Should I Choose Server Core When Installing Windows Server?

Starting in Windows Server 2012, Server Core is the default install option.

As it makes initial configuration easier, it’s tempting to opt for the full GUI install of Windows Server instead of Server Core, but Server Core is the default choice for a reason. Among the benefits, Server Core has a smaller footprint, a reduced attack surface, and it lowers the frequency with which reboots are needed after applying Windows updates. Today I’ll go into the reasons why you should stick to the default Server Core install option in Windows Server 2012.

Server Core Compatibility

Microsoft announced compatibility for more applications in Windows Server Core 2012. Nevertheless, there will still be applications that cannot run on Server Core. While some Microsoft server-based applications such as SQL Server 2012 are now compatible with Server Core, you should check the requirements for any applications that you plan to install on Server Core. Exchange 2013 and SharePoint Server 2013 are not compatible with Windows Server Core 2012.

Server Core Is More Secure

The work Microsoft undertook in developing MinWin and Windows 8 allowed, for the first time, componentization of the operating system, untangling the complex dependencies that had previously necessitated installing the entire code base even if only a subset of the OS's features was being used.

The ability to separate components and load them as required led to Windows Server Core: a bare minimum install of the server OS managed from the command line. One benefit of this approach is the reduced attack surface. Windows Server Core is less vulnerable to attack because there is less code that could be exploited.

If this is not reason enough to consider Server Core, the reduced complexity means simpler patching and less need for reboots after updates are applied. Performance is also improved because without a GUI and other unnecessary components, there is less overhead.

Legacy Desktop Environment and Risks

The Modern UI has been designed from the ground up to be secure. Apps cannot interact with each other or the operating system, and they require your permission before they can access user data or hardware. The desktop, on the other hand, was designed in an era when usability came before security.

Although it is possible to secure the desktop, it requires additional features such as AppLocker, and adhering to other security best practices, to ensure that the risk is minimized. For example, it’s much easier on the desktop for a user to run an unauthorized application or piece of code.

That’s not to say that Server Core is immune to malware, but if you follow best practices and use PowerShell with constrained endpoints for administrative purposes, Server Core is still less vulnerable than its GUI cousin.

PowerShell Remoting

PowerShell constrained endpoints, and adhering to other security best practices, provide the most secure way to manage Server Core and the full GUI version of Windows Server. PowerShell Remoting can be configured to give IT staff access to only the management features and commands needed for the job, and combined with least privilege security, is more secure than managing Windows Server using Remote Desktop or the Remote Server Administration Tools (RSAT).
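As an added illustration (not part of the original article), the following sketch registers a constrained endpoint on a Windows Server 2012 machine with PowerShell 3.0. The endpoint name, the `CONTOSO\Service-Operators` group, the file path and the cmdlet allow-list are assumptions chosen for the example.

```powershell
#Requires -Version 3.0
# Added example: run in an elevated session on the server being managed.
$endpointName = 'ServiceOperators'                  # hypothetical endpoint name
$operators    = 'CONTOSO\Service-Operators'         # hypothetical AD group
$configPath   = "$env:ProgramData\PSSessionConfig\$endpointName.pssc"

New-Item -ItemType Directory -Path (Split-Path $configPath) -Force | Out-Null

# RestrictedRemoteServer starts from a near-empty session: no script language
# and only a few proxy functions (Get-Command, Exit-PSSession, ...).
# Only the cmdlets listed in -VisibleCmdlets are added on top of that.
New-PSSessionConfigurationFile -Path $configPath `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -ExecutionPolicy RemoteSigned `
    -VisibleCmdlets 'Get-Service', 'Restart-Service', 'Get-EventLog'

if (-not (Test-PSSessionConfigurationFile -Path $configPath)) {
    throw "Session configuration file failed validation: $configPath"
}

# Build the endpoint ACL: full control for local Administrators (BA),
# invoke-only (GX) for the operators group. Nobody else can connect.
$sid  = (New-Object System.Security.Principal.NTAccount($operators)).
            Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GX;;;$sid)"

# Registering the endpoint restarts WinRM, which drops existing remote sessions.
Register-PSSessionConfiguration -Name $endpointName -Path $configPath `
    -SecurityDescriptorSddl $sddl -Force

# Confirm what was registered and who may use it.
Get-PSSessionConfiguration -Name $endpointName |
    Format-List Name, PSVersion, Permission

# From an operator's workstation (server name is a placeholder):
#   Enter-PSSession -ComputerName SERVER01 -ConfigurationName ServiceOperators
#   Get-Command      # lists only the allowed cmdlets and the proxy functions
```

The endpoint limits which commands are visible; it does not grant rights. Unless a run-as account is configured, each command still executes with the connecting user's own privileges, so least privilege on the account itself still applies.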

[Figure: Command-line management in Server Core]

Switching Between the GUI and Server Core

Prior to Windows Server 2012, opting for Server Core or the full GUI was a one-time decision that couldn't be reversed. This perhaps made system administrators nervous about choosing Server Core at install time, partly because they weren't familiar with command-line management and Server Core configuration, giving rise to concerns about how to support the server in the event of a problem.

Windows Server 2012 (and later) provides administrators with the option to switch between Server Core and the full GUI version if required. A simple command can be used to make the change, and after the server reboots, the GUI will be restored or removed as specified.
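The switch described above can be scripted as follows. This is an added example, not code from the original article; the function names and the optional `-Source` handling are assumptions, and the feature names are those used by Windows Server 2012 and 2012 R2.

```powershell
#Requires -Version 3.0
# Added example. Feature names are those used by Windows Server 2012 / 2012 R2.
$GuiFeatures = 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell'

function Get-ServerInterfaceMode {
    # Map the two GUI features to the install mode they produce.
    $on = @(Get-WindowsFeature -Name $GuiFeatures |
            Where-Object { $_.Installed } |
            Select-Object -ExpandProperty Name)
    if ($on -contains 'Server-Gui-Shell')          { 'Gui' }      # Server with a GUI
    elseif ($on -contains 'Server-Gui-Mgmt-Infra') { 'Minimal' }  # Minimal Server Interface
    else                                           { 'Core' }     # Server Core
}

function Set-ServerInterfaceMode {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Core', 'Gui')]
        [string]$Mode,

        # Optional install source, needed when the GUI binaries are not on disk
        # (for example, on a server originally installed as Server Core).
        [string]$Source
    )

    if ((Get-ServerInterfaceMode) -eq $Mode) {
        Write-Verbose "Server is already in '$Mode' mode."
        return
    }
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Switch to $Mode and reboot")) {
        return
    }

    if ($Mode -eq 'Core') {
        Uninstall-WindowsFeature -Name $GuiFeatures -Restart
    }
    else {
        $params = @{ Name = $GuiFeatures; Restart = $true }
        if ($Source) { $params.Source = $Source }
        Install-WindowsFeature @params
    }
}

# Preview the change without making it:
#   Set-ServerInterfaceMode -Mode Core -WhatIf
```

On a server that was installed as Server Core, the GUI feature payload is not stored locally, so adding the GUI needs either access to Windows Update or a `-Source` pointing at installation media.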

Get More Out of Virtualization

Due to the improved performance and reduced overhead of Server Core, you can run more virtual instances of Windows Server on VMware or Hyper-V than might be possible with the GUI version. This allows organizations to make better use of servers in datacenters and squeeze more resources out of each physical server.

Windows Server Without Windows!

While Server Core will make some system administrators nervous about the management challenges and learning curve involved, Server Core can bring many benefits, not least including improved security and lower operational overhead. On that basis alone, wherever possible, you should stick to the default Server Core install option in Windows Server 2012 to get the most benefit from the advances Microsoft has made in performance and security, which will help reduce the operational and management costs of Windows Server.