Originally Posted by jjad
In what form is gui a security risk? Is it because it has extra services, or is it because of the gui environment?
My take, purely from a logical standpoint and NOT from an experience standpoint, is that the short answer is "both."
A "hardened" server has all the unnecessary services (for the server to do its job, not necessarily to assist us in doing our admin jobs) removed. This allows the server to run more efficiently without spending nanoseconds performing services that are not necessary for its own functioning, and removing services that might allow others to login or to break the login security. And, from a purely security standpoint, having no gui makes it a lot more difficult for someone to poke around in the operating system. Having a gui means there are icons visible and clickable whereas having no gui would make it where they'd not only have to know the commands to access those same functions, but also the proper options and syntax thereof - even (& especially) if they broke the admin UID & PW (they'd have to know Linux commands)!
I have an Ubuntu 8.10 server running at home. It is not necessarily hardened, but it's got no keyboard or mouse or monitor connected, and no gui. I'm accessing all management functions via PuTTY from my XP Pro desktop. This is not just for security and efficiency purposes, but because I just don't want to have to have space for another keyboard or monitor or mouse. Further, I'm looking to move the server out of our office and put it in another location, locked up with nothing but a UPS and a fan, somewhere that it can vent without heating up the room or house. At this moment, having the 5 HDDs in it requires a hefty (& loud) fan to keep it cool, and it makes our little office (3 workstations, 1 server, router, dsl modem, all-in-1 printer, TV, laptop, and various cell phone and pocket-pc equipment) about 10 degrees warmer than the rest of the house. Adding another monitor (all the others are LCD flat screens but I only have a CRT left for the server if I were going to connect one) would only make it that much warmer.
Like pljvaldez said, a home server (which ours happens to be) might be easier to admin and control with a GUI & monitor/kybd/mouse, and the only security would be to protect yourself (& your family) from yourself (& your family). And, your only concerns are your own.
However, in a professional environment, you would definitely want a professional installation, which means hardening the server as much as possible and making it as secure and reliable as possible. Your only concerns in this situation are to protect your employer/client not only from themselves, but from any possible disaster (testing any or complete disaster recovery is only acceptable BEFORE a disaster strikes, never during - & "disaster" is any breach of security, loss of data, or data leak).
On a home server, you're only liable to yourself. On a professional installation, you (the installer/admin) are liable for all of it, including your employer's/client's loss of productivity due to disasters for which you failed to provide quick and complete recovery plans, methods, and procedures.
I'm sure others will have more direct and to-the-point answers, but that was how I logically figured I'd address the question which I have asked myself at home and would ask myself in a professional environment - even if I was hiring someone else to create the infrastructure.
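An added example, not part of the original post: one way to check the "extra services" half of the answer above on a headless server, by parsing `ss -H -tlnp` output and flagging listeners outside an allowlist. The SSH-only allowlist, the table of desktop-stack ports and the sample output are assumptions constructed for illustration.

```python
import re

# Assumption: this server should expose only SSH (the post manages it over PuTTY).
ALLOWED_PORTS = {22}

# Well-known listeners that typically arrive with a desktop stack, not a server role.
DESKTOP_PORTS = {
    631: "CUPS printing",
    5900: "VNC remote desktop",
    6000: "X11 display :0 over TCP",
}

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=640,fd=7))
LISTEN 0 128 0.0.0.0:6000 0.0.0.0:* users:(("Xorg",pid=1001,fd=1))
LISTEN 0 5 [::]:5900 [::]:* users:(("vino-server",pid=1210,fd=11))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=900,fd=21))
"""

LOOPBACK = ("127.", "[::1]")

def parse_listeners(ss_output):
    """Yield (address, port, process) for each LISTEN line of `ss -H -tlnp`."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        addr, _, port = fields[3].rpartition(":")
        proc = re.search(r'\(\("([^"]+)"', line)
        if port.isdigit():
            yield addr, int(port), proc.group(1) if proc else "unknown"

def audit(ss_output, allowed=ALLOWED_PORTS):
    """Return (exposed, port, process, reason) for listeners outside the allowlist."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if port in allowed:
            continue
        exposed = not addr.startswith(LOOPBACK)
        findings.append((exposed, port, proc, DESKTOP_PORTS.get(port, "not in allowlist")))
    # Network-reachable listeners sort ahead of loopback-only ones.
    return sorted(findings, key=lambda f: (not f[0], f[1]))

if __name__ == "__main__":
    for exposed, port, proc, reason in audit(SAMPLE_SS):
        print(f"{'EXPOSED ' if exposed else 'loopback'} {port:>5} {proc:<12} {reason}")
```

On a real host, pass the text captured from `ss -H -tlnp` (run as root so process names are shown) to `audit()` in place of `SAMPLE_SS`.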