Small Business Server
Master Your Domain: Build a Corporate Network at Home
Matt Clapham and Jesper Johansson
At a Glance:
- What's so cool about SBS?
- Managing maintenance and updates
- Networking, Active Directory, and security
- New features in SBS 2003 R2
We're hardcore IT guys at heart, and we want well-managed, smooth-running computers—not only at work, but at home as well. We're willing to put some time into making that happen. We're
also privacy and security geeks. We like running things ourselves to retain the desired level of freedom and control.
We wanted an affordable solution that would provide easily shared resources (files, calendars, printing, and so on) to benefit all family members. We wanted an integrated solution that was familiar to us so we didn't have to cobble together a smattering of independent pieces. We wanted a flexible solution that could be expanded upon to do new things later. Enter Microsoft® Windows® Small Business Server 2003 R2 (SBS R2).
SBS R2 is based on Windows Server® 2003 SP1, but with a number of enhancements and additions that make it an ideal base platform for a home network server. From providing secure communications and seamless single sign-on, to storing pictures and serving up a Web page for family and friends, SBS R2 can handle it all. For a typical home network, the server doesn't even need to be terribly powerful. Any reasonably modern system with a fair bit of RAM (at least 512MB) and hard disk space (80GB or so) will do.
The whole premise of using a server in the home makes us sound pretty geeky, but there are actually some really good reasons to do so, apart from the innate coolness factor it will garner you at neighborhood parties! For instance, all the other parents may know the difference between a knuckleball, a free throw, and a field goal, but how many of them have a centralized backup system for their home network?
With SBS, and particularly with the R2 release, we have fundamentally changed our approach to home networking. SBS actually makes it possible to use at home many of the same techniques that we currently employ on much larger corporate networks. In addition, it gives us a safer, smaller, and more predictable environment to test products that we would otherwise not get to experiment with as IT professionals.
Maintenance and Updates
One prime area where SBS R2 can be useful is in maintenance and updates. Much of our maintenance routine is automated and centralized, just like a well-run corporate network. The daily performance and patch status reports help us easily keep an eye on the whole setup. SBS also includes a very comprehensive and useful backup feature that wraps a wizard around the built-in backup functionality of Windows Server 2003 and also turns on a couple of other niceties, such as the Shadow Copy feature. This feature is a versioning mechanism for file shares that keeps track of old versions of data files and allows users to recover older versions of documents, even accidentally deleted ones. It is highly useful as a reliability feature and saves time in having to restore files from backup. Figure 1 shows a screenshot of the dialog used to retrieve the old versions.
Figure 1** Shadow Copy Allows You to See Old Versions of Folder or Document **
In addition, the wizards and checklists in SBS make typical configuration tasks, like adding user accounts, file shares, and backups, a snap. There are a few simple questions to answer and the task is done. Frankly, in some cases, the wizards add functionality that we sorely miss in the standard editions of Windows Server 2003. For example, SBS comes with a highly useful Change IP Address wizard. To fully appreciate this wizard you need to realize that a single SBS server runs Dynamic Host Configuration Protocol (DHCP), DNS, Active Directory®, and Windows Internet Name Service (WINS). To change the IP address of the server you have to update settings in all those services. The wizard does it all for you! Even for an industrial-strength server, with only one or two of those infrastructure services, the wizard would be handy!
Common Computing Environment
One feature that really makes SBS worthwhile is Active Directory. Using Active Directory we can allow users to have the same accounts and settings in multiple places. For example, we both have three or four computers at home (they really add up after a while). Being able to maintain a single user account across all of them is very useful for the whole family. As long as the applications are installed everywhere, the entire family can move across computers and have everything just work.
Using Active Directory, we also get Group Policy. By default, SBS comes with policies that make standardizing desktops a cinch. Both of us also have a couple of policies for custom settings though. We typically use one for settings that we want on the SBS server only and one for settings we want on the clients. This allows us to easily respond to various contingencies. For example, after the "Sony rootkit" fiasco in late 2005, Matt added a policy to turn off Autoplay on all of the computers.
