Use less code, get more security with a Nano Server

Engineering and IT Insight: The upcoming Microsoft Nano Server, with a much smaller footprint, exposes less code, decreases risk, and so will increase security. Reducing the need to patch, reducing the need to reboot, and optimizing for a virtual machine (VM) environment help with the design of manufacturing information technology (IT) systems.

05/21/2015


Anyone who has to maintain a modern manufacturing information technology (IT) system, with dozens of applications and servers, knows that updates and server maintenance are a continual pain. Different applications typically have different server patch and update requirements. Applications from different vendors, even applications from the same vendor, usually cannot run on the same servers, necessitating multiple individually managed servers. It is not uncommon to have 30 or more servers in a typical manufacturing operations server room. VM technology has reduced the number of physical servers, but each VM must still be individually configured and managed. Even worse, each VM provides a large attack footprint for cyber attacks, so each VM must be continually monitored for compromise, patched, and updated.

Stripped down server version

Even though non-Microsoft systems have been used in a minority of manufacturing systems, they have long had the ability to use micro server installs, which have only the minimal operating system (OS) features needed for each application. Microsoft has a stripped down server version called the Server Core that allows users to remove unwanted parts of a Microsoft Windows server, but this has been difficult to configure and manage, so it is not commonly used in manufacturing systems. The typical manufacturing system server is a standard Microsoft Windows 2008 or Microsoft Windows Server 2012 server install, managed by using a local graphical user interface (GUI) that contains dozens of unused features and millions of lines of unused code.

All of this will change with the next Microsoft Windows server version, with the introduction of the Microsoft Windows Nano Server. The Nano Server is headless, which means that it has no GUI; it is a 64-bit, minimal-footprint Windows server that is VM- and cloud-ready.

The Nano Server follows the good security practice of only including the minimal services needed for an application. For most manufacturing applications this is a very small subset of the complete Windows server environment. The Nano Server is estimated to be less than 10% of the size of the Server Core version. The major advantages for manufacturing operations are: reduced security vulnerabilities, a 92% reduction in critical bulletins, and an 80% reduction in system reboots. The smaller-sized OS also means that more VMs can be put on a physical server, with potentially hundreds of VMs in a large physical server.

Smaller attack surface, fewer patches

The smaller Nano Server footprint, smaller attack surface, fewer patches, fewer reboots, and optimization for cloud and VM environments make it a great fit for manufacturing systems. The small footprint also allows vendors to optimize applications for a one-application-per-server environment, reducing testing requirements, simplifying installation procedures, and simplifying upgrade procedures. It allows vendors to introduce new versions of some applications without impact to other applications. All of these advantages are a strong incentive for vendors to start testing their applications on the Nano Server beta for delivery in 2016.

The removal of the GUI, remote desktop services, and MSI (Windows Installer package) significantly reduces the security attack surface and code size, but it also means that end users will need to learn new tools to manage server rooms. The new OS will be managed using Microsoft Windows PowerShell scripts (task automation software) and Microsoft Windows Management Instrumentation (WMI) tools.

Task automation for manufacturing systems

End-user system administrators should immediately start learning and using PowerShell and WMI to manage their current servers. They will find that they can automate many tasks that formerly had to be done manually, and they will reduce their administrative load in maintaining dozens of servers.
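As a starting point on current servers, the following added example (not from the article or from Microsoft) uses PowerShell and WMI to report last reboot, installed hotfix count, installed roles and features, and running services for each server, which shows where unused code is concentrated. The `$Servers` list and the function name `Get-ServerFootprint` are assumptions for illustration; it assumes PowerShell 3.0 or later on the administrator's workstation.

```powershell
# Added example, not from the article. Requires PowerShell 3.0+ on the admin workstation.
# $Servers is a placeholder list; replace it with your own server names.
$Servers = @($env:COMPUTERNAME)

function Get-ServerFootprint {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # DCOM transport reaches older servers that do not have WinRM enabled.
    $option = New-CimSessionOption -Protocol Dcom

    foreach ($name in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $name -SessionOption $option -ErrorAction Stop

            $os       = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
            $hotfixes = Get-CimInstance -CimSession $session -ClassName Win32_QuickFixEngineering
            $services = Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter "State = 'Running'"
            # Win32_ServerFeature exists only on server editions, so tolerate its absence.
            $features = Get-CimInstance -CimSession $session -ClassName Win32_ServerFeature -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Server          = $name
                OS              = $os.Caption
                LastBoot        = $os.LastBootUpTime
                UptimeDays      = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)
                Hotfixes        = @($hotfixes).Count
                RolesFeatures   = @($features).Count
                RunningServices = @($services).Count
                Error           = $null
            }
        }
        catch {
            # Keep unreachable hosts in the report instead of dropping them silently.
            [pscustomobject]@{
                Server = $name; OS = $null; LastBoot = $null; UptimeDays = $null
                Hotfixes = $null; RolesFeatures = $null; RunningServices = $null
                Error = $_.Exception.Message
            }
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

Get-ServerFootprint -ComputerName $Servers | Sort-Object RolesFeatures -Descending | Format-Table -AutoSize
```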

Overall, this is a move in the right direction for manufacturing systems. Reducing the need to patch, reducing the need to reboot, and optimizing for a VM environment helps us design systems with the 10-plus-year lifetime that is needed for manufacturing IT systems.

- Dennis Brandl is president of BR&L Consulting in Cary, N.C. His firm focuses on manufacturing IT. Edited by Eric R. Eissler, editor-in-chief, Oil & Gas Engineering, eeissler@cfemedia.com.

ONLINE extra

This posted version contains more information than the print/digital edition issue of Control Engineering.

At www.controleng.com, search Brandl for more on related topics.

See other articles for 2015 at www.controleng.com/archives.
