Archive for December, 2011

3rd Party management applications and Server Core

Microsoft introduced the Server Core Installation option in the pre-releases of Windows Server 2008 four years ago. Since that time, many improvements have been made to the manageability of Server Core installations. Also, many dedicated 3rd Party and open source Server Core management applications have been introduced, and Server Core admins have adopted these and already existing tools to manage their servers.

Personally, I’m an advocate of using the built-in management capabilities of Windows Server. I feel Microsoft has made big strides in Server Core Management with sconfig and Server Manager Remoting in Windows Server 2008 R2. Realistically though, I still sometimes run into fierce challenges when configuring certain settings.

Sometimes I install an application for these purposes. Temporarily.

There’s a big reason why I won’t install 3rd party local management applications on my Server Core installations. I don’t use Revo Uninstaller and CCleaner on my boxes full-time. They are part of my Server Core Helper DVD, along with a slew of other tools, but when I’m done with the settings they typically change, these programs are uninstalled.

Here’s why.

  1. Some of the applications I use were never designed or written with Server Core installations in mind. Calling a non-existent API might cause unpredictable behavior in these applications.
  2. Some of the applications have dubious ownership. Although the goal of the program may be to perform an action like removing unused items in Windows (Server Core doesn’t have many of these items, by the way), the goal of the writer or publisher of the application might be completely different (installing adware, for instance, to gain an income, or gathering statistics on the usage of Server Core installations to justify the program itself to superiors).
  3. Any 3rd party application increases the attack surface of the installation. Remember, Microsoft uses a non-disclosure policy about vulnerabilities and hotfixes. The application you’ve installed on Server Core might just have a vulnerability that could let an attacker compromise the entire box.
  4. Keeping Server Core installations with tons of 3rd party applications up to date is hard. Even if you pick applications from software publishers that have a disclosure policy for vulnerabilities, work actively to patch their products and have good reputations, keeping hundreds of their product installations up to date (with their update mechanism) is ad hoc, unreportable and thus unreliable. You lose overview pretty quickly.

A Server Core installation, however, will never be really rid of 3rd party applications. Agents for UPS, anti-malware, backup & restore, reporting, monitoring, asset management and central management may still be needed, depending on the environment.

For these 3rd party agents and applications a policy needs to be in place to keep them up to date. Don’t make it harder on yourself than strictly needed: ban loading local management applications on your Server Core installations.
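
One way to keep the overview that reasons 3 and 4 and the closing policy call for, as an added example that is not from the original post: a PowerShell script that lists installed software from the uninstall registry keys and flags anything outside an approved-agent allowlist. The agent name patterns are hypothetical placeholders, and the script assumes PowerShell is available on the Server Core installation (an optional feature on Windows Server 2008 R2).

```powershell
# Added example. The approved agent names below are hypothetical placeholders.
$ApprovedAgents = @(
    'Contoso Backup Agent*',
    'Contoso Anti-Malware*',
    'Contoso UPS Monitor*'
)

# Installers register under these keys; the second holds 32-bit programs on x64.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    # Entries without a DisplayName are updates or components, not applications.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function Get-SoftwareAudit {
    param(
        [object[]]$Software = (Get-InstalledSoftware),
        [string[]]$Approved = $ApprovedAgents
    )
    foreach ($item in $Software) {
        if (-not $item) { continue }   # PowerShell 2.0 iterates once over $null
        $name  = $item.DisplayName
        $match = $Approved | Where-Object { $name -like $_ }
        if ($item.Publisher -like 'Microsoft*') {
            # Publisher is written by the installer itself: a triage hint, not proof.
            $status = 'Platform'
        } elseif ($match) {
            $status = 'ApprovedAgent'
        } else {
            $status = 'Unapproved'
        }
        $item | Select-Object DisplayName, DisplayVersion, Publisher,
            @{ Name = 'Status'; Expression = { $status } }
    }
}

# Report for the local box; the CSV makes the inventory reportable across servers.
$report = Get-SoftwareAudit | Sort-Object Status, DisplayName
$report | Format-Table -AutoSize
$report | Export-Csv -Path "$($env:COMPUTERNAME)-software.csv" -NoTypeInformation
```

Anything marked `Unapproved` is either a temporary tool that was never uninstalled or an agent that still needs an entry in the update policy.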