SBS also includes an e-mail server (Microsoft Exchange Server 2003), so we have our own private e-mail addresses for friends and family. Because we operate the servers ourselves, we don't have to pay for the privilege or be subjected to on-screen advertisements. This can be a bit tricky to get working from your home environment though, and you'll likely need to purchase a domain name.
SharePoint® is all the rage in corporate networks these days. SBS includes a simple SharePoint site called http://companyweb. This can be easily adapted into a family info center where everyone can share upcoming events, plan trips, or report computer problems to the "helpdesk." The Geek-in-Chief (in our case, us) can even sign up to receive alerts from help desk submissions and solve user problems right away. SharePoint has a vibrant community with tips, tricks, and improvements that make it quite useful for knowledge management. Microsoft has even released a plethora of SharePoint templates to use in customization.
SBS also makes for a very nice file server, allowing you to quickly and easily share documents, pictures, music, and video within your home network. Additionally, you can connect a printer to the server and share it with everyone quite easily. One caveat is that many home-use printers do not come with Windows Server 2003 drivers. Their drivers would work, if they were not explicitly designed to not install on Windows Server 2003. If you have one of those you need to install it on one of the clients instead. SBS can still publish the printer for you though.
When we're on the road or at work, we use the SBS Remote Web Workplace (RWW) to check our private mail and calendars or access our home desktops. RWW is one of the amazingly cool features in SBS. Forget about the pay-for-play solutions that require you to install software on your computer and then tunnels your connection through some third-party you may not trust! RWW comes in the box and gives you remote access to e-mail and computers. It is one of our favorite features of SBS. Gone are the days of not having access to the files or e-mail from your home computer. Just connect to the secure sockets layer (SSL)-enabled RWW and access what you need.
Keep in mind here that for RWW, and actually other Web sites and e-mail as well, you need a hostname that you can find on the Internet. If you have a static IP address that is easy, but if you have a dynamic IP address, you need to use one of the dynamic DNS services that map your hostname to your IP address. This is not that difficult, but it is an extra step you need to consider. We use this approach ourselves, and once set up, we pretty much forgot about it except for the occasional IP address change. There are several services available including DynDNS and ZoneEdit.
How many home PCs are actually backed up regularly? Sadly, very few. SBS includes a wizard (of course) for the built-in Windows backup tool that configures and schedules jobs to run at regular intervals. Just connect (via USB2 or IEEE 1394) a large removable/external hard drive and point the backups there with the configuration wizard. Then all the data stored on the server—and by extension users' data via redirected My Documents, roaming profiles, SharePoint, and e-mail—will get backed up on the schedule you define. You can even use two drives and keep one off-site in a safe deposit box. Barring unforeseen problems, backup becomes a "turn it on and forget it" scenario, as long as your USB drives are reliable.
Are you worried about protecting your children online? ISA Server 2004, included in SBS R2 Premium Edition, can be configured to disallow visits to certain Web sites and block unapproved programs from communicating over the Internet. There's even a huge list of third-party plug-ins for ISA Server to block various types of inappropriate content at the network edge. In fact, ISA Server is infinitely extensible to those who take the time. For instance, before the WMF update was available earlier this year, Jesper blocked all WMF files from getting into the network by using the firewall.
10 Tips for Deploying SBS
- Back up your important user data first. Purchase an external USB2 or IEEE 1394 (Firewire) hard drive and use it to back up important data from all your client systems. Afterward, you can use this drive for migrating data to the server and eventually it will become your backup drive for automatic server backups.
- Plan your network design. Take a look at the whitepaper "Understanding Your Network" on TechNet online (the link can be found in the "Additional Resources" sidebar) and choose the deployment scenario that best fits your home network design.
- Plan your external connectivity. If you want to set up your own Web site or receive external e-mail at your server, register a domain name. You might need to sign up with a DNS registration service like ZoneEdit or DynDNS if your Internet provider uses dynamic IP addressing.
