Perhaps the most important way to increase security in your organization is to lower the security threshold, or footprint, of your servers and infrastructure. In other words, if there are any services running or ports open on your servers that aren't actually being used purposefully, you should disable or turn that particular service off. Now, hardening a Windows Server by disabling services and uninstalling things isn't an easy job; you can quickly turn something off that is important to the operating system and cause all kinds of problems on that server. Thankfully, there is a much safer and more secure way to harden your servers, but it requires planning from the beginning of your server build.

Server Core is a version of Windows Server 2016 that is essentially a headless operating system; all of your interaction with it is either command-line driven or done remotely from other servers or systems. Server Core is an alternate installation method to the full Windows desktop version of Server 2016. It installs the necessary technical componentry to behave as a Windows Server, join to your domain, and host the roles and services you need it to host, but it does all of that without a graphical desktop interface. This dramatically lowers the security vulnerability footprint and attack vectors on the server, but does mean you have to re-wire your brain in how you interact with these servers. Since Server Core is a big leap forward for security in many companies, it is appropriate that we start working with it here in our chapter regarding security. Let's take a quick look at the installation process for it, and an initial glance at the interface, so you get familiar with the console you will be looking at on these new, hardened servers you are going to start using.

We are going to build a new instance of Windows Server 2016 but will be making sure to choose the appropriate options for installing Server Core and not the full desktop experience version of the operating system. Our new server will be a VM; it doesn't have to be actual hardware.

Here is a procedure that will get you started rolling out your first instance of Windows Server 2016, Server Core:

1. Create your new VM—or physical server—and insert the Windows Server 2016 installation media, just like you would if you were installing the full version of the operating system. Walk through the installation steps, the only difference being that you want to make sure and choose the default option for Windows Server 2016 Standard. Or you can, of course, choose the Datacenter installation option, but the important part here is that you do NOT choose the (Desktop Experience) version of the operating system, as that would give us a regular old desktop interface just like any other server. By choosing the top option, and notice that it is now the default installation option, we are telling it that we want the more secure Server Core version of Windows Server 2016:

2. Finish walking through the installation wizard, and when your new server has booted, instead of being presented with the standard Windows mini-setup wizard in order to start configuring your server, you will simply be presented with the following screen:

3. Upon pressing Ctrl + Alt + Delete you are prompted to set a password for the local administrator account, after which you will find yourself sitting at a traditional Command Prompt interface. From this interface, you can interact with your new server by using Command Prompt commands, or you can even type powershell in order to move over into the PowerShell interface and start working from there, just like you would with PowerShell on any Windows Server 2016:

4. The Server Core Shell is not limited to command-line interfacing. If you were to type notepad.exe and press Enter, the Notepad application will appear, within which you can utilize your mouse as well as the keyboard:

5. From this point, the most common tasks are going to be the same as the things you would do in a desktop experience version of Windows Server 2016. You can use the Command Prompt or PowerShell interfaces to set IP addresses, set a hostname for your server, and even join it to your domain. There are cmdlets that will allow you to install the Windows roles that you need to run on this server as well.

Microsoft would like headless servers to be the way of the future, and it is critical that server administrators know this technology exists, and start to use it in their day-to-day server workloads. A quick recipe in order to get the operating system up and running is a good start, but working with Server Core regularly and learning the common commands that you will need to use is essential information to really get started interacting with these headless versions of the operating system. Server Core can be an enormous security benefit; all you need to do is start using it!