Squeezing Windows Server onto a low-power VPS with Windows Server Core

Because Windows systems are so resource-hungry, the VPS environment is dominated by lightweight Linux distributions: Mint, Colibri OS, Debian or Ubuntu, stripped of the heavyweight desktop environment that is unnecessary for our purposes. As they say, all console, all hardcore! And this is no exaggeration: Debian runs on 256 MB of memory and a single core running at 1 GHz, which is pretty much all you need. For comfortable operation, you'll need at least 512 MB and a slightly faster processor. But what if we told you that you could do roughly the same thing on a Windows VPS? That there is no need to roll out a heavy Windows Server, which requires three to four gigabytes of RAM and at least a couple of cores with a clock speed of 1.4 GHz? Just use Windows Server Core: get rid of the GUI and some services. We'll discuss how to do this in this article.

So what is this Windows Server Core of yours?

Clear information about what Windows (Server) Core is cannot be found even on the official Microsoft website, or rather, everything there is so confusing that you can't figure it out right away, but the first mentions date back to the Windows Server 2008 era. In essence, Windows Core is a working Windows Server kernel (surprise!), "slimmed down" by the size of its own GUI and about half of the side services.

The main features of Windows Core are its modest hardware requirements and full console management via PowerShell.

If you go to the Microsoft website and check the technical requirements, you'll see that to start Windows Server 2016/2019 you need at least 2 GB of RAM and at least one core clocked at 1.4 GHz. But we all understand that with such a configuration we can only expect the system to boot, not comfortable operation of the OS. For this very reason, Windows Server is usually allocated more memory and at least 2 cores/4 threads, if it isn't given an expensive physical machine on some Xeon instead of a cheap virtual machine.

At the same time, the core of the server system itself requires only 512 MB of memory, and the processor resources that the GUI consumed just to draw on the screen and keep its numerous services running can be used for something more useful.

Here's a comparison of what is supported out of the box in Windows Core and in full-fledged Windows Server, from the official Microsoft website:

| Application | Server Core | Server with Desktop Experience |
|---|---|---|
| Command prompt | available | available |
| Windows PowerShell/Microsoft .NET | available | available |
| Perfmon.exe | not available | available |
| Windbg (GUI) | supported | available |
| Resmon.exe | not available | available |
| Regedit | available | available |
| Fsutil.exe | available | available |
| Disksnapshot.exe | not available | available |
| Diskpart.exe | available | available |
| Diskmgmt.msc | not available | available |
| Devmgmt.msc | not available | available |
| Server Manager | not available | available |
| Mmc.exe | not available | available |
| Eventvwr | not available | available |
| Wevtutil (Event queries) | available | available |
| Services.msc | not available | available |
| Control Panel | not available | available |
| Windows Update (GUI) | not available | available |
| Windows Explorer | not available | available |
| Taskbar | not available | available |
| Taskbar notifications | not available | available |
| Taskmgr | available | available |
| Internet Explorer or Edge | not available | available |
| Built-in help system | not available | available |
| Windows 10 Shell | not available | available |
| Windows Media Player | not available | available |
| PowerShell | available | available |
| PowerShell ISE | not available | available |
| PowerShell IME | available | available |
| Mstsc.exe | not available | available |
| Remote Desktop Services | available | available |
| Hyper-V Manager | not available | available |

As you can see, a lot has been cut out of Windows Core. Services and processes related to the system GUI have been removed, as well as any other "junk" that is definitely not needed on our console virtual machine, for example Windows Media Player.

Almost like Linux, but not quite

It is tempting to compare Windows Server Core with Linux distributions, but in fact this isn't entirely correct. Yes, these systems are similar in terms of reduced resource consumption thanks to the elimination of the GUI and many side services, but in terms of operation and some approaches to building, this is still Windows, not a Unix system.

The simplest example: by manually compiling the Linux kernel and then installing packages and services, even the lightest Linux distribution can be turned into something heavy that resembles a Swiss army knife (here I really want to make a funny joke about Python and insert a picture from the series "If Programming Languages Were Weapons", but we won't). Windows Core offers much less of this freedom, because we are, after all, dealing with a Microsoft product.

Windows Server Core comes pre-built, with its default configuration shown in the table above. If you need anything from the unsupported list, you'll have to add the missing elements online via the console. Don't forget about Feature on Demand and the ability to download components as CAB files, which you can then add to the build before installation. However, this scenario won't work if you discover during development that you're missing any of the removed services.

But what distinguishes the Core version from the full version is the ability to update the system and add services without stopping operation. Windows Core supports hot deployment of packages, without rebooting. As a result, based on practical observations, a machine running Windows Core needs to be rebooted about 6 times less often than one running Windows Server, that is, once every six months rather than once a month.

A nice bonus for administrators is that if the system is used as intended (through the console, without RDP) and not turned into a second Windows Server, it becomes extremely secure compared to the full version. After all, most Windows Server vulnerabilities come down to RDP and the actions of the user who, through this very RDP, does something they shouldn't. It's a bit like the story of Henry Ford and his attitude toward car color: "Any customer can have a car painted any color he wants, so long as it is black". So it is with the system: the user can communicate with the system in any way, the main thing is that he does it through the console.

Installation and management of Windows Server 2019 Core

We mentioned earlier that Windows Core is actually Windows Server without a GUI wrapper. This means you can use almost any version of Windows Server as a Core version, that is, abandon the GUI. For the Windows Server 2019 family, that is 3 out of 4 server builds: Core mode is available for Windows Server 2019 Standard Edition, Windows Server 2019 Datacenter and Hyper-V Server 2019; only Windows Server 2019 Essentials is excluded from this list.

There's no need to hunt for a separate Windows Server Core installation package. The standard Microsoft installer offers the Core version by default, while the GUI version requires manual selection.

There are actually more system management options than just the already mentioned PowerShell, which the manufacturer offers by default. A virtual machine running Windows Server Core can be managed in at least five different ways:

  • Remote PowerShell;
  • Remote Server Administration Tools (RSAT);
  • Windows Admin Center;
  • Sconfig;
  • ServerManager.

Of greatest interest are the first three items: standard PowerShell, RSAT and Windows Admin Center. However, it's important to understand that while we gain the benefits of one tool, we also accept its limitations.

We will not describe the capabilities of the console: PowerShell is PowerShell, with its obvious pluses and minuses. With RSAT and WAC, things are a little more complicated.

WAC gives you access to important system controls such as registry editing and disk and device management. For the registry, RSAT works only in view mode and will not let you make any changes, and for managing disks and physical devices it needs a GUI on the server, which is not our case. In general, RSAT cannot work with files and, accordingly, cannot handle updates, installing or removing programs, or editing the registry.

▍System management

 

| | WAC | RSAT |
|---|---|---|
| Component management | Yes | Yes |
| Registry Editor | Yes | No |
| Network management | Yes | Yes |
| View events | Yes | Yes |
| Shared folders | Yes | Yes |
| Disk management | Yes | Only for servers with GUI |
| Task Scheduler | Yes | Yes |
| Device management | Yes | Only for servers with GUI |
| File management | Yes | No |
| User management | Yes | Yes |
| Group management | Yes | Yes |
| Certificate management | Yes | Yes |
| Updates | Yes | No |
| Removing programs | Yes | No |
| System Monitor | Yes | Yes |

On the other hand, RSAT gives us full control over the roles on the machine, whereas Windows Admin Center can do almost nothing here. For clarity, here's a comparison of RSAT and WAC capabilities in role management:

▍Role management

 

| | WAC | RSAT |
|---|---|---|
| Advanced Threat Protection | PREVIEW | No |
| Windows Defender | PREVIEW | Yes |
| Containers | PREVIEW | Yes |
| AD Administrative Center | PREVIEW | Yes |
| AD Domains and Trusts | No | Yes |
| AD Sites and Services | No | Yes |
| DHCP | PREVIEW | Yes |
| DNS | PREVIEW | Yes |
| DFS Manager | No | Yes |
| GPO Manager | No | Yes |
| IIS Manager | No | Yes |

So it is already clear that if you abandon the GUI and PowerShell in favor of other controls, you won't get by with a single tool: for full-fledged administration on all fronts, you need at least a combination of RSAT and WAC.

It is important to remember that using WAC will cost you 150-180 megabytes of RAM. When connecting, Windows Admin Center creates 3-4 server-side sessions that persist even after you disconnect from the virtual machine. WAC also doesn't work with older versions of PowerShell, so you'll need at least PowerShell 5.0. This goes against our resource-saving paradigm, but convenience comes at a price. In our case, it's RAM.

Another option for managing Server Core is to install a GUI using third-party tools, so as not to drag along the tons of garbage that come with the interface in the full build.

In this case, we have two options: roll out the original Explorer to the system or use Explorer++. As an alternative to the latter, any file manager is suitable: Total Commander, FAR Manager, Double Commander, and so on. The second option is preferable if saving RAM is critical for you. You can add Explorer++ or any other file manager by creating a network folder and launching it through the console or scheduler.

Installing a full-fledged Explorer will give us more options for working with UI-equipped software. For this we will have to turn to the Server Core App Compatibility Feature on Demand (FOD), which returns MMC, Eventvwr, PerfMon, Resmon, Explorer.exe and even PowerShell ISE to the system. However, as in the case of WAC, you will have to pay for this: we irretrievably lose about 150-200 megabytes of RAM, which explorer.exe and other services will ruthlessly devour, even if there is no active user on the machine.

This is what the system memory consumption looks like on machines with and without the native Explorer package.

This raises a logical question: why bother with PowerShell, FOD, and file managers if every step you take leads to increased RAM consumption? Why juggle a bunch of tools to get comfortable work on Windows Server Core, when you can just roll out Windows Server 2016/2019 and live in comfort?

There are several reasons to use Server Core. First, it uses almost half as much memory. If you recall, this was the premise of our article at the very beginning. Here is the memory consumption of Windows Server 2019 for comparison with the screenshots just above:

And there it is: 1146 MB of consumed memory instead of 655 MB on Core.

Assuming you don't need WAC and use Explorer++ instead of the original Explorer, you will still win almost half a gigabyte on each virtual machine running Windows Server. If you have just one virtual machine, the gain is negligible, but what if you have five? That's where the GUI starts to matter, especially if you don't need it.

Second, no amount of dancing around Windows Server Core will bring you to the main problem of operating Windows Server: RDP and its security (or rather, its complete lack thereof). Even wrapped in FOD, RSAT, and WAC, Windows Core is still a server without RDP, meaning it is not susceptible to 95% of existing attacks.
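
The properties this article relies on (a Core installation, no RDP, no App Compatibility FOD, PowerShell 5.0 or newer for WAC, low memory use) can be checked on a given host over Remote PowerShell. The script below is an added example, not part of the original article; the host name core-vps01 is a placeholder, and it assumes WinRM is enabled on the target and the caller has administrator rights there.

```powershell
# Added example: audit a Server Core host over Remote PowerShell.
# 'core-vps01' is a placeholder host name; WinRM and admin rights are assumed.
param([string]$ComputerName = 'core-vps01')

$report = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $os = Get-CimInstance Win32_OperatingSystem
    # Server Core App Compatibility FOD (brings back Explorer, MMC, Eventvwr, ...)
    $fod = Get-WindowsCapability -Online `
        -Name 'ServerCore.AppCompatibility~~~~0.0.1.0' -ErrorAction SilentlyContinue
    # Is anything actually listening on the default RDP port?
    $rdp = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        InstallationType = $cv.InstallationType            # 'Server Core' or 'Server'
        RdpDenied        = ($ts.fDenyTSConnections -eq 1)  # 1 = RDP switched off
        RdpPortListening = [bool]$rdp
        AppCompatFod     = if ($fod) { "$($fod.State)" } else { 'Unknown' }
        PSVersion        = $PSVersionTable.PSVersion.ToString()
        # Win32_OperatingSystem reports memory in KB; convert to MB
        MemoryUsedMB     = [math]::Round(($os.TotalVisibleMemorySize - $os.FreePhysicalMemory) / 1KB)
        ExplorerRunning  = [bool](Get-Process explorer -ErrorAction SilentlyContinue)
    }
}

# Compare the collected facts with the minimal profile described in the article.
$findings = @()
if ($report.InstallationType -ne 'Server Core') {
    $findings += "Not a Core installation: $($report.InstallationType)"
}
if (-not $report.RdpDenied -or $report.RdpPortListening) {
    $findings += 'RDP is enabled or TCP 3389 is listening'
}
if ($report.AppCompatFod -eq 'Installed') {
    $findings += 'App Compatibility FOD is installed (GUI tools present, extra RAM use)'
}
if ([version]$report.PSVersion -lt [version]'5.0') {
    $findings += 'PowerShell is older than 5.0: Windows Admin Center will not work'
}

$report | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Host matches the minimal Core profile.' }
```

The RDP check covers both the registry switch and an actual listener, since Remote Desktop Services is available on Server Core (see the first table) and can be turned on later.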

The bottom line

Overall, Windows Core is only slightly "fatter" than any stock Linux distribution, but it's much more functional. If you need to free up resources and are willing to work with the console, WAC, and RSAT, using file managers instead of a full-fledged GUI, then Core is worth considering. Especially since it lets you avoid paying extra for the full-fledged version of Windows and spend the saved money on upgrading your VPS, adding RAM, for example. For convenience, we added Windows Server Core to our marketplace.


Source: habr.com
