There is a law of computing that states that the larger the footprint of code that’s running on a server, the better the chance that the code will contain an exploitable security hole. In spite of this law, both operating systems and applications tend to become more bloated with every new release. Longhorn Server puts this law into practice by offering a new minimal installation model called a core server. The core server is secure, but very restrictive. In this article, I will explain what a core server is and show you how to deploy one.
Sometime shortly after Windows Server 2003 was released, Microsoft seemed to finally acknowledge this philosophy. They produced several different documents that explained which services can (and often should) be disabled in order to reduce the footprint size of the code that’s executing on the server, thereby making that server more secure.
It seems like that this time Microsoft has learned from their past mistakes though. Longhorn Server will support what is known as a core installation. A core installation is a bare minimal installation that includes only a tiny subset of the code that is normally installed on a Longhorn Server.
Of course there is a catch to performing a core deployment. With a reduced code base also comes restrictions. One restriction is that a Longhorn server running as a core server can only function in four possible roles. These roles include a DHCP Server, a file server, a DNS server, or a domain controller.
The main idea behind having a core server is that if you have a dedicated server that is running one of these four roles, you can harden that server beyond what would normally be possible.
I realize that a lot of this probably sounds like marketing hype, but a core server really is running an absolute minimum code base. If you don’t believe me then consider this; A core Longhorn server does not even have a GUI interface. Omitting the GUI is a huge step for a company that spends an enormous amount of resources figuring out how to make the GUI prettier or more user friendly.
Of course leaving out the GUI raises a lot of questions. One of the first questions is probably, what does the interface look like? Well, it’s impossible for me to get a screen capture of it because I can’t install any sort of screen capture utility. However, I have used Photoshop to create an image of what a core server deployment looks like. You can see this image shown in Figure A.
Figure A: This is what a core Longhorn Server deployment looks like
As you can see in the figure, a core deployment offers only a pseudo GUI. While you do get the nice blue background and the Command Prompt window, there is nothing else. There are no icons, no Start menu, and no task bar. So this raises another question. How do you configure and maintain a core server?
For the server’s initial configuration, you have no choice but to use the command prompt. After the initial configuration is complete, you can continue to manage the server locally from the command prompt, or you have a couple of other options.
One option is that you can configure the server to support a limited Terminal Service environment. This environment would allow you to remotely manage the server, but you would still be forced to use the command prompt.
If you are the type that prefers to use the GUI, then you will be happy to know that you can remotely manage the server through the Microsoft Management Console. Unfortunately, there is no getting around the requirement that the server has to be initially configured from the Command line though.
Installing a Core Server
Obviously, the procedure for installing and configuring a core server is different for each of the supported roles. There is no way that I have the space to walk you through deploying the various roles. Even so, I want to guide you through the process of deploying a core server up to the point that it is ready to be assigned a role.
The Setup process begins when you insert your Longhorn Server installation CD and boot the server. Click Setup and you will be prompted as to whether you want to perform a normal installation or a core installation (I forget the exact wording that is used by Windows Setup). After doing so, you must simply enter your product key and wait for the installation to complete. You now have a core server.
When logged in, there will be two command prompt windows open. If you happen to accidentally close these windows, you can press CTRL-ALT-DELETE to access the Task Manager and then run CMD.EXE to open a new Command Prompt window.
Even though you technically have a core server when the Setup process completes, the server is absolutely useless until you do some basic configuration. For example, you must still set the Administrator’s password, set an IP address (assuming that the server needs a static IP address), join a domain, activate the server, and configure the firewall.
Setting the Administrator’s Password
The first task that needs to be done is setting the Administrator’s password. To do so, enter the following command:
Net user administrator *
The asterisk at the end of the command tells Windows to prompt you for a password rather than you entering the password as a part of the command. The advantage of doing so is that it prevents your password from being displayed in clear text on the screen.
Setting an IP Address
If your server is going to use a dynamic IP address, then you don’t even have to worry about this step. If the server needs a static IP address though, then you will have to set one up. This is a little tricky because the IP address must be bound to a specific interface. Therefore, you must begin the process by getting a list of network adapters in the system. To do so, enter the following command:
Netsh interface ipv4 show interfaces
Windows will now display a list of available interfaces. Make note of the number in the IDX column for the interface that you want to assign the address to. This is the interface number.
Now that you know the adapter’s number, it’s time to assign the IP address. To do so, use this command:
Netsh interface ipv4 set address name=”ID” source=IP Address mask=subnet mask gateway=default gateway
In the command above, ID refers to the interface number. The IP Address, Subnet Mask, and Default Gateway references refer to the corresponding numbers. When used in a production environment, the actual command would look more like this:
Netsh interface ipv4 set address name=”2” source=192.168.1.15 mask=255.255.0.0 gateway=192.168.1.1
The last step in configuring an IP address is adding a DNS server. To do so, you would use this command:
Netsh interface ipv4 add dnsserver name=”ID” address=DNS IP Address index=1
Again, the ID would be replaced by the interface number and DNS IP Address would be replaced by the IP address of your DNS server.
Joining a Domain
Joining a domain isn’t nearly as long of a procedure as setting up an IP address. To do so, enter this command:
Netdom join computer name /domain:domain name /userd:username /password:*
In the command above, computer name refers to the name of the server that you are joining the domain. The domain name parameter is obviously the name of the domain, and username is the name of the user account that is being used to join the server to the domain.
Activate the Server
After the server has been joined to the domain, it’s time to activate it. To do so, just enter this command:
Enable the Firewall
The last step in the initial configuration process is to enable the firewall. The catch is that you can’t configure the firewall from the core server. You must instead go to another Longhorn Server and use the Firewall snap-in for MMC to remotely configure the firewall.
As you can see, deploying core servers can greatly enhance the security of your organization. Core servers take some getting used to though because of their lack of a graphical user interface and because of other limitations.