Our podcast and blog on Microsoft’s new minimal attack surface Server Core seemed to get the same reaction Server Core got at the MSMUG summit – – little or none. We believe this is an important development, even potential top ten story for 2008, so let me try another way.
We reviewed the 25 security bulletins Microsoft issued through April of this year and our best estimate is only 4 would apply to Server Core. While this is not an apples to apples comparison, and the percentage may be a little higher or lower, it is a significant reduction in patch processing. The real data will come out when patches are issued on Server 2008 and Server Core, but significant reductions in patching are virtually assured due to the smaller attack surface.
We are telling our clients running control systems on Windows to begin asking their vendors how Server Core fits into their development plans.