One of Windows Server 2008’s most interesting aspects is its Server Core option. A Server Core system functions like a regular server, but it’s missing a few pieces. Two notable missing pieces are the .NET Framework and—more important—most of the GUI. The result is a version of Server 2008 that uses less disk space, runs in less RAM, offers attackers fewer places to attack, and runs leaner than its graphical counterpart.
I’m a command-line junkie, so I’m thrilled by the prospect of Server Core. I dug into an early beta as soon as I could get my hands on it. However, as I attempted to set up a Server Core system from scratch, I realized to my chagrin that the old saying is true: “Be careful what you wish for—you might get it.” Although I could do just about everything I needed to do from the command line, a few items left me scratching my head. Thankfully, I stumbled upon the very helpful Scregedit, a command-line registry tool built specifically to assist in configuring Server Core.
Before Scregedit
One of the items I had trouble with was determining how
to enable Remote Desktop for a Server Core system. After
noodling around with a full Server 2008 installation, I concluded
that enabling Remote Desktop is as simple as opening
port 3389 on the firewall. Working through the problem,
I could start with the command
netsh firewall set icmpsettings opmode=disable
I could then access the HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Control\Terminal Server registry subkey and set the fDenyTSConnections value to 0. In a moment of inspiration, I realized that I could do all that from the command line by using the Reg command:
reg add “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /d 0 /t REG_DWORD /f
I could even cheat and use Regedit (one of the rare GUI tools that do work in Server Core) to set the registry entry, but no matter how I sliced it, I was in for a lot of typing. Scregedit came to the rescue at just the right time.
Scregedit Syntax
Scregedit is a command-line tool that offers built-in support
for some of the most commonly modified registry entries.
The tool’s beauty is the simplicity of its syntax:
scregedit /<parameter value>
Alternatively, to see the current value of the parameter, you can simply type
scregedit /<parameter> /v
For example, to enable Remote Desktop, I can type
scregedit /ar 0
To disable it, I’d replace the 0 with a 1. (The registry entry’s name, fDenyTSConnections, is worded so that enabling it enables the deny aspect; thus, you use 0 to enable. As any Windows vet knows, you need to get accustomed to mirror thinking to understand some Group Policy and registry settings!) To see its value, you’d type
scregedit /ar /v
which would (after some boilerplate information) net you a response of
System\CurrentControlSet\Control\Terminal Server fDenyTSConnections View registry setting 1
By the way, Scregedit is actually a script. Located in the Windows\System32 folder, its name is scregedit.wsf. Therefore, it will offer better-looking output if you first type
cscript //h:cscript
which tells Windows to run scripts by default under the CScript (i.e., command-line script) engine rather than the default WScript (i.e., Windows script) engine.
More Options
As I write this column, Scregedit has just seven options. The
/cli option offers some text with examples of the commandline
way to do a number of command-line tasks—a sort of
condensed Help file. You can use Scregedit /au 4 to have
Server Core automatically download and install updates,
Scregedit /cs to have Remote Desktop allow connections
from pre–Windows Vista Remote Desktop clients, Scregedit
/im 1 to permit remote IPsec management, and Scregedit
/dp priority and Scregedit dw priority to adjust the DNS priority
and weight, respectively, of a Server Core system’s SRV
records (assuming it’s a domain controller—DC). I wouldn’t
be surprised if Microsoft gave Scregedit a few more options
before Server 2008 hits the streets.
If you can get ahold of a copy of the Server 2008 beta, I encourage you to take Server Core for a spin.