This past weekend I dug into an aspect of Windows Server codename “Longhorn” to personally check out something that I’ve been excited about for a while – a “server core” installation.
Doing the Installation
After burning myself a Beta 3 disk, I fired it up and after a few basic screens (US English keyboard, etc.), I got this screen:
I selected the CORE installation and proceeded. Chose “new installation” and a disk partition for the install and zoom:
This installation went by very quickly, rebooted once and was ready to go. I then had to log in as Administrator, set up a password, enable the firewall and do some other basic stuff.
Anyway, then I did a recursive dir starting at the root to see what footprint the server core had in relation to a normal Windows Server.
Look at that, only 1.775GB installed on the entire disk. To contrast that, I installed a default build of the regular Longhorn server on a 14.6GB partition and it only had 3.79GB remaining free space. Doing the math, I get:
- Longhorn Server Core footprint: 1.78 GB
- Longhorn Server default footprint: 10.81 GB
So, the Server Core installation is only 16% of a default Windows Server installation.
Why This is Cool for Security
Can you say “reduced attack surface area”? The disk space measurement is really just a proxy for the amount of code installed that the IT manager has to worry about in terms of managing security risk. I’m not claiming this was a Microsoft innovation, but it is chock full of security goodness.
Much of what normal users think of as “part of” Windows is not present in a Server Core deployment. All of these are absent:
- The Windows Graphical User Interface … gone
  - (a minimal set of graphics capability is present)
- Internet Explorer … gone
- File Explorer … gone
- Media Player … gone
- Internet Information Server … gone
- much, much more … gone
In fact, this link describes the roles that are available in Server Core:
- Active Directory Domain Services
- Active Directory Lightweight Directory Services (AD LDS)
- Dynamic Host Configuration Protocol (DHCP) Server
- Streaming Media Services
Additionally, there are some other optional features (e.g. Subsystem for Unix Applications, Failover) available.
My next step is to go back through Windows Server 2003 vulnerabilities over the past few years and see how many would not have been applicable for a theoretical “Server Core” build of WS2003. This should give me a ballpark for how much Longhorn server security could benefit going forward.
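An added example, not part of the original post: one way to run the applicability count described above, filtering bulletins by whether every affected component is on the post's "gone" list. The component labels, record layout and sample bulletins are assumptions constructed for illustration, not real bulletin data.

```python
from collections import Counter

# Components the post lists as absent from Server Core. The labels are
# this example's own naming, not Microsoft's component taxonomy.
ABSENT_IN_CORE = {"gui-shell", "internet-explorer", "file-explorer",
                  "media-player", "iis"}

# Constructed sample records (placeholder IDs, not real bulletins).
# "components" lists every component through which the flaw is reachable.
BULLETINS = [
    {"id": "EXAMPLE-001", "severity": "critical", "components": ["internet-explorer"]},
    {"id": "EXAMPLE-002", "severity": "critical", "components": ["rpc"]},
    {"id": "EXAMPLE-003", "severity": "important", "components": ["media-player"]},
    # The post notes a minimal graphics capability remains, so a flaw in the
    # graphics subsystem still applies even though the GUI shell is gone.
    {"id": "EXAMPLE-004", "severity": "critical",
     "components": ["gui-shell", "graphics-subsystem"]},
    {"id": "EXAMPLE-005", "severity": "moderate", "components": ["iis"]},
    {"id": "EXAMPLE-006", "severity": "important", "components": ["dhcp-server"]},
    {"id": "EXAMPLE-007", "severity": "important", "components": []},  # unclassified
]

def applies_to_core(bulletin, absent=ABSENT_IN_CORE):
    """A bulletin is ruled out only if every affected component is absent.
    Unclassified bulletins (no components) are conservatively kept."""
    comps = bulletin["components"]
    return not comps or any(c not in absent for c in comps)

def summarize(bulletins, absent=ABSENT_IN_CORE):
    """Return (avoided ids, per-severity avoided counts, fraction avoided)."""
    avoided = [b for b in bulletins if not applies_to_core(b, absent)]
    by_sev = Counter(b["severity"] for b in avoided)
    fraction = len(avoided) / len(bulletins) if bulletins else 0.0
    return [b["id"] for b in avoided], dict(by_sev), fraction

if __name__ == "__main__":
    ids, by_sev, frac = summarize(BULLETINS)
    print(f"not applicable to Server Core: {ids}")
    print(f"by severity: {by_sev}")
    print(f"share of bulletins avoided: {frac:.0%}")
```

Counting a bulletin as avoided only when all of its affected components are absent keeps the estimate conservative, which matters for multi-component flaws and for anything that cannot be classified.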