sbumpas asked:
To Server Core or not to Server Core?
Does anybody have experience with the 2008R2 Server Core implementation? These will be hosted in an ESX environment, and we have only about 5 VMs (file server, print server, DC/DNS/DHCP, WSUS) out of maybe 20 that fit the bill, and I question whether it's worth all the extra effort.
My primary concern is, in order to use the RSAT, you have to open so many ports on the firewall that it seems as if you're exposing the server more than you would on a normal install, thus negating the "reduced attack surface"?
Also, anybody know if you can install RDS licensing on a server core setup? I can't find that info anywhere.
Anybody out there with real world experience on the benefits/negatives of Server Core? I'm not afraid of the CLI, but only if it pays off in the long run.
ASKER
Doesn't increased exposure to services that DO exist put the box at risk more so than only managing the box via RDP or console access? That's my primary concern.
Just as a note, AD Communications through firewalls should be done through IPSec tunneling, not by opening loads of ports to allow RPC communication and the like.
That said, the Server Manager portion of RSAT is the only thing used to manage a Server Core installation. A very detailed explanation is here: http://technet.microsoft.com/en-us/library/dd759202.aspx
Server Manager utilizes PowerShell and WinRM, which operate through a single port (Port 80 by default; this can be changed). It can also be configured to communicate with only a specific computer.
Short answer, there isn't a need to open lots of ports to manage a server core install, so that doesn't detract from the smaller attack vector.
ASKER
IPSec tunneling even for general AD authentication and the like? I've never heard that before. Could you direct me toward documentation on that as well?
Full IPSec requires CA and PKI architecture to work. It's been bumped up in Windows 2008 a bit, but the full shebang is here: http://technet.microsoft.com/en-us/network/bb531150.aspx (Side note: The Army's Active Directory is fully protected by IPSec links)
If you aren't willing to get that intense with IPSec, there are also registry keys that will pinch down the virtual ports available for RPC so you don't have to open 30,000 ports in your firewall :D I used to have an ADM template for that but it went the way of formatted computers.
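An added example of the "pinch down the RPC ports" idea from the reply above, written for this thread rather than taken from the poster's ADM template or from Microsoft: it reads and, if asked, sets the RPC port-restriction registry values documented in Microsoft KB 154596, and scopes the WinRM listener plus its firewall rule to one management station. The port range 50000-50099, the address 192.168.1.10 and the WinRM port parameter are placeholders; confirm the actual WinRM port on the box with `winrm enumerate winrm/config/listener`.

```powershell
# Added example (not from the thread): narrow the ports RPC and WinRM use so the
# host firewall can allow a small known range instead of the whole dynamic range.
# Run in an elevated PowerShell on the server; the RPC change needs a reboot.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'   # values documented in KB 154596

function Get-RpcPortConfig {
    # Returns the current restriction, or $null when RPC may use any dynamic port.
    if (-not (Test-Path $rpcKey)) { return $null }
    Get-ItemProperty -Path $rpcKey |
        Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

function Set-RpcPortRange {
    # Placeholder range; choose one that fits your environment and allow it on the
    # firewall together with TCP 135 (the RPC endpoint mapper), or clients cannot
    # discover the service ports at all.
    param([int]$Start = 50000, [int]$Count = 100)
    $end = $Start + $Count - 1
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
    # Ports is REG_MULTI_SZ; a single "start-end" entry confines RPC servers to that span.
    New-ItemProperty -Path $rpcKey -Name Ports -PropertyType MultiString `
        -Value @("$Start-$end") -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name PortsInternetAvailable -PropertyType String `
        -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name UseInternetPorts -PropertyType String `
        -Value 'Y' -Force | Out-Null
}

function Set-WinRmScope {
    # Bind the WinRM listener to one local address (IPv4Filter is a local-address
    # filter, not a client filter) and let only the admin workstation reach it.
    param(
        [string]$ListenAddress = '192.168.1.5',      # placeholder: server's management IP
        [string]$ManagementStationIp = '192.168.1.10', # placeholder: admin workstation
        [int]$Port = 80                               # default quoted in the thread
    )
    Set-Item -Path WSMan:\localhost\Service\IPv4Filter -Value $ListenAddress
    netsh advfirewall firewall add rule name="WinRM from admin station" dir=in `
        action=allow protocol=TCP localport=$Port remoteip=$ManagementStationIp
}

# Audit first; apply the changes only after reviewing the output.
$before = Get-RpcPortConfig
if ($null -eq $before) { 'RPC: no port restriction configured' } else { $before }
```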
ASKER
We don't have a CA/PKI architecture, and have no desire to implement one. We're just too small for that kind of operation.
I also found the technet article regarding RPC registry settings - I guess my last (hopefully) question is, do these RPC ports need to be opened in the firewall for a full 2008R2 install, or is this a condition present in Server Core only?
Seems to me I need a better understanding of RPC, or maybe even Windows security in general.
ASKER CERTIFIED SOLUTION
ASKER
Thanks for the info - I'll stick with the Core install for now, until it gives me sufficient reason not to. The article you linked reminded me that maybe my security concerns are a bit over the top for my environment (public library). We don't allow any internet access in to our network, these precautions are only in place to protect servers from staff and patrons. With that in mind, I feel as though the precautions I do have in place are a reasonable balance of security and functionality, especially compared to the last 10 years of 0 firewalls on any server.
Yeah, I'd say you're in a low security requirement environment. Companies that have to meet demands of stuff like HIPAA and PCI are a lot more complex.
Remote Desktop Services is not one of the roles that you can install on a Core installation, nor is any part of it.