Post banner
Threat Stack 3 Min Read

Just Enough Windows Server

— A special Thank You to Jose Bañez, Threat Stack Security Solution Engineer, for editing this blog post.

If you’re like me, you grew up using a Windows PC in school, but eventually made the jump to Macs. In my career, the same shift happened: Initial brushes with corporate IT were Windows-based, but as I got corporate MacBooks, I encountered the Bash shell, remote servers, and all the Linux that comes along with it.

While Linux typically rules the world in terms of servers on the web, Windows Server is still going strong in the back office and in enterprise data centers. A lot has changed since the early days of Windows NT. With the recent introduction of the Threat Stack Agent for Windows Server, I thought it would be helpful to provide a quick overview of how most admins are managing Windows Server in the wild. It’s by no means official, but here’s what I learned.

Windows Server Core vs. Nano

It’s easy to forget that Windows Server comes with a GUI. Since Windows Server 2008, performance-conscious admins could eschew the GUI by using the Server Core installation option. Starting with Windows Server 2016, Microsoft introduced an even more minimal option called Nano Server, which is optimized for cloud and container deployments.

Windows 10, ftw

Starting with Windows Server 2016, Microsoft began developing Windows Server alongside Windows 10. That means many core components (for example, the Windows Kernel) share similar code. The idea is to simplify updates and patching, but of course these processes can be complex.

WSUS for patching

Patch Tuesday is indeed still a thing. If you’re looking to manage and patch vulnerabilities for Windows boxes of any size and shape, Windows Server Update Services (WSUS) is the way to go. If your Windows footprint is small, it should be relatively straightforward to run once it’s set up.

At a certain point, you’ll hit limitations: A single WSUS server can typically support 100,000 clients. If your environment is this large, then you don’t need to keep reading this post.  😉

Chocolatey for package management

While Linux has apt-get or yum, Windows Server has choco. Chocolatey is a community-developed package manager for Windows (not a Microsoft product). While you could use it to deploy the Threat Stack Agent for Windows Server, it’s important to note that we don’t officially support automating agent deployments via Chocolatey. It’s a great tool though, and you should definitely give it a look.

Windows Event Viewer

Linux admins look at the logs often as the first step when diagnosing or monitoring Linux events.  The equivalent in the Windows environment is the Event Viewer:

The out-of-the-box view separates the logs into groups such as Windows Logs and Applications and Services Logs. Windows Logs are further separated into Application, Security, Setup, System, and Forwarded Events. When performing investigations, one should look in System, Security, and Application in Windows Logs. Creating a Custom View* can be more useful for specific investigations. (*If you receive an error message “MMC has detected an error in a snap-in and will unload it.”

Process Explorer and Tailing Log Files

Several utilities can be very helpful when investigating issues on Windows systems. One such utility is Process Explorer. It shows detailed information about running processes including what files or directories each one has open. The latest version allows you to submit a file signature directly to VirusTotal.

Windows has no equivalent to the Unix/Linux tail command. One workaround is to use Notepad++ and install the DocMonitor plugin.

Windows Versions and Build Numbers

It is not always sufficient to know that the system is running Windows 2012 R2. It may be necessary to find out the version and build number of the Windows system on which you are working because patches and solutions may be specific to a version or build number. To find the version and build number, complete the following steps:

  1. Click on the Search button.
  2. Type “About”.
  3. Scroll down to the Windows specifications.
  4. Note the Edition, Version, and OS build information.


That’s it! If you’ve invested heavily in tooling for your Linux footprint, but have “just a few” Window Server instances you need to continue maintaining, this blog post can point you in the right direction. (We didn’t even talk about PowerShell!) And if you’re a Threat Stack customer and want to see what an install entails for our Windows Server agent, visit our docs for a walkthrough or reach out to your account team.