Executive Summary: The focus of the past few Windows Power Tools columns has been to show you how to get a new Windows Server 2008 Server Core system ready to do some work. To wrap up that focus, let’s set the system's time zone, configure its screen saver, and tweak its firewall.
The focus of my past few columns has been to show you how to get a new Windows Server 2008 Server Core system ready to do some work. To wrap up that focus, I want to provide a few short command-line tips—namely, setting the system’s time zone, configuring its screen saver, and tweaking its firewall. After those tasks are done, we’ll have put the final polish on a ready-to-roll Server Core system.
Tinkering with Time Zones
You would think that setting a system’s time zone would be pretty simple—say, typing a number into the registry—but for some reason, time zones are tougher than that. So, Microsoft decided to simplify the graphical functionality of the Control Panel Date and Time applet so that it would work on Server Core. (Remember, Server Core isn’t completely GUI-less. Simple GUI-based apps such as Task Manager, Notepad, Regedit, and many setup programs work fine with Server Core’s limited interface.)
To set a Server Core system’s time zone, just type the timedate.cpl command at the command prompt and tap Enter, and the applet will appear. (Another way to set the time zone on a Server Core system is to use a script to do the installation.) The only other Control Panel applet to find its way into Server Core is Regional and Language Options (intl.cpl).
Setting the Screen Saver
By default, Server Core engages its screen saver after 10 minutes of inactivity, locking the screen until you log on again. While testing my Server Core system, I found this behavior irritating, so one of my favorite setup tasks is to open Regedit, navigate to HKEY_CURRENT_USER\Control Panel\Desktop, and adjust the ScreenSaverIsSecure subkey’s value from 1 to 0, which removes password protection from the screen saver. You wouldn’t want to do that on a production machine, of course, but it might save your sanity on test systems.
You can also access the ScreenSaveTimeOut subkey to specify how many seconds of inactivity to wait before screen-saver activation, the ScreenSaveActive subkey to enable or disable the screen saver, and the SCRNSAVE.EXE subkey to identify which screen saver you want to use. Server Core offers only the standard logon.scr option (i.e., the Windows logo) or the scrnsave.scr option (i.e., a blank screen). In my tests, new ScreenSaverIsSecure, ScreenSaveActive, and SCRNSAVE.EXE values take effect immediately, but changing the ScreenSaveTimeOut value requires a logoff/logon.
Fine-Tuning the Firewall
All versions of Server 2008 differ from their predecessors by enabling their firewall by default. You can turn off Server Core’s firewall through Group Policy (i.e., Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall): in either the Domain Profile or Standard Profile folder, set the Windows Firewall: Protect All Network Connections value to Disabled.
You can also use the command line to disable the firewall:
netsh firewall set opmode disable
To re-enable the firewall, just replace disable with enable. If you don’t know the firewall’s state, just type
netsh firewall show state
This command produces about a dozen lines of fairly confusing output. Look for the line that begins with Operational Mode =; the presence of Enable or Disable will answer the question.
I like the idea of raising the Server Core firewall—after all, security is one of its selling points—but I typically open my firewalls just enough to let the system respond to pings. You can set your Server Core firewalls to allow the system to respond to pings by using the command
netsh firewall set icmpsetting 8 enable
In general, you won’t have to open ports in your firewall because Ocsetup automatically opens whatever ports a server module needs when you install that module. For example, installing the DNS Server service opens port 53 without any further work on your part. But if you did need to open a port, you’d type
netsh firewall set portopening tcp|udp <portnumber> <label>
To tell the system that you’ve enabled Remote Desktop through the registry (which doesn’t open the RDP port by default), type
netsh firewall set portopening tcp 3389 "Remote Desktop"
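For a production box, the screen-saver and firewall settings above can be checked and put back to a locked-down state in one pass. The batch file below is an added example, not part of the original column; it assumes the Desktop values are REG_SZ strings and reads the fDenyTSConnections registry value (not mentioned in the column) to decide whether Remote Desktop is enabled.

```batch
@echo off
rem Added example (not from the original column): re-check the settings this
rem article touches and return them to a production-safe state.
setlocal

rem --- Screen saver: keep it active and password-protected ---
rem Assumption: these Desktop values are stored as REG_SZ strings.
set "DESK=HKCU\Control Panel\Desktop"
reg add "%DESK%" /v ScreenSaveActive /t REG_SZ /d 1 /f >nul
reg add "%DESK%" /v ScreenSaverIsSecure /t REG_SZ /d 1 /f >nul

rem --- Firewall: read the "Operational mode" line from show state ---
set "FWMODE=unknown"
for /f "tokens=2 delims==" %%M in ('netsh firewall show state ^| findstr /i /c:"Operational mode"') do set "FWMODE=%%M"
rem Strip the padding spaces around the value.
set "FWMODE=%FWMODE: =%"
echo Firewall operational mode: %FWMODE%
if /i not "%FWMODE%"=="Enable" (
    echo Firewall is not enabled, turning it on.
    netsh firewall set opmode enable
)

rem --- Allow inbound ping only: ICMP type 8 is echo request ---
netsh firewall set icmpsetting 8 enable

rem --- Open TCP 3389 only when Remote Desktop is really enabled ---
rem Assumption: fDenyTSConnections = 0x0 means RDP connections are allowed.
set "TSKEY=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
set "DENY=unknown"
for /f "tokens=3" %%V in ('reg query "%TSKEY%" /v fDenyTSConnections 2^>nul ^| findstr /i "fDenyTSConnections"') do set "DENY=%%V"
if /i "%DENY%"=="0x0" (
    netsh firewall set portopening tcp 3389 "Remote Desktop"
) else (
    echo Remote Desktop is not enabled, leaving TCP 3389 closed.
)

endlocal
```

Run it from an elevated command prompt; the HKCU values apply only to the account that runs it.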
Ready to Roll
With these final tinkerings done, you’re ready to put your Server Core box to work as a DHCP server. Tune in next month for that!