Security Advisor

Secure to the Core

Managing Server Core can be a challenge; here are some tips to help you keep it secure.

• By Joern Wettern
• 04/01/2009

It's Running -- What Now?
Server Core is an implementation of Windows Server 2008 that foregoes many components, including most GUI tools. The result is a lean server operating system that's Spartan enough to cure any Linux envy you may feel. It uses fewer hardware resources than a full installation of Windows Server, but, more importantly, it also has a smaller attack surface. The reason for this is that fewer components mean that less can go wrong and that an intruder has fewer potential venues for attacking your server. Granted, Server Core only provides limited functionality, but what it can do includes most core network infrastructure components. Possible Server Core roles include domain controller, DNS server or file server, among others.

Prepare for a mild shock after starting your first Windows Core server. Once the installation has finished and you've changed the Administrator password, you're presented with just a command-prompt window. That's it; no GUI tools are in sight anywhere. Depending on how good you are at using a command prompt for administering your network, you may be able to configure some basic functionality, but odds are that you'll find yourself stuck pretty quickly. So how do you continue without compromising the security of your server?

One of the first things you should do on your new server is to install the latest patches and configure automatic updates. The easiest way to do this is to use Group Policy to configure your server to automatically install updates. If that's not an option, use the following commands to configure the server to automatically check for and install updates at the default time of 3 a.m. every day:

cscript 
c:\windows\system32\scregedit.w
sf /au 4
net stop wuauserv && net start 
wuauserv

To check for required updates immediately, use the following command:

Wuauclt /detectnow

To list all installed updates to see whether the update was successful, use this command:

wmic qfe list /format:list | find 
"HotFixID"

For more details, including alerts if any of the installed updates require a computer restart to take effect, use the following command:

wmic qfe list /format:list | more

Taming the Beast
The next order of business is to prepare for administering your server. The easiest way to do this is to use the familiar graphical administration tools on another server to connect to your Server Core computer. For example, you can run the DNS console on a full Windows Server installation and point it to your Server Core computer. Even better, if your desktop computer is running Windows Vista with Service Pack 1, you can install the server administration tools there so they're right at your fingertips.

Before you can remotely access the Server Core computer, though, you'll have to deal with the Windows Firewall. By default, Server Core locks down access to the OS, and this means that the Windows Firewall is configured to block all incoming connections -- including your attempts to administer the server. One solution to this problem would be to stop the Windows Firewall, but why undermine your server's security? Server Core includes everything needed to allow only the connections required to administer the server over the network. To configure the Windows Firewall to allow remote administration, type the following command:

netsh advfirewall firewall set rule 
group="remote administration" 
new enable=yes

Once the Windows Firewall has been configured, you can establish Microsoft Management Console (MMC) connections to the computer. However, some functionality, including Disk Management and Event Viewer, require the configuration of additional firewall rule groups. The required commands are described on TechNet here. One of the rule groups, aptly named "Windows Firewall with Advanced Security," opens up the ports that are required to configure the firewall itself from a remote MMC console. I generally enable remote firewall administration shortly after installing Server Core and then use it to limit connections to be only accepted from authorized administrator workstations.

By default, the screensaver on a Windows Server Core computer locks the screen after 600 seconds, or 10 minutes. If this doesn't suit you, use one of the few GUI tools included with Server Core, the Registry Editor. To start it, type regedit at the command prompt, then edit any of the following registry keys:

HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive
(Change this from 1 to 0 to disable the screensaver.)

HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
(Change this from logon.scr to scrn save.scr to switch from the Windows logo screensaver to the blank screen version.)

HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure
(Change the value from 1 to 0 if you don't want Windows to prompt you for credentials when waking the server.)

HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
(Edit this value to change the timeout from its default value of 600 seconds.)

As you're making other tweaks to Server Core, don't forget that many other changes can also be made using the Registry Editor, but don't get carried away. The fewer manual changes you make, the more supportable and secure your Server Core installation tends to be. If a setting can be configured using Group Policy, use it instead of manual changes.

Managing and maintaining Server Core can be a challenge, but the tips here should give you a head start for doing this securely. Also, there are many good resources available to help you in the process, both from Microsoft and members of the general community; go to Redmondmag.com to see some of my top picks.