Microsoft touts the smaller attack surface as one of the biggest benefits of a Server Core installation compared to a Full installation of Windows Server 2008. Because a Server Core installation leaves out many components, it doesn't include most of the vulnerabilities found in Full installations. A consequence of this is that a Server Core installation may need fewer patches, and possibly fewer of the reboots that come with installing those patches.
A year ago, roughly one year after the launch of Windows Server 2008, I analyzed Microsoft's claim of a 40% reduction in patches applicable to Server Core compared to a Full installation. Before that I made fun of Secunia, but that's another story 😉
Andrew Mason, the Principal Program Manager for Server Core, shared his research at Tech∙Ed Europe 2009 this week on the number of patches applicable to Server Core and (most importantly) the number of reboots involved with patching over the last two years.
I’ve placed the information he shared in the table below:
| Scenario | Reduction of patches | Reduction of reboots |
|---|---|---|
| Accepting all applicable patches on Server Core | 53% | 67% |
| Applying only necessary patches on Server Core | 68% | 68% |
| Installing only critical patches on Server Core | 62% | 62% |
| Installing only necessary critical patches on Server Core | 82% | 82% |
These values are scoped as follows:
- These figures apply to a Server Core installation without the Active Directory Domain Services, DNS Server, Print Server, Media Services, Telnet or Internet Information Services (IIS) roles installed. When these roles are taken into account, the following table applies:

  | Scenario | Reduction of patches |
  |---|---|
  | Accepting all applicable patches on Server Core | 40% |
  | Applying only necessary patches on Server Core | 54% |
  | Installing only critical patches on Server Core | 44% |

- The difference between applicable patches and necessary patches is based on exploitability. An applicable patch is one that is offered to a Server Core installation because the affected files are present on its disk; it is not a necessary patch when the vulnerability is not exploitable on Server Core. These are the updates whose security bulletin contains the following information:
  * Windows Server 2008 Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 if Windows Server 2008 was installed using the Server Core installation option, even though the files affected by these vulnerabilities may be present on the system. However, users with the affected files will still be offered this update because the update files are newer (with higher version numbers) than the files that are currently on your system.
- Examples of this category can be found on Jeremy Jameson's blog.
Related posts:
- (Manually) Updating Server Core
- (Automatically) Updating Server Core
- Analyzing the Server Core Updates Estimate
- Handling Server Core Roles and Features
- Server Core patching benefits, as shown by Secunia