To Server Core or not to Server Core?

sbumpas
sbumpas used Ask the Experts™
on
Does anybody have experience with the 2008R2 Server Core implementation?  These will be hosted in an ESX environment, and we have only about 5 VMs (file server, print server, DC/DNS/DHCP, WSUS)  out of maybe 20 that fit the bill, and I question whether it's worth all the extra effort.

My primary concerns is, in order to use the RSAT, you have to open so many ports on the firewall that it seems as if you're exposing the server more than you would on a normal install, thus negating the "reduced attack surface"?

Also, anybody know if you can install RDS licensing on a server core setup?  I can't find that info anywhere.

Anybody out there with real world experience on the benefits/negatives of Server Core?  I'm not afraid of the CLI, but only if it pays off in the long run.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Adam BrownSenior Systems Admin
Top Expert 2010

Commented:
Benefits of Server Core is increased security due to the lack of unnecessary services and such. The major downside is that you can't run all available roles on a server core installation. The following site explains which roles can be used on which version of Server Core: http://www.microsoft.com/windowsserver2008/en/us/r2-compare-core-installation.aspx 

Remote Desktop Services is not one of the roles that you can install on a Core installation, nor is any part of it.

Author

Commented:
Doesn't increased exposure to services that DO exist put the box at risk moreso than only managing the box via RDP or console access?  That's my primary concern.
Adam BrownSenior Systems Admin
Top Expert 2010

Commented:
Just as a note, AD Communications through firewalls should be done through IPSec tunneling, not by opening loads of ports to allow RPC communication and the like.

That said, the Server Manager portion of RSAT is the only thing used to manage a Server Core installation. A very detailed explanation is here: http://technet.microsoft.com/en-us/library/dd759202.aspx 
Server Manager utilizes Powershell and WinRM which operates through a single port (Port 80 by default, this can be changed). It can also be configured to communicate with only a specific computer.

Short answer, there isn't a need to open lots of ports to manage a server core install, so that doesn't detract from the smaller attack vector.

Author

Commented:
IPSec tunneling even for general AD authentication and the like?  I've never heard that before.  Could you direct me toward documentation on that as well?
Adam BrownSenior Systems Admin
Top Expert 2010

Commented:
Full IPSec requires CA and PKI architecture to work. It's been bumped up in Windows 2008 a bit, but the full shebang is here: http://technet.microsoft.com/en-us/network/bb531150.aspx (Side note: The Army's Active Directory is fully protected by IPSec links)
Adam BrownSenior Systems Admin
Top Expert 2010

Commented:
If you aren't willing to get that intense with IPSec, there are also registry keys that will pinch down the virtual ports available for RPC so you don't have to open 30,000 ports in your firewall :D I used to have an ADM template for that but it went the way of formatted computers.

Author

Commented:
We don't have a CA/PKI architecture, and have no desire to implement one.  We're just too small for that kind of operation.

I also found the technet article regarding RPC registry settings - I guess my last (hopefully) question is, do these RPC ports need to be opened in the firewall for a full 2008R2 install, or is this a condition present in Server Core only?

Seems to me I need a better understanding of RPC, or maybe even Windows security in general.
Senior Systems Admin
Top Expert 2010
Commented:
RPC contains a lot of the functions that make AD really useful. I can't list them off the top of my head, though. They don't *need* to be opened, but a lot of the more advanced features (WMI in particular) don't work without those ports. For smaller implementations, it's usually a good idea to utilize an Application layer firewall between DMZ servers and the rest of the environment if you want to utilize a DMZ (I assume this is what your setup is doing, application servers available from the internet surrounded by firewalls). ISA is a good product for handling this. I'll point you to a good article on why that setup is usually less preferable: http://redmondmag.com/articles/2005/07/01/dump-your-dmz.aspx?sc_lang=en

Windows Security is a tricky thing, and not many Admins really understand it. Spending a year Auditing Security on government networks gave me a good bit of knowledge on the subject, but I'm still only touching the surface. Also, you may be surprised at how little is needed to implement PKI in Windows. I'd highly recommend investing in a book on the 70-299 certification test for Microsoft. It's good stuff. 70-298 is more or less useless, though :(

Author

Commented:
Thanks for the info - I'll stick with the Core install for now, until it gives me sufficient reason not to.  The article you linked reminded me that maybe my security concerns are a bit  over the top for my environment (public library).  We don't allow any internet access in to our network, these precautions are only in place to protect servers from staff and patrons.  With that in mind, I feel as though the precautions I do have in place are a reasonable balance of security and functionality, especially compared to the last 10 years of 0 firewalls on any server.
Adam BrownSenior Systems Admin
Top Expert 2010

Commented:
Yeah, I'd say you're in a low security requirement environment. Companies that have to meet demands of stuff like HIPAA and PCI are a lot more complex.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial