Reduced attack surface area

Jeff Jones (Strategy Director in the Microsoft Security Technology Unit) has written a post about Server Core and how its reduced footprint increases security dramatically. The key here is “reduced attack surface area” as all of the most insecure areas of a server have been removed, such as IIS, Internet Explorer, Windows Media Player, etc…

However, pulling all these components out of a server have also reduced its functionality, which is why only the following roles are available: (taken from the excellent Server Core Step By Step Guide)

  • Active Directory Domain Services
  • Active Directory Lightweight Directory Services (AD LDS)
  • Dynamic Host Configuration Protocol (DHCP) Server
  • DNS Server
  • File Services
  • Print Server
  • Streaming Media Services

I’m a big fan of this approach and I can’t wait for Server Core to be improved so that the GUI is completely removed. Server Core GUI also hope that the modulisation of the components is improved so that the Web Server role becomes available as a Server Core option. It would seem to me that one of the best scenarios to implement a server with a “reduced attack surface area” would be on a public-facing web server.

Leave a Reply

Your email address will not be published. Required fields are marked *