dimitrifrom31 Posted August 31, 2009

I thought it was just some kind of accident but I had the same problem 3 times this week on 3 different game servers, installed on 3 different machines: suddenly the server is no longer answering, I receive the TCA notification by email, it gets restarted but doesn't come online again. I connect to the Remote Desktop, start the server manually with a bat using exactly the same command line as used by TCA and it works fine...

The only solution I found so far was to make a copy of the server files, reinstall it, then delete the new gameserver folder and use the old files. It then works, but it's using exactly the same files as before...

And today kind of the same problem but way more annoying: a game server that was working fine for months stopped responding. I tried to connect to Remote Desktop but wasn't able to. In HLSW I could see 6 servers of that machine were not responding so I rebooted it. All servers were getting back online 1 by 1 and when it came to a particular server I could see it on HLSW for a second, then it pinged at 600+ and stopped responding. Idk if it was using 100% CPU cuz Remote Desktop was totally stuck. I disabled that server, started it manually with a bat and it then worked fine... Same thing, I reinstalled it, then deleted the new install and used the old files and it was working again.

If you've got any idea about what the cause could be (must be something to do with the TCA service I assume) and how I could prevent it from happening again, that would help me.

studeggle Posted August 31, 2009

I would look at the services folder (inside monitor inside the tcadmin folder). This contains the apps and configs that start each game. The service in Windows actually points to those, not directly to the game. Then those point to and start the game. If you have the wrong file permissions set up, such as games running under a Windows admin account (the current default), it's possible someone or their mod is messing with these files.

It could also be possible that the spot on your hard drive where these files are located is dying; you may want to perform a thorough disk check with whatever program you use. (I hope not Windows scandisk.)

Lastly I'd look at putting in a ticket and getting Luis's feedback on the situation.

dimitrifrom31 Posted September 1, 2009

I will check my disks, altho I doubt 3 HDDs are failing the same month. I'm using Ariolic disk scanner, probably not the best, what would you recommend?

About permissions, it's all by default and it works fine at reinstalling so it should not be that.

Thx for your help. If the problem happens again I will submit a ticket, but I wanted to know if this was some kind of common issue that could happen or if I had a cfg problem or w/e.

studeggle Posted September 1, 2009

I use SpinRite. It is very thorough; the only bad thing is it's not a Windows app. It has its own boot and will take the system offline until completed.

The file permission point was about the fact that game exploits and/or mods can alter files, and if you use default permissions then every one of your game servers has full access to your system's hard drives. So you're just hoping that there are no exploits in the games you host, or at least that they are not exploited. Hence the reason many of us go in and create user-level accounts and set each service to use them, thereby locking any compromise to the game files that are compromised.

dimitrifrom31 Posted September 1, 2009

I've got a tool with its own boot as well, may try it later as it requires the server offline for at least 2 hours... Ariolic did not return any error.

I'm thinking about creating a Windows user per TCA service. I tried using the group users but the service was instantly stopped after start. I tried with the group "users with power", which worked fine, altho I was wondering what was the best for security.

To which group do you assign the Windows users created for TCA?

Thx

studeggle Posted September 1, 2009

Steps to tighten security on TCAdmin

1. Create a user on Windows (I use the client's user name) and set the password to never expire and can't change. Do not grant remote desktop privilege; this is not needed and just adds an additional account someone can use to try and crack into your box with.
2. Assign that user to the "users" group (this actually should happen by default).
3. Go to the client's base folder (the one with their name), right click and select properties.
4. Select the Security tab and go to add.
5. Add the user you just created and give them full access to that folder, sub folders and files.
6. IMPORTANT: Go to your tcadmin folder and select monitor and services (default install: C:\Program Files\TCAdmin Control Panel\Monitor\Services), right click the corresponding services folder and assign permissions like above.
7. Now go to your services window and select properties on the corresponding service.
8. Go to the log on tab and select "this account" instead of local system account.
9. Enter the login credentials you just made and save.
10. Restart the service. It is now running with the restricted access that will ensure any exploit remains confined to the game server that is exploited.
11. Repeat the process for each customer on that box, then proceed to your next box and repeat.

Step 6 is important as the services actually point to and start a file from this folder, so if the user account does not have access the service will tell you it starts then stops. I think technically it never actually started due to being denied permission.

You can make this process a bit easier if you have lots and lots of clients per box by creating a user group "tcadmincustomers" (or some other if you wish) and simply giving that user group access to C:\Program Files\TCAdmin Control Panel\Monitor\Services, then assigning all users you create to this group as well. But the down side is a game exploit could conceivably mess with all the service startup files, so when they are restarted they won't restart. This is repairable and would not actually affect the other customers' game files, just startup. So it's just a case of more work now or possibly more work later.

I provided instructions for the tightest level of security. Use of power users, administrators, or other high level accounts to run a game server means that the game has all the permissions that a user at that level would have. Given the number of published exploits in game servers and the number of patches, this represents a somewhat serious security breach, but by the same token no system is entirely secure. Simply, the more work you put forth ahead of time the less likely you are to have a breach.

dimitrifrom31 Posted September 1, 2009

OK, and thx for the time you spent on that nice guide. Altho after following your 11 steps (and I did everything properly as I had already played with that stuff and am familiar with it) the service timed out at starting. So I will try the second solution with the TCA group and see how it goes this way.

studeggle Posted September 1, 2009

Make sure it is "full control" you are giving. I had a timeout a couple of times and when I went back and checked they didn't have full control checked. (Although I could have sworn I did.)

dimitrifrom31 Posted September 1, 2009

Ye, I gave full control, will try to figure out what's wrong. I tried on a "test service" and now I can't even change its log on account or start/stop it. Must be something wrong somewhere, just need to find what.

dimitrifrom31 Posted September 1, 2009

OK, got it working, seems that it was some Windows mystery and a reboot fixed it.

I'm now trying to automate the max I can and so far I was able to create a new user, assign him to a premade tcagroup which has total control of TCA\monitor\Services, and give full control to the created user over his user files folder.

What I wasn't able to automate:

- Give full control to the user over TCA\Monitor\Services\his_service_id (that's why I gave full control over all services to his group instead) cuz for that I would need a variable like %TCASERVICEID%
- Remove the remote control permission from the user (still have to do it manually)
- Start the service with the user account (still have to do it manually)

Here is my install script if anyone is interested:

    rem %serverip%, %serverport% and %userfilespath-notrailingslash% are TCAdmin script variables
    net user %serverip%_%serverport% %serverport% /add /passwordchg:no
    net localgroup tcagroup %serverip%_%serverport% /add
    rem Note: this sets the machine-wide maximum password age, not a per-user setting
    net accounts /maxpwage:unlimited
    rem Path quoted so that folders with spaces work
    cacls "%userfilespath-notrailingslash%" /e /g %serverip%_%serverport%:f

- net user creates a new user called serverip_serverport with password serverport
- net localgroup assigns him to the tcagroup I created manually
- net accounts removes the password expiration
- cacls gives the user full control over his files.

studeggle Posted September 1, 2009

Sweet, I may just use that. Word of caution though: Windows is anything but bug free, so you might want a more complex password than just the server port (especially after posting it here), as you're relying on Windows to keep the account locked out from remote access.

Just a thought, I know I'm a security nut.

dimitrifrom31 Posted September 1, 2009

Ye, I just posted this as an example, you can set the password to something more complicated like %serverip%%serverport%%serverip%%queryport%, and btw when you create new users this way they cannot log onto the remote desktop (I just tried and got an error saying that only users belonging to the "remote desktop" group could start an RD session).

I'm now looking for a way to automate the "start service as" login and password. Found some stuff like http://weblogs.asp.net/avnerk/archive/2007/05/08/setting-windows-service-account-c-and-wmi.aspx but idk how to deal with it, so I opened a support ticket hoping Luis can give a hand on this. I also browsed TCA\Monitor\Services\InstallFiles and I assume something can be done with the TCAdminService.exe.config.

studeggle Posted September 1, 2009

Yep, I know on the no login. But as I said, you're relying on Windows then. Plus, oh-so-helpful Windows has told the user that yes, they are using valid credentials, they just have to deal with permission issues.

Thank you for sharing. I have played with the variables and gotten one I like. Which, for those copying, is the best way to go: tcadmin has lots of variables, so customize it to fit you.

dimitrifrom31 Posted September 1, 2009

About the uninstall script, I recommend you use this:

    rem Remove the per-server account, then its leftover profile folder
    net user %serverip%_%serverport% /delete
    RMDIR /S /Q "C:\documents and settings\%serverip%_%serverport%"

Cuz I noticed every time you create a new user it also creates its profile files in documents and settings. That's about 25MB "only", but after a few months it can be a mess.

dimitrifrom31 Posted September 2, 2009

Luis linked me there: http://clients.tcadmin.com/knowledgebase.php?action=displayarticle&catid=15&id=37

I've just asked him if there was a way to automate the second method, but the first method of that article can be a first easy step to a more secured system for those who still use default settings.

dimitrifrom31 Posted September 19, 2009

this should make it fully

    @echo off&setlocal enableextensions
    rem Service id = name of the current folder (the script runs from the service folder)
    for %%* in (.) do set serviceid=%%~n*
    if not defined serviceid set serviceid=%CD:\=%
    netsh firewall add allowedprogram "%gameserverexe%" %serverip%_%serverport% ENABLE
    rem Password is the server port here; see the posts above about choosing a stronger one
    net user %serverip%_%serverport% %serverport% /add /passwordchg:no
    net accounts /maxpwage:unlimited
    rem Full control for the new account on its own game files and its own service folder only
    cacls "%userfilespath-notrailingslash%" /e /g %serverip%_%serverport%:f
    cacls "C:\Program Files (x86)\TCAdmin Control Panel\Monitor\Services\%serviceid%" /e /g %serverip%_%serverport%:f
    rem Carets escape < and > so cmd writes them instead of treating them as redirection
    > "C:\Program Files (x86)\TCAdmin Control Panel\Monitor\Services\%serviceid%\RunAs.config" echo ^<?xml version="1.0" encoding="Windows-1252"?^>^<configuration^>^<appSettings^>^<add key="RunAs.Account" value="%serverip%_%serverport%" /^>^<add key="RunAs.Password" value="%serverport%" /^>^</appSettings^>^</configuration^>
    sc stop %serviceid%
    rem sc needs a space after "obj=" and "password=", and a local account is written as .\name
    sc config %serviceid% obj= ".\%serverip%_%serverport%" password= "%serverport%"

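An added check, not part of the thread or of TCAdmin: the PowerShell below lists every Windows service whose executable sits under the Monitor\Services folder and reports the conditions the posts above warn about (LocalSystem or admin-level logon accounts, one account shared between services, and other identities with write access to a service's startup folder). It assumes the default install path quoted in the thread, English group names and PowerShell 5.1 or later; the function names are made up for this example.

```powershell
# Added example, not from the thread: audit how each TCAdmin game service is confined.
# Assumption: default install path quoted in the thread (use "Program Files (x86)" on x64).
$ServicesRoot = 'C:\Program Files\TCAdmin Control Panel\Monitor\Services'

function Get-PrivilegedLocalAccounts {
    # Group names assume an English Windows install; missing groups are skipped.
    foreach ($group in 'Administrators', 'Power Users') {
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Name -replace '^.*\\', '' }
    }
}

function Get-GameServiceAudit {
    param([string]$Root = $ServicesRoot)

    $privileged = @(Get-PrivilegedLocalAccounts)
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write
    # Identities expected to have write access besides the service account itself.
    $expected = '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|NT SERVICE\\TrustedInstaller|CREATOR OWNER)$'

    # Keep only services whose executable lives under the TCAdmin Services folder.
    $services = @(Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -match '^"?(.+?\.exe)' -and
        $Matches[1].StartsWith($Root, [StringComparison]::OrdinalIgnoreCase)
    })
    # Logon accounts used by more than one service: one exploit reaches all of them.
    $shared = @($services | Group-Object StartName | Where-Object { $_.Count -gt 1 } |
        Select-Object -ExpandProperty Name)

    foreach ($svc in $services) {
        $null = $svc.PathName -match '^"?(.+?\.exe)'
        $dir = Split-Path -Parent $Matches[1]
        $account = $svc.StartName -replace '^.*\\', ''
        $findings = @()

        if ($svc.StartName -eq 'LocalSystem') { $findings += 'runs as LocalSystem' }
        if ($privileged -contains $account) { $findings += 'account is in Administrators or Power Users' }
        if ($shared -contains $svc.StartName) { $findings += 'logon account shared with another service' }

        # Anyone else allowed to write here can tamper with this service's startup files.
        $others = @((Get-Acl -LiteralPath $dir).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $write) -ne 0 -and
            $_.IdentityReference.Value -notmatch $expected -and
            ($_.IdentityReference.Value -replace '^.*\\', '') -ne $account
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
        if ($others) { $findings += 'folder also writable by: ' + ($others -join ', ') }

        [pscustomobject]@{
            Service  = $svc.Name
            RunsAs   = $svc.StartName
            Findings = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

Get-GameServiceAudit | Format-Table -AutoSize -Wrap
```

A shared group with full control over the whole Services folder, as in the "tcadmincustomers" shortcut described earlier, shows up in the last finding for every service.
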
urMom Posted November 23, 2009

I would prefer that the TCAdmin Monitor Service run under a different user context as well.. in fact, I would prefer that any new services it creates would inherit the same user context, so that at least the services on the host would be jailed from the rest of the file system. However, without digging all too deep, though I enabled a user the Log On as a Service Right, it needs a right to start the game services themselves. Even with the same service account, it cannot start the game services when running as a user.. In general, I want to jail the monitor service to run as a user, and need more info to rig that. Ideally, it could only start services with the same service account.. though I can also see the need to start others if these folks are creating different user accounts per client.

dimitrifrom31 Posted November 23, 2009

check your folder permissions (ACL's)

nhouck Posted December 11, 2009

I am having exact same problem. I thought it was a box issue, but it's now happening on two boxes. Rebooting did not fix either box.

1. New servers installed seem to randomly not respond in HLSW or via the game (can't connect), but somehow show as working in TCA status? Or sometimes they do not show working in TCA either.
2. Starting server with .bat file works perfectly with same game files and command line as copied from TCA.
3. Move the server to new box with TCA and it works fine.

If anyone knows what's going on here please share your thoughts. This just randomly started on a server box that has been up for 2 years and never had an issue. Not very many games on it either, like 10 on one box and 2 on another box which is brand new.

nhouck Posted December 11, 2009

Just tried to delete one of the servers on the new box and got this error, something obviously up with the services / .net stuff:

    An error occurred while uninstalling the service:
    Microsoft ® .NET Framework Installation utility Version 1.1.4322.573
    Copyright © Microsoft Corporation 1998-2002. All rights reserved.
    The uninstall is beginning.
    See the contents of the log file for the c:\program files (x86)\tcadmin control panel\monitor\services\tc02405751237840407116174\tcadminservice.exe assembly's progress.
    The file is located at c:\program files (x86)\tcadmin control panel\monitor\services\tc02405751237840407116174\tcadminservice.InstallLog.
    Uninstalling assembly 'c:\program files (x86)\tcadmin control panel\monitor\services\tc02405751237840407116174\tcadminservice.exe'.
    Affected parameters are:
    assemblypath = c:\program files (x86)\tcadmin control panel\monitor\services\tc02405751237840407116174\tcadminservice.exe
    logfile = c:\program files (x86)\tcadmin control panel\monitor\services\tc02405751237840407116174\tcadminservice.InstallLog
    Unable to create an instance of the TCAdminService.ProjectInstaller installer type.
    System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation.
    The inner exception System.Xml.XmlException was thrown with the following error message: The root element is missing..
    An exception occurred during the uninstallation of the System.Configuration.Install.AssemblyInstaller installer.
    System.InvalidOperationException: Unable to create an instance of the TCAdminService.ProjectInstaller installer type.
    The inner exception System.Reflection.TargetInvocationException was thrown with the following error message: Exception has been thrown by the target of an invocation..
    The inner exception System.Xml.XmlException was thrown with the following error message: The root element is missing..
    An exception occurred while uninstalling. This exception will be ignored and the uninstall will continue. However, the application might not be fully uninstalled after the uninstall is complete.
    The uninstall has completed.
    An exception occurred while uninstalling. This exception will be ignored and the uninstall will continue. However, the application might not be fully uninstalled after the uninstall is complete.

dimitrifrom31 Posted December 11, 2009

did u try to go to the service settings, click on save and then restart it?

nhouck Posted December 11, 2009

That one I just manually cleaned up and otherwise the box seems to be working now. (btw, do not reinstall tcadmin monitor and then forget to do software update on it, it will not start your servers, found that out the hard way)

Anyway I'm still getting this error on the other box where the game is running and can be queried and get status from inside tcadmin, but ppl can't connect to it and HLSW can't connect. There is no firewall / ipsec or any of that, and it has been working fine for 2 years. At a loss. There are some servers on the box running just fine, only new ones seem to have this issue.

RaMMz Posted December 20, 2009

Hi, I'm having a little problem using a single user account for a server. The problem is that the server can't load VALVE Anti-Cheat when the service is loaded as the user, but when I try to load the service as local system, the VAC loads. Help!

btw, thanks

This topic is now archived and is closed to further replies.