rwmidl wrote: » I've only been using SC in our test lab (testing security policy, etc). For forward (internet) facing webservers/application servers, etc I'd use it.
Bl8ckr0uter wrote: » So I've been doing some research on the security features of server 2k8. Server core seems sofa king sweet. I am thinking of suggesting that we use server core for our IIS and DCs. Is anyone else running a setup like this?
RobertKaucher wrote: » I totally agree with this, and suggested it for the virtualized systems here at work. I was overruled on this for a very good reason. The other members of the team did not want to invest the time into learning to use SC as the benefits did not seem to outweigh the fact that when the chips were down they would not have been able to work with/troubleshoot it as easily. The usability factor really needs to be considered as every admin that works with these servers on a regular basis (not just adding accounts in AD, etc. really messes with the thing) needs to be a CLI guru. Knowing PoSh really well would not be bad either. The last thing I wanted was something to go wrong and for my teammates to be muttering under their breath about damn Server Core and how they told me we shouldn't use it.
Bl8ckr0uter wrote: » IMO ease of use should not override security when it comes to an admin's perspective but I see their point. Interesting point. I'm just spitballing. One thing is for sure, I think 2008 is the way to go (vs 2003).
MrAgent wrote: » So to add my .02¢ We have a couple of remote sites where we have RODC, which are core servers. While the concept is great and it provides better security, it is a PITA to patch when mandatory patches need to be applied. I work for the government, so they are pretty hardcore about keeping systems patched. There's a whole separate process for patching these things that we had to come up with. Keep that in mind if you are deciding to deploy these and if you are not good with the CLI and/or PowerShell.
marcels wrote: » I'm using Server Core in production, for file and print, and as Hyper-V servers. Using McAfee 8.7i. No hassles at all yet, just a learning curve for some of my team.
rwmidl wrote: » I can kind of answer that. We use Symantec AV in our lab (non-managed). I can open up the gui via cli (ex: I just go to the path it's installed in and run whatever.exe) and the gui will pop right up. SC doesn't load the gui Windows portion. Anything else the gui is still there, you just have to launch it from where it's installed.
marcels wrote: » I am able to open the console (mcconsole.exe) and use the GUI if that helps. You can get various GUIs like the iSCSI initiator on Server Core so it's not all command based work. The server roles and features such as DNS, DHCP, Print Management etc can be accessed by remote connecting from a full install using MMC. Yes, I'm using EPO 4.5
rwmidl wrote: » No, IE is not installed... I think. Yeah I'm pretty sure IE isn't installed, as having IE would increase the attack surface. I bet you could install IE (or FF), but again, the purpose of SC is to streamline the server and limit your attack surface.
rwmidl wrote: » Ideally - I'd set the SC installation up, get it configured then manage it via MMC remotely.
Bl8ckr0uter wrote: » That seems very smart. I think I would still need to build some scripts to do some quick things (IIS stuff mostly) but if I can do 90 percent of the administration of the box remotely then the other guy will be happy and it would make it much easier to sell to my boss.
changlinn wrote: » Server core is about reducing the attack surface and by that the amount of components that need to be patched. If there is a bug found that allows remote code exec in say help or IE, or even Windows Explorer, server core may be immune to it. Problem I heard with IIS on server core was that .Net couldn't be installed as some of .Net's dependencies were rather stupidly tied to the GUI, that was supposed to have changed with R2, but I am not sure. You could enable telnet for remote administration, or install an SSH server then also tunnel your RPC over the SSH to use the management tools.