Welcome to Dirteam.com/ActiveDir.org Blogs Sign in | Join | Help

The things that are better left unspoken

a blog by Sander Berkouwer

Related

AD Manager Plus
 

Blog roll

News



Archives

Analyzing the Server Core Updates Estimate

One of Server Core's touted benefits is it requires less security updates. Jeff Jones did some interesting research a little while ago in which he compared a theoretical Windows Server 2003 Server Core edition to a Windows Server 2003 installation in terms of security updates. In the accompanying blogpost he concluded:

[…] looking at the Windows Server Security Bulletins over the past two years, 40% of them would not have applied to a theoretical Server Core build. The results of the analysis are encouraging in terms of security progress.

Read the full report here.

In this post I'll look at the updates required for various flavors and derivates of Windows Server 2008 and the implications in terms of (planned) downtime between these flavors.

Note:
This blogpost is not intented to fully research the difference in the total amount of updates between a Server Core installation and a Full installation of Windows Server 2008. It merely provides a comparison based on a random moment in time as reference material. It does not take refreshed updates into account.

      

Updating

I’ve looked at updating:

  • Microsoft Windows Server 2008 x64 Enterprise Edition, Full installation
  • Microsoft Windows Server 2008 x64 Enterprise Edition, Server Core
  • Microsoft Windows Server 2008 x64 Standard Edition, Full installation
  • Microsoft Windows Server 2008 x64 Standard Edition, Server Core
  • Microsoft Hyper-V Server 2008 (x64)

I used five identical Dell XPS 420 boxes to install Windows Server 2008 and Hyper-V Server 2008. I used the following media:

  1. en_windows_server_2008_datacenter_enterprise_standard_x64_dvd_X14-26714.iso
  2. ServerHyper_MUIx2-080912.iso

The only setting I changed during installation was the keyboard lay-out which I set to US-International.

On the full installations I used Windows Update to determine the required updates. On the Server Core installations I used cscript.exe WUA_SearchDownloadInstall.vbs to determine the updates. On Hyper-V Server 2008 I used HVConfig.cmd wizard.

I installed and checked for updates on Wednesday October 22, 2008.

I saw there were no differences between updating a Windows Server 2008 edition with or without Hyper-V (same updates apply) and no differences between updating an Enterprise and a Standard edition (same updates apply).

In the table below you'll find the updates by Knowledgebase Article number per installation:

Update Description

Full

Server Core

Hyper-V Server

KB890830

Malicious Software Removal Tool

a

a

a

KB938464

Security Update

a

a

a

KB940518

Update for Server Manager (Optional)

a

 

 
KB947864 Cumulative Update (Internet Explorer 7)  

a

a

KB948590

Security Update

a

a

a

KB949189

Update (Replication)

a

a

 

KB950050

Update for Hyper-V RTM

a

a

 

KB950582

Security Update

a

a

a

KB950762

Security Update

a

 

 

KB950974

Security Update

a

 

a

a

KB951066

Security Update (Windows Mail)

a

 

 

KB951072

Update (Daylight Saving Time)

a

a

a

KB951698

Security Update

a

 

 

KB951978

Update (Cscript/Wscript)

a

a

a

KB952287

Update (MDAC)

a

a

a

KB953631 Update (Last known Good Configuration)  

a

 

KB953733

Security Update

a

a

a

KB953838 Cumulative Update (Internet Explorer 7)  

a

a

KB954211 Security Update

a

a

a

KB954366

Update (App Comp)

a

a

 

KB955020

Update (dictionaries)

a

 

 

KB955302

Update (performance)

a

a

a

KB956390 Cumulative Update (Internet Explorer 7)

a

   
KB956391 Cumulative Update (Active X / IE 7)

a

   
KB956841 Security Update

a

a

a

KB957095 Security Update

a

a

a

      

Analyzing

Full installations of Windows Server 2008 required 22 updates  and 1 optional update.
Server Core installations of Windows Server 2008 required 19 updates.
After installation Hyper-V Server 2008 required 15 updates.

At first glance these numbers don’t seem to represent Microsoft’s promise of 40% less updates.

When distinguishing between security updates and updates that improve the performance, stability and compatibility of Windows Server 2008 the following figure shows what Microsoft meant:

You can see clearly both Server Core and Full installations of Windows Server 2008 get the same performance, compatibility and stability updates. Since Hyper-V Server doesn’t contain the ‘usual’ Server roles, these apparently didn’t need to be patched. Server Core installations and Full installations of Windows Server 2008 required 8 updates. Hyper-V Server 2008 required a mere 4 updates.

When looking at the Security Updates however a huge difference becomes clear between Server Core installations and Hyper-V Server on one side and Full installations on the other side. Full installations require 13 security updates, where Server Core installations and Hyper-V Server require 10 security updates. (All installations including two cumulative security updates for Internet Explorer)

   

Concluding

Server Core installations require 23% less security updates, compared to Full installations of Windows Server 2008. (10 compared to 13)

This 23% difference might not result in less (managed) downtime for applying updates, since roughly the same updates apply. (2 differences)

Server Core installations and Hyper-V Server 2008 installations however are less vulnerable to unknown attacks, compared to Full installations of Windows Server 2008.

