Do you need a home server? Yes, if you want the convenience of an always-on media server, instant access to your printer from any computer in the house, a dedicated machine for downloading and uploading large files, and a development web server that can be used to host an intranet within your home (or for testing a website outside the home).
A home server is often the heart of a home automation system, which allows control of lights via X10 (and can be set up to do this via a text message). Since it is always on, it can be used for folding and other distributed computing projects. And finally, it can be used as a secondary wireless router – you can let your guests use a more restricted and "sandboxed" network without letting them get into your personal files.
I had my dad's old laptop lying around that I am unable to sell (it was originally purchased through a grant), so I decided to turn it into a server. Why a laptop? Hmm...
Of course, there are also some disadvantages:
I used my DreamSpark license of Windows Server 2003. Server 2003 is an excellent server OS that's designed for use on a server, obviously. Microsoft also released an operating system called Windows Home Server that's, well, designed for home servers (and is based on the core of Windows Server 2003)... but if you don't have that either, you can pull it off using a copy of Windows XP Professional. (Home Edition has crippled networking, permissions, and Remote Desktop support, and is thus not recommended.)
I won't be setting up a domain controller – that would drive my family crazy – but I will be setting up a file, print, and HTTP server, as well as remote access from both our network and the Internet. The latter requires some security precautions as well as router configuration, which I'll outline below.
Whether you're using an old laptop, an old desktop, or a brand-new slimline PC designed for use as a home server, you must keep in mind the following.
Although nearly all laptops – and even some desktops – have wireless networking capabilities, using wireless as a server's primary network connection is strongly discouraged. Why? Well, it's a less reliable connection, does not support wake-on-LAN, and is usually slower. It's also susceptible to interference.
Although the whole point of a server is having an always-on machine, letting the beast sleep during times of non-use is important (more on this below). In order for it to wake up, you need to allow it to wake on network activity... which is not possible when using a wireless connection.
It's recommended that you place your home server near your router – but keep your priorities in mind. If your router is in the basement somewhere but you want a print server, you will need to keep your home server within reach of the printer's cable.
Set your server's computer name to something meaningful, and reboot afterwards. YOUR-GW0435432534534, LYOSHABL-PC, and GATEWAY-LAPTOP are excellent examples of BAD names: don't use names like these! Remember, this is a server. You can name it after a character in a movie, or just pick something random, but try keeping it one word, with no punctuation, and easy to remember. Some ideas I can think of off the top of my head are GEEKBOX, NOOKKINHOME, BORG, and NEO.
You will want to set up your server with a static IP address. Say what? A static IP address is simply one that will never change; most IP addresses on a home network are dynamic and can change from time to time.
You need to pick an address outside of your router's DHCP range, which is 192.168.1.100 to 192.168.1.149 on my router. (Thus, I picked 192.168.1.50). Once you've chosen your address, go to Control Panel > Network Connections, right-click on Local Area Connection (or whatever you're using to connect to the network) and click Properties, click "Internet Protocol (TCP/IP)", and click the Properties button. Fill out the IP address, subnet mask (usually 255.255.255.0), default gateway (your router's IP address, 192.168.1.1 in my case), and set your preferred DNS server to the same value as your default gateway. (If you need the gateway information, open a command prompt and run "ipconfig /all" before attempting to set up a static IP.)
Now that you have a static IP address, you can set up the other goodies easily enough. First off, port forwarding. Your router acts as a basic NAT firewall, since it shares one external IP address among as many as 254 internal IP addresses (or more, with subnets). Inbound connections on a chosen port can be "forwarded" to one of these; it makes perfect sense to port-forward to the server, which will allow inbound access to the ports needed for things like an HTTP web server, remote FTP server, Remote Desktop from outside the home, and so on. You will need to open each port in Windows Firewall as well as forward it in your router.
You want to set up Remote Desktop right away. Most of the other configuration outlined here can be done via Remote Desktop, so you don't have to keep the laptop in the same room. Simply go to Control Panel > System, click the Remote tab, and check the box. Then, double-click "Windows Firewall" in Control Panel, click the Exceptions tab, and check the exception for "Remote Desktop." Then, if you want remote access from outside the home, forward TCP port 3389 in your router's control panel.
Since your external IP address is susceptible to change at your ISP's discretion, you are strongly advised to get a free account at http://dyndns.com. This will give you your own domain name, and once your router is configured to update their server with your IP address, you're set. (If worst comes to worst and your router does not support Dynamic DNS updating, don't worry: you have a highly-customizable server that's always on, and you can install one of many auto-updating scripts.)
Many residential ISPs block inbound traffic on port 80; in other words, they prevent you from running a standard web server. My ISP does that. What can you do about it? Nothing, really, short of either asking them to unblock it (it's unlikely that they'll do it) or using a different port.
Think about it: is your pitiful 256kbps upload speed going to work for hosting a real web site? Probably not. The only reason you'd really need an HTTP server would be for your own purposes. Thus, your most feasible solution would be to run your HTTP server (I strongly recommend Apache) on a different port (I chose 1337; you can choose any non-standard port). Apache will even let you run two or more websites – one on port 80, accessible on your intranet, and one on port 1337, accessible to the world. All that you would need to do would be to enter http://yourname.dyndns.org:1337/ into your browser to force it to use port 1337 for communication.
In order to allow file sharing, you need to add this as a server role (Server 2003; it is added by default on a new installation), or enable it in your network adapter's list of protocols (XP). You will also need to allow file sharing through the firewall.
Sharing a folder is easy enough. What gets slightly tricky is authentication. If you are using Windows Server 2003, you must enable the Guest account by clicking Start > Run, typing "lusrmgr.msc" and hitting Enter, then opening the "Users" folder and enabling the account. This will allow everyone on your network to access the shares on your server without being prompted for a username or password.
Permissions are a different story. For every shared folder, you can control permissions in several ways. As a general rule, you want to go into Advanced Permissions options and UNCHECK the "allow inheritable permissions..." box, remove all entries in the list except Administrator (which should almost always be given full control), and then add the appropriate users and groups selectively. You should also avoid using the "deny" checkbox unless you know what you're doing, because "deny" directives override "allow" directives and this might cause issues with layered permissions.
Give Everyone read and write access only if you literally want everyone on the network – including visitors that you allowed on your network – to have it. This can be useful in some cases, but can be a security or privacy risk in others.
This provides the highest security and flexibility, in that it allows Bob to access his own share but prevents other users from accessing it. There are two parts to setting this up.
First of all, you need to create an identical user account on the server for every user. "Identical" here means that it has the exact same username and password. This can be done using lusrmgr.msc, and is pretty straightforward.
Then, you must allow each user access. From a "clean" slate, add each user by name and assign appropriate permissions. Do not add "Everyone" with higher rights though, because this will make adding individual users pointless. (You can, however, give read-only access to Everyone but allow a specific user Full Control.)
If you append $ to the name of any share, it will not show up when your server is being browsed. This doesn't increase security much, except for the "security by obscurity" principle, but it does avoid casual snooping.
On the Sharing tab, there is a "Permissions" button, which contains permissions that are combined with the permissions on the Security tab when the object is accessed remotely. In other words: if your share permissions only allow read access, as is the default, you will be unable to write to the folder or file even if you have allowed this in the Security tab. This is a frequent source of headaches and pulled hair for novice server users. Be sure to set share permissions to the HIGHEST level allowed for that share (i.e. if Bob has Full Control of a folder and Everyone has read access, set share permissions to Full Control so that Bob will be able to get full control of his folder).
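The interaction between the Sharing tab and the Security tab can be checked with a small model. The following is an added example, not code from the original article: it uses a simplified three-level rights model, hypothetical account names, and assumes all entries are explicit (inheritance is switched off, as recommended above).

```python
# Added example: simplified model of how Windows combines share and NTFS ACLs.
READ = frozenset({"read"})
CHANGE = READ | {"write"}
FULL = CHANGE | {"change_permissions"}

def layer_rights(acl, identities):
    """Rights granted by ONE ACL (share or NTFS).

    Allows accumulate across every identity the user holds (own account
    plus groups such as Everyone); any matching deny is then subtracted.
    """
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in identities:
            (allowed if kind == "allow" else denied).update(rights)
    return frozenset(allowed - denied)

def remote_rights(share_acl, ntfs_acl, identities):
    """Over the network a right must be granted by BOTH layers."""
    return layer_rights(share_acl, identities) & layer_rights(ntfs_acl, identities)

# Constructed scenario matching the text (hypothetical accounts).
BOB = {"Bob", "Everyone"}
VISITOR = {"Guest", "Everyone"}
NTFS = [("Administrator", "allow", FULL),
        ("Bob", "allow", FULL),
        ("Everyone", "allow", READ)]
SHARE_DEFAULT = [("Everyone", "allow", READ)]   # default share permission
SHARE_FIXED = [("Everyone", "allow", FULL)]     # highest level needed by any user
NTFS_WITH_DENY = NTFS + [("Everyone", "deny", {"write"})]

if __name__ == "__main__":
    cases = [
        ("Bob, default share", SHARE_DEFAULT, NTFS, BOB),
        ("Bob, share raised", SHARE_FIXED, NTFS, BOB),
        ("Visitor, share raised", SHARE_FIXED, NTFS, VISITOR),
        ("Bob, deny on Everyone", SHARE_FIXED, NTFS_WITH_DENY, BOB),
    ]
    for label, share, ntfs, who in cases:
        print(f"{label:24} -> {sorted(remote_rights(share, ntfs, who))}")
```

Raising the share permission does not widen a visitor's access, because the Security tab still limits Everyone to read; the last case shows why a "deny" on Everyone also takes write access away from Bob.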
Since the server is always on and you're opening ports in the router, care must be taken to prevent getting hacked or otherwise exploited. Just follow these rules of thumb.
DO NOT use "DMZ" mode on your router unless you are using a software-based firewall other than Windows Firewall, as it will expose all ports on your server to the internet. Do not open ports that you will not use – if you don't want Remote Desktop access from outside the home, don't open the port for it!
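One way to check your own server against this rule, as an added example that is not part of the original article: compare the output of `netstat -an` on the server with the ports you forwarded in the router. The netstat text below is a constructed sample, and the forwarded set (including a leftover FTP forward on port 21) is an assumption for illustration.

```python
import re

# Constructed sample of Windows `netstat -an` output (not captured data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1337           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.50:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.50:3389      192.168.1.101:49210    ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Assumed router forwards: Apache on 1337, Remote Desktop on 3389,
# plus an FTP forward (21) left over from an earlier experiment.
FORWARDED = {21, 1337, 3389}

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")

def listening_ports(netstat_output):
    """TCP ports in LISTENING state on a non-loopback address."""
    ports = set()
    for line in netstat_output.splitlines():
        match = LISTEN_RE.match(line)
        if match and not match.group(1).startswith(("127.", "[::1]")):
            ports.add(int(match.group(2)))
    return ports

def exposure_report(netstat_output, forwarded):
    """Compare what the server listens on with what the router forwards."""
    listening = listening_ports(netstat_output)
    return {
        # Forwarded and answered by a service: reachable from the internet.
        "reachable_now": sorted(listening & forwarded),
        # Forwarded but nothing listens: an unused forward to remove.
        "forwarded_but_unused": sorted(forwarded - listening),
        # Not forwarded today; DMZ mode would pass these through as well,
        # leaving only the host firewall in front of them.
        "extra_if_dmz": sorted(listening - forwarded),
    }

if __name__ == "__main__":
    for key, ports in exposure_report(SAMPLE_NETSTAT, FORWARDED).items():
        print(f"{key:22} {ports}")
```

In the sample, DMZ mode would additionally hand the intranet web site (80) and the Windows RPC and file-sharing ports (135, 139, 445) to the internet.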
An unsecured network is now more than just "oh, the neighbors will get some of my internet." It's more like "oh crap, the neighbors just got access to all of my backups and dumped a virus into the public share." Use WPA encryption – WEP is extremely simple to crack nowadays.
Especially if Remote Desktop is enabled, you want to ensure that all accounts with remote access have strong passwords. Read my article on choosing a good password for more information about "strong" passwords. Do not allow users with weak passwords to connect remotely – this includes the users you added for purposes of user-level access control above!
An always-on server can be configured to download updates automatically at 3 AM or something, and keeping it up to date is more important than keeping your desktop up to date because the server has more ports open to the internet. Automatic updates are free, and although most of us hate that annoying "updates are available for your computer" message, it's a non-issue on a server.
If your ISP allows email, you can configure your server to send an email (or even a text message straight to your phone) if something is amiss. Just use the Outlook mail API or something similar in your own program. That way, you'll be notified if the server is overheating or has switched to battery power.
In conclusion, a home server is a must for anyone who is somewhat tech-savvy and wants the convenience it provides. It doesn't have to cost you anything, either – an old laptop is perfect for this purpose.