ServerCore FTW?
Bl8ckr0uter
Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
So i've been doing some research on the security features of server 2k8. Server core seems sofa king sweet. I am thinking of suggesting that we use server core for our IIS and DCs. Is anyone else running a setup like this?
Comments
-
rwmidl Member Posts: 807 ■■■■■■□□□□I've only been using SC in our test lab (testing security policy, etc). For forward (internet) facing webservers/application servers, etc I'd use it.CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□I've only been using SC in our test lab (testing security policy, etc). For forward (internet) facing webservers/application servers, etc I'd use it.
It seems pretty incredible. I have been reading some quick reference guides for it and it doesn't seem that bad. I personally want to go this route for our IIS server(s) as it seems more stable/secure. -
RobertKaucher Member Posts: 4,299 ■■■■■■■■■■Bl8ckr0uter wrote: »So i've been doing some research on the security features of server 2k8. Server core seems sofa king sweet. I am thinking of suggesting that we use server core for our IIS and DCs. Is anyone else running a setup like this?
I totally agreee with this, and suggested it for the virtualized systems here at work. I was over-ruled on this for a very good reasson.
The other members of the team did not want to invest the time into learning to use SC as the benifits did not seem to out weigh the fact that when the chips were down they would not have been able to work with/troubleshoot it as easily.
The usability factor really needs to be considered as every admin that works with these servers on a regular basis (not just adding accounts in AD, etc. really messes with the thing) needs to be a CLI guru. Knowing PoSh really well would not be bad either.
The last thing I wanted was something to go wrong and for my teammates to be muttering under their breath about damn Server Core and how they told me we shouldn't use it. -
rwmidl Member Posts: 807 ■■■■■■□□□□I was just thinking to myself, I wonder if you have a SC dc, if you could use the remote server administration toolkit to manage accounts, etc from your local system via MMC? I'm going to say probably not (I'm thinking outloud here) since the gui is not installed on MMC, but if you could that would be the best of both worlds...CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□RobertKaucher wrote: »I totally agreee with this, and suggested it for the virtualized systems here at work. I was over-ruled on this for a very good reasson.
The other members of the team did not want to invest the time into learning to use SC as the benifits did not seem to out weigh the fact that when the chips were down they would not have been able to work with/troubleshoot it as easily.
The usability factor really needs to be considered as every admin that works with these servers on a regular basis (not just adding accounts in AD, etc. really messes with the thing) needs to be a CLI guru. Knowing PoSh really well would not be bad either.
The last thing I wanted was something to go wrong and for my teammates to be muttering under their breath about damn Server Core and how they told me we shouldn't use it.
IMO ease of use should not over ride security when it comes to an admins perspective but I see their point. Interesting point. I'm just spitballing. One thing is for sure, I think 2008 is the way to go (vs 2003). -
gateway Member Posts: 232Bl8ckr0uter wrote: »IMO ease of use should not over ride security when it comes to an admins perspective but I see their point. Interesting point. I'm just spitballing. One thing is for sure, I think 2008 is the way to go (vs 2003).
I haven't started studying 2008 yet, but surely you could have a sc install for a dc and use the rsat mmc snap ins to manage this from a client? I can't imagine having some pre-configured PoSH templates just to add a user account? I bet more mistakes would be made that way too.Blogging my AWS studies here! http://www.itstudynotes.uk/aws-csa -
MrAgent Member Posts: 1,310 ■■■■■■■■□□So to add my .02¢
We have a couple of remote sites where we have RODC, which are core servers. While the concept is great and it provides better security, it is a PITA to patch when mandatory patches need to be applied. I work for the government, so they are pretty hardcore about keeping systems patched.
Theres a whole seperate process for patching these things that we had to come up with.
Keep that in mind if you are deciding to deploy these and if you are not good with the CLI and/or powershell. -
rwmidl Member Posts: 807 ■■■■■■□□□□So to add my .02¢
We have a couple of remote sites where we have RODC, which are core servers. While the concept is great and it provides better security, it is a PITA to patch when mandatory patches need to be applied. I work for the government, so they are pretty hardcore about keeping systems patched.
Theres a whole seperate process for patching these things that we had to come up with.
Keep that in mind if you are deciding to deploy these and if you are not good with the CLI and/or powershell.
