At Its Core
Agencies that want to increase the stability and security of their systems and extend the useful life of older hardware should take a good, hard look at Server Core, an installation option of Microsoft Windows Server 2008.
In the past, if you chose to do a full installation of Windows, you got the binary code for all of the server operating system’s features, even if you didn’t want or need it all. For example, if you installed Server 2003, the binaries for Routing and Remote Access Services were installed even if you had no plans to use RRAS. More binaries create more attack surface (thus, a less secure system) and lead to more patch management (therefore, more maintenance).
Server 2008, however, offers two installation options: Full or Server Core. Server Core is basically a stripped-down version that runs only limited functions, such as Active Directory, Domain Name System, Dynamic Host Configuration Protocol, File/Print, Hyper-V, Internet Information Services and a few others. Because Server Core supports only a subset of features available from the full installation, Microsoft has removed anything not needed, including many OS components and services, the Windows Explorer desktop shell, Microsoft Management Console and most GUI tools.
This paring-down of Windows binaries offers some definite benefits. For one, an OS with fewer binaries requires fewer patches. Server Core also has only about 40 services running by default, compared with about 50 services for a full installation; this smaller service footprint translates into fewer possible vectors for malicious attack.
The area within the dashes indicates the Server 2008 features installed with the Server Core option, compared with the architecture of the full installation:
Smaller Byte
Server Core also has a much smaller disk footprint, requiring only 1.6 gigabytes, compared with 7.6GB for a full installation; and the default memory footprint is only 180 megabytes, compared with about 310MB. You might be able to run Server Core on older hardware, with disk space and RAM that would not support a full installation, thereby extending the life of your gear.
One of the most common uses for Server Core is for infrastructure servers, such as domain controllers, DNS servers and DHCP servers. Andrew Mason, principal program manager lead for Windows Server Core at Microsoft, says he’s seen a wide range of Server Core deployments, “with the most common roles being Hyper-V and servers with both Active Directory and DNS installed.”
By supporting Hyper-V, Server Core provides an ideal platform for consolidating multiple servers onto a single server through virtualization, while keeping virtual machines securely isolated from one another. Branch offices that might have less physical security and few (or no) IT staff to maintain servers are also good candidates for Server Core.
When you first log on to Server Core, it’s a bit shocking.
All you get is a command prompt — no desktop, taskbar or Start menu:
Managing a Server Core installation locally can be a bit challenging for administrators who aren’t comfortable working from the command line.
Apart from Notepad, Registry Editor and a couple of Control Panel utilities (all of which must be launched from the command prompt), there are few other GUI tools available. When you’re logged on locally to a Server Core box, you’re limited to using Windows command-line tools, batch scripts and scripts written in VBScript that use Windows Management Instrumentation (WMI) to manage your Server Core installation.
From Afar
Fortunately, remote management is a lot easier because you can use the same MMC consoles you would use to administer a full installation of Server 2008, either by enabling the Remote Server Administration Tools feature on a full installation or by installing RSAT on Windows Vista with Service Pack 1. Other options for remotely managing a Server Core installation include using Terminal Services to access the remote desktop, using Windows Remote Management (WinRM) to execute remote commands or using Group Policy to apply policy settings to a Server Core installation.
You can manage Server Core remotely almost identically to the way you manage a full installation — that’s almost identically. The full installation supports the .NET Framework, which brings the full power of Windows PowerShell to manage full installations either locally or remotely. But you can’t install the .NET Framework on Server Core, so not only are you restricted from running managed code (which makes Server Core unsuitable as an application-hosting platform), you also can’t install PowerShell or run most PowerShell commands remotely against a Server Core installation. About the only PowerShell command you can use to remotely manage a Server Core installation is the Get-WMIObject command, which lets you manage it using WMI the same way you might using VBScript.
Fortunately, this is going to change with the next version of the platform (Windows Server 2008 Release 2, which is available in beta as a free download). “Perhaps the most significant enhancement to Server Core in Windows Server 2008 R2 will be the addition of a subset of the .NET Framework, which will allow PowerShell to run locally on Server Core and will also add support for ASP.NET to IIS running on Server Core,” says Mason.
Not only will you be able to manage many more aspects of Server Core using PowerShell, you will also be able to use Server Core as a web application server for running ASP.NET apps.
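The WMI route described above for Server 2008 Server Core is enough to audit a server's service footprint from a management workstation. The following Windows PowerShell script is an added example, not code from the article or from Microsoft: it compares the running services reported by the standard Win32_Service class against an approved list. The host name CORE-DC01, the baseline list and the sample rows are constructed assumptions.

```powershell
# Added example. Host name, baseline and sample rows are constructed placeholders.

function Get-RunningService {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # Win32_Service is a standard WMI class; the filter is evaluated on the remote host.
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "State='Running'" |
        Select-Object Name, StartMode, StartName, PathName
}

function Compare-ServiceBaseline {
    param([object[]]$Running, [string[]]$Baseline)
    $names = @($Running | ForEach-Object { $_.Name })
    New-Object PSObject -Property @{
        RunningCount = $names.Count
        # Running but not approved: extra attack surface to investigate or disable.
        Unexpected   = @($Running | Where-Object { $Baseline -notcontains $_.Name })
        # Approved but not running: a role service that may have failed.
        Missing      = @($Baseline | Where-Object { $names -notcontains $_ })
    }
}

# Constructed baseline for a Server Core domain controller that also runs DNS.
$baseline = 'DNS', 'Dnscache', 'EventLog', 'LanmanServer', 'Netlogon', 'NTDS', 'W32Time', 'Winmgmt'

# Constructed sample rows so the comparison runs without a live host.
$sample = @(
    'DNS', 'Dnscache', 'EventLog', 'LanmanServer', 'Netlogon', 'NTDS', 'Winmgmt', 'Spooler'
) | ForEach-Object {
    New-Object PSObject -Property @{ Name = $_; StartMode = 'Auto'; StartName = 'LocalSystem'; PathName = '' }
}

$report = Compare-ServiceBaseline -Running $sample -Baseline $baseline
"Running services : {0}" -f $report.RunningCount
"Unexpected       : {0}" -f (($report.Unexpected | ForEach-Object { $_.Name }) -join ', ')
"Missing          : {0}" -f ($report.Missing -join ', ')

# Against a real server (requires WMI/DCOM access and admin rights on the target):
#   $report = Compare-ServiceBaseline -Running (Get-RunningService 'CORE-DC01') -Baseline $baseline
```

Running the same comparison on a schedule turns the smaller service footprint into something you can verify: any name that appears under Unexpected is a change to the server's attack surface worth explaining.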
For the latest news on what’s coming in Server Core R2, see Andrew Mason’s Server Core blog on Microsoft TechNet.