Windows Server 2012 R2: Reducing The Attack Footprint Through Features On Demand


Windows Server 2012 R2, when deployed in core mode, provides the smallest installation footprint thus thwarting attacks via the GUI and other payloads not installed in this instance. Core mode is not for everyone, and while it is possible to add GUI functionality, some still prefer the familiarity of GUI utilization. With that being said, there are ways to reduce the footprint while allowing the GUI to stay in tact.

Features On Demand, available in Windows Server 2012 R2, addresses the attack footprint concern while leaving the GUI intact. When installing features on a Windows Server 2012 R2 deployment, payloads are retrieved from the server itself to install the required features. With these payloads available on the server, even though they may not be active, are still susceptible to malicious attacks.

To view what payloads are available, simply open a PowerShell window on said server, type and run:


After running the cmdlet, a report is provided detailing all the features available for installation. To remove the payloads for the features not utilized, simply enter the following:

Get-WindowsFeature | Where-Object InstallState -EQ "Available" | Uninstall-WindowsFeature -Remove -Restart

Once completed, all feature payloads will switch from Available to Removed.

Payloads can be restored via Windows Server 2012 R2 media provided via DVD, Network Share, and/or Windows Update on demand when installing said features.

Be sure to complete Migrating to Windows Server 2012 made available on Microsoft Virtual Academy to learn additional functionality in securing and enabling your deployment.