One of Windows Server 2008’s most interesting
aspects is its Server Core option. A Server Core
system functions like a regular server, but it’s
missing a few pieces. Two notable missing pieces are the
.NET Framework and—more important—most of the GUI.
The result is a version of Server 2008 that uses less disk
space, runs in less RAM, offers attackers fewer places to
attack, and runs leaner than its graphical counterpart.
I’m a command-line junkie, so I’m thrilled by the
prospect of Server Core. I dug into an early beta as soon
as I could get my hands on it. However, as I attempted to
set up a Server Core system from scratch, I realized to my
chagrin that the old saying is true: “Be careful what you
wish for—you might get it.” Although I could do just about
everything I needed to do from the command line, a few
items left me scratching my head. Thankfully, I stumbled
upon the very helpful Scregedit, a command-line registry
tool built specifically to assist in configuring Server Core.
Before Scregedit
One of the items I had trouble with was determining how
to enable Remote Desktop for a Server Core system. After
noodling around with a full Server 2008 installation, I concluded
that enabling Remote Desktop is as simple as opening
port 3389 on the firewall. Working through the problem,
I could start with the command
netsh firewall set icmpsettings opmode=disable
I could then access the HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Control\Terminal Server registry
subkey and set the fDenyTSConnections value to 0. In a
moment of inspiration, I realized that I could do all that
from the command line by using the Reg command:
reg add “HKLM\SYSTEM\CurrentControlSet\Control\Terminal
Server” /v fDenyTSConnections /d 0 /t REG_DWORD /f
I could even cheat and use Regedit (one of the rare GUI
tools that do work in Server Core) to set the registry entry,
but no matter how I sliced it, I was in for a lot of typing.
Scregedit came to the rescue at just the right time.
Scregedit Syntax
Scregedit is a command-line tool that offers built-in support
for some of the most commonly modified registry entries.
The tool’s beauty is the simplicity of its syntax:
scregedit /<parameter value>
Alternatively, to see the current value of the parameter, you
can simply type
scregedit /<parameter> /v
For example, to enable Remote Desktop, I can type
scregedit /ar 0
To disable it, I’d replace the 0 with a 1. (The registry entry’s
name, fDenyTSConnections, is worded so that enabling it
enables the deny aspect; thus, you use 0 to enable. As any
Windows vet knows, you need to get accustomed to mirror
thinking to understand some Group Policy and registry
settings!) To see its value, you’d type
scregedit /ar /v
which would (after some boilerplate information) net you
a response of
System\CurrentControlSet\Control\Terminal Server
fDenyTSConnections
View registry setting
1
By the way, Scregedit is actually a script. Located in the Windows\System32 folder, its name is scregedit.wsf. Therefore,
it will offer better-looking output if you first type
cscript //h:cscript
which tells Windows to run scripts by default under the
CScript (i.e., command-line script) engine rather than the
default WScript (i.e., Windows script) engine.
More Options
As I write this column, Scregedit has just seven options. The
/cli option offers some text with examples of the commandline
way to do a number of command-line tasks—a sort of
condensed Help file. You can use Scregedit /au 4 to have
Server Core automatically download and install updates,
Scregedit /cs to have Remote Desktop allow connections
from pre–Windows Vista Remote Desktop clients, Scregedit
/im 1 to permit remote IPsec management, and Scregedit
/dp priority and Scregedit dw priority to adjust the DNS priority
and weight, respectively, of a Server Core system’s SRV
records (assuming it’s a domain controller—DC). I wouldn’t
be surprised if Microsoft gave Scregedit a few more options
before Server 2008 hits the streets.
If you can get ahold of a copy of the Server 2008 beta, I
encourage you to take Server Core for a spin.