I can open up the gui via cli (ex: I just go to the path it's installed in and run whatever.exe) and the gui will pop right up.

    SC doesn't load the gui Windows portion. Anything else the gui is still there, you just have to launch it from where it's installed.
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    rwmidl wrote: »
    I can kind of answer that. We use Symantec AV in our lab (non-managed). I can open up the gui via cli (ex: I just go to the path it's installed in and run whatever.exe) and the gui will pop right up.

    SC doesn't load the gui Windows portion. Anything else the gui is still there, you just have to launch it from where it's installed.

    That's exactly what I thought but I haven't tested it. Yes, yes, yes! Does it browse the internet with ie with a gui or does it use something like links (text based browser)? Sorry if I sound like a noob, I am just trying to build the case to ask my manager to at least allow me to explore this but what I don't want to do is make an administrative nightmare for myself. Since the other guy (surprising) asked me if I want to take the lead on this, I pretty much need to make this work like a champ lol.
  • rwmidl Member Posts: 807
    No, IE is not installed... I think. Yeah I'm pretty sure IE isn't installed, as having IE would increase the attack surface. I bet you could install IE (or FF), but again, the purpose of SC is to streamline the server and limit your attack surface.
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • marcels Member Posts: 57
    I am able to open the console (mcconsole.exe) and use the GUI if that helps. You can get various GUIs like the iSCSI initiator on Server Core so it's not all command based work.

    The server roles and features such as DNS, DHCP, Print Management etc can be accessed by remote connecting from a full install using MMC.

    Yes, I'm using EPO 4.5
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    marcels wrote: »
    I am able to open the console (mcconsole.exe) and use the GUI if that helps. You can get various GUIs like the iSCSI initiator on Server Core so it's not all command based work.

    The server roles and features such as DNS, DHCP, Print Management etc can be accessed by remote connecting from a full install using MMC.

    Yes, I'm using EPO 4.5

    You guys don't know how happy you made me. Rep all around!!!!

    So basically (besides the whole, oh no I can't point and click) there isn't really much loss. But there will be a decent amount of gain. I was reading somewhere where there is like 60-70% less patches with server core. That alone almost makes it worth it to me.

    rwmidl wrote: »
    No IE is not installed..I think. Yeah I'm pretty sure IE isn't installed, as having IE would increase the attack surface. I bet you could install IE (or FF), but again, the purpose of SC is to streamline the server and limit your attack surface.

    How does it get patches if you can't get to windows updates? WSUS only? Also what about flash drives and stuff. Do you have to mount them every time (no plug and play)? That wouldn't be a real issue since I would very rarely use a flash drive on a web server.

    Sounds like I am going to have to really get in this thing and go at it to get some of these answers.
  • rwmidl Member Posts: 807
    Marcels - thanks for confirming you can access via MMC (I was going to check today but had other things come up).

    Ideally - I'd set the SC installation up, get it configured then manage it via MMC remotely.
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    rwmidl wrote: »
    Ideally - I'd set the SC installation up, get it configured then manage it via MMC remotely.

    That seems very smart. I think I would still need to build some scripts to do some quick things (IIS stuff mostly) but if I can do 90 percent of the administration of the box remotely then the other guy will be happy and it would make it much easier to sell to my boss.
  • RobertKaucher Member Posts: 4,299
    That seems very smart. I think I would still need to build some scripts to do some quick things (IIS stuff mostly) but if I can do 90 percent of the administration of the box remotely then the other guy will be happy and it would make it much easier to sell to my boss.

    Just make sure you can fix it when it's broke. When something goes wrong, you still gotta' hit your SLA.
  • undomiel Member Posts: 2,818
    I've mentioned it in another thread but I'll back up Robert here too. Managing core isn't the problem; it is fixing it when it is broken, and swiftly, that is the real challenge.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • MentholMoose Member Posts: 1,525
    My lab contains a RODC on 2008 Enterprise Core, and a DC on 2008 Enterprise, so I did some comparisons. The RODC has 50 services started and 31 stopped, whereas the DC has 62 started and 59 stopped. The listening ports were identical (20 ports) on both. These machines aren't freshly installed, but they are relatively clean; the RODC doesn't have additional roles besides AD and DNS, while the DC also has WDS on it (apparently WDS is not running). They both have VMware Tools.

    So, are the security benefits that great? About 10 fewer services running apparently by default is somewhat helpful security-wise, but not that amazing, and I probably could find a few to disable. The total available services is less, which is good, but how good is it really? It's also interesting that they have the same number of ports open.
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
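
The comparison in the post above is by count; diffing the two inventories by name shows which services actually differ and whether the listening sets really match. This is an added example, not code from any poster: the service lists and netstat text are constructed samples, and the function names `Get-ListeningPort` and `Compare-Inventory` are hypothetical.

```powershell
# Constructed sample inventories (illustrative names, not data from the thread).
# On real hosts, collect the inputs with:
#   Get-Service | Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.Name }
#   netstat -ano
$fullServices = 'DNS', 'Dnscache', 'Netlogon', 'NTDS', 'ShellHWDetection', 'Themes', 'W32Time'
$coreServices = 'DNS', 'Dnscache', 'Netlogon', 'NTDS', 'W32Time'

$fullNetstat = @'
  TCP    0.0.0.0:53        0.0.0.0:0         LISTENING       1404
  TCP    0.0.0.0:389       0.0.0.0:0         LISTENING       512
  TCP    [::]:389          [::]:0            LISTENING       512
  TCP    10.0.0.10:50312   10.0.0.20:389     ESTABLISHED     512
  UDP    0.0.0.0:53        *:*                               1404
'@
$coreNetstat = @'
  TCP    0.0.0.0:53        0.0.0.0:0         LISTENING       1398
  TCP    0.0.0.0:389       0.0.0.0:0         LISTENING       504
  UDP    0.0.0.0:53        *:*                               1398
'@

# Reduce netstat text to unique "PROTO/port" entries that accept inbound traffic.
function Get-ListeningPort {
    param([string]$NetstatText)
    $found = foreach ($line in ($NetstatText -split "`r?`n")) {
        # TCP rows count only in the LISTENING state; UDP rows have no state column.
        if ($line -match '^\s*(TCP)\s+\S+:(\d+)\s+\S+\s+LISTENING' -or
            $line -match '^\s*(UDP)\s+\S+:(\d+)\s+\*:\*') {
            '{0}/{1}' -f $Matches[1], $Matches[2]
        }
    }
    $found | Sort-Object -Unique
}

# Diff two name lists by membership instead of comparing their counts.
function Compare-Inventory {
    param([string[]]$Full, [string[]]$Core)
    New-Object PSObject -Property @{
        OnlyOnFull = @($Full | Where-Object { $Core -notcontains $_ })
        OnlyOnCore = @($Core | Where-Object { $Full -notcontains $_ })
        Shared     = @($Full | Where-Object { $Core -contains $_ }).Count
    }
}

$svc  = Compare-Inventory -Full $fullServices -Core $coreServices
$port = Compare-Inventory -Full (Get-ListeningPort $fullNetstat) -Core (Get-ListeningPort $coreNetstat)

'Services only on full install: ' + ($svc.OnlyOnFull -join ', ')
'Ports only on full install:    ' + ($port.OnlyOnFull -join ', ')
'Ports only on Core install:    ' + ($port.OnlyOnCore -join ', ')
'Listening ports in common:     ' + $port.Shared
```

The script avoids `[pscustomobject]` and `Get-NetTCPConnection` so it also runs on the PowerShell 2.0 that ships as an optional feature on 2008 R2 Server Core.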
  • changlinn Member Posts: 42
    Server core is about reducing the attack surface and by that the amount of components that need to be patched. If there is a bug found that allows remote code exec in say help or IE, or even windows explorer server core may be immune to it.
    Problem I heard with IIS on server core was that .Net couldn't be installed as some of .Net's dependencies were rather stupidly tied to the GUI, that was supposed to have changed with R2, but I am not sure.
    You could enable telnet for remote administration, or install an SSH server then also tunnel your rpc over the SSH to use the management tools.
    A+, C|EH, CISSP, CISM, CRISC, GSTRT, MCSA:Messaging, MCSE:Security
    "Brain does not meet certification requirements, please install more certifications" Me
    Currently Studying: Cyber Security masters and ISC2 CCSP.
    Security blog; http://security.morganstorey.com
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    changlinn wrote: »
    Server core is about reducing the attack surface and by that the amount of components that need to be patched. If there is a bug found that allows remote code exec in say help or IE, or even windows explorer server core may be immune to it.
    Problem I heard with IIS on server core was that .Net couldn't be installed as some of .Net's dependencies were rather stupidly tied to the GUI, that was supposed to have changed with R2, but I am not sure.
    You could enable telnet for remote administration, or install an SSH server then also tunnel your rpc over the SSH to use the management tools.

    R2 does fix the problems that you mention. I didn't think about RPC over SSH. Thanks for the suggestion.
  • earweed Member Posts: 5,192
    I remembered reading something about this so looked it up.
    .Net framework is an installation option on R2 ServerCore.
    "This means that the full use of powershell CMDlets can be leveraged because ASP.NET applications on IIS installations can be enabled by administrators on server core. In addition this also allows for greater support for remote management tasks. The versions of .NET framework include 2.0, 3.0, 3.51, and 4.0" (1)
    Page 379 Server 2008 R2 unleashed
    No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.
  • MentholMoose Member Posts: 1,525
    That is one of the new features of R2.
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
  • MentholMoose Member Posts: 1,525
    changlinn wrote: »
    Server core is about reducing the attack surface and by that the amount of components that need to be patched. If there is a bug found that allows remote code exec in say help or IE, or even windows explorer server core may be immune to it.
    I don't think that is very helpful in the real world. Most of the functionality removed from Core is related to desktop-type tasks which you shouldn't be using on a production server anyway. I have machines running Core and they still almost always have to be patched and rebooted monthly, just possibly with one or two less patches. In the rare event that the monthly patches are only for IE and similar desktop functionality, I wouldn't necessarily even apply those patches and incur downtime anyway (other than for terminal servers where IE and the rest is actually going to be used). Anyway I'm not saying there is no benefit, but often the benefits don't outweigh the costs.
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
  • changlinn Member Posts: 42
    Sorry to dig up an old thread, I had alerts for new messages turned off so I didn't see continued discussion. I am still testing 2008r2 server core in our environment and thought of another advantage. Less ram overhead, for us with limited RAM available in our ESX environment 2008r2 server core has a lower requirement, so that advantage may be worth the cost.
    A+, C|EH, CISSP, CISM, CRISC, GSTRT, MCSA:Messaging, MCSE:Security
    "Brain does not meet certification requirements, please install more certifications" Me
    Currently Studying: Cyber Security masters and ISC2 CCSP.
    Security blog; http://security.morganstorey.com