64

Lately, I was watching an online video about Microsoft Certified Solutions Associate (MCSA) and in one of the videos it says "removing GUI from Windows server makes it less vulnerable."

Is that true? If so, how does removing the GUI have that effect?

Anders
R1W
  • 3
    So it works for Linux and Microsoft and any other system. – R1W Aug 26 '18 at 17:04
  • 12
    It is ironic that this advice comes from Microsoft, which has always provided server OSes with GUIs. – dr_ Aug 27 '18 at 09:43
  • 5
    @dr01 Their servers since 2012 have had Core mode - no GUI out of the box. Mixed results, obviously, but they've been at least moderately pushing to remove the GUI - or at least make it optional - for years. – WernerCD Aug 27 '18 at 17:16
  • 6
    Because [GUI interface, when written in Visual Basic, can track IP addresses](https://youtu.be/hkDD03yeLnU). – wha7ever Aug 27 '18 at 19:58
  • 2
    Note that removing the _desktop_ is not the same as removing the _graphical user interface_. A window with gadgets and borders is still a GUI, even if that window is displaying a Windows console used by a command interpreter. – JdeBP Aug 28 '18 at 16:45
  • 1
    Removing anything removes the vulnerabilities in that anything. If you remove the entire server, you no longer have any vulnerabilities to worry about. – Mast Aug 29 '18 at 07:08

2 Answers

117

Removing the GUI is useful and recommended. It will remove unused components and a lot of libraries, and make the install size smaller.

How does this make it less vulnerable?

Fewer components equal less attack surface. A vulnerability on a GUI component will not affect you. Attacks relying on GUI components won't work either.

So, when designing a server, remove every single component not needed by the application you are serving. It will be way more secure than using the default install.

R1W
ThoriumBR
  • 8
    This is also true for Linux systems. As per hardening guidelines, you should remove X Windows System packages, unless very much required. – Krishna Pandey Aug 26 '18 at 16:24
  • 36
    It is just Windows and Linux. This is true for **any** system. For instance, ask any network professional if they have the GUI enabled on their Cisco switches or routers. Less services running or less services exposed/available means a more secure system. – YLearn Aug 26 '18 at 16:33
  • 1
    I agree with your answer, I just don't recommend it to a junior admin, as without a GUI it can be harder for the server maintenance and to check the log for a junior, thus leading to the inverse – yagmoth555 Aug 26 '18 at 19:40
  • 12
    @R1- You can manage a Windows server with PowerShell, remotely. A GUI installed on the server is not required or even desirable. – Michael Hampton Aug 26 '18 at 22:28
  • 10
    You don't even need PowerShell just to view logs. Windows Event Viewer (the GUI part) is network-capable. You can view server logs from a workstation; it just opens the local logs by default. – MSalters Aug 27 '18 at 08:35
  • 6
    @KrishnaPandey Absolutely. At ${EMPLOYER} our standard RHEL image has no X components whatsoever. I occasionally run into software installation packages that ASS|U|ME X is running, and have to ask the vendor for documentation on how to create and use a response file (which I prefer anyway, as it makes installation reliably repeatable, which really helps when you want to be able to spin up new servers (and shut down old) to handle fluctuating demand). – Monty Harder Aug 27 '18 at 17:37
  • 5
    @yagmoth555 I disagree. Junior Windows server admins should learn to manage all of their servers from their desktops using the Server Manager tool. It's the GUI that runs on the management station, not on the server. It is installed with the Remote Server Administration Toolkit. We should not teach junior Windows admins to ever RDP to a server. – Todd Wilcox Aug 28 '18 at 20:05
  • @ToddWilcox Should learn, yes. I manage junior sysadmins at my job, so "should" is correctly written in your sentence. – yagmoth555 Aug 28 '18 at 20:24
  • 1
    @KrishnaPandey For Linux, it's especially important because the X system is sometimes made setuid, which makes it a security issue even if it is never actually executed and just sits there. – forest Aug 29 '18 at 03:11
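
The Linux side of the advice in this answer and its comments (no X packages installed, no setuid X binary left on disk) can be checked with a short audit script. This is an added example, not part of the original answer or comments; the function names and the package-name patterns are assumptions to adapt per distribution.

```shell
#!/bin/sh
# Added example: audit a Linux server against a "no GUI" baseline.
# The package patterns are assumptions covering common X server and
# display-manager package names; extend them for your distribution.

# Print installed package names, one per line (RPM- or dpkg-based hosts).
list_packages() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME}\n'
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package}\n'
    fi
}

# Read package names on stdin; print the ones that belong to a GUI stack.
gui_packages() {
    { grep -E '^(xorg-x11-server|xserver-xorg|xwayland|gdm|lightdm|sddm|gnome-shell|plasma-desktop)' || true; } | sort -u
}

# Print setuid files under directory $1 whose name looks like an X server.
# A setuid binary is a risk even if nobody ever starts it.
setuid_x_binaries() {
    find "$1" -xdev -type f -perm -4000 \
        \( -name 'Xorg*' -o -name 'X' -o -name 'Xwayland' \) 2>/dev/null || true
}

# Report findings; exit status is 0 only when nothing was found.
audit_headless() {
    pkgs=$(list_packages | gui_packages)
    bins=$(setuid_x_binaries "${1:-/usr}")
    [ -z "$pkgs" ] || printf 'GUI packages installed:\n%s\n' "$pkgs"
    [ -z "$bins" ] || printf 'setuid X binaries present:\n%s\n' "$bins"
    [ -z "$pkgs$bins" ]
}

# Run the audit only when a directory is given, e.g.: sh audit.sh /usr
if [ "$#" -gt 0 ]; then
    audit_headless "$1"
fi
```

A non-zero exit status makes the script usable as a gate in image builds or configuration-management runs.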
42

Removing the GUI also has the side effect of making it a bit more "human safe" because, put bluntly, it makes the OS more idiot proof.

There are countless stories of small businesses having users reading mail and browsing the internet on the company DC. The user opens a bad attachment and suddenly everything is on fire. Simply removing the GUI from the server prevents this sort of thing from happening.

Another useful side to this is protecting servers from sysadmins. The general consensus is that you should not be running standard user programs on a server but instead in containers/somewhere else. I've stumbled upon a few servers in my time running CCleaner. While the use of the tool is arguable, it has absolutely no place running on a DC because it simply isn't designed for servers.

Most of these aren't mistakes that any experienced sysadmin would make. Security of an enterprise, however, is based on the weakest link. If all of your other sites are extraordinarily well secured but one manager decides that Bob from finance needs a faster computer to work on spreadsheets but doesn't want to purchase one and decides to let him into the server closet, you're in trouble if he manages to sign in.

R1W
Allison
  • 1
    In case of Microsoft Windows or Linux, we are talking about removing GUI from the server and it is not Client Side – R1W Aug 27 '18 at 12:40
  • 8
    @R1- I am very much aware. Removing the GUI from Windows Server (i.e. Core) prevents a lot of bad behavior as I explained in my answer. – Allison Aug 27 '18 at 14:18
  • 5
    "Most of these aren't mistakes that any experienced sysadmin would make." Sadly, my personal experience is contrary to this assertion. Which is why I believe this answer is actually the better of the two: saving the server from bad system administration is more of a real-world day-to-day need than reducing its attack area just slightly. – Todd Wilcox Aug 28 '18 at 20:08
  • Given that over 80% of breaches happen because of human error, I also suggest that removing browsing and HTML email reduces vulnerabilities more than removing the GUI libraries from the threat surface (although that is also a factor). – schroeder Sep 10 '18 at 09:53