+1 on the PITA for keeping it patched. We use WSUS internally in the lab and the way we have our policy set up, it doesn't automatically install the patches, so you have to massage the SC installation to get them installed. Same goes for AV (from at least what I've seen).CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□So the other admin and I talked it over, I was able to convince him that 2k8 is the way to go. Now I just need to sell the server core stuff. I will need to do some testing (mcafee, backupexec, IIS monitoring tools, packtrap) to see how it works and like rwmidl said, if we can monitor it remotely with some MMC based stuff. We will see....
-
marcels Member Posts: 57 ■■□□□□□□□□I'm using Server Core in production, for file and print, and as Hyper-V servers. Using McAfee 8.7i.
No hassles at all yet, just a learning curve for some of my team. -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□I'm using Server Core in production, for file and print, and as Hyper-V servers. Using McAfee 8.7i.
No hassles at all yet, just a learning curve for some of my team.
I haven't even touched it yet. Let me ask you a stupid question. Does it even load gui based apps in their guis or do you have to use the cli commands for everything?
Example:
If you are using Mcafee (and I pray you are using epo) you know that you can run the mcagent.exe/ (commands) to do various things (check policies, send props, etc). Well you can also run the mcagent to make it show the gui front in and it allows you to do the same things as the switches for the mcagent.exe. On server core, would the gui portion even show up? Since I didn't get a chance to play with it (and neither I nor the other admin has worked with it) that is something the other guy is concerned about. -
rwmidl Member Posts: 807 ■■■■■■□□□□I can kind of answer that. We use Symantec AV in our lab (non-managed). I can open up the gui via cli (ex: I just go to the path it's installed in and run whatever.exe) and the gui will pop right up.
SC doesn't load the gui Windows portion. Anything else the gui is still there, you just have to launch it from where it's installed.CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□I can kind of answer that. We use Symantec AV in our lab (non-managed). I can open up the gui via cli (ex: I just go to the path it's installed in and run whatever.exe) and the gui will pop right up.
SC doesn't load the gui Windows portion. Anything else the gui is still there, you just have to launch it from where it's installed.
That's exactly what I thought but I haven't tested it. Yes, yes, yes! Does it browse the internet with ie with a gui or does it use something like links (text based browser)? Sorry if I sound like a noob, I am just trying to build the case to build the case to ask my manager to at least allow me to explore this but what I don't want to do is make an administrative nightmare for myself. Since the other guy (surprising) asked me if I want to take the lead on this, I pretty much need to make this work like a champ lol. -
rwmidl Member Posts: 807 ■■■■■■□□□□No IE is not installed..I think. Yeah I'm pretty sure IE isn't installed, as having IE would increase the attack surface. I bet you could install IE (or FF), but again, the purpose of SC is to streamline the server and limit your attack surface.CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
-
marcels Member Posts: 57 ■■□□□□□□□□I am able to open the console (mcconsole.exe) and use the GUI if that helps. You can get various GUIs like the iSCSI initiator on Server Core so its not all command based work.
The server roles and features such as DNS, DHCP, Print Management etc can be accessed by remote connecting from a full install using MMC.
Yes, I'm using EPO 4.5 -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□I am able to open the console (mcconsole.exe) and use the GUI if that helps. You can get various GUIs like the iSCSI initiator on Server Core so its not all command based work.
The server roles and features such as DNS, DHCP, Print Management etc can be accessed by remote connecting from and a full install using MMC.
Yes, I'm using EPO 4.5
You guys don't know how happy you made me. Rep all around!!!!
So basically (besides the whole, oh no I can't point and click) there isn't really much loss. But there will be a decent amount of gain. I was reading somewhere where there is like 60-70% less patches with server core. That alone almost makes it worth it to me.No IE is not installed..I think. Yeah I'm pretty sure IE isn't installed, as having IE would increase the attack surface. I bet you could install IE (or FF), but again, the purpose of SC is to streamline the server and limit your attack surface.
How does it get patches if you can't get to windows updates? WSUS only? Also what about flash drives and stuff. Do you have to mount them every time (no plug and play)? That wouldn't be a real issue since I would very rarely use a flash drive on a web server.
Sounds like I am going to have to really get in this thing and go at it to get some of these answers. -
rwmidl Member Posts: 807 ■■■■■■□□□□Marcels - thanks for confirming you can access via MMC (I was going to check today but had other things come up).
Ideally - I'd set the SC installation up, get it configured then managed it via MMC remotely.CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□Ideally - I'd set the SC installation up, get it configured then managed it via MMC remotely.
