Securing Windows Server 2008: Server Core best practices

Service provider takeaway: This section of the chapter excerpt titled "Microsoft Windows Server 2008: Server Core" is taken from the book Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization. Learn tips for implementing Server Core including how to distinguish one server from another and how to remotely administer core servers.

Download the .pdf of the "Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization" chapter here.

Server Core Best Practices

If you work as a field engineer and must install Server Core at various customer locations, wouldn't it be nice to have some kind of manual that summarizes some of the best practices? Some documentation exists in books and on the Internet, but the neater tricks are hard to find, or can't be found at all. Working as a consultant, I collected some of these tricks and bunched them together. Some made me think, "Hey, why didn't I think of that?" Other tricks (I think) are pretty cool, like "enabling remote cmd.exe with terminal services." In the paragraphs that follow, you'll find some practical tips that will come in handy when implementing Server Core.

Installing Software

Just to be sure...you do have backup clients and antivirus engines running on your servers, don't you? Thankfully, it's possible to install antivirus software like Microsoft's ForeFront and backup agents such as Symantec Backup Exec 12 on Windows 2008 Server Core. But how do you arrange this if you don't have Add/Remove Programs or even a GUI? Well, you still have msiexec.exe and the normal executable files. If you want to install an application with msiexec, just type msiexec /i productname .msi/. If you want to see the full list, use the link: http://support.microsoft.com/kb/227091. You may get the feeling that without a GUI nothing can happen with your Server Core installation. With fewer DLLs, the attack surface may be reduced, but it's still advisable to install antivirus and backup agents on the machine. Maybe it's better to say that Server Core is shell-less and a little bit GUI-less. If you want, you can still install lots of software, as long as the software doesn't need DLLs (which are aren't available on Server Core). It's even possible to install a browser like Mozilla Firefox on Server Core. But it's strongly recommended you only install supported software on Server Core.

Changing Background Settings and More

Imagine you are a system administrator and working in a server park with approximately 200 Core Servers. Ten of them are very important because these are installed with IIS and take care of the companies' core business. You surely don't want to mess up these servers. So you are looking for a manner to distinguish these servers from the others.

Well let's use the old fashioned way. We can change the background color to (for instance) red. Type regedit in the console, browse to the key HKEY_CURRENT_ USERControl PanelColorsBackground, and change the value to 255 0 0. Don't forget to log off and log on again so your Registry changes are applied. The default background is now changed to red.

If you want to disable the screensaver, again type regedit at the command prompt and go to HKEY_CURRENT_USERControl PanelDesktopScreenSaveActive. Then, change the value from 1 to 0. But maybe you want to do the opposite and add a screensaver with a warning text that says Don't touch my Web server! The Web servers are still your companies' core business, right? The screensaver we're taking about is called Marquee and the screensaver file is not available on Server Core by default, so we have to copy it. Locate the file ssmarque.scr (c:windowssystem32) on an XP machine and copy it to the same location on a Server Core machine. On the Core Machine, open the Registry with regedit.exe and browse to HKEY_CURRENT_ USERControl PanelDesktop. Change the value SCRNSAVE.EXE to C:WINDOWSsystem32ssmarque.scr and you're almost done. If you want to change the default screensaver timeout of ten minutes, change the value ScreenSaveTimeOut from 600 seconds to a value better suited to your needs. The last thing we must do is change the default text from the screensaver. To arrange this, type the command c: windowssystem32ssmarque.scr in the command prompt and change the text in the box.

Enabling remote cmd.exe with Terminal Services

Imagine you are still working on that company that has approximately 200 Core Servers, and you are looking for a way to remotely administer them. You are in possession of one GUI-based Server 2008 machine. The following steps should be performed to get remote cmd.exe working as a Terminal Services Remote Program. This "cool" function is similar to administering Server Core with mstsc.exe /v server name. The only difference is that you don't use the full-sized remote desktop functionality anymore, only a "published" remote application. The protocol used is still RDP.

1. Enable Remote Desktop on the Server Core computer by typing the command prompt cscript c:windowssystem32scregedit.wsf /ar 0.
2. Install the role Terminal Server on the GUI Server 2008 machine with Server Manager or by typing servermanagercmd.exe --install TS-Terminal-Server at the command prompt. Don't forget to reboot after installation.
3. After the reboot, open the MMC TS RemoteAPP Manager you just installed. Remember, you must open TS RemoteAPP Manager with MMC because Server Manager doesn't let you make connections with other servers.
4. Instead of a local computer, select the IP address or hostname of the Core
Server.
5. Click Add RemoteApps in the upper right corner, and then click Next.
6. Click Browse and type servercorenamec$system32cmd.exe, and then click Open | Next | Finish.
7. cmd.exe will be added to the list of remote programs.
8. In the RemoteApps pane, you should see the application you just created. Right-click the application and select create .rdp File.
9. Save the RDP file to the location of your choice.
10. If you open the RDP file, a remote command session will start to the Server
Core machine.

About the book
"Securing Windows Server 2008: Prevent Attack from Outside and Inside Your Organization" will teach you how to configure Windows Server 2008 to secure your network, how to use Windows Server 2008 hand-in-hand with Active Directory and Vista and how to understand Server Core. This book also focuses on public key infrastructure management, virtualization, terminal services, Active Directory Domain security changes and certificate management.