S 4.416 Use of Windows Server Core

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator, Head of IT

Under Windows Server 2008 and higher, the operating system can be installed as "Server Core". The Server Core is a minimal system that is mainly without a graphic interface. Configurations on the system itself are only possible by means of the command line or under Windows Server 2008 R2 with PowerShell provided that this feature is installed.

The benefits of a Server Core are as follows:

• The points of attack of the system are reduced significantly (less software means less relevant weaknesses).
• Less patches must be installed. This results in lower downtimes caused by the software maintenance.

In certain cases, for example when used as Hyper-V, the lower resource utilisation is also an advantage.

A Server Core installation should be taken into consideration for all server services when well-defined and central infrastructure services are installed or when higher protection requirements are foreseeable.

Since the direct migration between a full installation and Server Core is not possible, it must already be clarified during the planning phase if Server Core is to be used and if certain features are required. Special attention should also be paid to the type of administration.

The administrators of a Server Core must be adequately trained to administer the server using the available tools on the command line.

In most cases, the missing interactive local administrative options are compensated for by the generic remote administration options (Server Manager, MMC) or application-specific remote management options. The applicability of existing administrative tools should be tested in advance.

On a Server Core, not all roles or features can be installed; only specific roles are supported. The largest restriction in practice is the lack of support of .NET (no "Managed Code") in the default installation.

For the supported server roles, the main focus is therefore placed on "simple" services such as

• Active Directory Certificate Services
• Active Directory domain services
• Active Directory Lightweight Directory Services (AD-LDS)
• DHCP server, DNS server
• File services, print services
• Hyper-V
• Streaming media services and
• Web server.

As not each software can be used on the Server Core, it is essential to adequately test the software to be used on this configuration.

Review questions:

• Was it tested for the operation of infrastructure services or for servers with higher protection requirements whether the server can be operated as Server Core?
• Was the administration personnel trained adequately for the command line-based administration?
• Have all software components required on the Windows Server Core been tested adequately in this environment?