27 November 2012

Attack surface comparison for Server 2012 editions

With Windows Server 2012 Microsoft has done a great job of simplifying the features and capabilities of the server platform.  Essentially there are no longer any functional differences between Standard Edition and Datacenter Edition.

There are, however, still a few deployment options to consider.  The table below covers the different deployment options and the default attack / patching surface of a default installation of each.

The different options we will compare are:

  • Full install with all the GUI components
  • Full install with GUI components removed with PowerShell (Full - GUI)
  • Core install
  • Windows Hyper-V Server 2012

The table below shows the state of each role and feature under each installation option.  The states are as follows:

  • Installed: Role is installed and active
  • Available: Role is available and ready for installation
  • Removed: Role is available for installation from external installation media
  • N/A: Role or feature is not available for the platform




Role / Feature | Full | Full - GUI | Core | Hyper-V
Active Directory Certificate Services | Available | Available | Available | N/A
---> Certification Authority | Available | Available | Available | N/A
---> Certificate Enrollment Policy Web Service | Available | Available | Available | N/A
---> Certificate Enrollment Web Service | Available | Available | Available | N/A
---> Certification Authority Web Enrollment | Available | Available | Available | N/A
---> Network Device Enrollment Service | Available | Available | Available | N/A
---> Online Responder | Available | Available | Available | N/A
Active Directory Domain Services | Available | Available | Available | N/A
Active Directory Federation Services | Available | Available | Removed | N/A
---> Federation Service | Available | Available | Removed | N/A
---> AD FS 1.1 Web Agents | Available | Available | Removed | N/A
---> AD FS 1.1 Claims-aware Agent | Available | Available | Removed | N/A
---> AD FS 1.1 Windows Token-based Agent | Available | Available | Removed | N/A
---> Federation Service Proxy | Available | Available | Removed | N/A
Active Directory Lightweight Directory Services | Available | Available | Available | N/A
Active Directory Rights Management Services | Available | Available | Available | N/A
---> Active Directory Rights Management Server | Available | Available | Available | N/A
---> Identity Federation Support | Available | Available | Removed | N/A
Application Server | Available | Available | Removed | N/A
---> .NET Framework 4.5 | Available | Available | Removed | N/A
---> COM+ Network Access | Available | Available | Removed | N/A
---> Distributed Transactions | Available | Available | Removed | N/A
---> WS-Atomic Transactions | Available | Available | Removed | N/A
---> Incoming Network Transactions | Available | Available | Removed | N/A
---> Outgoing Network Transactions | Available | Available | Removed | N/A
---> TCP Port Sharing | Available | Available | Removed | N/A
---> Web Server (IIS) Support | Available | Available | Removed | N/A
---> Windows Process Activation Service Support | Available | Available | Removed | N/A
---> HTTP Activation | Available | Available | Removed | N/A
---> Message Queuing Activation | Available | Available | Removed | N/A
---> Named Pipes Activation | Available | Available | Removed | N/A
---> TCP Activation | Available | Available | Removed | N/A
DHCP Server | Available | Available | Available | N/A
DNS Server | Available | Available | Available | N/A
Fax Server | Available | Removed | Removed | N/A
File And Storage Services | Installed | Installed | Installed | Installed
---> File and iSCSI Services | Available | Available | Available | Available
---> File Server | Available | Available | Available | Available
---> BranchCache for Network Files | Available | Available | Available | N/A
---> Data Deduplication | Available | Available | Available | N/A
---> DFS Namespaces | Available | Available | Available | N/A
---> DFS Replication | Available | Available | Available | N/A
---> File Server Resource Manager | Available | Available | Available | N/A
---> File Server VSS Agent Service | Available | Available | Available | N/A
---> iSCSI Target Server | Available | Available | Available | N/A
---> iSCSI Target Storage Provider (VDS and V... | Available | Available | Available | N/A
---> Server for NFS | Available | Available | Available | N/A
---> Storage Services | Installed | Installed | Installed | Installed
Hyper-V | Available | Available | Available | Installed
Network Policy and Access Services | Available | Available | Removed | N/A
---> Network Policy Server | Available | Available | Removed | N/A
---> Health Registration Authority | Available | Available | Removed | N/A
---> Host Credential Authorization Protocol | Available | Available | Removed | N/A
Print and Document Services | Available | Available | Available | N/A
---> Print Server | Available | Available | Available | N/A
---> Distributed Scan Server | Available | Available | Removed | N/A
---> Internet Printing | Available | Available | Removed | N/A
---> LPD Service | Available | Available | Available | N/A
Remote Access | Available | Available | Available | N/A
---> DirectAccess and VPN (RAS) | Available | Available | Available | N/A
---> Routing | Available | Available | Available | N/A
Remote Desktop Services | Available | Available | Available | Available
---> Remote Desktop Connection Broker | Available | Available | Available | N/A
---> Remote Desktop Gateway | Available | Available | Removed | N/A
---> Remote Desktop Licensing | Available | Available | Available | N/A
---> Remote Desktop Session Host | Available | Available | Removed | N/A
---> Remote Desktop Virtualization Host | Available | Available | Available | Available
---> Remote Desktop Web Access | Available | Available | Removed | N/A
Volume Activation Services | Available | Available | Available | N/A
Web Server (IIS) | Available | Available | Available | N/A
---> Web Server | Available | Available | Available | N/A
---> Common HTTP Features | Available | Available | Available | N/A
---> Default Document | Available | Available | Available | N/A
---> Directory Browsing | Available | Available | Available | N/A
---> HTTP Errors | Available | Available | Available | N/A
---> Static Content | Available | Available | Available | N/A
---> HTTP Redirection | Available | Available | Available | N/A
---> WebDAV Publishing | Available | Available | Available | N/A
---> Health and Diagnostics | Available | Available | Available | N/A
---> HTTP Logging | Available | Available | Available | N/A
---> Custom Logging | Available | Available | Available | N/A
---> Logging Tools | Available | Available | Available | N/A
---> ODBC Logging | Available | Available | Available | N/A
---> Request Monitor | Available | Available | Available | N/A
---> Tracing | Available | Available | Available | N/A
---> Performance | Available | Available | Available | N/A
---> Static Content Compression | Available | Available | Available | N/A
---> Dynamic Content Compression | Available | Available | Available | N/A
---> Security | Available | Available | Available | N/A
---> Request Filtering | Available | Available | Available | N/A
---> Basic Authentication | Available | Available | Available | N/A
---> Centralized SSL Certificate Support | Available | Available | Available | N/A
---> Client Certificate Mapping Authentic... | Available | Available | Available | N/A
---> Digest Authentication | Available | Available | Available | N/A
---> IIS Client Certificate Mapping Authe... | Available | Available | Available | N/A
---> IP and Domain Restrictions | Available | Available | Available | N/A
---> URL Authorization | Available | Available | Available | N/A
---> Windows Authentication | Available | Available | Available | N/A
---> Application Development | Available | Available | Available | N/A
---> .NET Extensibility 3.5 | Available | Available | Available | N/A
---> .NET Extensibility 4.5 | Available | Available | Available | N/A
---> Application Initialization | Available | Available | Available | N/A
---> ASP | Available | Available | Available | N/A
---> ASP.NET 3.5 | Available | Available | Available | N/A
---> ASP.NET 4.5 | Available | Available | Available | N/A
---> CGI | Available | Available | Available | N/A
---> ISAPI Extensions | Available | Available | Available | N/A
---> ISAPI Filters | Available | Available | Available | N/A
---> Server Side Includes | Available | Available | Available | N/A
---> WebSocket Protocol | Available | Available | Available | N/A
---> FTP Server | Available | Available | Available | N/A
---> FTP Service | Available | Available | Available | N/A
---> FTP Extensibility | Available | Available | Available | N/A
---> IIS Hostable Web Core | Available | Available | Available | N/A
---> Management Tools | Available | Available | Available | N/A
---> IIS Management Console | Available | Available | Removed | N/A
---> IIS 6 Management Compatibility | Available | Available | Available | N/A
---> IIS 6 Metabase Compatibility | Available | Available | Available | N/A
---> IIS 6 Management Console | Available | Available | Removed | N/A
---> IIS 6 Scripting Tools | Available | Available | Available | N/A
---> IIS 6 WMI Compatibility | Available | Available | Available | N/A
---> IIS Management Scripts and Tools | Available | Available | Available | N/A
---> Management Service | Available | Available | Available | N/A
Windows Deployment Services | Available | Available | Removed | N/A
---> Deployment Server | Available | Available | Removed | N/A
---> Transport Server | Available | Available | Removed | N/A
Windows Server Update Services | Available | Available | Available | N/A
---> WID Database | Available | Available | Available | N/A
---> WSUS Services | Available | Available | Available | N/A
---> Database | Available | Available | Available | N/A
.NET Framework 3.5 Features | Available | Available | Available | Available
---> .NET Framework 3.5 (includes .NET 2.0 and 3.0) | Removed | Removed | Removed | Removed
---> HTTP Activation | Available | Available | Available | N/A
---> Non-HTTP Activation | Available | Available | Available | N/A
.NET Framework 4.5 Features | Installed | Installed | Installed | Installed
---> .NET Framework 4.5 | Installed | Installed | Installed | Installed
---> ASP.NET 4.5 | Available | Available | Available | Available
---> WCF Services | Installed | Installed | Installed | N/A
---> HTTP Activation | Available | Available | Available | N/A
---> Message Queuing (MSMQ) Activation | Available | Available | Available | N/A
---> Named Pipe Activation | Available | Available | Available | N/A
---> TCP Activation | Available | Available | Available | N/A
---> TCP Port Sharing | Installed | Installed | Installed | N/A
Background Intelligent Transfer Service (BITS) | Available | Available | Available | Available
---> IIS Server Extension | Available | Available | Removed | N/A
---> Compact Server | Available | Available | Available | Available
BitLocker Drive Encryption | Available | Available | Available | Available
BitLocker Network Unlock | Available | Available | Removed | N/A
BranchCache | Available | Available | Available | N/A
Client for NFS | Available | Available | Available | N/A
Data Center Bridging | Available | Available | Available | Available
Enhanced Storage | Available | Available | Available | Available
Failover Clustering | Available | Available | Available | Available
Group Policy Management | Available | Available | Available | N/A
Ink and Handwriting Services | Available | Available | Removed | N/A
Internet Printing Client | Available | Available | Removed | N/A
IP Address Management (IPAM) Server | Available | Available | Removed | N/A
iSNS Server service | Available | Available | Available | N/A
LPR Port Monitor | Available | Available | Removed | N/A
Management OData IIS Extension | Available | Available | Available | N/A
Media Foundation | Available | Available | Available | Available
Message Queuing | Available | Available | Available | N/A
---> Message Queuing Services | Available | Available | Available | N/A
---> Message Queuing Server | Available | Available | Available | N/A
---> Directory Service Integration | Available | Available | Available | N/A
---> HTTP Support | Available | Available | Available | N/A
---> Message Queuing Triggers | Available | Available | Available | N/A
---> Multicasting Support | Available | Available | Available | N/A
---> Routing Service | Available | Available | Available | N/A
---> Message Queuing DCOM Proxy | Available | Available | Available | N/A
Multipath I/O | Available | Available | Available | Available
Network Load Balancing | Available | Available | Available | N/A
Peer Name Resolution Protocol | Available | Available | Available | N/A
Quality Windows Audio Video Experience | Available | Available | Available | N/A
RAS Connection Manager Administration Kit (CMAK) | Available | Available | Removed | N/A
Remote Assistance | Available | Available | Removed | N/A
Remote Differential Compression | Available | Available | Available | N/A
Remote Server Administration Tools | Available | Available | Available | Available
---> Feature Administration Tools | Available | Available | Available | Available
---> SMTP Server Tools | Available | Available | Removed | N/A
---> BitLocker Drive Encryption Administratio... | Available | Available | Available | Available
---> BitLocker Drive Encryption Tools | Available | Available | Removed | N/A
---> BitLocker Recovery Password Viewer | Available | Available | Removed | N/A
---> BITS Server Extensions Tools | Available | Available | Removed | N/A
---> Failover Clustering Tools | Available | Available | Available | Available
---> Failover Cluster Management Tools | Available | Available | Removed | N/A
---> Failover Cluster Module for Windows ... | Available | Available | Available | Available
---> Failover Cluster Automation Server | Available | Available | Available | Available
---> Failover Cluster Command Interface | Available | Available | Available | Available
---> IP Address Management (IPAM) Client | Available | Available | Removed | N/A
---> Network Load Balancing Tools | Available | Available | Removed | N/A
---> SNMP Tools | Available | Available | Removed | N/A
---> Windows System Resource Manager RSAT [De... | Available | Available | Removed | N/A
---> WINS Server Tools | Available | Available | Removed | N/A
---> Role Administration Tools | Available | Available | Available | Available
---> AD DS and AD LDS Tools | Available | Available | Available | N/A
---> Active Directory module for Windows ... | Available | Available | Available | N/A
---> AD DS Tools | Available | Available | Available | N/A
---> Active Directory Administrative ... | Available | Available | Available | N/A
---> AD DS Snap-Ins and Command-Line ... | Available | Available | Available | N/A
---> Server for NIS Tools [DEPRECATED] | Available | Available | Removed | N/A
---> AD LDS Snap-Ins and Command-Line Tools | Available | Available | Available | N/A
---> Hyper-V Management Tools | Available | Available | Available | Available
---> Hyper-V GUI Management Tools | Available | Available | Removed | N/A
---> Hyper-V Module for Windows PowerShell | Available | Available | Available | Available
---> Remote Desktop Services Tools | Available | Available | Removed | N/A
---> Remote Desktop Gateway Tools | Available | Available | Removed | N/A
---> Remote Desktop Licensing Diagnoser T... | Available | Available | Removed | N/A
---> Remote Desktop Licensing Tools | Available | Available | Removed | N/A
---> Windows Server Update Services Tools | Available | Available | Available | N/A
---> API and PowerShell cmdlets | Available | Available | Available | N/A
---> User Interface Management Console | Available | Available | Removed | N/A
---> Active Directory Certificate Services Tools | Available | Available | Removed | N/A
---> Certification Authority Management T... | Available | Available | Removed | N/A
---> Online Responder Tools | Available | Available | Removed | N/A
---> Active Directory Rights Management Servi... | Available | Available | Removed | N/A
---> DHCP Server Tools | Available | Available | Removed | N/A
---> DNS Server Tools | Available | Available | Available | N/A
---> Fax Server Tools | Available | Removed | Removed | N/A
---> File Services Tools | Available | Available | Removed | N/A
---> DFS Management Tools | Available | Available | Removed | N/A
---> File Server Resource Manager Tools | Available | Available | Removed | N/A
---> Services for Network File System Man... | Available | Available | Removed | N/A
---> Share and Storage Management Tool | Available | Available | Removed | N/A
---> Network Policy and Access Services Tools | Available | Available | Removed | N/A
---> Print and Document Services Tools | Available | Available | Removed | N/A
---> Remote Access Management Tools | Available | Available | Available | N/A
---> Remote Access GUI and Command-Line T... | Available | Removed | Removed | N/A
---> Remote Access module for Windows Pow... | Available | Available | Available | N/A
---> Volume Activation Tools | Available | Available | Removed | N/A
---> Windows Deployment Services Tools | Available | Available | Removed | N/A
RPC over HTTP Proxy | Available | Available | Available | N/A
Simple TCP/IP Services | Available | Available | Removed | N/A
SMTP Server | Available | Available | Removed | N/A
SNMP Service | Available | Available | Available | Available
---> SNMP WMI Provider | Available | Available | Available | Available
Subsystem for UNIX-based Applications [Deprecated] | Available | Available | Available | N/A
Telnet Client | Available | Available | Available | Available
Telnet Server | Available | Available | Removed | N/A
TFTP Client | Available | Available | Removed | N/A
User Interfaces and Infrastructure | Installed | Available | Installed | N/A
---> Graphical Management Tools and Infrastructure | Installed | Available | Removed | N/A
---> Desktop Experience | Available | Removed | Removed | N/A
---> Server Graphical Shell | Installed | Removed | Removed | N/A
Windows Biometric Framework | Available | Available | Removed | N/A
Windows Feedback Forwarder | Available | Available | Available | Available
Windows Identity Foundation 3.5 | Available | Available | Removed | N/A
Windows Internal Database | Available | Available | Available | N/A
Windows PowerShell | Installed | Installed | Installed | Installed
---> Windows PowerShell 3.0 | Installed | Installed | Installed | Installed
---> Windows PowerShell 2.0 Engine | Removed | Removed | Removed | Available
---> Windows PowerShell ISE | Installed | Available | Removed | N/A
---> Windows PowerShell Web Access | Available | Available | Available | N/A
Windows Process Activation Service | Available | Available | Available | N/A
---> Process Model | Available | Available | Available | N/A
---> .NET Environment 3.5 | Available | Available | Available | N/A
---> Configuration APIs | Available | Available | Available | N/A
Windows Search Service | Available | Removed | Removed | N/A
Windows Server Backup | Available | Available | Available | Available
Windows Server Migration Tools | Available | Available | Available | N/A
Windows Standards-Based Storage Management | Available | Available | Available | Available
Windows System Resource Manager [Deprecated] | Available | Available | Removed | N/A
Windows TIFF IFilter | Available | Available | Removed | N/A
WinRM IIS Extension | Available | Available | Available | N/A
WINS Server | Available | Available | Available | N/A
Wireless LAN Service | Available | Available | Removed | N/A
WoW64 Support | Installed | Installed | Installed | Available
XPS Viewer | Available | Available | Removed | N/A


Even though remote management of the different deployments is very similar, the actual footprint of the server can be very different.  With all the enhancements in management that came with Server 2012 you need a really good reason to use core as opposed to a full install.  Keep in mind that a "removed" role or feature can still be installed.  This is probably why core is the default installation choice.
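The states in the table above come straight from the ServerManager cmdlets, and the same cmdlets are what turn a Full install into "Full - GUI" or bring a "Removed" feature back from media. The script below is an added example, not code from the original post: it inventories the Installed / Available / Removed state of every role and feature, saves a baseline, and reports any feature whose state has drifted since that baseline (a cheap way to catch attack-surface growth on a box you have already reviewed). The cmdlets and the Server-Gui-Shell / Server-Gui-Mgmt-Infra feature names are Microsoft's; the baseline path and the D:\sources\sxs media path are assumptions for the example.

```powershell
# Added example (not from the original post). Requires the ServerManager
# module, which is present on Server 2012 Full, Full - GUI and Core.
Import-Module ServerManager

# Current state of every role and feature, with InstallState as a plain
# string so it round-trips through CSV and compares cleanly later.
function Get-FeatureState {
    Get-WindowsFeature |
        Select-Object Name, DisplayName,
            @{ Name = 'InstallState'; Expression = { $_.InstallState.ToString() } }
}

# Summary by state: how much is active (to patch) versus merely staged or
# stripped from disk. Mirrors the Installed / Available / Removed columns above.
function Get-FeatureSummary {
    Get-FeatureState | Group-Object InstallState | Select-Object Name, Count
}

# Save a baseline after the build has been reviewed. Path is an assumption.
function Save-FeatureBaseline {
    param([string]$Path = 'C:\baseline\features.csv')
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Get-FeatureState | Export-Csv -Path $Path -NoTypeInformation
}

# Report features whose InstallState differs from the baseline. Only the
# "=>" side (current box) is returned, i.e. what changed since review.
function Compare-FeatureBaseline {
    param([string]$Path = 'C:\baseline\features.csv')
    $baseline = Import-Csv -Path $Path
    $current  = Get-FeatureState
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                   -Property Name, InstallState |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object Name, InstallState
}

# Usage on a reviewed build:
Get-FeatureSummary
Save-FeatureBaseline
# ... later, on the same box:
Compare-FeatureBaseline

# Turning Full into "Full - GUI": -Remove deletes the payload from disk rather
# than just disabling it, which is what moves these rows to "Removed".
# Uninstall-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra -Remove -Restart

# A "Removed" feature can still be installed by pointing -Source at the
# installation media's side-by-side store (drive letter is an assumption).
# Install-WindowsFeature Server-Gui-Shell -Source D:\sources\sxs
```

The comparison keys on both Name and InstallState, so a feature that was "Available" at review time and is now "Installed" shows up as a single row; a feature that has gone from "Removed" to "Available" (someone staged the payload) shows up the same way, which is worth knowing because it is then one cmdlet away from being active.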

Hyper-V Server also shows off just how thin it really is, but it still packs a load of functionality into a very tidy (and free) package.

