
The upside of the brave new Windows Server GUI-less world

So the server version of Windows 8 is losing the GUI. And some people aren’t happy about it.

Let’s talk about upside.

It always irritated me that so many unnecessary components were loaded on Windows servers. I used to remote-desktop into the domain controller and fire up pinball just to illustrate it. Who needs a pinball game on their server? Who even wants a pinball game on their server?

One of the things I like most about Linux is that you can install just the components you need to accomplish your task. Go to Turnkey Linux and you can see that most of their server appliance downloads are 200 megabytes or less. When installed, they occupy around 500 megabytes. That’s because they contain a kernel, a command line, the fundamental command-line utilities you expect to have in a Unix or Unix-like system, a text editor or two, whatever server components are necessary for the task at hand, and not much else. If a critical security update comes out for whatever Linux is using for an X Window system these days, I don’t sweat it because I don’t have those components installed at all. I’m not vulnerable, period.

New vulnerabilities that affect Linux systems are discovered all the time, but not every system is affected, and servers least of all. You’re only affected by all of them if you install every possible component.

And that’s always been the issue with Windows servers. There just weren’t very many optional components. Under Windows 2000, for instance, you couldn’t even uninstall Pinball and Solitaire unless you hacked an .inf file. The situation improved somewhat with Windows 2003, but I was still patching components I rarely used. I had one job where I administered several hundred servers, and the only time anyone used the GUI on a good number of them was when I logged in to check and see if the patches installed. In the meantime, I was patching vulnerabilities in Explorer, the font engine, and everything else. And don’t even get me started on forcing me to have a web browser installed. I had servers with no connectivity to the outside world whatsoever, and yet, I had to have a web browser installed. And that meant every other month I was deploying Internet Explorer patches to fix vulnerabilities in a component that had no legitimate use. Why patch them at all, you ask? Insider threats. You hope your fellow employees aren’t scanning your servers for exploits, but you can’t guarantee that they aren’t.

Windows Server 2008 was a step in the right direction, letting you load less and less. I see the GUI-less default as an even better thing. It’s possible to accomplish most server-related GUI tasks remotely via MMC and has been for more than a decade now. The fewer things you have loaded on a server, the fewer things you have to patch, and the safer you are in between patches. It doesn’t matter if there’s a 0-day vulnerability for Internet Explorer if you don’t even have Internet Explorer installed.

In this new way of doing things, there may be months when system administrators don’t have to deploy any patches at all. And when you do have to patch, you’ll be deploying fewer patches, so the patch process will take less time. And with no GUI to load, the servers should shut down and restart faster.