- Plan your server. It doesn't take much to run a decent SBS server for a home environment. You'll need at least 512MB of RAM, two hard drives (small operating system drive and larger disk for user data), one or two NICs, UPS battery backup, and the removable hard drive mentioned earlier.
- Plan the domain details. Choose a domain name for your Active Directory—in other words, your Windows domain name. Figure out how many user accounts you need and what they'll be called. Decide what role each user will have in the domain. Choose a naming plan for servers, clients, and other resources.
- Use the wizards as much as possible. The wizards in SBS are your friends and should be the first course of action for anything using built-in features. They'll save you much time and hassle.
- Upgrade clients. If possible, upgrade your client operating systems to Windows XP Professional. SBS really shines when it's the heart of your domain. Windows XP SP2 is our recommended baseline until Windows Vista™ is available. Home editions and Windows 9x simply cannot join the domain.
- Enhance or expand your server as necessary. One big benefit of SBS is that it can be expanded in just about any way a Windows system can, but we suggest you try to keep it to processes that can be run as a service. Otherwise, you'll need to log onto the server and run applications after every reboot.
- Read the performance reports. We regularly (about once a week) scan through the performance reports and resolve any recurring problems or trends.
- Engage the SBS community. SBS has a vibrant community of MVPs, enthusiasts, and operating partners. See the links in the "Additional Resources" sidebar for a number of online sources of information and support. If you get stumped or have a problem, post it to the newsgroup. Chances are someone else has experienced the same issue and has a fix or workaround for your situation.
You don't want your children up late playing with the computer? Set appropriate logon time restrictions for them! SBS can put tech-savvy parents in control of their children's computer usage.
On this note, beyond keeping all systems up to date, nothing is more important to securing your computers than not running them as an administrator all the time. Jesper has a great blog entry detailing why that is so important. An interesting story appeared in The Wall Street Journal in May 2005. Intel's CEO, Paul Otellini, mentioned he spends about one hour per week removing spyware from his daughter's computer. But what he missed was that if users aren't running as administrators then malicious software can't install (it can still run, mind you, but won't be able to leave a lasting impression on the system). Maybe if Intel's CEO had the great information on how to run as a non-administrator that is available at Aaron Margosis' blog (see Aaron's article in the August 2006 issue of TechNet Magazine, as well as his blog), he could spend that extra hour on the weekend with his daughter instead of with her computer.
SBS can make running as a non-admin a bit easier by giving people separate accounts for separate things. For instance, Jesper's oldest son wants to play certain older games that only run when you are logged in as an administrator. To make this work while maintaining security, he now has two accounts (both of which have extremely strong pass phrases). When he runs his games he knows to log on with the admin account, and when he wants to surf the Web he uses the more restricted standard user account. Spyware, rootkits, and other general badness simply will not install if you do not run as an admin. Should you need to make tweaks to a computer to allow a particular program to work as a non-administrator, it is relatively easy to use Group Policy to ensure that those tweaks are made properly on the right set of computers.
Now for the really cool part: you can give your spouse two accounts, and you can tell him or her not to surf the Web with one of them, and even if he or she forgets, you can set up ISA server to block all connections to the Internet (except for Microsoft Update) when any administrator tries to surf the Web. Now it really does not matter whether your users listen to you or not; they can't get to the Internet to do anything more than update the PC! It may cause some temporary friction with your spouse, but it will help prevent an infection that will cost you much more time later on.
What's New in R2
In its original release, SBS omitted one significant feature in the eyes of many people: an ability to control updates. In R2 we finally get Windows Software Update Services (WSUS) integrated with SBS. WSUS can be installed on SBS by following the handy "Understanding Your Network" whitepaper published by Microsoft on the topic (see the "Additional Resources" sidebar). However, SBS R2 doesn't just have WSUS, it has an SBS-ized WSUS! This one is fully integrated into the management console for SBS and comes with predefined policies for managing updates on an SBS network (see Figure 2). It even adds client and server patch status to the daily report. Now if any systems patches slip through the cracks because someone hasn't restarted in a while, it can be noticed and corrected much more quickly.
