Share via

Configuration Lockdown for a Server Appliance

  • Article

6/22/2010

Restricting Administrators and users from configuring a server appliance helps to ensure that the server appliance remains configured to perform its intended function. Unlike the customer of a general-purpose server running a full installation of Windows Server, the server-appliance customer keeps the configuration of the appliance within specifications established by the manufacturer so that it can be supported.

The design of the server-appliance platform itself can be used to restrict the configuration. For example, you can prevent a user from installing software by disabling or restricting Terminal Services on the server appliance. You can also limit physical access to the appliance by not including an attached monitor, keyboard, pointing device, or optical drive, making it more difficult to change the configuration.

The following table shows, for each version of Windows Server, the various methods you can use to restrict the configuration of a server appliance.

Configuration restriction Server Core for Windows Server 2008 R2 and Windows Server 2008 Full installation of Windows Server 2008 R2 and Windows Server 2008 Windows Server 2003

Prevent installation of applications or Windows Installer packages (MSIs)
  • Implement Group Policy.
  • By default, choosing Server Core helps restrict configuration because many applications do not run on Server Core.
  • Implement Group Policy.
  • Design a custom Web-based user interface to restrict access.
  • Implement Group Policy.
  • Use the Server Appliance Kit (SAK) Web-based user interface to restrict access.

Prevent installation of server roles and optional features
  • Implement Group Policy.
  • Remove server roles and optional features from Server Core.
  • Implement Group Policy.
  • Design a custom Web-based user interface to restrict access.
  • Implement Group Policy.
  • Use the Server Appliance Kit (SAK) Web-based user interface to restrict access.

Prevent registry changes
  • Implement Group Policy.
  • Disable remote registry service and restrict Terminal Services access.
  • Design a custom Web-based interface to restrict access.
  • Implement Group Policy.
  • Design a custom Web-based user interface to restrict access.
  • Disable the remote registry service.
  • Use the Server Appliance Kit (SAK) Web-based user interface to restrict access.
  • Disable the remote registry service.

Recover the original manufacturer configuration
  • Provide recovery media with factory image from the manufacturer.
  • Provide recovery media with factory image from the manufacturer.
  • Provide recovery media with factory image from the manufacturer.

See Also

Concepts

Attack Surface Reduction for a Server Appliance
Package Removal From Server Core