Server Core Patch Analysis
From SCADApedia
Server Core is Microsoft's attempt at a minimal attack surface version of Server 2008. A Server Core benefit should be a reduced patching burden. This page tracks the Microsoft Security Bulletins since Server Core was released and compares the number of bulletins that apply to Server 2008 to the number of bulletins that apply to Server Core.
The analysis assumes Server 2008 is installed with a least privilege, hardened application server configuration. For example, the analysis assumes that Microsoft Office is not installed on Server 2008.
Current 2008 Tallies
- Total Bulletins: 54
- Apply to Server 2008: 25
- Apply to Server Core: 14
| Bulletin | Server 2008 | Server Core |
|---|---|---|
| MS08-014 | No (Office) | No |
| MS08-015 | No (Outlook) | No |
| MS08-016 | No (Office) | No |
| MS08-017 | No (Office) | No |
| MS08-018 | No | No |
| MS08-019 | No | No |
| MS08-020 | No | No |
| MS08-021 | Yes | No |
| MS08-022 | No | No |
| MS08-023 | Yes | No |
| MS08-024 | Yes | Yes |
| MS08-025 | Yes | Yes |
| MS08-026 | No (Office) | No |
| MS08-027 | No (Office) | No |
| MS08-028 | No | No |
| MS08-029 | No (Malware) | No |
| MS08-030 | No | No |
| MS08-031 | Yes (IE) | No |
| MS08-032 | Yes | Yes |
| MS08-033 | Yes (DirectX) | No |
| MS08-034 | No | No |
| MS08-035 | Yes | Yes |
| MS08-036 | Yes | No |
| MS08-037 | Yes | Yes |
| MS08-038 | Yes | Yes |
| MS08-039 | No | No |
| MS08-040 | Yes (SQL Server) | Yes |
| MS08-041 | No | No |
| MS08-042 | No (Office) | No |
| MS08-043 | No (Office) | No |
| MS08-044 | No(Office) | No |
| MS08-045 | Yes | No |
| MS08-046 | No | No |
| MS08-047 | Yes | Yes |
| MS08-048 | Yes | No |
| MS08-049 | Yes | Yes |
| MS08-050 | No | No |
| MS08-051 | No (Office) | No |
| MS08-052 | Yes | No |
| MS08-053 | Yes | No |
| MS08-054 | Yes | No |
| MS08-055 | No (Office) | No |
| MS08-056 | No (Office) | No |
| MS08-057 | No (Office) | No |
| MS08-058 | Yes (IE) | No |
| MS08-059 | No | No |
| MS08-060 | No (Active Directory) | No |
| MS08-061 | Yes | Yes |
| MS08-062 | Yes | Yes |
| MS08-063 | Yes | Yes |
| MS08-064 | Yes | Yes |
| MS08-065 | No | No |
| MS08-066 | No | No |
| MS08-067 | Yes | Yes |
Patching Server Core
In a Server Core installation automatic updates are not enabled by default.
Updates can be enabled using a built in script: cscript C:\Windows\System32\SCregEdit.wsf /AU 4
A default Server Core installation enabled for updates using a default update server (via internet to Microsoft) has loaded the following patches:
Systeminfo as of 17Dec08
HotFixID
KB938464 / MS08-052 GDIPLUS.DLL
KB941693 / MS08-025 Kernel (Updates: WIN32K.SYS)
KB947864 / MS08-024 IE (ADVPACK.DLL,URLMON.DLL,...)
KB948590 / MS08-021 (GDI32.DLL)
KB950582 / MS08-038 Security (NTSHELL32.DLL)
KB950974 / MS08-049 Security (ES.DLL)
KB951072 / Non Security (August Timezone Update)
KB951978 / Non Security (VB Script) <--- Perhaps a classification error at MSFT?
KB952287 / Non Security (MSADCE.DLL) <--- N/A - MDAC(ADO) not present on default core)
KB953733 / MS08-047 Security (FWREMOTESVR,IPSECSVC,POLSTORE,WINIPSEC)
KB953838 / MS08-045 IE8 (ADVPACK.DLL,JSPROXY.DLL,URLMON.DLL,WININET.DLL)
KB954211 / MS08-061 WIN32K.SYS
KB954459 / MS08-069 (MSXML6) MSXML6.DLL, MSXML6R.DLL
KB955069 / MS08-069 (MSXML3) MSXML3.DLL,MSXML3R.DLL
KB955302 / Non Security (CDD.DLL) Display Driver Reliability Update
KB956802 / MS08-071 (GDI32.DLL)
KB956841 / MS08-064 Security Kernel (NTKRNLPA.EXE,NTOSKRNL.EXE)
KB957095 / MS08-063 Security SMB (SRV.SYS)
KB957097 / MS08-068 MRXSMB10.SYS
KB958623 / MS08-075 Security Windows Search (NETAPI32.DLL)
KB958644 / MS08-067 Security Server Service (NETAPI32.DLL)
