I update this article periodically to keep it current. The principles never change though.
This article was first written in April 2016 and it’s still very relevant. I’ve kept it updated with the inclusion of new technologies and best practices.
Who should read this? Those who are responsible for small business IT systems.
Do things the right way.
When staff ask why things aren’t as simple or easy as they’d like, you know their expectations of business IT resources are inconsistent with reality. Perhaps they’re using email as a CRM or their desktop as their filing system. Either they need to adjust their expectations or you need to adjust the IT systems to meet their expectations. Start here. Solve the issue of expectations and everything else falls into place.
You’ll want at least two IT policy documents: a general IT policy document and a security policy document. These two documents give a scope for expectations. Staff should be obligated to read these documents and agree to them. The objectives of the policy documents are to ensure staff know what they can and can’t do. They also guide you (the IT person) on what the business expects in terms of your workload and responsibilities. Policies also assist in staff termination for situations where business resources have been misused.
Switches and routers.
This is the backbone of the network. Make sure you use good quality parts. Use Cisco or HP enterprise level equipment. Any Cisco switch with gigabit speeds on all ports is a good option, but 10 gigabit speeds are affordable and easily acquirable. Consider the value of PoE, especially if you have IP phones or IP cameras. Don’t get sucked into the idea that WIFI is an acceptable replacement for Ethernet – not yet. It’s shared media, still new technology and not as reliable as Ethernet. One day we will surely change to WIFI for workstations but that day is not today. Keep your network devices up to date with firmware.
When using an Active Directory Domain: The DHCP and DNS services should be run on and controlled by the Domain Controller. This is to ensure the AD Domain Controller has full functionality, the DNS and reverse DNS work as intended and that the workstations work as expected.
When using a Workgroup: Consider using the router (Internet gateway) as the DHCP server. If the server goes off-line for whatever reason, you will want (at least) Internet access and you’ll only get that if you have an IP address. The DHCP servers should hand out two DNS server addresses; the first is the internal server and the second is an external server such as 220.127.116.11. Therefore if the internal server is off-line, the workstations will go to the second option and will work fine surfing the net.
Workstations and portable devices.
Make sure to use good quality workstations. Go with mid-range or enterprise grade workstations from Dell or HP. Make sure all workstations are connected to the network via Ethernet. Wifi is for guests and mobile devices (phones and tablets) and NOT workstations. A rule of thumb is “if you do word processing on the device, plug it in”. Some laptops require a hub or dock to use the Ethernet so there are no excuses. Laptops should be able to connect to both but only for convenience. Laptops are often used in board rooms and meeting rooms and it’s nice that they just work. But for day-to-day work, plug an Ethernet cable into the device. Good brands for laptops are Dell, Apple and Lenovo. Make sure you use the enterprise grade gear and not their home-grade (consumer grade) gear. Spend upwards of $1.5k Australian on a laptop. Any less and you are getting home-grade gear. Depending on your responsibilities within the business, you can either manage all workstation software installations yourself or designate one staff member as your deputy system administrator. This means staff ‘can’ install things if you’re not around (good for business continuity). The deputy, knowing they’re the only one who knows the administrative credentials, is compelled to use them sparingly.
Portable devices should have their hard disks encrypted and periodically backed up. There are plenty of options for backups including cloud-based backup solutions as well as backing up to network shares. A lost device should not be stressful (who has access to our company data?) but more a matter of insurance and/or a new purchase order.
The primary server should run either Linux with Samba4 or Windows Server 2016 but don’t get Microsoft Exchange or any kind of email or collaboration server hosted internally. Use Office 365 or Gmail for Work. Again, if you’re not already using a hosted solution such as 365 and Gmail, do it now. No excuses unless the business is so secretive they have no option but to host their own. There is nothing worse than troubleshooting mail servers and nothing more unnecessary given the options of SaaS. For the record, Samba4 is mature enough to host Active Directory to the point where you get group policies and can manage it from AD Users and Computers. And the workstations won’t know the difference. Windows Servers are fine too.
Virtualisation is ideal. System updates, maintenance and testing all work best when snapshots and machine level backups can be completed before work begins. Such tasks on physical servers are more difficult to recover from.
Ensure servers have automatic updates configured, automatic antivirus configured, backups configured and that logs are working. If possible, send server logs to a central log server.
Don’t host your website on a server within your network. The web server is a likely target for hackers before lateral movement, so put it somewhere else and make it their problem. Or put it in a cloud environment that you control such as AWS or Azure. Either way, make sure there is no VPN between the web server and your office network unless you need one (there are plenty of reasons to need a VPN but wait for that requirement before creating a VPN between the two networks). Use SSH and/or SCP to manage the content of your website and not FTP. A website framework such as WordPress is fine but make sure to lock it down. You don’t want to get it defaced by hackers. Keep it up-to-date and back up the database.
Use SSL by default for your websites. There is no excuse any longer for using HTTP. SSL certificates are free if you use the (well respected) Let’s Encrypt service and there will be others doing the same thing. They will give you as many certificates for your websites as you like. Then you can redirect your HTTP visitors to HTTPS. It won’t be long before browsers try HTTPS to reach a site before HTTP.
AGIX is a Linux services business but we still believe in the “right tool for the job” and therefore there is a place for Windows computers. Workstations (laptops and desktops) should be either Windows 10 or OSX (latest) at the time of writing this. Always update major versions (such as from Windows 8 to Windows 10) after others do. Give new technology a few months to settle before you move to minimise teething problems. Servers should be either Windows servers or Linux running Ubuntu or Redhat. Other distributions are fine but these are a sensible start. The important thing is how long the software is supported for. The longer the better. So opt for the long term support version of the operating system.
Keep software up to date on all systems that allow it including routers, firewalls, access points, printers, phone systems, workstations, servers, smart phones and IoT (Internet of Things).
If you have a Windows Domain, managing printers is easy. If you have a Workgroup, you’ll need to manually install printers on each workstation. This is another reason to switch from a Workgroup to a Domain. Avoid using a workstation as the printer server. It can be done but comes with issues. That workstation needs a static IP address which means it’s treated differently from other workstations and that’s not ideal. Further, you need to keep that computer running and reboots will potentially affect all staff. Do it right and use a Windows Domain with Printer sharing configured properly.
Linux CUPS printing is fantastic but rarely used in small businesses.
Accounting packages such as Myob and Quickbooks have cloud-based offerings which will save the business time and money. The benefits of a cloud solution are that you don’t have to share files between the accountant and book keeper, you can use it on any workstation and the backups are handled by ‘someone else’. Xero is another great option.
Back up everything daily. Include your server(s) configuration and data. Make sure you have your router’s configuration backed up too. Make sure you have documentation off-site along with the backups. You can use cloud services for backups but use them in conjunction with USB backups or tapes. Cloud backups take too long to restore from in a disaster. Use at least 3 USB disks making sure there is always one off-site. For example, on your way to work: you have one at home (or wherever is safe), one in the car with you on your way to work and the other plugged into the server. In case of a fire, you have to leave without carrying anything so you’ll be happy to know you have at least one disk off-site. Test your backups regularly. Have one staff member pick a document (their choice at random) for you to restore. Make sure they (the business) sign off on this as the policy. All documents should be expected to be on the server (data storage) before the end of the day – either in the staff member’s home drive or common drive but not on the staff member’s workstation. Workstations don’t have the luxury of multiple hard disks which your server does (make sure of it) and workstations don’t get backed up.
Remove whatever antivirus comes with your workstation and install something that will inform you of detected threats. Use the same antivirus software on all workstations and laptops. Good AV companies will give you a portal to use allowing easy viewing of licenses and on which machines those licenses are being used. Remember you can’t trust a system that’s had a virus on it.
A good antivirus program will have special features to detect, block and recover from ransomware. Pay more and get something that does it well. Search YouTube for videos where technicians demonstrate the effectiveness of different AV types against common ransomware viruses.
I recommend pfSense firewall routers but no matter what gateway you’re using, make sure you’re controlling what can go in and out of your network. The outbound traffic is just as important to control as the inbound traffic. You don’t want to become a proxy for spammers and bot-nets. Ideally you’ll have no hosted services on your internal network such as websites and email. Those services should be hosted elsewhere and ideally by other professional organisations. I’ve discussed this above. In terms of outbound access control, consider restricting outbound web-surfing access to your proxy server only – at least everything will be logged. Your internal server should be a web proxy (http and https) and a DNS server. They don’t have to be on the same server but in a small business they can.
Architecturally speaking, ensure your servers and workstations are segregated on different subnets. Having all devices on the same subnet limits access control options. For example, firewalling “lights out” services can’t be done at the network level if the devices you’re restricting access to are on the same network.
Make sure your firewall is “next gen” which means it can do more than just block and allow based on headers. You want something that can consider trends and patterns.
Virtual Private Networks (VPNs) and Remote Workstations
Use a strong VPN technology such as OpenVPN or IPSec. Never use weak VPN technologies such as PPTP as they are past their time. Ensure that only staff that need to have VPN access are permitted to use it.
Consider something like Citrix (there are free alternatives) to allow remote work. VPNs have a place – and will for a long time – but Citrix-like methods are growing in popularity and can simplify things.
Web surfing Proxy.
Make sure you have a proxy in place for staff Internet use. Use Squid and ensure only the local-net can get to the Internet for web surfing. Also make sure you’re blocking executables coming in from the Internet (Squid can easily do this). Staff wanting such files (perhaps add music and video files to the blocked list) should either ask you to add the target domain to a white list or get you to download and install whatever they’re trying to get. The big advantages you get from the proxy are: a) you control where web surfing originates, b) you control the files that can be downloaded, and c) you get log files. Squid will give you a retrospective view of web surfing activity.
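The log files are also how you confirm the download block is actually working. The following is an added example, not part of the original article: it reads Squid's native access.log format and lists, per workstation, blocked file types that the proxy denied and any that were served anyway. The sample log lines, addresses, host names and extension list are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1714971600.101    212 192.168.10.21 TCP_MISS/200 48211 GET http://docs.example.com/handbook.pdf - HIER_DIRECT/203.0.113.10 application/pdf
1714971605.442      0 192.168.10.34 TCP_DENIED/403 3921 GET http://files.example.net/tools/setup.exe - HIER_NONE/- text/html
1714971609.870      0 192.168.10.34 TCP_DENIED/403 3925 GET http://files.example.net/tools/setup.exe?mirror=2 - HIER_NONE/- text/html
1714971700.005    390 192.168.10.21 TCP_TUNNEL/200 9120 CONNECT mail.example.org:443 - HIER_DIRECT/203.0.113.25 -
1714971900.718    154 192.168.10.52 TCP_MISS/200 7340112 GET http://media.example.net/song.MP3 - HIER_DIRECT/203.0.113.40 audio/mpeg
"""

# Assumed block list: executables plus the music and video types the article mentions.
BLOCKED_EXT = re.compile(r"\.(exe|msi|bat|scr|mp3|mp4|avi)$", re.IGNORECASE)

def parse_line(line):
    """Pull client, result code, host and URL path out of one log line."""
    fields = line.split()
    if len(fields) < 10:
        return None  # truncated or non-native line: skip rather than guess
    url = fields[6]
    # CONNECT lines carry only host:port, so an HTTPS path is invisible here
    # unless the proxy intercepts the TLS session.
    parts = urlsplit(url if "://" in url else "//" + url)
    return {"client": fields[2], "result": fields[3].split("/")[0],
            "host": parts.hostname or "", "path": parts.path}

def review(log_text):
    """Group blocked-type requests by client: denied ones and ones served."""
    denied, served = defaultdict(list), defaultdict(list)
    hosts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hosts[rec["host"]] += 1
        if BLOCKED_EXT.search(rec["path"]):
            bucket = denied if rec["result"] == "TCP_DENIED" else served
            bucket[rec["client"]].append(rec["host"] + rec["path"])
    return dict(denied), dict(served), hosts

if __name__ == "__main__":
    denied, served, hosts = review(SAMPLE_LOG)
    print("denied by the proxy:", denied)
    print("blocked types that were served (policy gap):", served)
    print("busiest hosts:", hosts.most_common(3))
```

Anything in the "served" list means the file-type rule did not match that request and the proxy configuration needs another look.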
Firewall devices such as Watchguard, Fortinet and pfSense can also “bump” SSL sessions to allow for better filtering. In other words, a workstation that would like to connect to a remote web server using HTTPS would have the secure session terminated at the firewall where the filtering happens – and then the firewall re-establishes the secure connection from the firewall to the target web server. It’s also called SSL/HTTPS interception.
When it comes to wifi, you have the choice of PSK or Enterprise. The difference is that PSK (pre-shared key) requires that every device uses the same passphrase to access the wireless network. Enterprise allows you to use domain users’ credentials to gain access. RADIUS is used in Enterprise authorisation. I recommend Enterprise authorisation because you can allow or deny someone access to the wireless network through the domain controller. If you have more than 10 staff, use the Enterprise option.
Use the current-best secure standards such as WPA2 at the time of writing this. However, WPA3 will soon become standard and introduces new security measures to protect your network.
Wifi services provided by Watchguard (and others) allow for discovering rogue wireless networks and automatically disrupt their availability. This helps prevent staff from using their own hotspots in the office.
Use long passwords for your wireless networks. That’s the real defense.
I recommend using TeamViewer or AnyDesk. For servers, use RDS for Windows servers and SSH for Linux servers. TeamViewer is costly but works well. If you’re using SSH or RDS, consider locking down the source to a few trusted locations such as your office and home. Don’t allow access to RDS from just any location – lock it down. SSH should require a key rather than just a password.
If MFA/2FA (or multi-factor) authentication is an option, use it.
There are a few things to watch out for. If the business is low on money or simply tight, leave them for another IT service business to look after. Businesses like this are stressful to work with. The ‘ideal’ business does exist and they are the majority. They buy good quality equipment, they do backups and accept that they take time and they realise that a little overhead from time to time is preferable to data-loss, being hacked and/or reputation damage. Do it the right way.