Tuesday, November 01, 2011

Using your Home Server for more than Storage, Backup and Remote Access

Back in 2006, I was without power for 4 days in November.  It was cold, but I had friends, and an offline Small Business Server 2003 R2.  Of course I ran everything out of my house, why wouldn’t I?  Being offline my server started sending NDRs and I didn’t have access to anything, as it was all offline.  While I had been toying with adopting the cloud for the amount of spam I was getting, this pushed me over the edge.  It was at that time I decided to adopt the cloud.  My email and most things that I own are all hosted in various cloud services so if the power goes out at my house, my stuff keeps running. 

Trust me, I did a cost benefit analysis and in order to keep things running for me at home, I’d have to pay for hosting services anyways, and given I was running a “business class” server, I was forced into “business class” prices.  I am not a business, I am a consumer.

However, there are certain things that I don’t trust the cloud for, and hence I want my own cloud storage that I run and have total control over.  Enter Windows Home Server stage left. Home Server has been my personal cloud storage location since 2007; I now run WHS 2011.

Enter Cloud computing.

My Windows Home Server is the perfect device to do computing for me, and it can just chug away on it all the time.  The one drawback is that there is only one account, “Administrator”, that has total access to the server.  Running everything as Administrator obviously isn’t good computing practice, so let me show you how to create a working account that you can have do things for you.

First step, let’s create a new user account on the server.  We’ll do this using the normal Add User Wizard in the dashboard.  I’ll call the user Working User.  I gave the user access to the shared folders it needed access to (where I can interact with Working User’s storage), and nothing more.  I didn’t even give this user remote access.

By default, users created this way don’t have permission to log in to the server, so we need to grant it.  This will make the user a standard user on the server, so it will have the same access a standard user has on a client PC (running applications, a /user folder with full control, and access to those folders you gave it).  It won’t be able to mess with the OS or install things.  PERFECT!

  1. On the server console, click Start, then Run, and type in gpedit.msc to edit the local policy on the server
  2. Expand down Local Computer Policy, Computer Configuration, Windows Settings, Local Policies, and click on User Rights Assignment
  3. Scroll down the list on the right until you find Allow log on locally and double click to open the property page
  4. Click the Add User or Group… button and type in the username that you created in the first step inside the Add User Wizard.
  5. Click OK and then OK again and close the local group policy editor.

Now this Working user has access to log in to the server locally.  Of course it can’t do any administration of the server as it’s not a member of the administrators group.
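To confirm the result of the steps above, here is an added example (not part of the original post) that lists the user rights assigned directly to the account and checks that it is not a direct member of Administrators. It assumes the account alias is Working, as in the runas command in this post, and that it is run from an elevated PowerShell prompt on the server; rights or membership inherited through other groups are not covered.

```powershell
# Added example: audit the account created above. Run from an elevated prompt.
# 'Working' is the alias from the post's runas command; adjust to your account.
$account = 'Working'

# Resolve the local account to its SID; secedit lists holders as *SID or by name.
$nt  = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$ids = @($sid, $account, "$env:COMPUTERNAME\$account")

# Export only the User Rights Assignment area of the local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Collect every user right whose holder list names the account directly.
$rights = @(Get-Content $cfg | Where-Object { $_ -match '^Se\w+\s*=' } | ForEach-Object {
    $name, $holders = $_ -split '\s*=\s*', 2
    $list = $holders.Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    if ($list | Where-Object { $ids -contains $_ }) { $name }
})
Remove-Item $cfg

# Direct members of the local Administrators group (WinNT ADSI provider).
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

"Rights assigned directly to ${account}: " + ($rights -join ', ')
"Direct member of Administrators: " + ($members -contains $account)
```

For the setup described here, the first line should show only SeInteractiveLogonRight (the policy name behind Allow log on locally) and the second should show False.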

Next I want to run something as this user, say the command prompt.  I simply use a command line like the following:

    C:\Windows\System32\runas.exe /USER:SERVER\Working /savecred "C:\Windows\System32\cmd.exe"

The /savecred switch will save the credentials you typed in as Working User (alias “working” in the above) and will remember them for future runs.  Keep in mind that the saved credential is not tied to cmd.exe: any later runas /savecred call for this user from the same account reuses it without prompting.  I actually just created a shortcut containing this command.  Now that you have a command prompt open, anything you run from this command prompt will run as the Working User.  So you can load up any application and have it work in the context of this non-administrative user.  So if you do hit something that wants to modify your system, you’ll get a UAC pop-up or an access denied (I haven’t hit anything like that yet in my set up).

Just be careful what you do, because there is no free Anti-virus for your server, and I highly recommend getting an anti-virus for your server if you plan on connecting this user up to the Internet to do anything directly on the server.  I have Antivirus on my system.


6 comments:

Itay said...

Sean,

Thanks for the article. Your comment on the antivirus caught my eye. Can you tell what product you use to protect your server and how satisfied you are with it?

Sean Daniel said...

I cheat. I work for Microsoft so I use their Forefront Endpoint Protection... It's simple and works on servers.

jamie said...

Sean,
Just curious which version you are running. 2012? I've been in the MS forums and people keep saying Forefront isn't supported on WHS2011.

Thanks,
Jamie

Sean Daniel said...

Hi Jamie,

Let's just say that being a Microsoft Employee sometimes has its benefits.

Sean

John said...

Hello Sean,
I’ve read your interesting post. One question about the “adjusted” user. Does the user still count as 1 of the 10 Home Server users which can be created?
Is it possible on WHS 2011 to create a local account to run some services and have read/write access to certain server folders?
John

Sean Daniel said...

Yes, it counts as one of the users. No, it's not possible.