Use less code, get more security with a Nano Server

Engineering and IT Insight: The upcoming Microsoft Nano Server, with a much smaller footprint, exposes less code, decreases risk, and so will increase security. Reducing the need to patch, reducing the need to reboot, and optimizing for a virtual machine (VM) environment help with the design of manufacturing information technology (IT) systems.

By Dennis Brandl May 21, 2015

Anyone who has to maintain a modern manufacturing information technology (IT) system, with dozens of applications and servers, knows that updates and server maintenance are a continual pain. Different applications typically have different server patch and update requirements. Applications from different vendors, even applications from the same vendor, usually cannot run on the same servers, necessitating multiple individually managed servers. It is not uncommon to have 30 or more servers in a typical manufacturing operations server room. VM technology has reduced the number of physical servers, but each VM must still be individually configured and managed. Even worse, each VM provides a large attack footprint for cyber attacks, so each VM must be continually monitored for compromise, patched, and updated.

Stripped down server version

Even though non-Microsoft systems have been used in a minority of manufacturing systems, they have long had the ability to use micro server installs, which have only the minimal operating system (OS) features needed for each application. Microsoft has a stripped down server version called the Server Core that allows users to remove unwanted parts of a Microsoft Windows server, but this has been difficult to configure and manage, so it is not commonly used in manufacturing systems. The typical manufacturing system server is a standard Microsoft Windows 2008 or Microsoft Windows Server 2012 server install, managed by using a local graphical user interface (GUI) that contains dozens of unused features and millions of lines of unused code.

All of this will change with the next Microsoft Windows server version, with the introduction of the Microsoft Windows Nano Server. The Nano Server is headless, which means that it has no GUI: it is a 64-bit, minimal-footprint, VM- and cloud-ready Windows server.

The Nano Server follows the good security practice of only including the minimal services needed for an application. For most manufacturing applications this is a very small subset of the complete Windows server environment. The Nano Server is estimated to be less than 10% of the size of the Server Core version. The major advantages for manufacturing operations are: reduced security vulnerabilities, a 92% reduction in critical bulletins, and an 80% reduction in system reboots. The smaller-sized OS also means that more VMs can be put on a physical server, with potentially hundreds of VMs in a large physical server.

Smaller attack surface, fewer patches

The smaller Nano Server footprint, smaller attack surface, fewer patches, fewer reboots, and optimization for cloud and VM environments make it a great fit for manufacturing systems. The small footprint also allows vendors to optimize applications for a "one application per server" environment, reducing testing requirements, simplifying installation procedures, and simplifying upgrade procedures. It allows vendors to introduce new versions of some applications without impact to other applications. All of these advantages are a strong incentive for vendors to start testing their applications on the Nano Server beta for delivery in 2016.

The removal of the GUI, remote desktop services, and MSI (Windows Installer package) significantly reduces the security attack surface and code size, but it also means that end users will need to learn new tools to manage server rooms. The new OS will be managed using Microsoft Windows PowerShell scripts (task automation software) and Microsoft Windows Management Instrumentation (WMI) tools.

Task automation for manufacturing systems

End-user system administrators should immediately start learning and using PowerShell and WMI to manage their current servers. They will find that they can automate many tasks that formerly had to be done manually, and they will reduce their administrative load in maintaining dozens of servers.
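
As a starting point for that kind of automation, the following added example (not part of the original article) uses PowerShell with WMI/CIM to report, per server, the three things the article tracks: installed patches, time since last reboot, and the number of running services as a rough view of exposed code. The function name and the default server list are assumptions; remote targets must be reachable over WinRM with an account that has administrative rights.

```powershell
# Added example: read-only inventory over CIM/WMI; changes nothing on the targets.
function Get-ServerFootprint {
    [CmdletBinding()]
    param(
        # Constructed default; pass your own server names, e.g. from a text file.
        [string[]]$ComputerName = @('localhost')
    )
    $ErrorActionPreference = 'Stop'   # turn CIM errors into catchable exceptions
    foreach ($name in $ComputerName) {
        $session = $null
        try {
            # Local machine: COM-based session. Remote machine: WS-Man (WinRM).
            $session = if ($name -in 'localhost', '.', $env:COMPUTERNAME) {
                New-CimSession
            } else {
                New-CimSession -ComputerName $name
            }
            $os       = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
            $hotfixes = @(Get-CimInstance -CimSession $session -ClassName Win32_QuickFixEngineering)
            $services = @(Get-CimInstance -CimSession $session -ClassName Win32_Service)

            [pscustomobject]@{
                Server          = $name
                OS              = $os.Caption
                Version         = $os.Version
                # Days since the last reboot
                UptimeDays      = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)
                HotfixCount     = $hotfixes.Count
                RunningServices = @($services | Where-Object { $_.State -eq 'Running' }).Count
                AutoStart       = @($services | Where-Object { $_.StartMode -eq 'Auto' }).Count
            }
        } catch {
            # An unreachable server is reported and skipped, not fatal to the run.
            Write-Warning "${name}: $($_.Exception.Message)"
        } finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

Get-ServerFootprint | Sort-Object RunningServices -Descending | Format-Table -AutoSize
```

Servers at the top of the output run the most services and are the first candidates for trimming unused roles and features.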

Overall, this is a move in the right direction for manufacturing systems. Reducing the need to patch, reducing the need to reboot, and optimizing for a VM environment helps us design systems with the 10-plus-year lifetime that is needed for manufacturing IT systems.

– Dennis Brandl is president of BR&L Consulting in Cary, N.C. His firm focuses on manufacturing IT. Edited by Eric R. Eissler, editor-in-chief, Oil & Gas Engineering, eeissler@cfemedia.com.

ONLINE extra

This posted version contains more information than the print/digital edition issue of Control Engineering.
