64

Lately, I was watching an online video about Microsoft Certified Solutions Associate (MCSA) and in one of the videos it says "removing GUI from Windows server makes it less vulnerable."

Is that true? If so, how does removing the GUI have that effect?

6
  • 3
    So it works for Linux and Microsoft and any other system.
    – R1W
    Commented Aug 26, 2018 at 17:04
  • 12
    It is ironic that this advice comes from Microsoft, which has always provided server OSes with GUIs.
    – dr_
    Commented Aug 27, 2018 at 9:43
  • 5
    @dr01 Their servers since 2012 have had Core mode - no GUI out of the box. Mixed results, obviously, but they've been at least moderately pushing to remove the GUI - or at least make it optional - for years.
    – WernerCD
    Commented Aug 27, 2018 at 17:16
  • 2
    Note that removing the desktop is not the same as removing the graphical user interface. A window with gadgets and borders is still a GUI, even if that window is displaying a Windows console used by a command interpreter.
    – JdeBP
    Commented Aug 28, 2018 at 16:45

2 Answers

117

Removing the GUI is useful and recommended. It will remove unused components and a lot of libraries, and make the install size smaller.

How does this make it less vulnerable?

Fewer components equal less attack surface. A vulnerability on a GUI component will not affect you. Attacks relying on GUI components won't work either.

So, when designing a server, remove every single component not needed by the application you are serving. It will be way more secure than using the default install.

9
  • 8
    This is also true for Linux systems. As per hardening guidelines, you should remove X Window System packages, unless very much required.
    Commented Aug 26, 2018 at 16:24
  • 36
    It is not just Windows and Linux. This is true for any system. For instance, ask any network professional if they have the GUI enabled on their Cisco switches or routers. Fewer services running or fewer services exposed/available means a more secure system.
    – YLearn
    Commented Aug 26, 2018 at 16:33
  • 12
    @R1- You can manage a Windows server with PowerShell, remotely. A GUI installed on the server is not required or even desirable.
    Commented Aug 26, 2018 at 22:28
  • 10
    You don't even need PowerShell just to view logs. Windows Event Viewer (the GUI part) is network-capable. You can view server logs from a workstation; it just opens the local logs by default.
    – MSalters
    Commented Aug 27, 2018 at 8:35
  • 6
    @KrishnaPandey Absolutely. At ${EMPLOYER} our standard RHEL image has no X components whatsoever. I occasionally run into software installation packages that ASS|U|ME X is running, and have to ask the vendor for documentation on how to create and use a response file (which I prefer anyway, as it makes installation reliably repeatable, which really helps when you want to be able to spin up new servers (and shut down old) to handle fluctuating demand).
    Commented Aug 27, 2018 at 17:37
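As an added example (not from the answer or its commenters), this PowerShell script does what the answer recommends on Windows Server: it audits installed roles and features against an explicit allow-list so that anything not needed by the served application stands out, then removes the GUI layers, after which the server is managed remotely as the comments describe. It assumes Windows Server 2012/2012 R2, where the GUI shell can still be uninstalled after installation (on 2016 and later, Server Core is chosen at install time), an elevated session, and the ServerManager module; the allow-list is a constructed sample for a file server.

```powershell
# Added example, not the original answer's code. Assumes Windows Server 2012/2012 R2,
# elevated session, ServerManager module present. Allow-list is a constructed sample.
Import-Module ServerManager

# Features this particular server is meant to run (constructed sample: a file server).
$Required = @('FS-FileServer', 'FS-Resource-Manager', 'PowerShellRoot', 'PowerShell')

# Everything installed that is not on the allow-list is unexplained attack surface.
# Parent containers (e.g. 'File-Services') will show up too; review them rather than
# blindly removing, since child features depend on them.
$Installed  = Get-WindowsFeature | Where-Object { $_.Installed }
$Unexpected = $Installed | Where-Object { $Required -notcontains $_.Name }
$Unexpected | Select-Object Name, DisplayName, FeatureType | Format-Table -AutoSize

# GUI layers to strip. -Remove also deletes the payload from the side-by-side store,
# so reinstalling later needs -Source; that is the point of shrinking the image.
$GuiFeatures = @('Server-Gui-Shell', 'Server-Gui-Mgmt-Infra', 'Desktop-Experience')
$GuiToRemove = $GuiFeatures | Where-Object {
    (Get-WindowsFeature -Name $_ -ErrorAction SilentlyContinue).Installed
}
if ($GuiToRemove) {
    # Dry run first; drop -WhatIf and add -Restart once the plan looks right.
    Uninstall-WindowsFeature -Name $GuiToRemove -Remove -WhatIf
}

# Afterwards, administer from a workstation instead of logging on at the console:
#   Enter-PSSession -ComputerName <server>                         # remoting, no RDP
#   Get-WinEvent -ComputerName <server> -LogName System -MaxEvents 20   # remote logs
```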
42

Removing the GUI also has the side effect of making it a bit more "human safe" because put bluntly, it makes the OS more idiot proof.

There are countless stories of small businesses having users reading mail and browsing the internet on the company DC. The user opens a bad attachment and suddenly everything is on fire. Simply removing the GUI from server prevents this sort of thing from happening.

Another useful side to this is protecting servers from sysadmins. The general consensus is that you should not be running standard user programs on a server but instead in containers/somewhere else. I've stumbled upon a few servers in my time running CCleaner. While the use of the tool is arguable, it has absolutely no place running on a DC because it simply isn't designed for servers.

Most of these aren't mistakes that any experienced sysadmin would make. Security of an enterprise, however, is based on the weakest link. If all of your other sites are extraordinarily well secured but one manager decides that Bob from finance needs a faster computer to work on spreadsheets but doesn't want to purchase one and decides to let him into the server closet, you're in trouble if he manages to sign in.

4
  • 1
    In the case of Microsoft Windows or Linux, we are talking about removing the GUI from the server, not from the client side.
    – R1W
    Commented Aug 27, 2018 at 12:40
  • 8
    @R1- I am very much aware. Removing the GUI from Windows Server (ie core) prevents a lot of bad behavior as I explained in my answer.
    – Allison
    Commented Aug 27, 2018 at 14:18
  • 5
    "Most of these aren't mistakes that any experienced sysadmin would make." Sadly, my personal experience is contrary to this assertion. Which is why I believe this answer is actually the better of the two: saving the server from bad system administration is more of a real-world day-to-day need than reducing its attack area just slightly.
    Commented Aug 28, 2018 at 20:08
  • Given that over 80% of breaches happen because of human error, I also suggest that removing browsing and HTML email reduces vulnerabilities more than removing the GUI libraries from the threat surface (although that is also a factor).
    – schroeder
    Commented Sep 10, 2018 at 9:53
