Installing Windows 2000 for WWW Service

Written by Chatchawan Wongsiriprasert.

1 Software

This is the list of software you need to run the server.

1.1 Windows 2000 Professional Edition.

We need to reduce cost, and Windows 2000 Server is too expensive for us. With the Professional edition, however, we are limited to 10 concurrent connections (if I understand the Microsoft EULA correctly; I am not a native English speaker). That is fine for this work. I reserved 1 connection for the administrator (ssh), 1 for connecting to the MQSeries server, and 2 for future use. That leaves 6 for client access over WWW, which can be controlled with the Apache MaxClients and MaxRequestsPerChild directives.

1.2 Apache 1.3

Someone argued that I should use IIS because of the ease of use of ASP (I don't agree with him). Moreover, I am tired of reading EULAs, and I am not sure that Microsoft allows me to use IIS with the Win2K Professional edition. I use the old version of Apache because Apache 2.0 is too new (at least for me) to use on a production machine. Moreover, this is a low-traffic server (see the section above), so the speed advantage of 2.0 does not buy me much.

1.3 PHP 4

Because I chose Apache over IIS, I selected PHP as the development tool.

1.4 MySQL 3.23

Due to the cost, MSSQL Server is out of the question. That leaves MySQL and PostgreSQL. The database on this host only has to store a small amount of data for PHP scripts. It is very simple, so PostgreSQL's ability to handle more complex SQL is of no use, and the same goes for its concurrent access performance. Moreover, MySQL has a native Win32 build, but PostgreSQL has only a Cygwin port for Win32.

1.5 Cygwin

I need an sshd server, and the best one is Cygwin sshd. Moreover, Cygwin provides some useful tools, such as bash, which is much better than cmd.exe, and rxvt, which replaces the sloppy standard Windows console (I found that a nice setting for rxvt is rxvt.exe -vb -sr -sl 2000 -bg "#EAE3AE" -fg black -fn "Lucida Console-18" -e /bin/bash --login -i). Another Cygwin tool that is useful for this server is cygrunsrv.exe, which allows you to run a Cygwin application as a Win32 service. If you come from the Unix world as I do, don't forget to install Cygwin on every Windows machine you touch.

1.6 TightVNC

You cannot run Windows without a GUI. The best free Windows GUI remote access tool is TightVNC. But the VNC protocol is insecure, so you need to 'tunnel' it through ssh, which is very easy.

1.7 Dimension 4 Time

It seems that there is no ntpdate (or dig) in Cygwin, but I don't miss it much. ThinkMan Dimension 4 Time is great for this work on Windows.

1.8 Fport

The fewer ports you open, the more secure your host is. On Unix you can use lsof to list open ports and the applications that opened them; on Win32 you need Foundstone, Inc.'s fport to do this.

2 Security

  1. Always check for Windows Update
  2. Read Windows 2000 Installation Security Checklist
  3. Don't forget to disable DCOM. For Windows 2000 SP4:
    Run Dcomcnfg.exe, choose the Default Properties tab, then uncheck the Enable DCOM check box. Restart your computer.
    See Microsoft Security Bulletin MS03-026 for more detail.
  4. Read HOW TO: Configure TCP/IP Filtering in Windows 2000 and permit access to only TCP/22 (sshd) and TCP/80 (http).
    Unfortunately, filtering UDP will prevent DNS and NTP from working. So you must make a choice: disable DNS or disable the UDP filter.
    I chose the UDP filter, so DNS and NTP cannot be used on this host.
    For DNS, I put all the domain names that I use in %SystemRoot%\system32\drivers\etc\hosts and added a cron script on another FreeBSD machine that looks for any change in the IP addresses and mails me about the change. After that I modify the hosts file by hand.
    For NTP, precise time is not critical for this machine, so I do a weekly time synchronization by hand and by eye.
  5. Run mysqld and vnc only on 127.0.0.1 and use ssh for tunnelling.
    For example, use the following command on your desktop to access nthost.yy.zz (assuming your desktop is Unix or has Cygwin installed):
    ssh -C -L3307:127.0.0.1:3306 -L5901:127.0.0.1:5900 xxx@nthost.yy.zz
    Now you can use port 3307 on your local host to access MySQL on nthost.yy.zz. -C compresses the traffic between the 2 hosts.
    The same applies to the default VNC port 5900.
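
One way to check that the host really matches items 4 and 5 is to audit its listening sockets. The script below is an added example, not part of the original document: it parses Windows `netstat -an` output (used here instead of fport) from Cygwin bash, and the function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit TCP listeners against the policy in the list above.
# Only TCP/22 and TCP/80 may listen on a non-loopback address; mysqld (3306)
# and VNC (5900) must be bound to 127.0.0.1 only.
ALLOWED_PUBLIC="22 80"
LOOPBACK_ONLY="3306 5900"

# audit_listeners (hypothetical name): reads `netstat -an` output on stdin and
# prints one finding per offending listener; prints nothing if the policy holds.
audit_listeners() {
    awk -v pub="$ALLOWED_PUBLIC" -v loc="$LOOPBACK_ONLY" '
    BEGIN {
        n = split(pub, a, " "); for (i = 1; i <= n; i++) is_pub[a[i]] = 1
        n = split(loc, a, " "); for (i = 1; i <= n; i++) is_loc[a[i]] = 1
    }
    { sub(/\r$/, "") }   # native Windows tools emit CRLF when piped in Cygwin
    # Columns: Proto, Local Address, Foreign Address, State
    $1 == "TCP" && $4 == "LISTENING" {
        k = split($2, part, ":")
        port = part[k]
        addr = substr($2, 1, length($2) - length(port) - 1)
        if (addr == "127.0.0.1") next      # reachable only through the ssh tunnel
        if (port in is_pub) next           # sshd and http are meant to be public
        if (port in is_loc)
            print "EXPOSED " port " bound to " addr ", expected 127.0.0.1"
        else
            print "UNEXPECTED " port " listening on " addr
    }'
}

# Constructed sample of `netstat -an` output: mysqld is bound to all addresses
# and one extra port is listening.
sample_netstat() {
cat <<'EOF'
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:22            10.0.0.9:40122         ESTABLISHED
  UDP    0.0.0.0:445            *:*
EOF
}

# On the host: netstat -an | audit_listeners
# With the constructed sample: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then sample_netstat | audit_listeners; fi
```

Empty output means every listener is either on loopback or on one of the two permitted ports.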

3 Services

For Apache and MySQL, installation is very easy: just use the installation program.
For PHP, you need to modify the Apache configuration file to load the PHP module. Use the full Win32 package, not the Win32 installer. You need php4apache.dll to run PHP as an Apache module, and it exists only in the full Win32 package.
For sshd, read SSHD Setup.

The document theme is copied from the FreeBSD Handbook.
For questions about this documentation, e-mail <cws@miraclenet.co.th>.
Last update : $Id: install_nt.html,v 1.8 2003/11/13 01:56:52 cws Exp $