That seems very smart. I think I would still need to build some scripts to do some quick things (IIS stuff mostly) but if I can do 90 percent of the administration of the box remotely then the other guy will be happy and it would make it much easier to sell to my boss. -
RobertKaucher Member Posts: 4,299 ■■■■■■■■■■Bl8ckr0uter wrote: »That seems very smart. I think I would still need to build some scripts to do some quick things (IIS stuff mostly) but if I can do 90 percent of the administration of the box remotely then the other guy will be happy and it would make it much easier to sell to my boss.
Just mak sure you can fix it when it's broke. When something goes wrong, you still gotta' hit your SLA. -
undomiel Member Posts: 2,818I've mentioned it in another thread but I'll back up Robert here too. Managing core isn't the problem it is fixing it when it is broken, and swiftly, that is the real challenge.Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
-
MentholMoose Member Posts: 1,525 ■■■■■■■■□□My lab contains a RODC on 2008 Enterprise Core, and a DC on 2008 Enterprise, so I did some comparisons. The RODC has 50 services started and 31 stopped, whereas the DC has 62 started and 59 stopped. The listening ports were identical (20 ports) on both. These machines aren't freshly installed, but they are relatively clean; the RODC doesn't have additional roles besides AD and DNS, while the DC also has WDS on it (apparently WDS is not running). They both have VMware Tools.
So, are the security benefits that great? About 10 fewer services running apparently by default is somewhat helpful security-wise, but not that amazing, and I probably could find a few to disable. The total available services is less, which is good, but how good is it really? It's also interesting that they have the same number of ports open.MentholMoose
MCSA 2003, LFCS, LFCE (expired), VCP6-DCV -
changlinn Member Posts: 42 ■■■□□□□□□□Server core is about reducing the attack surface and by that the amount of components that need to be patched. If there is a bug found that allows remote code exec in say help or IE, or even windows explorer server core maybe immune to it.
Problem I heard with IIS on server core was that .Net couldn't be installed as some of .Net's dependencies were rather stupidly tied to the GUI, that was supposed to have changed with R2, but I am not sure.
You could enable telnet for remote administration, or install an SSH server then also tunnel your rpc over the SSH to use the management tools.A+, C|EH, CISSP, CISM, CRISC, GSTRT, MCSA:Messaging, MCSE:Security
"Brain does not meet certification requirements, please install more certifications" Me
Currently Studying: Cyber Security masters and ISC2 CCSP.
Security blog; http://security.morganstorey.com -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□Server core is about reducing the attack surface and by that the amount of components that need to be patched. If there is a bug found that allows remote code exec in say help or IE, or even windows explorer server core maybe immune to it.
Problem I heard with IIS on server core was that .Net couldn't be installed as some of .Net's dependencies were rather stupidly tied to the GUI, that was supposed to have changed with R2, but I am not sure.
You could enable telnet for remote administration, or install an SSH server then also tunnel your rpc over the SSH to use the management tools.
R2 does fix the problems that you mention. I didn't think about RPC over SSH. Thanks for the suggestion. -
earweed Member Posts: 5,192 ■■■■■■■■■□I remembered reading something about this so looked it up.
.Net framework is an installation option on R2 ServerCore.
"This means that the full use of powershell CMDlets can be leveraged because ASP.NET applications on IIS installations can be enabled by administrators on server core. In addition this also allows for greater support for remote management tasks. The versions of .NET framework include 2.0, 3.0, 3.51, and 4.0" (1)
Page 379 Server 2008 R2 unleashedNo longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives. -
MentholMoose Member Posts: 1,525 ■■■■■■■■□□That is one of the new features of R2.MentholMoose
MCSA 2003, LFCS, LFCE (expired), VCP6-DCV -
MentholMoose Member Posts: 1,525 ■■■■■■■■□□Server core is about reducing the attack surface and by that the amount of components that need to be patched. If there is a bug found that allows remote code exec in say help or IE, or even windows explorer server core maybe immune to it.MentholMoose
MCSA 2003, LFCS, LFCE (expired), VCP6-DCV -
changlinn Member Posts: 42 ■■■□□□□□□□Sorry to dig up an old thread, I had alerts for new messages turned off so I didn't see continued discussion. I am still testing 2008r2 server core in our environment and thought of another advantage. Less ram overhead, for us with limited RAM available in our ESX environment 2008r2 server core has a lower requirement, so that advantage may be worth the cost.A+, C|EH, CISSP, CISM, CRISC, GSTRT, MCSA:Messaging, MCSE:Security
"Brain does not meet certification requirements, please install more certifications" Me
Currently Studying: Cyber Security masters and ISC2 CCSP.
Security blog; http://security.morganstorey.com