TechEd 2007: Virtualization to Become Ninth Server Core Role

By Scott M. Fulton, III | Published June 8, 2007, 11:13 AM

ORLANDO - At a morning session introducing many to the window-less Server Core installation option in the forthcoming Windows Server 2008, Microsoft product manager Andrew Mason made it official: Windows Virtualization Services (code-named "Viridian") will become the ninth role available for the trim server option, joining Internet Information Services 7 announced last Monday and other common, unattended roles such as DNS server, DHCP server, and Active Directory Application Mode (now called AD LDS).

This addition may be both welcome and extremely important for enterprises working to create homogeneity of services where heterogeneous (OS-specific) applications are deployed. Now SUSE Linux and other systems can be hosted by servers that don't need to waste space managing Windows printer and display drivers, such as DirectX and Direct3D, when they're not ever going to be used there anyway.

Monday's announcement referred to IIS7 as the seventh Server Core role. Yes, we're keeping count, and no, you're not asleep. There is indeed an eighth role, and based on the graph we saw this morning, Windows Media Services is that #8 role. This will enable an unattended server to stream media, even though it's not necessary for that server to display or play that media locally.

Mason also confirmed that there are no plans at present for Server Core to run on Itanium-based servers, and from the sound of his statement, that doesn't look likely to change. As he explained it, the key application server role option will not work on Server Core, for reasons it seemed he would explain if he could. That fact may be the sole reason (or excuse) for Server Core's omission on Itanium.

Server Core reduces the footprint of the OS from about 5 GB in WS2K8 to 1.5 GB, and based on recent tests, will reduce the number of patches admins may need to employ by 60% over Windows 2000. The reason there is very simple: There's no need for admins to patch files that simply aren't there.

The implication there is simpler still: There may be fewer security flaws in a system where fewer opportunities for such flaws exist.

Server Core-based systems may be administered through a tool called Windows Remote Shell, though as Mason revealed this morning, this is by no means a full-featured tool. Essentially it's a kind of relay service for a complete command or call to a script. The standardized WS-Management protocol will be supported as an option.

Though it wasn't news to anybody in the crowd, the sad fact that PowerShell will not run on Server Core was repeated. The .NET Framework requires a GUI, Mason explained again, and PowerShell requires the .NET Framework. While there's considerable support for the movement to "component-ize" .NET to disable its graphics requirement and thus enable PowerShell to run there, we learned yesterday there may be some opposition to that idea for security reasons.

Though he could not speak for Microsoft, one of its best friends at these conferences, Windows IT Pro contributing editor Mark Minasi, told BetaNews he suggests Microsoft not go down that road. Adding .NET to the Server Core mix would expand its attack surface, he believes, vastly increasing the possibility for outside attacks by expanding its programmability.

However, as we learned this morning, many of the scripts Server Core does run - including some of the so-called "unattend files" - are based in VBScript, the unmanaged local interpreter whose relative security reliability was proven in 2000 by the proliferation of the "ILOVEYOU" virus.

BETA CAPSULE Server Core

What It Is
An installation option built into the upcoming Windows Server 2008 that omits graphical services and most libraries, in favor of a stripped-down, command-line-driven system. It's not unlike an upgraded version of DOS.

How It Works
Typically, a Server Core-based server is designed to be administered remotely. The new System Center Operations Manager, along with other tools, can present a graphical administrative panel for a Server Core machine. During installation, Server Core is set up so that the server performs one of nine roles (likely more by RTM), so it serves its purpose well when left unattended.

What It Means
Now, a DNS or DHCP server or an auxiliary domain controller can be a dedicated server "box" with its own discrete, uninterrupted role. It can be a separate machine, or it can be a virtual server. Since it runs little or nothing else, its "attack surface" is reduced to a bare minimum - you can't take advantage of a buffer overflow problem with Windows Explorer, when there's no Windows Explorer. What's more, a Server Core system can be a rather spartan piece of equipment - maybe an older server, or a blade. This could drastically reduce both up-front cost and total cost of ownership.

Comments

We need .NET in server core... tell me who is going to load up an IIS server when you can't even run .NET code on it? Although the Virtualization is a great job!! Lower footprint & MS virtualization... 1 step closer to winning the competitors market :)

Score: 0

Truly.

And that idiot saying it's about...security?

Um, if it's *that* bad, do we even want it in our GUI Server??? What added protection is a GUI going to provide that they cannot provide in Server Core???

Absolutely ridiculous.

Score: 0

Too bad all the cool features of Viridian have been delayed 'til god knows when...

Score: 0

Yeah. I can't wait until MS has features that can compete with VMware. I can only imagine it will help lower the price of VMware's ESX offerings.

In addition, I do like the idea of using MS's virtualization software over VMware in some cases. If there is an application issue, then there's only one vendor to deal with - MS can't blame it on ESX if it's running on MS's virtual server.

Score: 0
