Host Server Installation
From Nwnx
Selecting the Host Operating System
Bioware has released the Neverwinter Nights dedicated server for three platforms: Windows, Linux, and MacOS. Of the three, on carefully selected hardware the Linux server appears to be the most stable. However, at least one third party application required for a CoPaP compliant server runs only under Windows, limiting your choice to a Windows platform.
Of the available Windows platforms, Windows 2000 seems to be the most stable version on which to host a server. Windows 2000 Server is preferable, with Windows 2000 Professional an acceptable substitute. Windows 95, 98, XP, and Server 2003 are not recommended. In this guide I will be using Windows 2000 Professional.
Installing the actual operating system is beyond the scope of this document. Adequate information can be found elsewhere on the steps needed to install Windows. Here we will focus only on the things that can be done to add stability and avoid problems.
Once the base installation is complete, assign a static IP address to your new server, and add the addresses of your DNS servers (and WINS servers, if your network uses them) to complete the network configuration.
Patching Windows and Securing the Server
Before your new server is ever reachable from the open Internet you will need to install all available patches. On Windows 2000 Professional this can take a long time and a lot of bandwidth, but it is absolutely imperative: an unpatched Windows machine exposed directly to the Internet is typically compromised within minutes. Do the patching from behind the firewall described below, not from a directly exposed connection.
Once the server is patched, place it on a protected subnet behind a trusted firewall that admits only the ports your server actually needs. Attaching the server to the Internet without a firewall is definitely not recommended: new Windows exploits are found constantly, and an unprotected server will eventually be compromised. I highly recommend Juniper Networks firewalls, but I'm biased since I work for them. A properly configured Linux or BSD system also makes a good firewall, as does any of a host of consumer level devices from companies such as D-Link and NETGEAR.
Disabling Automatic Updates
Now that the server is patched, disable automatic updates. While this seems contrary to good security policy, it is a needed step for stability. With automatic updates on, the server downloads large patches on its own schedule, usually at the most inconvenient time, with a real effect on your bandwidth just when you can least afford it. Windows patches are also known to break third party applications, so it is always better to test a new patch during a maintenance window (preferably on a test server) before applying it to the live machine.
Note that it is even worse to disable automatic updates and then never manually check for new security fixes. A happy Windows machine is a fully patched machine. Run Windows Update periodically to find new updates and apply them after properly testing.
To disable automatic updates, open the Windows Control Panel and select the Automatic Updates icon. Clear the first check box so that Windows no longer keeps your system up to date automatically.
Disabling Unnecessary Services
The default installation of Windows turns on a variety of services that are unnecessary for a Neverwinter Nights server. Several of them have the potential to consume a considerable amount of resources at times. It's usually a good idea to disable a few of them.
Open the Windows Control Panel and select the Administrative Tools icon. From there, select the Services icon. I disabled the following services under Windows 2000 Professional:
- Automatic updates
- Computer browser
- DHCP client
- Print spooler
There may be others that are safe to disable. Please add them here if you have successfully disabled them on your own server.
Disabling Dr. Watson
Dr. Watson is the software utility included with Microsoft Windows that detects, decodes, and logs errors encountered while Windows or Windows programs are running. Unfortunately, when Dr. Watson is activated it can pop up a dialog that sits waiting for a click, which thwarts any attempt by an application to detect that it has failed and recover on its own. Your best bet is to disable Dr. Watson completely.
On Windows 2000 Professional, disabling Dr. Watson is an easy task:
- Click Start, then Run, type regedit.exe in the Open box, and click OK.
- Locate and select the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
- Export the key first so you can restore the debugger later, then delete the AeDebug key.
- Restart your system.
Optional: Installing the Cygwin SSH server
What is Cygwin? From the Cygwin home page:
- "Cygwin is a Linux-like environment for Windows. It consists of two parts:
  - A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing substantial Linux API functionality.
  - A collection of tools, which provide Linux look and feel."
Why is it important for a Neverwinter Nights server? Cygwin provides many of the *nix style utilities on the Windows platform, making administration much easier for those who are more comfortable with *nix. More importantly, it provides a port of the OpenSSH server for Windows, allowing secure command line and file transfer connections from hosts on the Internet. Because SSH encrypts the whole session, it is a far safer option than Telnet or FTP, which send your password and everything else in clear text. To install Cygwin and the OpenSSH server:
- Log in as Administrator or as a user with Administrator privileges.
- Create the folder c:\cygwin.
- Download Cygwin's setup.exe from the Cygwin home page and save it in c:\cygwin.
- Click Start, then Run, and type: c:\cygwin\setup.exe
- Select the option to install from the Internet, then select your closest mirror. When a selection screen comes up, click the View button to enable the "Full" view.
- Find the "OpenSSH" line and click on the word "skip" so that an X appears in Column B.
- Find the "cygrunsrv" line and click on the word "skip" so that an X appears in Column B.
- Click Next to start installing Cygwin and OpenSSH. The size of the base Cygwin installation is fairly large, so this may take a while if you have a slow connection.
- Right click on My Computer and select Properties, then the Advanced tab, then Environment Variables. Click the New button under System variables to add a variable named CYGWIN with the value ntsec tty.
- In the same window, select the Path variable and click the Edit button. Append ;c:\cygwin\bin to the end of the existing variable string.
- Open a Cygwin shell by double clicking the Cygwin icon and type ssh-host-config. When the script asks whether privilege separation should be used, answer yes. When it asks whether it should install sshd as a service, answer yes. When it asks for the value of CYGWIN=, answer ntsec tty.
- While you are still in the Cygwin shell, start the sshd service with the following command: cygrunsrv --start sshd
- To stop the sshd service, open a Cygwin shell and type: cygrunsrv --stop sshd
To make sure the new sshd service is working, test it from a Cygwin shell: type ssh username@127.0.0.1, where username is a valid Windows user. Accept the host key when prompted the first time, enter the account's password, and a local session should open.
If you want to allow remote access to your server from the Internet, modify your firewall to allow TCP port 22 to reach your server. Where your firewall supports it, restrict that rule to the source addresses your administrators actually connect from.
Most *nix machines come with SSH (for shell access) and SCP/SFTP (for file access) clients installed by default. There are also several free Windows clients for reaching your new server remotely. For SSH shell access I highly recommend PuTTY. For filesystem access, both FileZilla and WinSCP are good alternatives. Refer to their respective home pages for download locations and usage information.
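The sshd_config that ssh-host-config generates keeps OpenSSH's defaults, which accept password logins, so once port 22 is open every Windows account with a guessable password is a way in. The script below is an added example, not part of the original page or of Cygwin: it audits an sshd_config for the directives worth tightening (key-only logins, one named account, no root or empty-password logins) and prints the hardened values. The account name nwnadmin is a hypothetical Windows user; the sample config is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the NWNX page or the Cygwin project: audit a Cygwin
# /etc/sshd_config for the directives worth tightening after ssh-host-config.
# "nwnadmin" is a hypothetical Windows account name.
#
# Usage in the Cygwin shell:   sh audit_sshd.sh --demo
#                              audit_sshd_config /etc/sshd_config   (after sourcing)
# After editing the file, restart the service so sshd rereads it:
#   cygrunsrv --stop sshd && cygrunsrv --start sshd

# Directive=value pairs the audit expects. sshd directive names are case-insensitive.
WANTED='Protocol=2
PermitRootLogin=no
PasswordAuthentication=no
PermitEmptyPasswords=no
PubkeyAuthentication=yes
X11Forwarding=no
AllowUsers=nwnadmin'

# Effective value of one directive: sshd honours the FIRST uncommented occurrence,
# so a hardened line appended after a weaker one is silently ignored. Files edited
# with Notepad carry CR LF endings; strip the CR before comparing values.
sshd_value() {
    awk -v k="$2" '
        { sub(/\r$/, "") }
        $1 ~ /^#/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Print one line per directive that is missing or differs from WANTED.
# Returns 0 when the file matches, 1 otherwise.
audit_sshd_config() {
    file="$1"
    problems=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        have=$(sshd_value "$file" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key  (want $want; sshd falls back to its built-in default)"
            problems=$((problems + 1))
        elif [ "$have" != "$want" ]; then
            echo "WEAK    $key $have  (want $want)"
            problems=$((problems + 1))
        fi
    done <<EOF
$WANTED
EOF
    [ "$problems" -eq 0 ]
}

# The hardened directives in sshd_config syntax. Replace the matching lines in
# /etc/sshd_config in place rather than appending (see sshd_value above).
hardened_sshd_config() {
    printf '%s\n' "$WANTED" | sed 's/=/ /'
}

# Constructed sample (not captured from a real host): the security-relevant lines
# left as commented-out defaults, which is how a freshly generated config reads.
SAMPLE_DEFAULT='Port 22
#Protocol 2,1
#PermitRootLogin yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
Subsystem sftp /usr/sbin/sftp-server
UsePrivilegeSeparation yes'

# Run the audit against the constructed sample, then against the hardened output.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_DEFAULT" > "$tmp"
    echo "== stock config"
    audit_sshd_config "$tmp" || echo "-> fix the lines above, then restart sshd"
    hardened_sshd_config > "$tmp"
    echo "== hardened config"
    audit_sshd_config "$tmp" && echo "-> OK"
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

With PasswordAuthentication off, each administrator needs a public key in the Windows account's ~/.ssh/authorized_keys under Cygwin before the change is applied; test a key login in a second window before closing the one you edited the file from.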
Optional: Installing TightVNC
What is TightVNC? From the TightVNC home page:
- "TightVNC is a free remote control software package derived from the popular VNC software. With TightVNC, you can see the desktop of a remote machine and control it with your local mouse and keyboard, just like you would do it sitting in the front of that computer."
If you're lucky enough to be running Windows 2000 Server, you already have Terminal Services and can provide remote access through it. Windows 2000 Professional users will probably want to set up TightVNC for remote access to the graphical console. You may also want TightVNC to allow cross-platform access from client machines running Linux or MacOS, or to provide web-based Java access to the console.
Download the application and install it. Once it is installed, set a strong password, bearing in mind that classic VNC authentication only uses the first eight characters. You'll probably want to keep the default ports (TCP 5800 and 5900). I typically instruct it to log off a user when they disconnect, though you may want to do differently since you will take a performance hit each time it logs off the user. I also usually enable the built-in HTTP server and disable concurrent connections, allowing only a single user to be logged in at a time.
Once the application is installed, you can point your TightVNC client at your server on TCP port 5900. Enter the password, and you now have full access to the Windows graphical console. If you would prefer not to install the client on your remote machine, you can instead point your Java-enabled browser to http://your.server:5800 to bring up the graphical console across the web.
Note that everything passed between the VNC client and server is sent in the clear except the initial authentication, and even that is weak: the server sends a challenge that the client returns encrypted with DES keyed by the (at most eight character) password, 56-bit at best, so anyone who captures the exchange can brute-force the password offline, and every keystroke and screen update after it is readable to anyone on the path. I consider VNC across the Internet to be a security risk. If you are willing to take this risk, you must allow TCP port 5800 (for the web client) and TCP port 5900 (for the VNC client) to reach your server through the firewall. If you're paranoid like the author, this risk is a bit excessive. I force users to tunnel their VNC sessions through SSH. Information on how to accomplish this is widely available through your favorite search engine.
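The tunnelling step the page leaves to a search engine, written out as an added example that is not the author's own setup or TightVNC's documentation. It runs on the client machine (Cygwin, Linux, or MacOS), relies on the Cygwin sshd set up above, and assumes the host name your.server from the page plus a hypothetical Windows account nwnadmin and a local viewer binary called vncviewer.

```shell
#!/bin/sh
# Added example, not from the NWNX page or TightVNC: carry the VNC session inside SSH
# so the firewall only needs TCP 22 open and 5800/5900 stay blocked from the Internet.
# Hypothetical names: server "your.server" (as on the page), Windows account "nwnadmin",
# local viewer binary "vncviewer".
#
# Usage:  sh vnc_over_ssh.sh --connect [local_display] [remote_display] [user@host]

# VNC display :N listens on 5900+N and its Java web console on 5800+N; the page's
# default ports 5800/5900 are display :0.
vnc_port()      { echo $((5900 + $1)); }
vnc_http_port() { echo $((5800 + $1)); }

# ssh command that forwards a local display to a display on the server's own loopback.
# -N runs no remote command; binding the local end to 127.0.0.1 keeps other hosts on
# your LAN from riding the tunnel. Use a local display other than :0 if the client
# machine runs its own VNC server on 5900.
vnc_tunnel_cmd() {
    local_display="$1"; remote_display="$2"; user_at_host="$3"
    echo "ssh -N -L 127.0.0.1:$(vnc_port "$local_display"):127.0.0.1:$(vnc_port "$remote_display") $user_at_host"
}

# Open the tunnel in the background, give sshd a moment to accept it, run the viewer
# against the local end, and tear the tunnel down when the viewer exits.
connect_vnc_over_ssh() {
    local_display="$1"; remote_display="$2"; user_at_host="$3"
    $(vnc_tunnel_cmd "$local_display" "$remote_display" "$user_at_host") &
    tunnel_pid=$!
    sleep 3                               # crude wait for authentication to finish
    vncviewer "127.0.0.1:$local_display"  # speaks VNC only to the tunnel, never to the Internet
    kill "$tunnel_pid"
}

if [ "${1:-}" = "--connect" ]; then
    connect_vnc_over_ssh "${2:-1}" "${3:-0}" "${4:-nwnadmin@your.server}"
fi
```

With the tunnel in place the firewall rules for 5800 and 5900 can be removed altogether, and if your TightVNC version offers the option, set the server to accept only loopback connections so the VNC port is never reachable from the network even on the LAN. The web console can be carried the same way by forwarding a local port to 127.0.0.1:5800 on the server.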