I update this article periodically to keep it current. The principles never change though.
Who should read this? Those who are responsible for business IT systems.
Do things the right way.
When staff ask why things aren’t as simple or easy as they’d like, you know their expectations of business IT resources are inconsistent with reality. Perhaps they’re using email as a CRM or their desktop as their filing system. Either they need to adjust their expectations or you need to adjust the IT systems to meet their expectations. Start here. Solve the issue of expectations and everything else falls into place.
You’ll want at least two IT policy documents: a general IT policy document and a security policy document. These two documents give a platform for expectations. Staff should be obligated to read these documents and agree to them. The objective of the policy documents is to ensure staff know what they can and can’t do. They also guide you (the IT person) on what the business expects in terms of your workload and responsibilities.
Switches and routers.
This is the backbone of the network. Make sure you use good quality parts. Use Cisco or HP enterprise level equipment. Any Cisco switch with gigabit speeds on all ports is a good option, and consider the value of PoE, especially if you have IP phones. Don’t get sucked into the idea that Wi-Fi is an acceptable replacement for ethernet – not yet. It’s still shared media, still new technology and still not as reliable as ethernet. One day we will surely change to Wi-Fi for workstations, but that day is not today. Finally, use the router (Internet gateway) as the DHCP server. If the server goes offline for whatever reason, you will want (at least) Internet access, and you’ll only get that if you have an IP address. The DHCP server should hand out two DNS server addresses: the first is the internal server and the second is an external server such as 22.214.171.124. That way, if the internal server is offline, the workstations fall back to the second address and will work fine surfing the net.
Workstations and portable devices.
Make sure to use good quality workstations. Go with mid-range or enterprise grade workstations from Lenovo or HP. Make sure all (yes, all) workstations are connected to the network via ethernet. Wi-Fi is for guests and mobile devices (phones and tablets) and NOT workstations. A rule of thumb is “if you do word processing on the device, plug it in”. Laptops should be able to connect to both, but only for convenience. Laptops are often used in board rooms and meeting rooms and it’s nice that they just work. But for day-to-day work, plug an ethernet cable into the device. Good brands for laptops are Lenovo, Sony, Apple, HP and Toshiba. Make sure you use the enterprise grade gear and not their home-grade gear. Spend towards $1.5k Australian (or more) on a laptop. Any less and you are getting home-grade gear. Allow staff to install software on their computers themselves. Before you run for the hills, consider this – you can designate one staff member as the deputy system administrator. This means staff ‘can’ install things if you’re not around. The deputy, knowing they’re the only one who knows that password, is compelled to use it sparingly. If all goes bad, they are as guilty as a puppy sitting next to a pile of poo.
The primary server should run either Linux with Samba4 or Windows Server (whatever version you like), but don’t get Microsoft Exchange or any kind of email or collaboration server hosted internally. Use Office 365 or Gmail for Business. Again, if you’re not already using a hosted solution such as 365 or Gmail, do it now. No excuses, unless the business is so secretive they have no option but to host their own. There is nothing worse than troubleshooting mail servers and nothing more unnecessary given the options of SaaS. For the record, Samba4 is mature enough to host Active Directory to the point where you get group policies and can manage it from AD Users and Computers. And the workstations won’t know the difference. Windows Servers are fine too.
Virtualisation is fine. There is no security reason not to use it. Just make sure any DMZ is properly configured. But given that I recommend (below) not to host your own services, this shouldn’t be an issue.
Don’t host your website on a server within your network. The web server is the primary target for hackers, so put it somewhere else and make it their problem. Or put it in a cloud environment that you control, such as AWS. Either way, make sure there is no VPN between the web server and your office network. Use SSH and/or SCP to manage the content of your website, not FTP. A website framework such as WordPress is OK, but make sure to lock it down. You don’t want it defaced by hackers. Keep it up-to-date and back up the database.
Use SSL by default for your websites. There is no excuse any longer for using plain HTTP. SSL certificates are free if you use the (well respected) Let’s Encrypt service, and there will be others doing the same thing. They will give you as many certificates for your websites as you like. Then you can redirect your HTTP visitors to HTTPS.
We’re a Linux services business, but we still believe in the “right tool for the job” and therefore there is a place for Windows computers. Workstations (laptops and desktops) should be either Windows 10 or OSX (El Capitan) at the time of writing this. Always update major versions (such as from Windows 8 to Windows 10) after others do. Give new technology a few months to settle before you move, to prevent teething problems. Servers should be either Windows servers or Linux running Red Hat, CentOS, Debian or Ubuntu. Other distributions are fine, but that’s the order in which I recommend the choice be made. The important thing is how long the software is supported for. The longer the better. Keep in mind that Samba4 is comparable in terms of domain functionality to Windows servers. However, when it comes to printer sharing, Windows is the way to go. When there are fewer than 10 workstations, it’s not so bad to manually install drivers on each workstation. It’s when you have dozens to deal with that Windows printer services come into play. There is also the option to designate one workstation as the “printer server” and share printers from there. Make sure your workstations can be bound to the domain. Get the “pro” version of whatever you’re purchasing. Don’t go for the home-grade gear. That’s for home use.
Accounting packages such as MYOB and QuickBooks have cloud-based offerings which will save the business time and money. The benefits of a cloud solution are that you don’t have to share files between the accountant and bookkeeper, you can use it on any workstation and the backups are handled by ‘someone else’. Xero is another great option.
Back up everything daily. Include your server(s) configuration and data. Make sure you have your router’s configuration backed up too. Make sure you have documentation off-site along with the backups. You can use cloud services for backups, but use them in conjunction with USB backups or tapes. Cloud backups take too long to restore from in a disaster. Use at least 3 USB disks, making sure there is always one off-site. For example, on your way to work: you have one at home (or wherever is safe), one in the car with you on your way to work and the third plugged into the server. In case of a fire, you have to leave without carrying anything, so you’ll be happy to know you have at least one disk off-site. Test your backups regularly. Have one staff member pick a document (their choice, at random) for you to restore. Make sure they (the business) sign off on this as the policy. All documents should be expected to be on the server (data storage) before the end of the day – either in the staff member’s home drive or the common drive, but not on the staff member’s workstation. Workstations don’t have the luxury of multiple hard disks which your server does (make sure of it), and workstations don’t get backed up.
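The daily run described above, as an added example (not the author’s script): archive server data and configuration onto whichever of the three rotation disks is currently attached, check the archive reads back intact, and restore one file for the “pick a document” test. The mount points, the `.rotation-disk` marker file and the source paths are assumptions.

```shell
#!/bin/sh
# Daily backup to the attached rotation disk, with read-back check and a
# single-file restore. Example code added to this article, not the author's.
# Assumed: the three USB disks mount at /mnt/backup-a, -b and -c and each
# carries an empty marker file .rotation-disk, so an empty mount point is
# never mistaken for a disk.
set -e

find_backup_disk() {
    # Print the first mounted rotation disk; fail if none is attached.
    for d in "$@"; do
        [ -f "$d/.rotation-disk" ] && { printf '%s\n' "$d"; return 0; }
    done
    echo "no rotation disk attached" >&2
    return 1
}

backup_to() {
    # backup_to DEST PATH... : archive PATHs into DEST and record a checksum.
    dest=$1; shift
    name="backup-$(date +%Y%m%d).tgz"
    tar -czf "$dest/$name" "$@"
    (cd "$dest" && sha256sum "$name" > "$name.sha256")
    printf '%s\n' "$dest/$name"
}

verify_backup() {
    # The archive must match its checksum and be listable end to end.
    (cd "$(dirname "$1")" && sha256sum -c --status "$(basename "$1").sha256") \
        && tar -tzf "$1" > /dev/null
}

restore_one() {
    # restore_one ARCHIVE MEMBER DESTDIR : the staff member's spot check.
    tar -xzf "$1" -C "$3" "$2"
}

# Typical daily run (paths are assumptions for this example):
# disk=$(find_backup_disk /mnt/backup-a /mnt/backup-b /mnt/backup-c)
# archive=$(backup_to "$disk" /srv/data /etc/samba /etc/squid /etc/router-backup)
# verify_backup "$archive" || echo "backup failed on $disk" >&2
```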
Remove whatever antivirus comes with your workstation and install something that will inform you of detected threats. Use the same antivirus software on all workstations and laptops. Good AV companies will give you a portal allowing easy viewing of licenses and which machines those licenses are being used on.
I recommend a Cisco router or even a pfSense device, but no matter what gateway you’re using, make sure you’re controlling what can go in and out of your network. The outbound traffic is just as important to control as the inbound traffic. You don’t want to become a proxy for spammers and botnets. Ideally you’ll have no hosted services on your internal network such as websites and email. Those services should be hosted elsewhere, and ideally by other professional organisations. I’ve discussed this above. In terms of outbound access control, consider restricting outbound web-surfing access to your proxy server only – at least everything will be logged. Your internal server should be a web proxy (HTTP and HTTPS) and a DNS server. They don’t have to be on the same server, but in a small business they can be.
Web surfing Proxy.
Make sure you have a proxy in place for staff Internet use. Use Squid and ensure only the local net can get to the Internet for web surfing. Also make sure you’re blocking executables coming in from the Internet (Squid can easily do this). Staff wanting such files (perhaps add music and video files to the blocked list) should either ask you to add the target domain to a whitelist or get you to download and install whatever they’re trying to get. The big advantages you get from the proxy are: a) you control where web surfing originates, b) you control the files that can be downloaded, and c) you get log files. Squid will give you a retrospective view of web surfing activity.
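The Squid policy the two sections above describe (LAN-only proxy access, executables refused, a per-domain whitelist for requested exceptions, a request log), as an added example rather than the author’s configuration. The LAN range, the output path, the whitelist path and the extension list are assumptions; the check function confirms the policy still ends in a default deny after any later edits.

```shell
#!/bin/sh
# Generate and sanity-check the Squid access policy. Example code added to
# this article, not the author's configuration. Assumed: Squid reads
# /etc/squid/conf.d/*.conf and the whitelist lives at /etc/squid/whitelist.txt.
# Usage: write_squid_policy 192.168.1.0/24 /etc/squid/conf.d/policy.conf
write_squid_policy() {
    lan=$1; out=$2
    cat > "$out" <<EOF
# Who may use the proxy: the office LAN only, never the Internet side.
acl localnet src $lan
# File types staff must ask for instead of downloading directly.
acl blocked_ext urlpath_regex -i \.(exe|msi|bat|cmd|scr|dll|ps1|vbs|jar)(\?.*)?\$
acl blocked_mime rep_mime_type -i ^application/x-msdownload ^application/x-msdos-program
# Domains exempted by request, one per line.
acl whitelist dstdomain "/etc/squid/whitelist.txt"
http_access allow localnet whitelist
http_access deny blocked_ext
http_reply_access allow whitelist
http_reply_access deny blocked_mime
http_access allow localnet
http_access deny all
# The retrospective view: one log line per request.
access_log /var/log/squid/access.log squid
EOF
}

check_squid_policy() {
    # A policy is only closed if the last http_access line is "deny all";
    # a rule appended after it would silently reopen the proxy.
    [ "$(grep '^http_access' "$1" | tail -n 1)" = "http_access deny all" ]
}

# After writing: create the whitelist file if missing (Squid refuses to start
# without it), then let Squid parse the result before reloading.
# touch /etc/squid/whitelist.txt && squid -k parse && squid -k reconfigure
```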
Ideally use a domain rather than a workgroup. Samba 4 does this very well or use a Windows server if you’re more comfortable with Windows. It’s not a big deal if you only have a handful of users (such as 10 or less) but consider a domain for simpler control of workstation access.
When it comes to Wi-Fi, you have the choice of PSK or Enterprise. The difference is that PSK (pre-shared key) requires every device to use the same passphrase to access the wireless network, while Enterprise allows you to use domain user credentials to gain access. RADIUS is used for Enterprise authorisation. I recommend Enterprise authorisation because you can allow or deny someone access to the wireless network through the domain controller. If you have more than 10 staff, use the Enterprise option.
I recommend TeamViewer or VNC for workstations. For servers, use RDS for Windows servers and SSH and/or VNC for Linux servers. TeamViewer is costly but works well. If you’re using SSH, VNC or RDS, consider locking down the source to a few trusted locations such as your office and home. Don’t allow access to VNC or RDS from just any location – lock it down. SSH should require a key rather than just a password.
There are a few things to watch out for. If the business is low on money or simply tight, leave them for another IT service business to look after. Businesses like this are doomed. The ‘ideal’ business does exist, and they are the majority. They buy good quality equipment, they do backups and accept that they take time, and they realise that a little overhead from time to time is preferable to data loss, being hacked and/or reputation damage. Do it the right way.