Previously we recorded a podcast on Server Core, the minimal, small-attack-surface install of Windows Server 2008. One benefit of a smaller attack surface should be fewer security patches. We made some estimates of the reduced patching if a Server Core had existed for Server 2003, but these were admittedly educated estimates at best.

We have been tracking the actual reduced Server Core patching statistics since Server 2008 was released on Feb 29th of this year. We now have four months of statistics, and here is a summary:

  • Total Number of Security Patches: 23
  • Security Patches that Apply to Server 2008: 9
  • Security Patches that Apply to Server Core: 3

This is a serious reduction, as expected.

Microsoft made this analysis easier with the June Security Bulletins. If a bulletin applies to Server 2008, it now lists the applicability of the patch to Server Core in a note marked with an asterisk (*).

OSIsoft’s PI Server is one of the early adopters of Server Core in the entire IT space, and the only one we have heard of in the control system space. (Full disclosure: OSIsoft is a contributor to the Bandolier and Portaledge projects.) We would be very interested to learn if other control system vendors are planning to release a version on Server Core. Send us an email if you have any info.