
Patching and Server Core

Our podcast and blog on Microsoft's new minimal attack surface Server Core seemed to get the same reaction Server Core got at the MSMUG summit: little or none. We believe this is an important development, even a potential top ten story for 2008, so let me try another way.

We reviewed the 25 security bulletins Microsoft issued through April of this year, and our best estimate is that only 4 would apply to Server Core. While this is not an apples-to-apples comparison, and the percentage may be a little higher or lower, it is a significant reduction in patch processing. The real data will come out when patches are issued for Server 2008 and Server Core, but significant reductions in patching are virtually assured due to the smaller attack surface.

We are telling our clients running control systems on Windows to begin asking their vendors how Server Core fits into their development plans.

Comments

Comment from Jake Brodsky
Time: April 17, 2008, 12:37 pm

Dale, the first rule I apply to everything that comes out brand new is to wait for at least one patch cycle. I don’t put my money on anything with a version number that ends with .0.

That's why you hear a dead silence. We're waiting for others to bump into the sharp edges so that by the time we get involved, everyone knows where most of them are.

These Microsoft products appear to be a substantial improvement at first glance. But anyone with experience knows that even really good looking conceptual designs can turn ugly all too fast. I’ll wait for someone else to get the experience from their battle scars before I decide to forge ahead on my own.

Comment from amino world
Time: April 17, 2008, 3:57 pm

Another factor in the 'dead air' on this topic is that this offering is out of our reach. Our vendors don't sell products that use the Server Core installation and probably won't for a couple of years.

Now if someone ported this approach *back* to Server 2003, we've got something to talk about!!

Comment from stephan beirer
Time: April 18, 2008, 6:43 am

The principle of minimizing the attack surface is not limited to the Windows world. I have seen vendors providing their Unix-based control systems on fully-fledged standard installations of RHEL/SLES/Solaris. Gigabytes of unneeded packages... a minimal installation reduces this to some hundred megabytes. Every package you don't install you don't have to patch... and I'm still waiting for the day we'll need the Flash player in the CC...

Comment from Dale Peterson
Time: April 18, 2008, 7:30 am

Stephan - This is one of the many benefits of Bandolier. We work with the vendors to identify the required ports/services and use the Nessus audit capability to verify only these services are running. So Bandolier will test if you have a minimal exposed attack surface. We have audit files in process, soon to be out in beta, for control system applications running on Windows, Linux and TRU64. Of course this is only a small portion of a large number of audit tests in each Bandolier audit file.

I realize this is not as good as checking for a minimal package installation, but it is a significant first step and we encourage the vendors to go further.
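The checks Stephan and Dale describe above, unneeded packages and services that should not be listening, can be expressed as a simple baseline comparison. The following is an added example, not Bandolier, a Nessus audit file, or any code from the post or its commenters: it parses constructed `netstat -an`-style output (Windows layout) into the set of exposed sockets, then diffs both that set and a constructed installed-package inventory against a hypothetical vendor baseline of required listeners and required packages. The sample data and the allow-lists are made up for illustration.

```python
"""Audit a host's exposed attack surface against a vendor-supplied baseline.

Added example. The netstat output, package inventory and allow-lists below are
constructed for illustration; they stand in for what a control-system vendor
would declare as required on a minimal install.
"""
from dataclasses import dataclass, field

# Constructed sample of `netstat -an` output (Windows layout).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49155     192.168.1.20:445       ESTABLISHED
  UDP    0.0.0.0:161            *:*
  UDP    0.0.0.0:1900           *:*
"""

# Constructed inventory of installed components on the host.
SAMPLE_INSTALLED = {"scada-server", "opc-gateway", "flash-player",
                    "media-codecs", "remote-admin"}

# Hypothetical vendor baseline: what the control system actually needs.
REQUIRED_LISTENERS = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 161)}
BASELINE_PACKAGES = {"scada-server", "opc-gateway", "remote-admin"}


@dataclass
class AuditResult:
    """Deviations from the baseline; empty sets mean a minimal surface."""
    unexpected_listeners: set = field(default_factory=set)
    unneeded_packages: set = field(default_factory=set)

    @property
    def passed(self) -> bool:
        return not self.unexpected_listeners and not self.unneeded_packages


def parse_listeners(netstat_output: str) -> set:
    """Return the set of (proto, port) sockets that accept traffic.

    TCP sockets count only in LISTENING state; UDP sockets have no state
    column and are treated as exposed whenever they are bound.
    """
    listeners = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else None
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not exposed services
        # rsplit tolerates IPv6 literals such as [::]:135
        port = int(local.rsplit(":", 1)[1])
        listeners.add((proto, port))
    return listeners


def audit_attack_surface(netstat_output, installed, required_listeners,
                         baseline_packages) -> AuditResult:
    """Diff observed listeners and installed packages against the baseline."""
    listeners = parse_listeners(netstat_output)
    return AuditResult(
        unexpected_listeners=listeners - required_listeners,
        unneeded_packages=set(installed) - baseline_packages,
    )


def format_report(result: AuditResult) -> str:
    """Human-readable summary, one finding per line."""
    if result.passed:
        return "PASS: only baseline services and packages present"
    lines = ["FAIL: attack surface exceeds baseline"]
    for proto, port in sorted(result.unexpected_listeners):
        lines.append(f"  unexpected listener: {proto}/{port}")
    for pkg in sorted(result.unneeded_packages):
        lines.append(f"  unneeded package:    {pkg}")
    return "\n".join(lines)


if __name__ == "__main__":
    outcome = audit_attack_surface(SAMPLE_NETSTAT, SAMPLE_INSTALLED,
                                   REQUIRED_LISTENERS, BASELINE_PACKAGES)
    print(format_report(outcome))
```

Run against the constructed data it flags TCP/8080 and UDP/1900 as listeners the vendor never asked for and the two media packages as patch load with no operational purpose. In practice the baseline would come from the vendor, as Dale describes, and the netstat and package inventory from the host under audit.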
