How to set a PC for un-attended 24/7 Data Acquisition? — Parallax Forums

john_s Posts: 369
edited 2010-11-21 11:15 in Accessories
We plan to collect data from multiple sensors and make the results available for us and the end-user via IE or Mozilla. The whole system must operate 24/7 with no intervention from a human operator.

I came up with a short list of setup requirements that I place for discussion/expansion:

- PC to silently ignore any restart requests (other than after sudden loss of power)
- Antivirus updates should be transparent and not require restarts
- the system should never try to update/change ANY of its pre-loaded software
- OS should never display annoying "warning" messages of ANY kind

The big question is:
- how to set up a Win7 or XP based PC to run kind of "optimized" for this particular purpose?

Thnx,
John

Comments

  • john_s Posts: 369
    edited 2010-11-10 20:29

    Perhaps in my next project :-)
    However, this time it's all about reliable setup of a dedicated PC to collect data from wireless sensors.
  • Mike Green Posts: 23,101
    edited 2010-11-10 20:55
    I think you've created a list of requirements that guarantee failure. You would be much more likely to be successful if you used one of the Linux distributions.

    You are not going to be able to do anti-virus updates without occasional restarts.

    I think it's possible to disable Windows Update, but it's impossible to prevent all warning messages and it's impossible for Windows to ignore restart requests.

    Windows XP and 7 are not designed to function as a reliable server while Linux is designed that way and often used exactly that way.
  • Mike Green Posts: 23,101
    edited 2010-11-10 21:00
    If you can't use Linux, a PINK and a Stamp or Propeller would be able to reliably serve up web pages based on information from multiple sensors much cheaper, smaller, and more reliably than a PC running Windows without the problems of anti-viral updates, unexpected OS updates, etc.
  • john_s Posts: 369
    edited 2010-11-10 22:52
    Mike Green wrote: »
    I think you've created a list of requirements that guarantee failure. You would be much more likely to be successful if you used one of the Linux distributions.

    You are not going to be able to do anti-virus updates without occasional restarts.

    I think it's possible to disable Windows Update, but it's impossible to prevent all warning messages and it's impossible for Windows to ignore restart requests.

    Windows XP and 7 are not designed to function as a reliable server while Linux is designed that way and often used exactly that way.

    I wish I had a choice but it has to be Win :)

    Sooooo ... I'd like to hear from people using Win OS on their suggestions on how to minimize the damage.
  • kwinn Posts: 8,697
    edited 2010-11-11 05:44
    Does it have to be a PC running windows, or could it be a PC running DOS? I used an old 386 laptop running DOS and a TSR a few years back to log calls on a small pbx.

    No problems with updates.
  • john_s Posts: 369
    edited 2010-11-11 07:54
    kwinn wrote: »
    Does it have to be a PC running windows, or could it be a PC running DOS? I used an old 386 laptop running DOS and a TSR a few years back to log calls on a small pbx.

    No problems with updates.

    It has to be Windows OS - other than that it's open for discussion :)
  • VonSzarvas Posts: 3,342
    edited 2010-11-11 10:06
    is this a server hosting that reads/collects the sensor data and serves that data on a webpage? Running IIS perhaps? (the windows web server).

    If this is the only purpose of the machine, then antivirus software would be redundant. Don't install it and you won't have problems!

    With XP you can disable all the annoying balloon popups from the registry... are those the ones that concern you? (can write up the instructions if you need, just shout)

    About the updates, you can disable automatic updates, so again no updates or automatic reboots. Might be useful to manually login and run the update once a month or so just in case.

    Within the machine BIOS you can set it to always poweron (ie. boot up) whenever power is cut then restored.

    XP cannot simply be set (AFAIK) to ignore restart requests. But why would they occur? If you have removed AV software and disabled updates, then is there any other software on this machine which is critical to your data acq. that might seek updates and reboot the machine? Any unused software should be uninstalled of course. -- In any event, by closing the outgoing traffic with the firewall, then no software would be able to download updates, and thus one assumes not reboot the machine...


    All the above with one important..> Provide a proper firewall configured to only allow port 80 access to the iis server and nothing else! When you need to manually run the windows update, you will also need to temporarily enable outgoing traffic from the machine (to the windows updates servers, or just the whole net for the few minutes it takes), then when finished set the firewall back to only port 80/http in. It's been a while, but I am sure you can find a fine collection of free and simple XP firewalls around... Used to be a good free one called Softperfect personal firewall. That would do the job. I think gfi (used to be called sunbelt) have something too.

    I think that just about covers it..
  • john_s Posts: 369
    edited 2010-11-11 18:06
    Maxwin wrote: »
    is this a server hosting that reads/collects the sensor data and serves that data on a webpage? Running IIS perhaps? (the windows web server).

    The manufacturer of wireless nodes provides its own software with gateway hardware that takes care of the internet access. I plan to implement it as is.

    Maxwin wrote: »
    If this is the only purpose of the machine, then antivirus software would be redundant. Don't install it and you won't have problems!

    OK - no AV. But what about access to Internet from that machine? Will it compromise security (i.e. get infected) ?

    Maxwin wrote: »
    With XP you can disable all the annoying balloon popups from the registry... are those the ones that concern you? (can write up the instructions if you need, just shout)

    I'd appreciate it a lot! Would be nice to follow some written instructions from your own experience.

    Maxwin wrote: »
    About the updates, you can disable automatic updates.....

    Any thoughts on how the all above mentioned differs when using win7 versus XP?
  • VonSzarvas Posts: 3,342
    edited 2010-11-12 04:10
    john_s wrote: »
    OK - no AV. But what about access to Internet from that machine? Will it compromise security (i.e. get infected) ?

    Depends on the sites you connect to, and ultimately what you download and execute on that machine. If you are only connecting to legitimate software update sites (for stuff you have already deemed safe and installed, ie the Windows update service), you have nothing to worry about. If you are browsing lots of random sites, searching for the next killer resistor sandwich, and perhaps downloading stuff to view offline, then you might consider some protection!

    When you allow outbound access to the internet from that machine for downloading updates, sync'ing time, etc., that does not allow some "bad guy" to enter your machine and do stuff. You need to interact to allow that, or leave all your firewall ports open and leave windows file sharing enabled... Of course that should have been added to the list of things to do (disable windows file sharing and also remove all the user accounts except the one admin account you use - and make sure it has a strong password. Also, ensure the default Guest account is disabled or removed.. see control panel/ users )


    john_s wrote: »
    I'd appreciate it a lot! Would be nice to follow some written instructions from your own experience.

    ...this site explains it well: http://www.howtogeek.com/howto/windows/disable-notification-balloons-in-xp/

    john_s wrote: »
    Any thoughts on how the all above mentioned differs when using win7 versus XP?

    Not used win7.

    -- Some other links for "hardening" your xp

    http://www.ghacks.net/2007/02/14/harden-xp-by-disabling-services/
    http://www.softwaretipsandtricks.com/windowsxp/articles/445/1/Protecting-XP-from-intruders
    http://www.softwaretipsandtricks.com/windowsxp/articles/454/1/Harden-XP-Part1

    You will find many more (no doubt) with a search engine. Basically removing unpassworded user accounts, closing all unneeded services and unneeded ports is the most important, and ensure the machine is firewalled so nothing can get in (except the web traffic)... except maybe allow the machine outbound on UDP port 123 to enable it to keep the time sync'd, if that is important for your logging.
  • Franklin Posts: 4,747
    edited 2010-11-12 10:19
    We plan to collect data from multiple sensors and make the results available for us and the end-user via IE or Mozilla
    Set your system to never download updates, not run av, connect to no websites and only deliver the one web page.
  • john_s Posts: 369
    edited 2010-11-12 11:08
    Franklin wrote: »
    Set your system to never download updates, not run av, connect to no websites and only deliver the one web page.

    Well said - will do!
  • john_s Posts: 369
    edited 2010-11-12 11:10
    Thanks a lot! Time to browse the links
  • Tubular Posts: 4,646
    edited 2010-11-17 17:39
    John,

    All the best with this, from someone who has been there before. In my case it was over 10 years ago, so windows 98 and/or NT basically. I always remember the windows 49.7 day bug... a patch was released to fix it, but it just goes to show the sort of thing that can cause you to lose hair...
    http://support.microsoft.com/kb/216641

    If I was to do this again today, I would be finding the oldest Windows that can work with your application software set. If it can run on it, I would look seriously at something like XP embedded, which has much of the junk stripped out. Give your system heaps of RAM to delay issues due to memory leaks, and watch the system memory usage creeping up over time to estimate how long you have before you're likely to hit disk swapping and related issues. If possible consider doing a scheduled reboot every week, or month, or at a time that would tie in with your end user. You can add a UPS which helps with uptime but also the controlled shutdown.

    Don't forget to keep your time synced using an NTP server, which can also handle daylight savings adjustments etc. Perhaps windows does this automatically these days as I have not noticed it being as big an issue as it used to be (wandering clock getting minutes out of sync over extended time).

    good luck
    tubular
  • john_s Posts: 369
    edited 2010-11-17 20:50
    So "backsizing" the OS is the way to go I guess :-)

    Yet seriously - I see nothing wrong in going this way for just plain data collection. However, this new system must use new PC, and as such will come with software written just months ago and must be windows-7 based. If it was my choice I would still operate a DOS bbs with few scripts written to receive some plain ASCII and store it in .CSV files for further analysis. And that's exactly what I did in the past.

    As far as memory leaks - what memory leaks? :-)
    I can see that in our office XP based systems on a daily basis, when after sitting "idle" or overnight the system refuses to even shut down next morning.

    However, the reality is that I'm way behind novelties (as I never even saw Vista or haven't touched Win7), so I have NO clue on what to expect from those .. And I expect the worst - from both hardware and software behaviour when left to run unattended.

    Thanks for your support,
    John

    p.s. btw, no worries about losing my hair - I lost it already :-)
  • john_s Posts: 369
    edited 2010-11-18 20:30
    ..> Provide a proper firewall configured to only allow port 80 access to the iis server and nothing else! ..

    So far I found this ... but I have NO clue why these are recommended (see below)

    Summary of outbound rules:

    Allow UDP 53, TCP 53 to [DNS server of your choice]
    Allow TCP 80, TCP 443 to go.microsoft.com
    Allow TCP 80, TCP 443 to wpa.one.microsoft.com
    Allow TCP 80, TCP 443 to crl.microsoft.com
    Allow TCP 80, TCP 443 to wwwtk2test1.microsoft.com
    Allow TCP 80, TCP 443 to wwwtk2test2.microsoft.com
    Allow TCP 80, TCP 443 to 64.4.11.160/32
    Allow TCP 80, TCP 443 to 64.4.0.0/18
    Allow TCP 80, TCP 443 to 65.52.0.0/14
  • VonSzarvas Posts: 3,342
    edited 2010-11-18 23:32
    the ports 80 and 443 are http & https. unsecure and secure web browsing connection, used for the microsoft updates. port 53 is to resolve dns. Ie, a service used to translate www.parallax.com into 67.104.29.61

    A computer needs to know the numbers (not the name) to connect to the parallax website, so it first uses the dns service to find out the numbers.

    You could likely (though not necessarily) browse the parallax website using http://67.104.29.61 instead of the "easier for human to remember" http://www.parallax.com

    -- So, excluding the fact that the last 3 rules you listed might be of concern (as we don't know what those IP addresses are), the rest seem ok. Although, as previously suggested on this thread, you might be better to close ALL outgoing ports if you do not need to have microsoft doing automatic updates, and don't need the webserver sending you email stats or whatnot.

    Turn off the automatic updates, then periodically do it manually if you are concerned about a serious cyber threat. At that time, manually open the firewall, do the updates, then close the firewall again. simple.

    ...You have to consider what that serious cyber threat is likely to be... with all your ports closed and perhaps no "life threatening" or "super valuable" data on this server, who is really going to spend the hours/months/years breaking in? Is it really worth more effort to keep it updated when it works perfectly well as it is. Sometimes the update "mania" leads to more problems and stresses than it solves. XP is well matured now.. I suspect it would be a safe bet to install it once with the latest patches/service packs, then close the firewall inbound and outbound completely (with the exception of port 80 inbound for the webserver), turn off the microsoft update service and file sharing services, then forget about that pc leaving it to collect its data 24/7. Your protection is further supported if this machine is behind some kind of NAT device (ie, you have a local ip address at the PC, rather than a public one).
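
Added example, not written by any poster in this thread: a small Python audit of the outbound rule summary john_s posted, separating rules that name a host from rules that give only an address or range, and showing how many addresses each range opens. The `"review"`/`"named"` labels and function names are this example's own.

```python
import ipaddress
import re

# Outbound rule summary copied from john_s's post above.
RULES = """\
Allow UDP 53, TCP 53 to [DNS server of your choice]
Allow TCP 80, TCP 443 to go.microsoft.com
Allow TCP 80, TCP 443 to wpa.one.microsoft.com
Allow TCP 80, TCP 443 to crl.microsoft.com
Allow TCP 80, TCP 443 to wwwtk2test1.microsoft.com
Allow TCP 80, TCP 443 to wwwtk2test2.microsoft.com
Allow TCP 80, TCP 443 to 64.4.11.160/32
Allow TCP 80, TCP 443 to 64.4.0.0/18
Allow TCP 80, TCP 443 to 65.52.0.0/14
"""

RULE_RE = re.compile(r"^Allow\s+(?P<ports>.+?)\s+to\s+(?P<dest>.+)$")


def parse_rule(line):
    """Split one 'Allow PROTO PORT, ... to DEST' line into (ports, dest)."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised rule: {line!r}")
    ports = []
    for item in m["ports"].split(","):
        proto, port = item.split()
        ports.append((proto.upper(), int(port)))
    return ports, m["dest"].strip()


def audit(text):
    """Label each rule; destinations given only as IPs need identifying."""
    report = []
    for line in filter(str.strip, text.splitlines()):
        ports, dest = parse_rule(line)
        try:
            count = ipaddress.ip_network(dest, strict=False).num_addresses
            verdict = "review"   # bare address or range, owner not stated
        except ValueError:
            count = None         # hostname or placeholder, readable as-is
            verdict = "named"
        report.append({"dest": dest, "ports": ports,
                       "addresses": count, "verdict": verdict})
    return report


if __name__ == "__main__":
    for r in audit(RULES):
        size = "" if r["addresses"] is None else f" ({r['addresses']} addresses)"
        print(f"{r['verdict']:<7}{r['dest']}{size}")
```
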
  • VonSzarvas Posts: 3,342
    edited 2010-11-18 23:37
    .. thinking about it, those firewall rules may have been auto-created (or you may have been pop-up'd to request permission) during the pc setup/software install phase.

    probably likely that setup programs will try to contact the mothership during or just after install. Microsoft also requires connections for the licence authentication etc...

    Anyhow, once all is setup and running, you can safely delete all those rules.

    If a program desperately needs to connect at a later time (say you login to that machine and try a manual update of something), you will likely just get another popup requesting it, which you can choose to accept, deny, or ignore.
  • john_s Posts: 369
    edited 2010-11-19 09:23
    Although, as previously suggested on this thread, you might be better to close ALL outgoing ports if you do not need to have microsoft doing automatic updates, and don't need the webserver sending you email stats or whatnot.

    Turn off the automatic updates, then periodically do it manually if you are concerned about a serious cyber threat. At that time, manually open the firewall, do the updates, then close the firewall again. simple.

    Yes and yes..

    ... Your protection is further supported if this machine is behind some kind of NAT device (ie, you have a local ip address at the PC, rather than a public one).

    Might need your help here..
    NAT device - what is it?
    Local IP address at the PC - is it the same as static IP?
  • icepuck Posts: 466
    edited 2010-11-20 19:03
    What ver of win7 came with the computer? If I remember right win7 home premium is where some of the networking starts to be usable,file/print sharing etc.

    For example if you were used to the networking in xp pro worked then you have to use win7pro.
    Remote desktop is a lot better in win7pro than it was in xp pro,plus you can connect to xp remotes.

    Since a full linux install is not an option here's links to get some linux functionality on windows if you need to.
    http://www.cygwin.com/
    http://www.webdevelopersnotes.com/how-do-i/install-apache-windows-7.php
    keep in mind I'm just making suggestions to different options and/or possibilities..
    Hope this helps..
    -dan
  • icepuck Posts: 466
    edited 2010-11-20 19:19
    john_s wrote: »
    Might need your help here..
    NAT device - what is it?
    Local IP address at the PC - is it the same as static IP?

    Basically you set up your (if you have one)router on the internal network to take outside requests and forward to an internal ip address.

    For example HTTP or port 80 requests would be forwarded to the ip address of the computer handling those requests.
    How you do this depends on your specific router/software setup.

    No doubt someone else here can give a better explanation/more details if needed, just ask.
    -dan
  • john_s Posts: 369
    edited 2010-11-20 23:09
    Dan,

    Thanks for tips on win7 and reason to go with 7pro version.

    One question - seems like doing linux under windows umbrella kind of defy the whole reason of jumping into linux, or doesn't it?
  • icepuck Posts: 466
    edited 2010-11-21 11:15
    john_s wrote: »
    Dan,
    One question - seems like doing linux under windows umbrella kind of defy the whole reason of jumping into linux, or doesn't it?

    Back in the good old days it was used for small or simple linux programs. It was a way of gaining some Linux API functionality without the headache of setting up a full linux install.

    Nowadays if you need access to features of another os it's probably easier to use something like virtual box or virtualPC and run the other os from there.
    -dan