I update this article periodically to keep it current. The principles never change though.
This article was first written in April 2016 and it’s still very relevant. I’ve kept it updated with the inclusion of new technologies and best practices.
Who should read this? Those who are responsible for small business IT systems.
Do things the right way.
When staff ask why things aren’t as simple or easy as they’d like, you know their expectations of business IT resources are inconsistent with reality. Perhaps they’re using email as a CRM or their desktop as their filing system. Either they need to adjust their expectations or you need to adjust the IT systems to meet their expectations. Start here. Solve the issue of expectations and everything else falls into place.
You’ll want at least two IT policy documents: a general IT policy and a security policy. These two documents set the scope for expectations. Staff should be obligated to read them and agree to them. The objective of the policy documents is to ensure staff know what they can and can’t do. They also guide you (the IT person) on what the business expects in terms of your workload and responsibilities. Because the proxy and servers described below log what staff do, the security policy should also state plainly that business systems are monitored. Policies also assist in staff termination for situations where business resources have been misused.
Switches and routers.
This is the backbone of the network. Make sure you use good quality parts. Use Cisco or HP enterprise-level equipment. Any Cisco switch with gigabit speeds on all ports is a good option, and consider the value of PoE, especially if you have IP phones or IP cameras. Don’t get sucked into the idea that WiFi is an acceptable replacement for Ethernet – not yet. It’s shared, contended media and not as reliable or predictable as a switched Ethernet port. One day we will surely change to WiFi for workstations but that day is not today. Keep your network devices up to date with firmware, change the default administrator credentials, and turn off the management protocols you don’t use (telnet and plain HTTP in particular) in favour of SSH and HTTPS.
When using an Active Directory Domain: the DHCP and DNS services should run on, and be controlled by, the Domain Controller. This ensures the Domain Controller has full functionality, that forward and reverse DNS work as intended, and that the workstations behave as expected. Don’t hand domain-joined workstations an external DNS server as a fallback: Windows clients don’t strictly try resolvers in order, and once one has switched to the external resolver it will fail to find internal names until its DNS cache is cleared.
When using a Workgroup (no domain): consider using the router (Internet gateway) as the DHCP server. If the server goes off-line for whatever reason, you will want (at least) Internet access and you’ll only get that if you have an IP address. The DHCP server should hand out two DNS server addresses; the first is the internal server and the second is an external resolver such as 188.8.131.52. If the internal server is off-line, the workstations will fall back to the second option and will work fine surfing the net. The caveat above about clients sticking to the external resolver applies here too, but in a workgroup there are few internal names to lose.
Workstations and portable devices.
Make sure to use good quality workstations. Go with mid-range or enterprise-grade workstations from Lenovo or HP. Make sure all (yes, all) workstations are connected to the network via Ethernet. WiFi is for guests and mobile devices (phones and tablets) and NOT workstations. A rule of thumb is “if you do word processing on the device, plug it in”. Laptops should be able to connect to both, but only for convenience. Laptops are often used in board rooms and meeting rooms and it’s nice that they just work. But for day-to-day work, plug an Ethernet cable into the device. Good brands for laptops are Lenovo, Sony, Apple, HP and Toshiba. Make sure you use their enterprise-grade gear and not their home-grade gear. Spend towards $1.5k Australian (or more) on a laptop. Any less and you are getting home-grade gear. Depending on your responsibilities with the business, you can either manage all workstation software installations yourself or designate one staff member as your deputy system administrator. This means staff ‘can’ install things if you’re not around (good for business continuity). Give the deputy their own named administrator account rather than a copy of yours, so the logs show who installed what, and leave ordinary staff accounts without admin rights. The deputy, knowing they’re the only one who knows that password, is compelled to use it sparingly. If all goes bad, they are as guilty as a puppy sitting next to a pile of poo.
The primary server should run either Linux with Samba4 or Windows Server (whatever version you like), but don’t run Microsoft Exchange or any kind of email or collaboration server hosted internally. Use Office 365 or Gmail for Business. Again, if you’re not already using a hosted solution such as 365 or Gmail, do it now. No excuses unless the business is so secretive they have no option but to host their own. There is nothing worse than troubleshooting mail servers and nothing more unnecessary given the options of SaaS. Hosting mail elsewhere doesn’t remove the account-takeover risk, so turn on multi-factor authentication for every mailbox. For the record, Samba4 is mature enough to host Active Directory to the point where you get group policies and can manage it from AD Users and Computers. And the workstations won’t know the difference. Windows Servers are fine too.
Virtualisation is fine. There is no security reason not to use it. Just make sure any DMZ is properly configured: a DMZ guest must not share a virtual switch with internal hosts, and the hypervisor’s management interface belongs on a management network, not where guests or the Internet can reach it. But given that I recommend (below) not hosting your own services, this shouldn’t be an issue.
Ensure servers have automatic updates configured, antivirus configured, backups configured and logging working, with the logs kept somewhere other than the host they describe so an intruder can’t simply clear them.
Don’t host your website on a server within your network. The web server is the primary target for hackers, so put it somewhere else and make it their problem. Or put it in a cloud environment that you control, such as AWS. Either way, make sure there is no VPN between the web server and your office network. Use SSH and SCP/SFTP to manage the content of your website, not FTP. A website framework such as WordPress is OK but make sure to lock it down: keep the core and plugins up to date, delete the plugins and themes you don’t use, give the admin account a strong unique password with two-factor authentication, and restrict the admin login to your own addresses where you can. You don’t want to get defaced by hackers. Keep it up to date and back up the database.
Use HTTPS by default for your websites. There is no excuse any longer for plain HTTP. TLS certificates (still commonly called SSL certificates) are free if you use the (well respected) Let’s Encrypt service, and there will be others doing the same thing. They will give you as many certificates for your websites as you like. The certificates are short-lived (90 days), so automate the renewal with their client rather than renewing by hand. Then redirect your HTTP visitors to HTTPS and, once the redirect has been stable for a while, add an HSTS header so browsers stop trying HTTP at all.
We’re a Linux services business but we still believe in the “right tool for the job” and therefore there is a place for Windows computers. Workstations (laptops and desktops) should be either Windows 10 or OS X (El Capitan) at the time of writing this. Always update major versions (such as from Windows 8 to Windows 10) after others do. Give new technology a few months to settle before you move, to prevent teething problems. Servers should be either Windows Server or Linux running Red Hat, CentOS, Debian or Ubuntu. Other distributions are fine but that’s the order in which I recommend the choice be made. The important thing is how long the software is supported for; the longer the better. Keep in mind that Samba4 is comparable in terms of domain functionality to Windows Server.
Keep software up to date on all systems that allow it, including routers, firewalls, access points, printers, phone systems, workstations, servers, smart phones and IoT (Internet of Things) devices.
If you have a Windows Domain, managing printers is easy. If you have a Workgroup, you’ll need to manually install printers on each workstation. This is another reason to switch from a Workgroup to a Domain. Avoid using a workstation as the print server. It can be done but comes with issues. That workstation needs a static IP address, which means it’s treated differently from other workstations, and that’s not ideal. Further, you need to keep that computer running, and reboots will potentially affect all staff. Do it right and use a Windows Domain with printer sharing configured properly.
Accounting packages such as MYOB and QuickBooks have cloud-based offerings which will save the business time and money. The benefits of a cloud solution are that you don’t have to share files between the accountant and bookkeeper, you can use it on any workstation and the backups are handled by ‘someone else’. Xero is another great option.
Back up everything daily. Include your server(s) configuration and data. Make sure you have your router’s configuration backed up too. Make sure you have documentation off-site along with the backups. You can use cloud services for backups but use them in conjunction with USB backups or tapes. Cloud backups take too long to restore from in a disaster. Use at least 3 USB disks, making sure there is always one off-site. For example, on your way to work: you have one at home (or wherever is safe), one in the car with you on your way to work and the other plugged into the server. In case of a fire, you have to leave without carrying anything so you’ll be happy to know you have at least one disk off-site. A disk that travels in a car can be lost or stolen, so encrypt the backup disks (LUKS or BitLocker To Go, depending on the server) and keep the key somewhere other than on the disk. Test your backups regularly. Have one staff member pick a document (their choice, at random) for you to restore. Make sure they (the business) sign off on this as the policy. All documents should be expected to be on the server (data storage) before the end of the day – either in the staff member’s home drive or the common drive but not on the staff member’s workstation. Workstations don’t have the luxury of multiple hard disks, which your server does (make sure of it), and workstations don’t get backed up.
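The daily backup and the two checks above (a restore test, and proof that the disks really leave the building) are easy to script. The following is an added example for this article, not the author’s own script: it treats each USB disk as a mount point, mirrors the share onto it, writes a SHA-256 manifest, restores a randomly chosen file and compares it with the live copy, and refuses to call a disk “rotated” if it was written less than 20 hours ago. The share and the two “disks” are temporary directories constructed for the demo, and the script assumes GNU coreutils (sha256sum) and tar.

```bash
#!/usr/bin/env bash
# Daily backup to whichever USB disk is plugged in, plus the two checks the
# text asks for: a restore test and proof that the disks really rotate.
# Added example for this article, not the author's script. The "disks" and
# the share are temporary directories constructed for the demo, and it
# assumes GNU coreutils (sha256sum) and tar.
set -eu

DATA_DIR=data            # mirror of the server share on the disk
MANIFEST=MANIFEST.sha256 # hash of every backed-up file
STAMP=LAST_BACKUP        # epoch seconds of the last run on that disk

# Mirror SRC onto DISK, then write a hash manifest and a timestamp.
# (The mirror is rebuilt from scratch here; on a real server rsync -a --delete
# does the same incrementally.)
backup_run() {
    local src=$1 disk=$2
    rm -rf "$disk/$DATA_DIR"
    mkdir -p "$disk/$DATA_DIR"
    tar -C "$src" -cf - . | tar -C "$disk/$DATA_DIR" -xf -
    (cd "$disk/$DATA_DIR" && find . -type f -exec sha256sum {} + | sort -k2) >"$disk/$MANIFEST"
    date +%s >"$disk/$STAMP"
}

# Re-hash the copy and compare with the manifest. Catches a disk that is
# failing, a copy that was interrupted, or a disk altered since it was written.
verify_disk() {
    local disk=$1
    (cd "$disk/$DATA_DIR" && sha256sum --quiet -c "../$MANIFEST")
}

# The "staff member picks a document at random" test, automated: restore one
# randomly chosen file from the disk and compare it with the live copy.
restore_test() {
    local src=$1 disk=$2 restore_dir=$3 rel
    rel=$(cd "$src" && find . -type f | awk 'BEGIN { srand() } { f[NR] = $0 } END { print f[int(rand() * NR) + 1] }')
    mkdir -p "$restore_dir/$(dirname "$rel")"
    cp "$disk/$DATA_DIR/$rel" "$restore_dir/$rel"
    cmp -s "$src/$rel" "$restore_dir/$rel"
}

# A disk last written less than MIN_HOURS ago is the same disk as yesterday:
# it never left the building. Non-zero return so a cron job can alert.
# NOW is overridable so the check can be exercised without waiting a day.
rotation_ok() {
    local disk=$1 min_hours=${2:-20} now=${3:-$(date +%s)} last
    [ -f "$disk/$STAMP" ] || return 0          # first use of this disk
    last=$(cat "$disk/$STAMP")
    [ $(( now - last )) -ge $(( min_hours * 3600 )) ]
}

# --- demo on constructed data ---------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SHARE=$WORK/share; DISK_A=$WORK/usb_a; DISK_B=$WORK/usb_b
mkdir -p "$SHARE/home/alice" "$SHARE/common" "$DISK_A" "$DISK_B"
printf 'quarterly report\n' >"$SHARE/home/alice/report.docx"
printf 'item,price\nwidget,9.95\n' >"$SHARE/common/prices.csv"

backup_run "$SHARE" "$DISK_A"
verify_disk "$DISK_A" && echo "disk A: manifest verified"
restore_test "$SHARE" "$DISK_A" "$WORK/restore" && echo "disk A: random file restored and matches the share"

# Tomorrow morning: disk A plugged in again (never rotated) versus disk B.
AN_HOUR_LATER=$(( $(cat "$DISK_A/$STAMP") + 3600 ))
rotation_ok "$DISK_A" 20 "$AN_HOUR_LATER" || echo "disk A: same disk as the last run, it has not been rotated"
rotation_ok "$DISK_B" && echo "disk B: not written recently, OK to use"
```

Run it from cron after the share has settled for the night; a non-zero exit from verify_disk, restore_test or rotation_ok is the thing to alert on. The manifest also gives you something to show the business when they sign off on the restore policy.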
Remove whatever antivirus comes with your workstation and install something that will inform you of detected threats. Use the same antivirus software on all workstations and laptops. Good AV companies will give you a portal allowing easy viewing of licenses and which machines those licenses are being used on. Remember you can’t trust a system that’s had a virus on it: reimage it rather than relying on the AV’s ‘clean’, and change any passwords that were typed on it.
I recommend Cisco and pfSense routers, but no matter what gateway you’re using, make sure you’re controlling what can go in and out of your network. The outbound traffic is just as important to control as the inbound traffic. You don’t want to become a proxy for spammers and botnets. Ideally you’ll have no hosted services on your internal network such as websites and email. Those services should be hosted elsewhere and ideally by other professional organisations. I’ve discussed this above. In terms of outbound access control, consider restricting outbound web-surfing access to your proxy server only – at least everything will be logged, and a workstation infected with malware that ignores the proxy settings can’t reach the Internet directly. The same goes for DNS: only your internal DNS server should be allowed to make outbound queries. Your internal server should be a web proxy (http and https) and a DNS server. They don’t have to be on the same server but in a small business they can.
Virtual Private Networks (VPNs)
Use a strong VPN technology such as OpenVPN or IKEv2. Never use weak VPN technologies such as PPTP: its MS-CHAPv2 authentication has been broken for years and it is past its time. Ensure that only staff who need VPN access are permitted to use it, give each of them their own credentials (ideally a per-user certificate) so access can be revoked individually, and revoke it the day they leave.
Web surfing Proxy.
Make sure you have a proxy in place for staff Internet use. Use Squid and ensure only the local net can get to the Internet for web surfing. Also make sure you’re blocking executables coming in from the Internet (Squid can easily do this). Staff wanting such files (perhaps add music and video files to the blocked list) should either ask you to add the target domain to a whitelist or get you to download and install whatever they’re trying to get. The big advantages you get from the proxy are: a) you control where web surfing originates, b) you control the files that can be downloaded, and c) you get log files. Squid will give you a retrospective view of web surfing activity. Note that an extension-based block is a convenience, not a guarantee: a file can be renamed, and Squid can’t see inside HTTPS unless it is configured to intercept it.
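To show what the retrospective view from Squid’s log actually looks like, here is a small shell script, added to this article and not part of the original, that summarises a Squid access.log in the default native format: how many requests were denied, which executable downloads the ACL blocked, which denied clients are outside the local subnet (a sign that something other than a staff workstation is talking to the proxy) and which hosts staff actually reach. The log lines in it are constructed for the demo; on a real proxy point the functions at /var/log/squid/access.log.

```bash
#!/usr/bin/env bash
# Summarise a Squid access.log (native format) for the retrospective view
# described above. Added example for this article, not the author's code;
# the log lines below are constructed for the demo.
set -eu

# Constructed sample. Native Squid format, one request per line:
# time elapsed client action/status bytes method URL user hierarchy/peer type
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
1586390400.101    245 192.168.1.23 TCP_MISS/200 5123 GET http://www.example.com/news.html - HIER_DIRECT/93.184.216.34 text/html
1586390401.220      0 192.168.1.45 TCP_DENIED/403 3650 GET http://downloads.example.net/setup.exe - HIER_NONE/- text/html
1586390402.330    120 192.168.1.23 TCP_MISS/200 880 GET http://www.example.com/style.css - HIER_DIRECT/93.184.216.34 text/css
1586390403.440      0 192.168.1.45 TCP_DENIED/403 3650 GET http://downloads.example.net/tool.msi?v=2 - HIER_NONE/- text/html
1586390404.550    310 192.168.1.77 TCP_TUNNEL/200 20480 CONNECT mail.example.org:443 - HIER_DIRECT/203.0.113.5 -
1586390405.660      0 10.99.0.9 TCP_DENIED/403 3650 GET http://www.example.com/ - HIER_NONE/- text/html
EOF

# Requests Squid refused: the http_access deny rules doing their job.
count_denied() {
    awk '$4 ~ /^TCP_DENIED/ { n++ } END { print n + 0 }' "$1"
}

# Denied requests for executables/installers, printed as "client URL". The
# query string is stripped first so "tool.msi?v=2" is still recognised.
blocked_executables() {
    awk '$4 ~ /^TCP_DENIED/ {
            u = $7; sub(/[?#].*$/, "", u)
            if (tolower(u) ~ /\.(exe|msi|bat|cmd|scr|com|ps1|jar)$/) print $3, $7
         }' "$1"
}

# Denied clients whose address does not start with the local-net prefix.
# With "http_access allow localnet" as the only allow rule, these are hosts
# that should not be talking to the proxy at all and are worth a look.
foreign_clients() {
    awk -v net="$2" '$4 ~ /^TCP_DENIED/ && index($3, net) != 1 { print $3 }' "$1" | sort -u
}

# Most-requested hosts among served requests (plain HTTP and CONNECT tunnels).
top_hosts() {
    awk '$4 !~ /^TCP_DENIED/ {
            h = $7
            sub(/^[a-z]+:\/\//, "", h)   # drop the scheme
            sub(/[:\/].*$/, "", h)       # keep the host, drop port and path
            hits[h]++
         }
         END { for (h in hits) print hits[h], h }' "$1" | sort -rn | head -n "${2:-5}"
}

echo "Denied requests: $(count_denied "$SAMPLE_LOG")"
echo "Blocked executable downloads (client URL):"
blocked_executables "$SAMPLE_LOG"
echo "Denied clients outside 192.168.1.0/24:"
foreign_clients "$SAMPLE_LOG" "192.168.1."
echo "Top hosts reached:"
top_hosts "$SAMPLE_LOG" 5
```

The CONNECT lines are the HTTPS traffic: the proxy sees the host name and the byte count but nothing else, which is the limitation noted above. Run the script from cron against the previous day’s log and you have the daily report the policy document can point to.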
Ideally use a domain rather than a workgroup. Samba4 does this very well, or use a Windows server if you’re more comfortable with Windows. It’s not a big deal if you only have a handful of users (such as 10 or fewer) but consider a domain for simpler control of workstation access.
When it comes to WiFi, you have the choice of PSK or Enterprise. The difference is that PSK (pre-shared key) requires every device to use the same passphrase to access the wireless network, so the passphrase has to be changed every time someone leaves or a device is lost. Enterprise (WPA2-Enterprise) lets users authenticate with their domain credentials; a RADIUS server does the authentication against the domain. I recommend Enterprise because you can allow or deny someone access to the wireless network through the domain controller. If you have more than 10 staff, use the Enterprise option.
I recommend TeamViewer or VNC for workstations. For servers, use RDP (Remote Desktop) for Windows servers and SSH and/or VNC for Linux servers. TeamViewer is costly but works well. If you’re using SSH, VNC or RDP, lock down the source to a few trusted locations such as your office and home. Don’t allow access to VNC or RDP from just any location – lock it down, and don’t expose either directly to the Internet; reach them through the VPN or an SSH tunnel (VNC in particular is not encrypted on its own). SSH should require a key rather than just a password.
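“SSH should require a key rather than just a password” is a handful of sshd_config settings, and the usual way they go wrong is subtle: sshd takes the first occurrence of a keyword, so a hardening line appended at the bottom of a file that already says PasswordAuthentication yes changes nothing, and PAM’s keyboard-interactive prompt still asks for a password unless it is disabled separately. The script below is an added example for this article, not the author’s; it reads the effective global value of each keyword the way sshd does and reports what differs from the baseline above (keys only, no password prompts, no root password login, an explicit list of who may log in). The two configuration files in it are constructed for the demo; with root on the box, the real sshd -T output is the better thing to audit.

```bash
#!/usr/bin/env bash
# Audit an sshd_config for the settings the text calls for (keys, not
# passwords; only the staff who need it). Added example for this article,
# not the author's script; the two config files are constructed for the demo.
# With root on the box, "sshd -T" prints the effective config and is the
# better source; this is for when all you have is the file.
set -eu

# Effective global value of a keyword. sshd keywords are case-insensitive,
# the FIRST occurrence wins (a "PasswordAuthentication no" appended below an
# earlier "yes" changes nothing), and anything after a Match line is
# conditional, so the scan stops there. The rarer "Keyword=value" form is
# not handled. Prints nothing if the keyword is absent (sshd default applies).
sshd_get() {
    local file=$1
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            print tolower($0)
            exit
        }' "$file"
}

# One line per finding on stdout; the return code is the number of findings
# (0 = clean), so it drops straight into a cron job or a deploy check.
audit_sshd() {
    local file=$1 n=0 v w
    v=$(sshd_get "$file" PasswordAuthentication)
    if [ "${v:-yes}" != no ]; then
        echo "PasswordAuthentication is '${v:-yes (default)}': passwords can be guessed, require keys"; n=$((n + 1))
    fi
    v=$(sshd_get "$file" ChallengeResponseAuthentication)
    w=$(sshd_get "$file" KbdInteractiveAuthentication)
    if [ "$v" != no ] && [ "$w" != no ]; then
        echo "KbdInteractiveAuthentication not disabled: PAM can still prompt for a password"; n=$((n + 1))
    fi
    v=$(sshd_get "$file" PermitRootLogin)
    if [ "${v:-prohibit-password}" = yes ]; then
        echo "PermitRootLogin is 'yes': root gets a password prompt, set it to no"; n=$((n + 1))
    fi
    v=$(sshd_get "$file" PubkeyAuthentication)
    if [ "${v:-yes}" = no ]; then
        echo "PubkeyAuthentication is 'no': keys cannot be used at all"; n=$((n + 1))
    fi
    v=$(sshd_get "$file" AllowUsers)
    w=$(sshd_get "$file" AllowGroups)
    if [ -z "$v" ] && [ -z "$w" ]; then
        echo "no AllowUsers/AllowGroups: every account on the box may try SSH, list the staff who need it"; n=$((n + 1))
    fi
    v=$(sshd_get "$file" PermitEmptyPasswords)
    if [ "${v:-no}" = yes ]; then
        echo "PermitEmptyPasswords is 'yes'"; n=$((n + 1))
    fi
    return "$n"
}

# --- demo on two constructed files ----------------------------------------
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
# as shipped, with a "hardening" line appended that sshd ignores
Port 22
PasswordAuthentication yes
PermitRootLogin yes
X11Forwarding yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
AllowGroups ssh-users
EOF

echo "weak config:"
audit_sshd "$WEAK_CFG" || echo "-> $? finding(s)"
echo "hardened config:"
audit_sshd "$HARD_CFG" && echo "-> no findings"
```

Restricting the source addresses is the firewall’s job rather than sshd’s, so the script doesn’t try to check it; the AllowGroups entry is what ties SSH access back to the domain group of staff who actually need it.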
There are a few things to watch out for. If the business is low on money or simply tight, leave them for another IT service business to look after. Businesses like this are doomed. The ‘ideal’ business does exist and they are the majority. They buy good quality equipment, they do backups and accept that they take time, and they realise that a little overhead from time to time is preferable to data loss, being hacked and/or reputation damage. Do it the right way.