 

    Related posts

    (Manually) Updating Server Core 
    (Automatically) Updating Server Core 
    About Microsoft Hyper-V Server 2008   
    Server Core patching benefits, as shown by Secunia  

    Further reading

    Hyper-v Server , what is it exactly ?
    Download: Server Core Potential Security Benefit   
    This is why we asked so much for Server Core 
    More on Server Core Patches 
    VIR367: Hyper-V Security and Best Practices  
    Hyper-V Server is Finally Here – But What Exactly Is It? 
    Patching Server Core in production 
    First Look at Windows Server 2008 Server Core 
    Server Core Install vs. Full Install – Let’s Get Ready to Rumble! 
    InformIT - Windows Server Core Overview
    RedmondMag - Server Core: Windows Without Windows

    Posted: Wednesday, October 22, 2008 4:56 PM by Sander Berkouwer

    Comments

    TrackBack said:

    Sander Berkouwer: One of Server Core's touted benefits is it requires less security updates. Jeff Jones did some interesting research a little while ago in which he compared a theoretical Windows Server 2003 Server Core edition to a Windows Server 2003 installation in terms of security updates. In the accompanying blogpost he concluded:

    […] looking at the Windows Server Security Bulletins over the past two years, 40% of them would not have applied to a theoretical Server Core build. The results of the analysis are encouraging in terms of security progress.

    Read the full report here.

    In this post I'll look at the updates required for various flavors and derivates of Windows Server 2008 and the implications in terms of (planned) downtime between these flavors.

    # October 22, 2008 10:58 PM

    Kenneth said:

    Hi Sander,

    Interesting Article.

    Are you sure that KB947864 is applied to Core and Hyper-V server only? I would say that this one only applies to Full since that's the only edition having IE7 installed. I also count 11 Security updates instead of 13 (what do you see as a security update?)

    Normally you patch your servers once a month, after the updates come out monthly. Can i conclude that although server core has less patches, you still have to reserve managed downtime to apply patches that server core also needs?

    So actually the number of patches isn't that important, but more the fact if you need to reboot your server core machine after applying a patch.

    For example: MS will issue 2 security updates next month, only one of those 2 will apply to server core. But you still have to update server core as well because it needs the other update. Downtime for Full and Core will be the same at that point.

    On the other hand, if only 1 security update is released for WS2008 and it only applies to the Full version, you don't have to plan downtime for your Core server.

    I'm very curious to see how the patching of server core will look like in a year or so. Time will tell.

    Regards,

    Kenneth

    # October 22, 2008 11:12 PM

    Sander Berkouwer said:

    Hi Kenneth,

    Thanks for your reply!

    Are you sure that KB947864 is applied to Core and Hyper-V server only? I would say that this one only applies to Full since that's the only edition having IE7 installed.

    The Cumulative update for Internet Explorer 7 (KB974864) corresponding with MS08-24 applies to Server Core installations and Hyper-V Server 2008 installations only. For Full installations this update has been replaced with a newer version (KB956390), corresponding with MS08-50. This later update does not (yet?) apply to Server Core installations.

    I also count 11 Security updates instead of 13 (what do you see as a security update?)

    I counted everything described as a Security Update as a Security Update, as well as updates related to a security bulletin or security advisory. I've therefor placed the cumulative updates for Internet Explorer 7 and the cumulative update for Active X Killbits in the Security Updates category.

    So actually the number of patches isn't that important, but more the fact if you need to reboot your server core machine after applying a patch.

    My idea exactly! Idea

    # October 22, 2008 11:31 PM

    The things that are better left unspoken said:

    Hyper-V Server 2008 R2 available 

    Microsoft Hyper-V Server 2008 R2 requires the least amount of patches.
    In comparison with Full and Server Core installations of  Windows Server 2008 and Windows Server 2008 R2, Hyper-V Server 2008 R2 requires the least amount of patches. This amount is not just based on the patch footprint in  Jeff Woolsey’s series, but also based on my own historical data

    # August 29, 2009 3:01 AM

    The things that are better left unspoken said:

    Microsoft touts the smaller attack surface as one of the biggest benefits of using Server Core, compared

    # November 13, 2009 8:47 AM

    AD, DNS and virtualization resources | I am legend said:

    Last post before I take a long and deserving vacation. Smile For all of those that are taking care of Active Directory configuration, management and planning, here are few great resources that will help you in keeping your AD and DNS infrastructure healthy and your users quiet and satisfied. Also, I included some virtualization and Windows core services articles. These articles, blog posts and document are collected during my research on LDAP, collaboration systems and AD/DNS best practices in the past few months.

    Links to blog posts and online articles:

    Links to whitepapers and FAQs:

    Have a great vacation! See you in 4 weeks.

    # July 27, 2010 11:44 AM
    Anonymous comments are disabled