Server Core Management: a Potential Security Issue
You're more likely to do something right when it's easy to do. When you were in school (or if you're in school now), which tests do you make fewer mistakes on? The easy tests or the hard tests? When setting the time on a device, when are you more likely to make a mistake? When you're setting the time on your watch or on your VCR? When income taxes are prepared, where are more mistakes made? On a 1040EZ or on the pages and pages of a Schedule C filing?
Easy leads to fewer mistakes. And the more transparent and understandable a process is, the less likely it will be that you'll make a mistake. Even hardware device makers, who used to depend on command-line management only, realized that serious configuration errors were being made on their network gear because of the complexity and lack of transparency of the command-line interface. Now these network gear makers include a graphical user interface to reduce the number of configuration errors inherent in command-line management.
Indeed, it's a well-known fact in the firewall world that the vast majority of security breaches due to firewall issues are not from any inherent weaknesses in the firewall itself, but from misconfiguration of the firewall. And the more difficult it is to configure the firewall, the more likely it will be that mistakes will be made, and sometimes those mistakes can have disastrous effects on network security.
Enter now Windows Server 2008 Core. Server Core is an installation option that allows you to install Windows Server 2008 with a minimal number of binaries required to get the operating system running. Because only a minimal number of binaries are included in the operating system installation, Server Core can host only a subset of the 17 Server Roles available in Windows Server 2008. There is no graphical interface for managing the Server Core operating system. You must use a local command prompt or RDP into a command prompt environment. For server roles that you install on Server Core, there is the option of remote management through an MMC console.
If you have a chance, try the Server Core installation option. Now try to do very basic configurations like assigning IP addressing information, changing the name of the server, setting the time zone and the date and time, and joining a domain. Then try to add Server Roles and Role Services, and then try to add some Server Features such as BitLocker. You won't be able to do it. However, you can refer to this guidance: http://technet2.microsoft.com/windowsserver2008/en/library/59e1e955-3159-41a1-b8fd-047defcbd3f41033.mspx?mfr=true
Now try setting up Server Core by using that guidance. Make it a real installation, complete with real server roles, like File Server with DFS and failover clustering. Now with that experience, try installing Server Core again and install another Server Role, such as DHCP and DNS server, but without looking at the guidance. Remember to configure the Windows Firewall for remote management. You didn't remember all the commands? OK, give it another try while looking. Now try again without looking. Did you get it right? Odds are, probably not.
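As an added example, not from the original post or from Microsoft's guide, here is what that sequence looks like when scripted for cmd.exe on a Windows Server 2008 Server Core box: addressing, date/time, rename, domain join, the DHCP and DNS roles, and the firewall rules for remote management. Interface name, addresses, host name, domain and join account are placeholder values; the `review` mode at the end is there because checking what you actually configured is the hard part.

```batch
@echo off
rem Added example (not from the post or the TechNet guide): initial Server Core
rem configuration from cmd.exe on Windows Server 2008, plus a "review" mode that
rem dumps the resulting state so it can be audited. All names/addresses below are
rem placeholders. Run from an elevated local console; the rename and the domain
rem join each need a reboot, so the script stops after each and tells you how to resume.
setlocal
set NIC=Local Area Connection
set IPADDR=192.0.2.10
set MASK=255.255.255.0
set GW=192.0.2.1
set DNS1=192.0.2.2
set NEWNAME=CORE01
set DOMAIN=corp.example
set JOINUSER=corp\svc-join
if /i "%1"=="review" goto review
if /i "%1"=="join"   goto join
if /i "%1"=="roles"  goto roles
rem --- Step 1: static IP, gateway and DNS ("Local Area Connection" is the 2008 default NIC name) ---
netsh interface ipv4 set address name="%NIC%" source=static address=%IPADDR% mask=%MASK% gateway=%GW%
netsh interface ipv4 add dnsserver name="%NIC%" address=%DNS1% index=1
rem --- Step 2: time zone and date/time; there is no Control Panel, but this applet still opens ---
control timedate.cpl
rem --- Step 3: rename the server, then reboot and resume with "join" ---
netdom renamecomputer %COMPUTERNAME% /NewName:%NEWNAME% /Force
echo Reboot now (shutdown /r /t 0), then run: %~nx0 join
goto :eof
:join
rem --- Step 4: join the domain (password is prompted for), then reboot and resume with "roles" ---
netdom join %COMPUTERNAME% /Domain:%DOMAIN% /UserD:%JOINUSER% /PasswordD:*
echo Reboot now (shutdown /r /t 0), then run: %~nx0 roles
goto :eof
:roles
rem --- Step 5: DHCP and DNS roles (ocsetup names are case sensitive), then remote management ---
start /w ocsetup DHCPServerCore
start /w ocsetup DNS-Server-Core-Role
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
cscript %SystemRoot%\System32\scregedit.wsf /ar 0
goto :eof
:review
rem --- What did all of that actually produce? Dump the state that matters for a review ---
echo === Name, domain, time zone === & systeminfo | findstr /b /c:"Host Name" /c:"Domain" /c:"Time Zone"
echo === IPv4 configuration === & netsh interface ipv4 show config
echo === Installed roles === & oclist | findstr /c:"Installed:" | findstr /v /c:"Not Installed"
echo === Firewall profile === & netsh advfirewall show currentprofile
echo === Remote administration rules === & netsh advfirewall firewall show rule name=all | findstr /c:"Remote Administration"
```

Run the script with no argument, then `join`, then `roles`, rebooting where it says so; run it with `review` at the end and compare the dump against what you intended to configure.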
Server Core is advertised as more secure because of the smaller attack surface. I can't argue with that. They also advertise it as easier to manage. That is something only a marketing guy who needs a vacation could come up with. What they were trying to say is that Server Core doesn't need so many updates, since much of the functionality of Windows Server 2008 isn't available in Server Core, so you don't need to update binaries that aren't there. But saying it's easier to manage could only come from someone who hasn't tried to manage Server Core.
The question is -- will the security advantage of a smaller attack surface outweigh the security risks of a complex and non-transparent configuration and management environment? Will Server Core run into the same issues that hardware firewall vendors ran into with the security breaches related to misconfiguration due to complexity and lack of transparency? No one knows yet, as Windows Server 2008 hasn't yet been released. One might draw parallels with the Unix environment -- where misconfiguration due to CLI management is a very common occurrence. What's disturbing is that Unix administrators are highly skilled with the command line and have worked with it exclusively for many years. What will be the effects of putting Windows administrators in such an unfriendly and unforgiving environment?
I suggest you keep a close eye on security reports on Server Core installations being compromised due to misconfiguration in the year following Windows Server 2008's release. Doing it wrong with Server Core is easy -- one typo, one wrong command, and the difficulty in reviewing your configuration may well conspire against the advantages of the lower attack surface.
That's it for today 🙂
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
MVP - Microsoft Firewalls (ISA)