Planning for Windows Server 2016
Recently I was involved in an email list discussion about Windows Server 2016 and the lack of graphical interface options. I know this is a topic I’ve covered before, but I hope you’ll stay with me, as I think there’s an new idea I haven’t really considered before.
In the past, IT pros could install a Windows server with options for a full graphical, desktop-like interface, a server core installation, or a middle ground called Minimal Server Interface. Although I’ve never installed anything with the Minimal Server Interface, you could easily add or remove the GUI after installation.
In other words, you could do a full graphical installation, configure as necessary, and then remove the GUI bits. Or you could always add the GUI to a server core installation after the fact. But with Windows Server 2016, at least with Technology Preview 4 (TP4), these options are gone. And this is a good thing in my opinion.
Passwords Haven’t Disappeared Yet
123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?
Microsoft, as they often do, rely on a great deal of market research and real-world analyses. How are companies deploying servers? Are they switching GUIs on and off? What’s important to them? I can’t speak for Microsoft, but I think they then balance this information with where they would like to go, as well as pesky requirements like security. With TP4, you now have to make a choice at installation. Do you need a full graphical environment or can you live with Server Core? There’s no minimal UI, nor is there an option to toggle between Server Core and a full installation.
I’m not going to advocate that you never use a full graphical installation because that simply isn’t realistic. There are still plenty of server components that rely of full access to the .NET Framework or otherwise require a graphical environment. I get it. Of course, if you have some of these components I hope you are actively searching for replacements that don’t have such limitations. Notice I didn’t say “requirement,” because I think these types of products or services limit how you can deploy your server.
Now, what if someone deploys a server and later decides it really should have been deployed differently? Certainly this is something that can happen when you “inherit” servers. For me, this is where the concept of treating your servers like cattle and not pets comes into play. Server not configured the way you want it to be? Shoot it and re-deploy. This is why Microsoft has invested so heavily in technologies like Desired State Configuration (DSC) and collaborated with groups like Chef. Yes, I realize it might take some effort to build out your infrastructure but in the long run, this is where you need to be anyway. The fact that TP4 practically forces this upon you I view as a positive.
In fact, I think we’ve been looking at this “GUI/No-GUI” idea all wrong. With Windows Server 2016, you will have range of installation options. Need a full, standard server installation with a complete graphical interface? Sure, go ahead. Can you live without a GUI and go with Server Core? That would be a smart move. Can you get by without even an interactive console? Nano Server is your answer.
As IT pros, we’ve long known about the concept of least privilege use, that is, giving users the least amount of privilege and permission they need to do their job. We should extend this concept to least server use. What is the bare minimum server installation that you can live with in order to deliver the necessary services and functionality?
What you will discover is that the more minimal you can go, the faster the installation and deployment and the faster the reboots. Actually, you will probably need even less reboots because you won’t need as many patches. And the more that Microsoft can remove from your installation, the fewer attack vectors you have to worry about.
Now is the time for you to evaluate your servers and your management processes. How much management are you still doing via remote desktop? How much are you using remote management tools? How much are you doing from PowerShell? I have suspicion that many IT pros go with a full server installation because they think it is the easiest for them. But is it really in the long run?
I’d really like to hear your thoughts on this. How do you decide what installation option to go with? Am I out of touch with the real world? What are you doing to get ready for Windows Server 2016, or is it even on your radar? Comments eagerly accepted.