The attack surface of a server operating system is drastically reduced when the server is not running a GUI. Adding a GUI to a server adds exponentially more code that can be exploited by an attacker, and the GUI components also add to what has to be patched.
In Windows Server 2008, Microsoft introduced a new installation type for Windows Server: Server Core. Server Core helps to eliminate many of the security vulnerabilities that are found in the full Windows Server operating system with the Desktop Experience (GUI) installed. However, Server Core has not seen widespread adoption because it has been cumbersome to manage. A couple of features in Windows Server 2019 allow organizations to use the Windows Server Core operating system much more effectively and efficiently.
Let’s take a look at how to effectively use Server Core with Windows FoD and Windows Admin Center in Windows Server 2019.
What is Server Core?
Windows Server Core was introduced with Windows Server 2008 and provides a “GUI-less” version of Microsoft Windows Server that allows having a very minimal version of Windows to run applications. One of the huge benefits that Linux server admins have touted for decades was the much more secure stance of Linux with the GUI-less operating system that required minimal patching and servicing.
With Server Core, Microsoft entered into the headless operating system landscape. The Server Core operating system is meant to be managed and administered from another Windows Server operating system or from a Windows workstation operating system. Without the GUI, or desktop experience as is noted in the installation, the attack surface of Server Core is much smaller. Additionally, the patching and servicing of the Server Core instance are much more minimal when compared to the Desktop Experience enabled server.
However, Server Core has not had the stellar adoption in enterprise datacenters that one would expect, especially considering that security is a driving factor in today’s environments. A large number of Windows Server installations still run with the Desktop Experience, the GUI as we know it. Many administrators have cited the difficulty of management and the lack of a consolidated set of tools for effectively managing Server Core as among the main reasons for the slow adoption.
Windows Server Core does include a very minimalistic utility out of the box called sconfig.exe that allows performing some of the most basic administrative configuration and management tasks from the Server Core installation itself.
However, with Windows Server 2019, there are a couple of developments that should help to drive the adoption of Server Core as a very valid installation of Windows Server in the enterprise datacenter. With Windows Server 2019, the Windows Admin Center is tailored for the new server operating system.
In fact, many of the platform features in Windows Server 2019 can only be configured in a GUI via the Windows Admin Center. Additionally, the Server Core App Compatibility Feature on Demand or FoD installation allows organizations to increase the compatibility of Server Core when installing applications from a Windows Server platform perspective.
How does it accomplish this?
Let’s take a look at both the Windows Admin Center and Compatibility Feature on Demand to see how each helps to make Server Core a much more viable solution for the enterprise.
Windows Admin Center
Windows Admin Center is at the heart of managing and interacting with Windows Server 2019. In fact, with the new GA release of Windows Server 2019, when you launch Server Manager, you are prompted to download and use the Windows Admin Center instead. The writing is on the wall, so to speak, as to where Microsoft is heading with Windows Admin Center. They want it to be the one-size-fits-all management platform for managing your servers, Hyper-V clusters, Failover Clusters, and hyper-converged infrastructure.
Windows Admin Center makes Server Core a much more viable option in that it contains most if not all the tools that administrators will want to use in managing a Server Core installation. One of the complaints over the years with Server Core is the massive number of tools that had to be used to perform all the needed management tasks. This led to management utility sprawl and frustration on the part of administrators attempting to interact with and perform basic management activities with Server Core.
Windows Admin Center provides a monolithic, clean, streamlined interface that gives a single-pane-of-glass view of your servers. The great thing about Windows Admin Center is that it interacts with the servers it is managing through WinRM and PowerShell, so it requires no management agents on the target Windows Servers. It can manage Windows Servers regardless of the site they reside in, which allows administrators to manage multiple sites from the same interface. The interface is browser based as well. When installed in Gateway mode on a host Windows Server, it allows remotely connecting to Windows Admin Center for remote management via the gateway.
Having all of the management tools in one interface makes Server Core a much more viable platform for enterprise environments. Managing such things as files, firewall, installed apps, local users & groups, network, processes, registry, and even connecting via remote desktop can be accomplished on your Server Core from the Windows Admin Center.
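Because Windows Admin Center is agentless, a target can be managed only if WinRM answers on it. The following added example (not part of the original article) uses the same transport to check WinRM reachability and report which servers run Server Core versus the Desktop Experience; the host names are constructed placeholders, and it assumes the account running it may remote into the targets.

```powershell
# Added example: inventory installation type over WinRM.
# Host names below are constructed placeholders; replace with your own servers.
$servers = 'core01.example.test', 'app02.example.test', 'file03.example.test'

$report = foreach ($server in $servers) {
    $row = [ordered]@{
        Server           = $server
        WinRM            = $false
        InstallationType = $null
        Error            = $null
    }
    try {
        # Test-WSMan confirms the WinRM service answers before we try to remote in.
        Test-WSMan -ComputerName $server -ErrorAction Stop | Out-Null
        $row.WinRM = $true

        # InstallationType is 'Server Core' on Server Core and
        # 'Server' on a Desktop Experience installation.
        $row.InstallationType = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
        }
    }
    catch {
        # Unreachable or access-denied hosts stay in the report with the reason.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

# Servers still carrying the GUI sort together, which makes candidates
# for a Server Core rebuild easy to spot.
$report | Sort-Object InstallationType, Server | Format-Table -AutoSize
```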
Compatibility Features on Demand
Another challenge for environments attempting to utilize the Server Core platform has been compatibility with applications. Many legacy or traditional applications require DLLs or other packages that are found in the Desktop Experience version of Windows. The applications may not even truly require these prerequisites but often check for them during installation. This previous lack of compatibility when attempting to install on Windows Server Core has presented a major roadblock to adopting the platform for production workloads.
Many organizations may be running custom applications that have been written with legacy requirements including desktop components. A complete rewrite of the custom application may not be possible.
How can organizations get past the challenge of compatibility with running Server Core and requiring many of the desktop packages and components?
Microsoft has introduced something called the Server Core App Compatibility Feature on Demand or FoD.
By installing FoD, you can significantly improve the app compatibility of Windows Server Core. The FoD installation installs a subset of binaries and packages from Windows Server with Desktop, without adding the Desktop Experience graphical environment. The FoD package is installed using a separate ISO that allows adding the components via the command line.
Another use case of installing the FoD is to have tools locally for troubleshooting purposes directly on the Server Core installation. Such tools as Event Viewer, MMC console, and ResMon to name a few are not available in the default installation of Server Core. However, after adding the FoD installation, you will be able to access these utilities.
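The command-line installation described above can be scripted as follows. This is an added example, not code from the original article: the ISO path is an assumed location, and the capability name is the one Microsoft documents for the Server Core App Compatibility FoD.

```powershell
# Added example: install the Server Core App Compatibility FoD from its ISO.
param(
    # Assumed path; point this at the FoD ISO you downloaded.
    [string]$FodIso = 'C:\Install\FoD.iso'
)

$capability = 'ServerCore.AppCompatibility~~~~0.0.1.0'

# The FoD only applies to Server Core; stop early on any other installation type.
$type = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
if ($type -ne 'Server Core') {
    throw "InstallationType is '$type'; the App Compatibility FoD applies to Server Core only."
}

# Skip the work if the capability is already present.
$state = (Get-WindowsCapability -Online -Name $capability).State
if ($state -eq 'Installed') {
    Write-Output "$capability is already installed."
    return
}

$image = Mount-DiskImage -ImagePath $FodIso -PassThru
try {
    $drive = ($image | Get-Volume).DriveLetter

    # -LimitAccess keeps servicing from contacting Windows Update, so the
    # binaries come only from the mounted ISO.
    $result = Add-WindowsCapability -Online -Name $capability -Source "${drive}:\" -LimitAccess

    if ($result.RestartNeeded) {
        Write-Output 'Installed. Restart the server to finish adding the FoD components.'
    }
}
finally {
    # Always release the ISO, even if the install failed.
    Dismount-DiskImage -ImagePath $FodIso | Out-Null
}
```

Each optional component added this way is also code that has to be patched, so install the FoD only on servers whose applications or troubleshooting needs require it.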
Windows Server Core provides a powerful platform to improve an organization’s overall security footprint and minimize the amount of servicing and patching that needs to be done on production servers.
With Windows Server 2019, the Windows Admin Center has taken the management of Windows Servers, including Server Core, to the next level. By giving administrators all the tools they need in one place, it eases configuring, managing, and troubleshooting Server Core installations, so the platform can be used much more easily in production environments.
Compatibility Features on Demand allows adding components and packages that may be required for legacy apps or to have access to tools locally on the Server Core installation. Many applications require packages that may be installed by the Desktop Experience but not with Server Core. Installing FoD allows adding the components without actually adding the Desktop Experience. With Windows Admin Center and Compatibility Features on Demand, Server Core will no doubt become a much more valid option for deploying production workloads in the enterprise.