Windows 7 / Getting Started

Configuring the Pagefile

By default, the pagefile is set as managed by the system. This behavior can be modified by disabling the automatic pagefile management and manually configuring a specific pagefile size. For example, the following disables the automatic pagefile management and sets the pagefile to 1GB minimum, 2GB maximum. In general, the default Windows settings for the pagefile should not be changed-do so only if given specific guidance by an expert or vendor of an application being installed. Notice the code in the following listing is using the Windows Management Instrumentation Command-Line (WMIC) environment, which opens up a lot of functionality. Some of the other commands you performed could have been done with the WMIC. After running the commands in this listing, you must restart the server for the changes to take effect.

C:\Windows\System32>wmic computersystem set
AutomaticManagedPagefile=false
Updating property(s) of '\\SAVTSTCORE01\ROOT\CIMV2:Win32_
ComputerSystem.Name="SA
VTSTCORE01"'
Property(s) update successful.

C:\Windows\System32>wmic pagefileset where name="C:\\
pagefile.sys" set InitialSize=1000,MaximumSize=2000
Updating property(s) of '\\SAVTSTCORE01\ROOT\CIMV2:Win32_
PageFileSetting.Name="C
:\\pagefile.sys"'
Property(s) update successful.

Configuring the Firewall

On a new Server Core installation, the firewall is enabled by default and blocking almost everything. You can turn off the firewall by using the following command, which opens up the ports and allows Remote Desktop, SNMP, and so forth. You can enable the firewall again by changing disable to enable.

Netsh firewall set opmode disable

You can configure the firewall elements using the netsh command and its various components. For example, to enable the Remote Desktop, use the following command:

C:\Windows\System32>netsh firewall set service
type=remotedesktop mode=enable

There is an easier way, however. The Windows Firewall MMC snap-in can connect to a remote machine, so let's try that approach as opposed to working out the hundreds of possible netsh commands. If you are configuring many servers, however, it would be worth creating a script with the netsh commands, or configuring the firewall using Group Policy. If you want to use Group Policy, the firewall is available as part of Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security. Right-click Inbound Rules and select a new rule, and you can use the predefined Remote Administration and Remote Desktop rules. It might not be practical to place the Server Core machines in their own OU for the application of the Group Policy, so you can use a WMI filter to check the OperatingSystemSKU of the server for the values 12, 13, and 14, which correspond to the Datacenter, Standard, and Enterprise Server Core installations, respectively. A sample WMI filter follows:

select * from Win32_OperatingSystem where OperatingSystemSKU=12
or OperatingSystemSKU=13 or OperatingSystemSKU=14

Before you try this, you get an error when you launch the remote firewall snap-in because the firewall you are trying to configure blocks remote management by default. So, you need one more netsh command to enable the remote management capability:

C:\Windows\System32>netsh firewall set service
type=remoteadmin mode=enable

Now let's manage remotely:

  1. Open a new MMC instance (Start, Run, MMC).
  2. From the File menu, select Add/Remove Snap-In.
  3. Select Windows Firewall with Advanced Security, and click the Add button.
  4. You are prompted to indicate whether the computer is the local computer or another computer. Check Another Computer, specify the name of your Server Core computer, and click Finish.
  5. Click OK to close the Add or Remove Snap-Ins dialog box.

Now configure the firewall remotely and enable exceptions as required.

Enabling Remote Desktop

Server Core contains the Remote Desktop component, which can be a useful way to manage a Server Core environment. But due to its mainly command prompt-based interface nature, there are less resource-greedy ways of managing a Server Core install.

To check the current state of Remote Desktop, use the scregedit.wsf script with the /ar /v switches, as shown in the following listing. In this case, by default, the Remote Desktop is disabled because the Deny Terminal Server Connections setting is set to true. You must be in the Windows\System32 folder to run the script:

C:\Windows\System32>cscript scregedit.wsf /ar /v
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

System\CurrentControlSet\Control\Terminal Server
fDenyTSConnections
View Registry setting.
1

To enable Remote Desktop, use the /ar 0 switch:

C:\Windows\System32>cscript scregedit.wsf /ar 0
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Registry has been updated.

C:\Windows\System32>cscript scregedit.wsf /ar /v
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

System\CurrentControlSet\Control\Terminal Server
  fDenyTSConnections
View Registry setting.
0

Additionally, by default, only connections from the newest Remote Desktop Protocol (RDP) clients that support the Credential Security Service Provider (CredSSP) are accepted, which allows the user's current credentials to be automatically passed to the target server. However, you can change this behavior using the /CS 0 switch with scregedit.wsf.

[Previous] [Contents] [Next]