Figure 2** Update Functionality of SBS R2 **(Click the image for a larger view)
Being built on Windows Server 2003, SBS R2 is an easily extendable platform for a home server. For example, Matt runs the TwonkyVision UPnP media server for his connected media devices and Kiwi Enterprises Syslog Daemon to collect network statistics from his router. Jesper uses Scorpion Software's Firewall Dashboard network usage statistics.
- Windows Small Business Server R2
- Windows Server Update Services
- SharePoint Templates and Applications
- SBS Community Site
- E-Bitz, Official Blog of the SBS "Diva"
- Understanding Your Network
Even the base Windows platform features can be utilized on SBS. Matt built an external Web site for his family using FrontPage® and hosts it from his server with IIS 6.0. He even added some monitoring jobs to SBS performance reporting system to track link-up time on his cable modem. One of Matt's friends installed Community Server 2.0 on his SBS setup to enable blogging! Jesper uses his home server to try out new enterprise products.
What's Still Missing
In case you couldn't tell already, we really like SBS, especially now that it has WSUS in the box. However, there are a few things you still need to know before you dive in.
SBS goes to great lengths to simplify, but it's still not for those who aren't willing to tweak it on occasion. It is far simpler to manage than other Windows Server 2003 editions, which are already not too bad as servers go. However, even SBS still requires a fair bit of skill, which explains why the SBS community is so vibrant! In fact, some of the areas in the Server Management Console actually link to the online communities.
SBS has three instances of various versions of SQL Server™ by default, all of them running as Local System. This is a security faux pas to us, but not a tremendous risk as long as you follow the handy checklist in securing the server and run the Configure E-Mail and Internet Connection Wizard (CEICW). In general, SBS is actually very good security-wise, and includes a great walkthrough on how to secure your system. We just dislike the number of SQL Server instances and the fact that they are difficult to secure beyond what CEICW does.
SBS includes a built-in software distribution mechanism that relies on logon scripts. It works well, but it requires users to be administrators. In fact, if you assign users to computers when you set up the computers, they will be administrators. For this reason, neither of us use this particular feature. As we said earlier, beyond keeping systems up to date, nothing is more important for security than to ensure that all users run as normal users, not as administrators. This is one of the few areas where we dislike the SBS approach. The best approach here is probably to start out with a domain-wide local administrative user, install all the applications using that user, and then ensure that all other users are running with low-privileged accounts.
SBS uses the built-in scheduling tool heavily for various items, such as backup. However, all the tasks run as the built-in Administrator account, which impedes disabling it in favor of using individual (domain) administrator accounts. In fact, many tasks in SBS, including installing R2, seem to require use of the built-in Administrator account. This violates the principle of individual accountability in security and is the other main gripe we have with the current SBS design.
Finally, SBS works really well with Windows XP Professional SP2 and to a slightly lesser extent with Windows 2000 Professional, but not with other client operating systems. That is not the fault of SBS in most cases, but rather the limitations in those operating systems. However, it means that while you can manage your Windows XP Professional workstations adequately, you cannot do the same with a Windows XP Home Edition PC, or Windows Media® Center Edition unless it's modified with an unsupported hack.
Running a well-managed home network based on SBS doesn't take much in either hardware or time. Matt spends less than one-half hour per week checking reports. Once it's up and running—see the "10 Tips for Deploying SBS" sidebar—an SBS R2-based home network pretty much takes care of itself, leaving plenty of opportunity to work on other things using computers, not spending a bunch of time fixing them. This is not without its drawbacks; your spouse may brag to your neighbors about how well your home network runs and next thing you know, the folks down the street want you to help them "make it work like yours!" Enjoy!
Matt Clapham, a Senior Security Technologist at Microsoft, is an active participant in the Seattle IT Security community and a member of the Risk Management team on an IT incubation project.
Jesper Johansson is a Principal Security Program Manager at a large online retailer and a contributing editor to TechNet Magazine. He holds a Ph.D in MIS and has over 20 years experience in computer security.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.