Adam Turner, 25 April 2008, 4:54 PM
Now that your SBS is up and running, you can take steps to make things easier to administer, giving yourself more time to do other things.
The biggest benefit of running a server in a small business is that many resources are centralised, which makes them easier to use, manage and secure.
Remote access
The old adage of the 9-5 office day is gone. More and more people want flexibility in their working hours and working places in order to spend more time with family or pursue non-working activities. Not to mention that there will be times when things go wrong while you’re not in the office. In both scenarios, being able to remotely access your server is a boon to your workers and administrators.
Remote Web Workplace
Remote Web Workplace (RWW) is set up by default. The RWW web site can be accessed from remote locations by pointing a web browser (preferably Internet Explorer) to https://<external_address_of_server>/remote. Note that the prefix of the URL is HTTPS — an SSL-encrypted session must be established to RWW in order to ensure that the data transferred between the server and your browser is not able to be intercepted.
By default, all users have access to RWW. If you wish to revoke access for any given user, simply remove them from the Remote Web Workplace Users group.
VPN connectivity
Like most tasks under SBS, there’s a wizard under the SMC that can be run which takes all of the difficulty out of setting up a VPN. The Remote Access Wizard is accessible under the Internet and Email category.
In general, the first major decision that you’ll need to make when setting up your VPN is how IP addresses are assigned to your remote end-points. Using DHCP is best practice and, if you’re not using SBS as a DHCP server (i.e. you have an external DHCP service running), you can configure SBS to use that server to allocate addresses. Of course, there’s always the option to use a static range of IP addresses for assignment.
After supplying the externally-accessible, fully-qualified domain name and completing the wizard, ensure that the users who need to be able to establish connections to the VPN are members of the Mobile Users group. You’ll also need to ensure that the client connection manager software is installed on each workstation that needs to connect to the VPN. The software can be accessed via the RWW web site, which is useful if you are at a remote site and requiring access on a system that has never been attached to your LAN (although the security ramifications of doing this probably should be considered). Alternatively, a floppy disk with the connection manager software can be created using the Create Remote Connection Disk wizard.
Finally, don’t forget to consider the impact that any firewall or router may have on your provisioning of your VPN. If your server sits behind a router, firewall or NAT gateway, port 1723 needs to be forwarded to your SBS and VPN passthrough must be enabled.
RPC over HTTPS
If email access is the only form of remote access that is required, end users can use RPC over HTTPS to communicate directly with Exchange via the internet. Historically, native RPC should not be exposed to the internet because it can be used to send execution commands to systems, which could lead to security vulnerabilities. However, by encapsulating RPC traffic in HTTPS, authentication and authorisation at the HTTPS layer can be used to filter out malicious traffic before it reaches the RPC endpoints.
RPC over HTTPS can be enabled or disabled via the Internet Connection Wizard. Once enabled, you’ll need to log on to the RWW site with Administrator credentials, then click on the Additional Links box to the right, followed by the ‘Configure Outlook via the Internet’ link.
If the latter link does not appear, fire up regedit on the server and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\RemoteUserPortal\AdminLinks, then locate the RPC key and change the value to 1.
Remote Desktop
The last method for remote access that you should consider is allowing Remote Desktop Protocol (RDP) connections for administrative purposes only. However, if you choose to do this, you should change the port that RDP is listening on for external connections. If your server sits behind a NAT gateway, this is simple enough to achieve using the port-forwarding features of your router.
However, if your server is directly connected to the internet, you’ll need to change the value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber key to a new, random number. The default port for RDP is 3389; moving it to a different port reduces the chance of a malicious user being able to connect to your server via RDP.
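The two registry changes described in this section (exposing the ‘Configure Outlook via the Internet’ link in RWW, and moving RDP off port 3389) can be scripted and read back so you can confirm each change took. The block below is an added example, not part of the original article; it assumes an elevated PowerShell session on the SBS server itself, and the new RDP port number in it is a constructed placeholder to replace with your own.

```powershell
# Added example (not from the original article). Run elevated on the SBS server.

# 1. Expose the 'Configure Outlook via the Internet' link in RWW.
#    The existing value kind is read first so the type is preserved whatever it is.
$rwwKey = 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer\RemoteUserPortal\AdminLinks'
$kind   = (Get-Item -Path $rwwKey).GetValueKind('RPC')
Set-ItemProperty -Path $rwwKey -Name 'RPC' -Value 1 -Type $kind
"RPC admin link value is now: $((Get-ItemProperty -Path $rwwKey -Name 'RPC').RPC)"

# 2. Move RDP off its default port 3389.
#    51739 is a constructed example; choose your own unused high port and record it.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$newPort = 51739
$oldPort = (Get-ItemProperty -Path $rdpKey -Name 'PortNumber').PortNumber
"RDP currently listens on TCP $oldPort"
Set-ItemProperty -Path $rdpKey -Name 'PortNumber' -Value $newPort -Type DWord
"PortNumber is now: $((Get-ItemProperty -Path $rdpKey -Name 'PortNumber').PortNumber)"

# The listener only picks up the new port after Terminal Services restarts (a reboot is
# the safe way on SBS 2003). Open the new port in Windows Firewall BEFORE rebooting, or
# you lock yourself out of remote administration; the old 3389 exception can then go.
netsh firewall add portopening protocol=TCP port=$newPort name="RDP (custom port)" mode=ENABLE
```

After the reboot, confirm from another machine that a Remote Desktop client connects on server:51739 (your chosen port) and no longer on 3389, and update any router port-forwarding rule to match.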
Software updates
The benefits of having a Windows Server Update Services (WSUS) server running on SBS are two-fold — not only can you ensure that all systems on your network are up to date by using a simple console, but you can also save internet bandwidth, since workstations will download their updates from your server instead of from Microsoft.
Installation of WSUS 3.0 is fairly straightforward on a regular Windows Server 2003 system, but there are a few caveats to be aware of when performing an installation on SBS. The biggest issue that can be encountered is that updates fail to synchronise with SBS Servers after the WSUS Configuration Wizard has been run.
Before installing WSUS, you’ll need to download and install:
The other prerequisite for WSUS 3.0 is IIS 6 — which should already be installed on all SBS installations. Once all prerequisites have been met, download WSUS 3.0 from Microsoft and commence the installation.
The first couple of steps of the installation are relatively straightforward. Specify the location where you want your updates stored and (unless you have reason to do otherwise) where you’d like the instance of SQL Server 2005 Embedded Edition that WSUS uses.
On the ‘Web Site Selection’ screen, ensure that you don’t accept the default option and that you ‘Create a Microsoft Windows Server Update Services 3.0 Web site’. This is to ensure that WSUS doesn’t conflict with your Sharepoint services installation. Before clicking on next, write down the URL that client computers need to use to access WSUS.
After the installation of WSUS has completed, the WSUS Configuration Wizard launches. Each step in this wizard is relatively straightforward — but be sure not to change the Sync Schedule from the default option (Synchronise Automatically). If the Synchronise Manually option is selected, the portion of WSUS that updates SBS cannot be run.
The final step involves configuring all client workstations to check the WSUS server for updates. Thanks to Group Policies, you don’t have to go around to every workstation and make configuration changes. If you are running the RTM version of SBS 2003 (i.e. not the R2 version), you can download the Group Policy Management Console (GPMC). Once installed, the shortcut to GPMC can be found in the Start Menu under Administrative Tools.
After loading GPMC, expand the branches corresponding to your forest and domains, then right-click on the Default Domain Policy and select Edit. Then expand Computer Configuration > Administrative Templates > Windows Components > Windows Update. Double-click on the Configure Automatic Updates setting and enable it (and customise how automatic updates should behave if you wish). Now, click on the Next Setting button and enable the Specify Intranet Microsoft update service location setting. Finally, enter the URL that you wrote down during the installation of WSUS in both the fields in the dialog box. Once entered, you can click OK.
Once your workstations update their group policy settings, they will contact the WSUS server and send an inventory of what updates are currently installed. Once WSUS has synchronised with Microsoft’s update server, it will determine what updates are required (if any), allowing you to approve, download and automatically install each update as it is released.
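The Windows Update policy settings configured above land on each workstation as registry values under the Policies hive: the two URL fields become WUServer and WUStatusServer, and the ‘use an intranet server’ switch becomes UseWUServer. The block below is an added example, not part of the original article; run on a domain workstation (PowerShell 2.0 or later assumed) it refreshes computer policy, shows what the Windows Update client has actually been told, checks that the WSUS port is reachable through any firewall, and triggers an immediate detection. The expected URL in it is a constructed placeholder.

```powershell
# Added example (not from the original article). Run on a domain workstation.
$expectedUrl = 'http://sbs-server:8530'   # placeholder: the URL noted during WSUS setup

# Pull fresh computer policy, then read what Group Policy wrote for the Windows Update client.
gpupdate /target:computer /force | Out-Null

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

if (-not $wu) { throw "No WindowsUpdate policy key: the GPO has not reached this machine." }

"WUServer       : $($wu.WUServer)"
"WUStatusServer : $($wu.WUStatusServer)"
"UseWUServer    : $($au.UseWUServer)"    # must be 1, otherwise WUServer is ignored
"AUOptions      : $($au.AUOptions)"      # 2=notify, 3=auto download, 4=download and install on schedule

if ($wu.WUServer -ne $expectedUrl -or $wu.WUStatusServer -ne $expectedUrl) {
    Write-Warning "Both URLs should match the one recorded during the WSUS installation."
}
if ($au.UseWUServer -ne 1) {
    Write-Warning "UseWUServer is not 1: clients will still go to Microsoft for updates."
}

# Confirm the WSUS port is open from here; a forgotten firewall rule on the server is the
# usual reason workstations never appear in the WSUS console.
$uri = [Uri]($wu.WUServer)
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($uri.Host, $uri.Port)
    "TCP connection to $($uri.Host):$($uri.Port) succeeded"
} catch {
    Write-Warning "Cannot reach $($uri.Host):$($uri.Port): $_"
} finally {
    $tcp.Close()
}

# Ask the client to check in with WSUS now rather than waiting for its next detection cycle.
wuauclt /detectnow /reportnow
```

A workstation that passes these checks should show up in the WSUS console within a few minutes; if it does not, inspect %windir%\WindowsUpdate.log on the workstation for the URL it is actually using.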
Group policies
As demonstrated above, group policies are perfect for rolling out settings to all (or a subset of) workstations on your network. For just about any setting under Windows that you can think of (including core applications such as Internet Explorer), there is a group policy setting that is available to customise.
The group policies themselves are stored within Active Directory and can be seen under the Group Policy Objects container in GPMC. Each policy can be linked to any number of Organisational Units (OUs) within your domain. Each policy has two sections — one for Computer settings and one for User settings. When a workstation boots up, all of the computer settings contained in group policy objects that are linked to the OU that the computer resides in (along with the policies that are linked to parent OUs) are applied. Likewise, the user settings that are contained in group policy objects linked to the OU that the user is a member of (plus parent OUs) are applied once that user logs on.
Mapping network drives and printers
Even though it is a relatively trivial task to do, many end users encounter difficulty mapping network drives and printers. Traditionally, administrators write short batch-file or Visual Basic scripts and use the Profile settings for each user account to execute these scripts upon login. While this traditional approach works in most cases, you cannot use these methods to install printer drivers on Vista workstations due to the enhanced security features in Vista. In addition, you can save the effort of having to manually type in the location of a script in each user’s account properties by using group policies.
To configure login scripts via group policy, load up or create a new policy within GPMC and navigate to User Configuration > Windows Settings > Scripts (Logon/Logoff). If you double-click on the Logon setting and then click on the Show Files button, an Explorer window opens showing the directory that should contain any batch file or VBS script that you create for that specific policy (note that each group policy object has a unique location for the logon scripts defined for that policy).
Mapping network drives is simple — add the following line to a batch file for each share that you want to map:
net use x: \\server\share
If you’d prefer to use a Visual Basic Script, the following syntax will achieve the same result:
Option Explicit
Dim objNetwork, objAppl
' WScript.Network maps the drive; Shell.Application renames it in Explorer
Set objNetwork = CreateObject("WScript.Network")
Set objAppl = CreateObject("Shell.Application")
objNetwork.MapNetworkDrive "X:", "\\server\share"
objAppl.NameSpace("X:").Self.Name = "User Friendly Name"
Due to tighter security provisions under Vista and Windows Server 2008, printer drivers cannot be installed by regular users, so a login script like the one above cannot be used to add printers. Windows Server 2003 R2 has an additional Print Management Console that needs to be used in order to deploy printers to Vista workstations, but this component did not ship with SBS R2 for compatibility reasons. At the time of writing, there are still a number of compatibility issues between Vista and SBS 2003, and the official best practice is to manually install printers under regular user accounts using User Account Control privilege elevation.
Version control
Though typically used by developers for managing source code, version control systems can hold a valuable place in a small business network as a document-management system. The main advantage to using version control systems as opposed to storing documents on a regular file system is that end users can access older versions of any document in a relatively easy manner.
Subversion is becoming one of the more prominent open-source version control systems and is simple to use across a multitude of platforms including Windows, Mac OS X and Linux. Subversion works by hosting a repository database on the server. When a file is first added to a repository, it is copied to the server, and the revision number for the repository is incremented to ‘rev1’. If someone else then checks out the original file, opens it, makes some changes, saves and then checks the file back in to the repository, only the changes to the file (in most cases) are committed to the database and the revision number is incremented again (this time to ‘rev2’).
Because only the changes to a file are committed to the database after changes have been made, the amount of disk space that is consumed is significantly less than what you would have if you kept every single revision of a file stored on a regular file system.
While Subversion is an open source project, CollabNet provides an integrated binary installer for Subversion which can be downloaded from here. You have the choice of accessing Subversion via two daemons — the native SVNServe daemon that runs on port 3690, or the Apache Web Server (running on port 80 by default) using the WebDAV protocol. Keen readers will note that if you install the Apache Web Server, its default port will conflict with IIS, which is essential to the smooth running of SBS. As such, if you install the Apache (MOD_DAV_SVN) component, you’ll need to edit the httpd.conf file located in the httpd\conf directory under where you installed Subversion in order to change the port that Apache uses. The simpler approach is to skip the Apache component altogether and stick with SVNServe.
After installation, you can create a repository from the command line by typing:
cd <repository_path>
svnadmin create <repository_name>
Next, edit the conf\svnserve.conf file located under your new repository’s directory and uncomment the following line in order to set up the password database:
password-db = passwd
Next, edit the passwd file located in the same directory as svnserve.conf and add users as per the comments. Once you’ve saved your changes, add svnserve.exe to the list of exceptions in Windows Firewall and start the SVNServe service.
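The repository creation, svnserve.conf and passwd edits, firewall exception and service start described above can be done in one script. The block below is an added example, not part of the original article or the CollabNet installer; it assumes svnadmin.exe, svnserve.exe and svn.exe are on PATH, that the installer registered a Windows service named ‘svnserve’ whose repository root (its -r option) is C:\svn (both assumed; check with Get-Service and the service’s command line), and the user names and passwords in it are constructed placeholders.

```powershell
# Added example (not from the original article). Run elevated on the SBS server.
$repoRoot = 'C:\svn'          # assumed to match the svnserve service's -r root
$repoName = 'documents'
$repoPath = Join-Path $repoRoot $repoName

if (-not (Test-Path $repoRoot)) { New-Item -ItemType Directory -Path $repoRoot | Out-Null }
svnadmin create $repoPath
if ($LASTEXITCODE -ne 0) { throw "svnadmin create failed" }

# svnserve.conf: password-db is the line the article has you uncomment. The other settings
# close two gaps the shipped defaults leave open: anonymous READ access is on unless
# anon-access is set to none, and the realm is what users see in the credential prompt.
@'
[general]
anon-access = none
auth-access = write
password-db = passwd
realm = Company Documents
'@ | Set-Content -Path (Join-Path $repoPath 'conf\svnserve.conf')

# passwd: one "user = password" line per user. It is stored in plain text, so restrict the
# NTFS permissions on the conf directory to Administrators and the service account.
@'
[users]
alice = ChangeMe-Constructed1
bob = ChangeMe-Constructed2
'@ | Set-Content -Path (Join-Path $repoPath 'conf\passwd')

# Windows Firewall exception for svnserve.exe (it listens on TCP 3690), then start the service.
$svnserveExe = (Get-Command svnserve.exe).Definition
netsh firewall add allowedprogram program="$svnserveExe" name="Subversion svnserve" mode=ENABLE
Start-Service -Name 'svnserve'
Get-Service -Name 'svnserve'

# Smoke test: an authenticated listing of the new (empty) repository over svn://.
svn list "svn://localhost/$repoName" --username alice --password ChangeMe-Constructed1
if ($LASTEXITCODE -ne 0) { throw "svnserve is not answering for $repoName" }
```

A second test worth running from a workstation is svn list svn://<server_name>/documents with no credentials: with anon-access = none it must fail with an authorisation error, which confirms that the repository is not readable by anyone who can reach port 3690.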
The easiest manner for Windows clients to access data contained in the repository is to use TortoiseSVN, downloadable from http://tortoisesvn.net/downloads. Once installed, you can check out a working copy of the repository by loading up Windows Explorer, right-clicking and selecting the Check Out option. The URL of your repository will be svn://<server_name>/<repository_name>.
The manual for Subversion can be found here.