- Hyper-V Security
- Eric Siron, Andy Syrewicze
- 1333 words
- 2021-08-05 16:48:32
Choosing a management operating system
The ways of obtaining Hyper-V were described in the Acquiring Hyper-V section. The first decision you must make before going into production is which of these deployment methods you'll use. This is not a clear choice, as each approach has its own strengths and weaknesses, and several of them bear directly on the attack surface of the management operating system.
Hyper-V Server
In terms of security, the primary strength of Hyper-V Server is that it has a much smaller attack surface than even the smallest Windows Server deployment. A side effect is that it has the fewest operating system components that could compete with virtual machines for resources. Even though it is heavily stripped down compared to its full-featured counterpart, it contains everything needed to run a Hyper-V environment, such as RemoteFX, the Remote Desktop Virtualization Host, and the ability to participate in a failover cluster.
The limitations that make Hyper-V Server more secure, however, also limit its appeal. There is no built-in GUI available on Hyper-V Server. While this increases the security of the system against direct attack, it can also reduce the security of the host if the administrators responsible for it aren't sufficiently comfortable or knowledgeable to manage it properly. Frustration with the lack of a familiar interface can lead to shortcuts that unnecessarily increase the risk to the host. For example, manipulating firewall rules from the command line can become overwhelming, so some administrators take the single-line approach of disabling the firewall entirely.
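The firewall shortcut described above, beside the approach it should be replaced with, as an added example (not code from the book): the NetSecurity cmdlets let you enable only the rule groups that Hyper-V management actually needs and scope them to the domain profile and a management subnet. The display-group names and the 10.10.0.0/24 subnet are assumptions; the script warns about any group that does not exist on your host, and Get-NetFirewallRule will show you the real names. It assumes a domain-joined host, since the Domain profile never applies to a workgroup machine.

```powershell
# Added example, not from the original book. Manage Hyper-V host firewall
# rules with NetSecurity cmdlets rather than disabling the firewall.
# Display-group names are assumptions (Windows Server 2012 R2 built-in groups);
# check them with: Get-NetFirewallRule | Select-Object -Unique DisplayGroup

# The shortcut this section warns against. Listed only so it can be recognised
# in an audit; never run it on a production host:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

$ManagementGroups = @(
    'Hyper-V',                             # WMI/RPC used by Hyper-V Manager
    'Windows Remote Management',           # WinRM for PowerShell remoting
    'Remote Event Log Management',
    'Remote Volume Management',
    'Windows Firewall Remote Management'   # manage these rules from a GUI host
)

function Enable-HyperVManagementFirewall {
    param(
        [string[]] $Groups = $ManagementGroups,
        # Hypothetical management subnet; replace with your own.
        [string[]] $ManagementSubnet = @('10.10.0.0/24')
    )
    foreach ($g in $Groups) {
        $rules = Get-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue
        if (-not $rules) { Write-Warning "No rule group named '$g' on this host"; continue }
        # Enable only the inbound rules of the group, restricted to the domain
        # profile and the management subnet, instead of opening everything.
        $rules | Where-Object Direction -eq 'Inbound' |
            Set-NetFirewallRule -Profile Domain -RemoteAddress $ManagementSubnet -Enabled True
    }
}

function Test-HostFirewallPosture {
    param([string[]] $IgnoreGroup = @('Core Networking'))   # expected to allow Any
    # Returns one object per finding an auditor would flag: a disabled profile,
    # or an enabled inbound allow rule that accepts any remote address.
    $findings = @()
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
        $findings += [pscustomobject]@{ Finding = 'ProfileDisabled'; Item = $_.Name }
    }
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { $_.DisplayGroup -notin $IgnoreGroup } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') {
                $findings += [pscustomobject]@{ Finding = 'InboundAllowFromAny'; Item = $_.DisplayName }
            }
        }
    $findings
}

Enable-HyperVManagementFirewall
Test-HostFirewallPosture | Format-Table -AutoSize
```

Run Test-HostFirewallPosture before and after: a host where someone took the shortcut shows three ProfileDisabled findings, which is the condition a configuration baseline should alert on. Cluster and Live Migration networks need their own rules and are deliberately not covered by the management groups above.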
Another concern is that some features found only in Windows Server may be desirable in your Hyper-V environment. Bear in mind that Microsoft does not support many roles alongside Hyper-V in the management operating system, so the list of candidates is short. One example of a Windows Server-only feature that is both supported and desirable in a Hyper-V environment is Data Deduplication. While Data Deduplication is currently only recommended when the guests run desktop operating systems (Virtual Desktop Infrastructure), it is supported for Hyper-V in 2012 R2 regardless of your usage. Another example is the Automatic Virtual Machine Activation feature of Windows Server Datacenter Edition.
Note
If your Hyper-V Server stores its guests on a remote system, such as a SAN or an SMB 3 file server, that system can employ any Data Deduplication technology that it has available. The lack of availability of native Data Deduplication on Hyper-V Server only applies to the host's local storage.
Windows Server – full GUI installation
At the opposite end of the spectrum from Hyper-V Server is a complete installation of Windows Server with the Hyper-V role enabled. The primary reason most people choose this method is the familiarity of the graphical interface. This, of course, comes at the cost of the greatest attack surface of all the deployment methods. The risk can be minimized by enabling no more roles or features than are necessary to deploy and manage Hyper-V. Apart from the security benefit of this recommendation, Microsoft does not support the use of most of the other available components while Hyper-V is active.
Windows Server – Core installation
In current Windows versions, the default installation mode is Core. Like Hyper-V Server, this mode has no graphical interface of its own. However, most of the Windows Forms components and application interfaces are still present, and the current versions of the .NET Framework can be installed, so applications that do not depend on the Microsoft Management Console or Internet Explorer will usually work normally.
While this is the smallest possible installation of Windows Server, with the least attack surface, it is still larger than Hyper-V Server. This mode strikes a compromise between the desire for higher security and the need for supporting technologies that are only available in Windows Server, such as Data Deduplication. Recall that, as previously mentioned, running many of the other Windows Server components on the host alongside Hyper-V is not supported.
Windows Server – Minimal Server Interface installation
Between the full and Core installation options is Minimal Server Interface. One of the most common attack vectors on the Windows platform is Internet Explorer. By removing most of Internet Explorer along with related components such as the Start screen and the desktop, some built-in graphical capabilities are retained while the operating system's exposure is dramatically reduced. The Microsoft Management Console (MMC) application remains available, which grants access to a number of tools, including Hyper-V Manager.
Switching between Windows Server modes
Before making your decision, keep in mind that you can convert Windows Server between any of its three modes with nothing more disruptive than a system reboot. Hyper-V Server only provides the single GUI-less option. Note that this flexibility applies to Windows Server 2012 and 2012 R2: beginning with Windows Server 2016, Minimal Server Interface was dropped and switching between Server Core and the Desktop Experience after installation is no longer supported, so on those versions the choice is made at setup time.
You can use the Features page in the Add Roles and Features wizard or the Remove Roles and Features wizard to adjust these settings. Locate the User Interfaces and Infrastructure heading and expand it. Add or remove entries according to the desired mode using the following table as a guide:

Mode                        Graphical Management Tools and Infrastructure   Server Graphical Shell
Full GUI                    Installed                                       Installed
Minimal Server Interface    Installed                                       Not installed
Core                        Not installed                                   Not installed

You can also change these in PowerShell. Use the Get-WindowsFeature cmdlet to check the installation status of items. The cmdlets used to change that status are Add-WindowsFeature and Remove-WindowsFeature; on Windows Server 2012 and later these are aliases of Install-WindowsFeature and Uninstall-WindowsFeature, which is what you will see in the help. The feature names to use in PowerShell are as follows:

Graphical Management Tools and Infrastructure    Server-Gui-Mgmt-Infra
Server Graphical Shell                           Server-Gui-Shell

An example of feature usage is:
Remove-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell
Note
When the Graphical Management Tools and Infrastructure component is removed using the wizard, a warning box notifies you that all dependent MMC components, such as Hyper-V Manager, will also be removed. When it is removed using PowerShell, you are not warned; run the cmdlet with -WhatIf first to see the full list of what would be uninstalled.
For either method, be aware that if the operating system was initially installed in Core mode, you'll have to provide the source installation media (the -Source parameter of Install-WindowsFeature) to add the graphical components, as their files are not kept on disk by default.
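The mode switch described in this section, written as an added example (not the book's own code) that reports the current mode and moves between modes with the ServerManager cmdlets named above. It previews removals with -WhatIf because, unlike the wizard, PowerShell does not warn that dependents such as Hyper-V Manager go with Server-Gui-Mgmt-Infra. The install.wim path and image index are assumptions; check the index with Get-WindowsImage. The script does not apply to Hyper-V Server, where the Server-Gui-* features do not exist and Get-WindowsFeature will return an error for them.

```powershell
# Added example, not from the original book. Inspect and change the Windows
# Server installation mode (Full / Minimal Server Interface / Core) on
# Windows Server 2012 / 2012 R2 using the ServerManager module.
Import-Module ServerManager

function Get-ServerInstallMode {
    # Mode is fully determined by which of the two GUI features are installed.
    $mgmt  = (Get-WindowsFeature -Name Server-Gui-Mgmt-Infra).Installed
    $shell = (Get-WindowsFeature -Name Server-Gui-Shell).Installed
    if ($mgmt -and $shell) { 'Full' }
    elseif ($mgmt)         { 'MinimalServerInterface' }
    else                   { 'Core' }
}

function Set-ServerInstallMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Full', 'MinimalServerInterface', 'Core')]
        [string] $Mode,
        # Needed when adding GUI components to a host installed as Core.
        # Hypothetical path and index; verify the index with
        # Get-WindowsImage -ImagePath D:\sources\install.wim
        [string] $Source = 'wim:D:\sources\install.wim:4',
        [switch] $WhatIf
    )
    $wanted = switch ($Mode) {
        'Full'                   { 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell' }
        'MinimalServerInterface' { 'Server-Gui-Mgmt-Infra' }
        'Core'                   { @() }
    }
    $all      = 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell'
    $toAdd    = $wanted | Where-Object { -not (Get-WindowsFeature -Name $_).Installed }
    $toRemove = $all | Where-Object { $_ -notin $wanted -and (Get-WindowsFeature -Name $_).Installed }

    if ($toRemove) {
        # With -WhatIf this lists every dependent feature (RSAT-Hyper-V-Tools,
        # other MMC snap-ins) that would be removed along with the GUI feature.
        Uninstall-WindowsFeature -Name $toRemove -WhatIf:$WhatIf
    }
    if ($toAdd) {
        # -Source supplies the payload that a Core install does not keep on disk.
        Install-WindowsFeature -Name $toAdd -Source $Source -WhatIf:$WhatIf
    }
    if (-not $WhatIf -and ($toAdd -or $toRemove)) {
        Write-Warning "Reboot the host to complete the change to $Mode."
    }
}

Get-ServerInstallMode
Set-ServerInstallMode -Mode MinimalServerInterface -WhatIf   # preview only
```

Neither cmdlet restarts the host unless you pass -Restart, so the reboot that completes the switch stays under your control, which matters on a host that is still running guests.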
Practical guidance for choosing a deployment
There is no single correct answer when deciding between your available options. Before you start, it's a good idea to check whether the hardware you'll be installing on is supported not only with Windows Server but also when the server is installed in Core mode. Anything that works in Core mode should also work with Hyper-V Server, but this can only be definitively confirmed by the hardware manufacturer.
The third-party software you intend to use on the system can also play a part. You should keep such software to a minimum, but backup software or agents are largely unavoidable, and in some cases this is also true of anti-malware. Most software does work even on Core, as the Windows Forms framework and API are available, but Windows Presentation Foundation (WPF) is not.
Even if the hardware and software you intend to use do function on Server Core and Hyper-V Server, the manufacturer may not provide support for them. Check with the manufacturers of these tools before settling on a deployment method. A good place to start is the Windows Server Catalog, which is viewable at http://windowsservercatalog.com/. Items on this site are supported by both Microsoft and the manufacturer.
Two basic metrics to help you settle on a deployment method are the overall technical expertise level of your Windows Server administrators and your deployment's expected dependence on features. A basic conceptualization is shown in the following graph:

Of course, technical expertise levels naturally improve through exposure, and your organization may be willing to invest time and money in training. The additional risk incurred through the larger attack surface of the more full-featured options is real and must not be ignored, but it should not be treated as a major part of the decision for any institution except those already at high risk. Files that are never loaded by the operating system do little for an attacker who manages to compromise the host. In this light, you can reduce your risk by rigidly adhering to two rules. First, never enable additional roles and services. Second, fully remove old operating systems and replace them with newer versions instead of performing in-place upgrades.
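The first rule, and the earlier advice to enable no more roles or features than Hyper-V needs, is only useful if you can check it. As an added example (not from the book), the following audit compares the installed roles and features on a host against a Hyper-V baseline and lists anything outside it. The baseline list is an assumption: it names the Hyper-V role, its tools, and the optional components this section calls supported (Failover Clustering, Data Deduplication) plus features Windows Server 2012 R2 installs by default; extend it with whatever you have deliberately chosen to run.

```powershell
# Added example, not from the original book. Report roles and features that
# are installed on a Hyper-V host but are not part of an agreed baseline.
Import-Module ServerManager

# Assumed baseline: wildcards match Get-WindowsFeature names with -like.
$HyperVHostBaseline = @(
    'Hyper-V', 'Hyper-V-PowerShell', 'Hyper-V-Tools', 'RSAT-Hyper-V-Tools',
    'Failover-Clustering', 'RSAT-Clustering*',
    'Multipath-IO',
    'FS-Data-Deduplication',                 # see the Note on local-storage dedup
    'FileAndStorage-Services', 'Storage-Services',  # installed by default
    'Server-Gui-*',                          # whichever install mode is in use
    'PowerShell*', 'NET-Framework-45-*',
    'WoW64-Support', 'Windows-Defender*'
)

function Get-UnexpectedFeature {
    param([string[]] $Baseline = $HyperVHostBaseline)
    # Role services are accepted when their parent role is in the baseline,
    # so only roles and top-level features are compared.
    Get-WindowsFeature |
        Where-Object { $_.Installed -and $_.FeatureType -ne 'Role Service' } |
        Where-Object {
            $name = $_.Name
            -not ($Baseline | Where-Object { $name -like $_ })
        } |
        Select-Object Name, DisplayName, FeatureType
}

$unexpected = Get-UnexpectedFeature
if ($unexpected) {
    $unexpected | Format-Table -AutoSize
    # Review, then preview removal; add -Remove to delete the payload too:
    #   Uninstall-WindowsFeature -Name $unexpected.Name -WhatIf
} else {
    'No roles or features outside the Hyper-V baseline are installed.'
}
```

Run this from a scheduled task or your configuration management tooling and treat any output as a finding: a role that appears after the host went into production is either an undocumented change or a sign that someone other than the administrators has been adding components.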