Web Server Role on Server Core a Management Failure
As you might know, Windows Server 2008 has an installation option called Server Core. A Server Core installation is one that includes a small subset of the binaries that are included with a full Windows Server installation and provides just enough functionality so that the core operating system can run. The goal of the Server Core installation is to reduce the overall attack surface and to reduce the need for updates that aren't required on a server for components that it doesn't use.
There is no user interface on Server Core. Everything is done locally at the command prompt, or remotely using an RDP session or by using Windows Remote Shell (WinRS, which is like the Windows Server 2008 version of SSH). Actually, there are a few user interfaces. You can access notepad.exe and regedit.exe so that you can manage the long command line arguments and answer files you need to get the initial configuration of Server Core running. Also, Task Manager is available.
When installing and doing the initial configuration of Server Core, I was kind of jazzed about doing the initial configuration tasks from the command line. While I'll never be able to commit to memory the procedures required for initial configuration tasks and post installation tasks, Microsoft has done a good job at documenting everything in their Server Core Step by Step Guide which you can find at http://technet2.microsoft.com/windowsserver2008/en/library/e7e522ac-b32f-42e1-b914-53ccc78d18161033.mspx?mfr=true. The only problem is that if you can't access this guide, you had better print it out, or else you'll never remember all the things you need to do from the command line if you install a Server Core less than once a week.
That said, the guide does a really good job at walking you through the installation and configuration. You can tell that they worked on this for a while and actually listened to users who were trying to do a variety of configuration steps. Almost everything you can think of that you might want to do with Server Core is included in the step by step guide.
I also found that it was easy to get the remote MMCs working once you configured the Windows Firewall on the Server Core machine to allow the connections. DHCP, DNS, Disk Management, Active Directory, and others worked a treat. However, profound dismay, disillusionment, disappointment and pure amazement took place when I found out that you cannot use the IIS 7 console to remotely manage the Web server role on Server Core. You have to use the command line tool appcmd.exe to perform all management of the IIS Web server role on the Server Core machine.
Why would they do this? Microsoft worked hard to make a very sophisticated upgrade to the IIS MMC, one that provides much better functionality and usability than previous versions. After all the good work they did, why did they throw it out the window for Server Core installations? The reason, from what I'm told, is that the IIS MMC depends on the .NET managed code, and Server Core does not support .NET.
So, just to let you know, if you plan to manage a Web Server on Server Core, you're going to need to spend quite a bit of time getting up to speed on appcmd.exe. For more information on using appcmd.exe, check out http://www.iis.net/articles/view.aspx/IIS7/Use-IIS7-Administration-Tools/Using-the-Command-Line/Getting-Started-with-AppCmd-exe. It's extraordinarily complex and I suspect that it will be a bit unnerving for more than a few people who would like to manage IIS.
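To make the appcmd.exe workflow concrete, here is an added example (not part of the original post or of Microsoft's guide): a batch file that backs up the IIS configuration, makes one change, reads it back, and restores the backup if the read-back disagrees. The site name, the backup label, and the choice of directory browsing as the setting are assumptions for illustration.

```bat
@echo off
rem Added example: change one IIS 7 setting on Server Core with a safety net.
rem Run locally at the Server Core command prompt from an elevated session.
setlocal
set "APPCMD=%windir%\system32\inetsrv\appcmd.exe"
rem Assumption: the stock site name; substitute your own.
set "SITE=Default Web Site"
rem Constructed label; "add backup" fails if a backup with this name exists.
set "BACKUP=pre-dirbrowse-change"

rem 1. Snapshot the server-level configuration (applicationHost.config etc.).
"%APPCMD%" add backup "%BACKUP%"
if errorlevel 1 (
    echo Backup failed, stopping before any change is made.
    exit /b 1
)

rem 2. Inventory what is on the box so the change targets the right site.
"%APPCMD%" list site
"%APPCMD%" list apppool

rem 3. Turn directory browsing off. /commit:apphost writes the change to
rem    applicationHost.config, which is what the backup in step 1 covers.
"%APPCMD%" set config "%SITE%" /section:directoryBrowse /enabled:false /commit:apphost
if errorlevel 1 goto rollback

rem 4. Read the effective setting back instead of trusting the command.
rem    A web.config inside the site can still override the server-level value;
rem    that case shows up here as enabled="true".
"%APPCMD%" list config "%SITE%" /section:directoryBrowse | find /i "enabled=""true""" >nul
if not errorlevel 1 goto rollback

echo OK: directory browsing is off for "%SITE%".
exit /b 0

:rollback
echo Change failed or did not take effect; restoring backup "%BACKUP%".
"%APPCMD%" restore backup "%BACKUP%"
exit /b 1
```

The read-back in step 4 is the part that addresses misconfiguration risk: without a console to glance at, the only confirmation that a setting took effect is querying it again.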
Hopefully, Microsoft will release a service pack in the future that will enable remote MMC management for IIS -- until then, consider using a full installation of Windows Server 2008 for any Web server deployment. The theoretical gains from the reduced attack surface will be lost due to the complexity of management and the possibility of security misconfiguration due to the obscure management interface. For all other supported roles on Server Core, I definitely suggest going with the Server Core option.
Thomas W Shinder, M.D.
MVP - Microsoft Firewalls (ISA)