how to set up IT for a new SMB?
Does anyone on here have any experience setting up IT for a new SMB? Needing guidance on security, remote access, backups, setting up an email server, pretty much the whole shebang. The insurance policy is pretty hot on requiring certain tech security, weekly backups, annually reviewed written policies etc. It's way above my level to assist with.
Re: how to set up IT for a new SMB?
FastTrack.
https://www.microsoft.com/en-us/fast...365/office-365
Office365 with security baselines & exceptions where necessary. ASR rules, MFA, Windows Update for Business etc. Here's how to set up conditional access properly: https://www.youtube.com/watch?v=OfT2s5tW5bc
Re: how to set up IT for a new SMB?
Quote:
Originally Posted by
ik9000
Does anyone on here have any experience setting up IT for a new SMB?
How many seats?
Any regulatory/compliance/PCI to worry about?
I've got a couple dozen businesses in the 5 to 50 bracket on my book.
Re: how to set up IT for a new SMB?
SFAIK only 2 seats at first, plus a couple of freelancers sporadically, so 5 max for the time being, say, all in different locations (no office atm due to everyone wfh).
Re compliance, forgive my ignorance, what do you mean? Obviously GDPR; beyond that I don't think there is any auditing as such (other than accounts, which the accountant will sort out) until such time as they want to seek ISO 9001 or whatever that accreditation thing is. The insurance term they forwarded said this:
Quote:
ITS001 - Information Technology Security Requirement
It is a requirement that You:
a) have IT security procedures that include the operation of commercially licenced, purchased and supported firewalls and anti-virus software to protect against viruses, spyware or malware attacks.
b) have a written policy that addresses information security that includes requirements to encrypt all sensitive and confidential data which is reviewed and communicated to all employees at least annually.
c) back up Your critical and sensitive data at least weekly to a different secure location.
Failure to comply with this requirement may result in Us not paying Your claim.
Edit: they also need help setting up emails, and are wondering if they can do that with Office 365 but without having to have a centralised server. They seem happy to go 365 for general office software, so it does sound like they're buying into the MS ecosystem rather than Apple or Unix.
Re: how to set up IT for a new SMB?
First step is to write down the needs and priorities, then work up the requirement; high level bullet points rather than pages of jargon. Budget is usually the first question: 'How much do you think it should cost?'
Microsoft 365 Business can cover a lot of the virtual team bases. Standard subscription includes an Exchange mailbox with spam and malware filtering. Each license comes with a terabyte of OneDrive, which can cover the offsite and file sharing. Month by month billing gives flex in licensing for short term staff and freelancers.
SIP (VoIP) phone services can be very useful. Don't forget the DPO registration. Oh, and everyone needs good broadband too.
Re: how to set up IT for a new SMB?
Quote:
Originally Posted by
matts-uk
First step is to write down the needs and priorities, then work up the requirement; high level bullet points rather than pages of jargon. Budget is usually the first question: 'How much do you think it should cost?'
Microsoft 365 Business can cover a lot of the virtual team bases. Standard subscription includes an Exchange mailbox with spam and malware filtering. Each license comes with a terabyte of OneDrive, which can cover the offsite and file sharing. Month by month billing gives flex in licensing for short term staff and freelancers.
SIP (VoIP) phone services can be very useful. Don't forget the DPO registration. Oh, and everyone needs good broadband too.
Does that exchange mailbox need a local server, or is it just a case of sending the domain email to make use of a cloud server?
They want a file server they can remote into and have directories for each job, a store of technical and reference literature, a place to keep admin and accounts etc. Again is that feasible by cloud or is it necessary to set up a server with vpn access? Just using MS equivalent of dropbox might allow files to be shared but presumably lacks a filing structure or similar like you could do with a NAS or similar?
Cost they've come back with "no idea how much it should cost, no more than necessary, but no cutting corners if it invalidates insurance etc. Cloud based ok so long as secure and complies with GDPR etc, and can be easily backed up to physical media as required so if cloud goes down/hosting company insolvent etc information is not lost." It sounds like they're trying to get a feel for the budget implications as well. (It's probably worth mentioning they're a start-up so no prior history to draw on.)
Re: how to set up IT for a new SMB?
Quote:
Originally Posted by
ik9000
Does that exchange mailbox need a local server, or is it just a case of sending the domain email to make use of a cloud server?
They want a file server they can remote into and have directories for each job, a store of technical and reference literature, a place to keep admin and accounts etc. Again is that feasible by cloud or is it necessary to set up a server with vpn access? Just using MS equivalent of dropbox might allow files to be shared but presumably lacks a filing structure or similar like you could do with a NAS or similar?
Cost they've come back with "no idea how much it should cost, no more than necessary, but no cutting corners if it invalidates insurance etc. Cloud based ok so long as secure and complies with GDPR etc, and can be easily backed up to physical media as required so if cloud goes down/hosting company insolvent etc information is not lost." It sounds like they're trying to get a feel for the budget implications as well. (It's probably worth mentioning they're a start-up so no prior history to draw on.)
Hi ik9000,
The MX Record for the SMB's domain is simply pointed to the cloud O365 Instance and that is configured to accept email for the SMB domain. https://docs.microsoft.com/en-us/mic...o365-worldwide. There will be no need for an on-premise email server if you go with O365.
Please note there are several versions of O365 for business use, O365 Premium includes policy management for defender which would cover off endpoint AV: https://www.microsoft.com/en-gb/micr...eading-hiatrep
Some other food for thought:
Use a good SMB firewall at the perimeter, i.e. https://www.broadbandbuyer.com/produ...hos-xs1z3csek/ ; that one includes licenses for 3 years (TotalProtectPlus recommended), just budget for the license renewal after the third year. There are other similar makes/models.
Implement a Zero Trust model: by default nothing should be allowed in. If remote access is needed then set up VPN on the firewall; all connections in to the network should be via VPN, no exceptions. If you absolutely must host an internal web server and have to publish it to the internet, then make sure it is up-to-date, patched, and then publish via the WAF on the firewall.
Lock down the outbound traffic so that only required ports (i.e. HTTP, HTTPS, DNS, NTP) are allowed out, and then only from the devices that need it. Beacons such as Cobalt Strike can connect out to random defined ports; if the port is not allowed through the firewall it cannot be used. If you have a central DNS server (consider a sinkhole such as Pi-hole), set DHCP to issue the IP of the central DNS server and only allow DNS queries out through the firewall from the DNS server.
Malware will use HTTPS for traffic, but a sinkhole such as Pi-hole with some subscribed malware lists and the web filtering capability of the firewall (you can set policy to block porn, gambling, malware etc.) should protect the SMB as much as possible.
With regards to file share data there a few options:
1 - Putting an LTO drive in a fileserver and back up to tape. Make sure the tapes are changed daily/weekly (whatever data loss they can handle) and the "Directors" take the tapes home.
2 - Have a file server and use something like Azure Backup / Veeam https://docs.microsoft.com/en-us/azu...s-applications to backup direct to cloud.
3 - Sharepoint/OneDrive
4 - Host your file share in Azure/Amazon and use the associate cloud backup solution to protect it.
Anything backing up to cloud requires a good (fast, if lots of data) Internet connection. Whilst cloud storage is generally quite cheap, keep an eye on the costs, and if you do go down the cloud route make sure access to the S3 bucket/storage account is configured correctly. How often have you read in the news about an exposed S3 bucket? You really do not want that to be you.
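The outbound lockdown described in this post (only HTTP, HTTPS, DNS and NTP out, only from the devices that need them, and DNS only from the central resolver) can be checked against firewall flow records. The following is an added example, not code from the post or from any vendor; the addresses, the central-resolver IP and the key=value log format are all assumptions, and the sample records are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumption, not from the thread): one internal LAN
# and a single central DNS resolver (e.g. a Pi-hole) that all clients use.
INTERNAL = ipaddress.ip_network("192.168.10.0/24")
DNS_SERVER = ipaddress.ip_address("192.168.10.5")

# Egress allow-list: (protocol, destination port) -> who may use it.
# "internal" = any internal host; "dns_server" = only the central resolver.
EGRESS_POLICY = {
    ("tcp", 80): "internal",     # HTTP
    ("tcp", 443): "internal",    # HTTPS
    ("udp", 123): "internal",    # NTP
    ("udp", 53): "dns_server",   # DNS, resolver only
    ("tcp", 53): "dns_server",
}

@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse one 'key=value' flow record (constructed format) into a Flow."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return Flow(ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]),
                fields["proto"].lower(), int(fields["dport"]))

def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ('allow'|'deny', reason) for a flow under the egress policy."""
    if flow.src not in INTERNAL:
        return "deny", "source is not an internal host"
    if flow.dst in INTERNAL:
        return "allow", "internal traffic, not an egress flow"
    who = EGRESS_POLICY.get((flow.proto, flow.dport))
    if who is None:
        return "deny", f"{flow.proto}/{flow.dport} not in egress allow-list"
    if who == "dns_server" and flow.src != DNS_SERVER:
        return "deny", "DNS egress only permitted from the central resolver"
    return "allow", f"{flow.proto}/{flow.dport} permitted for {who}"

def audit(lines):
    """Evaluate every record; return a list of (line, verdict, reason)."""
    return [(ln, *evaluate(parse_flow(ln))) for ln in lines if ln.strip()]

# Constructed sample flow records (not real logs).
SAMPLE_LOG = [
    "t=1 src=192.168.10.20 dst=203.0.113.10 proto=tcp dport=443",   # web
    "t=2 src=192.168.10.20 dst=198.51.100.9 proto=tcp dport=4444",  # odd port
    "t=3 src=192.168.10.20 dst=198.51.100.1 proto=udp dport=53",    # DNS bypass
    "t=4 src=192.168.10.5 dst=198.51.100.1 proto=udp dport=53",     # resolver
    "t=5 src=192.168.10.21 dst=192.168.10.5 proto=udp dport=53",    # internal
]

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:5} {reason:50} {line}")
```

Records 2 and 3 are the cases the post warns about: a beacon on an arbitrary port, and a workstation bypassing the central resolver.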
Re: how to set up IT for a new SMB?
When working with firewalls and O365 a good resource is: https://docs.microsoft.com/en-us/mic...o365-worldwide
Allowing 80 and 443 out to the internet covers off most services, but there are a couple of additional ones such as the UDP ports for Teams that need to be allowed through as well.
Re: how to set up IT for a new SMB?
Box.com I have found to be a nice cloud storage system which integrated well with Active Directory and its security groups. I assume you're going to use a domain and all that jazz?
Also, something they need to consider strongly that will be largely overlooked is a business records management system. By system I don't mean technological, I mean organisational. While you can probably get away with not considering its structure, how it should be implemented and managed is worth thinking about. If they willy-nilly create folders it will become a mess and that will carry on for decades.
Re: how to set up IT for a new SMB?
Quote:
Originally Posted by ik9000
Does that exchange mailbox need a local server, or is it just a case of sending the domain email to make use of a cloud server?
They want a file server they can remote into and have directories for each job, a store of technical and reference literature, a place to keep admin and accounts etc. Again is that feasible by cloud or is it necessary to set up a server with vpn access? Just using MS equivalent of dropbox might allow files to be shared but presumably lacks a filing structure or similar like you could do with a NAS or similar?
Cost they've come back with "no idea how much it should cost, no more than necessary, but no cutting corners if it invalidates insurance etc. Cloud based ok so long as secure and complies with GDPR etc, and can be easily backed up to physical media as required so if cloud goes down/hosting company insolvent etc information is not lost." It sounds like they're trying to get a feel for the budget implications as well. (It's probably worth mentioning they're a start-up so no prior history to draw on.)
No, you don't *need* a physical server. Yes, you point the MX record at the Microsoft 365 servers... But there is a whole lot more to it than that.
When you buy into Microsoft 365 Business, you are buying a 'tenancy' on Microsoft servers in Microsoft data centres, ready built to deliver identifiable services to end users. It's not a million miles away from renting your own Windows VPS farm, installing Active Directory and server application software, then having a dev-ops team spend a couple of years creating a web portal to integrate it all. You don't lose low-level access though, as PowerShell still works. The service is extremely scalable from sole proprietor to large corporation.
One of the identifiable services is e-mail, sold to end users as an Exchange mailbox. However, don't lose sight of what you are actually buying, access to an Exchange server with (virtually) the same functionality you would have running your own Exchange server.
Another identifiable service is file sharing, in the form of OneDrive and SharePoint. Not perfect by any means but included in the subscription at no extra cost. Yes, you can have a folder structure. Granular permissions, not so much. For a 5 seat company it may be appropriate to simply dedicate a OneDrive account and share the signon credentials. End users mapping drives directly to VPN/NAS turns out to be, not that useful, not that reliable and less secure in practice.
Quote:
Cost they've come back with "no idea how much it should cost, no more than necessary, but no cutting corners if it invalidates insurance etc.
Comes down to what they think they need. With respect to the insurance policy, I would think self-encrypting file-systems are more of a priority than a NAS. Does everyone have a device which supports BitLocker and is it turned on?
A dispersed 5 seat start up should be embracing Cloud First, IMO. By which I mean forget everything you think you know and turn the on-premises model on its head. There is no central office, there is no comms room, there is no perimeter, there is no IT department on the payroll. For instance, don't save to a NAS and back the NAS up to the Cloud. Save to the Cloud and back the Cloud presence up to a NAS instead.
My smallest 365 customers don't own anything as expensive as a NAS, even though I might like them to. All my 365 Business customers are subject to GDPR and a few have the more stringent compliance requirements of UKAS, FRC, SRA to worry about. Small companies servicing Government contracts may need Cyber Essentials certification and even if they don't, the checklist is a good place for any small business to start.
Re: how to set up IT for a new SMB?
Quote:
Originally Posted by
Kumagoro
Box.com I have found to be a nice cloud storage system which integrated well with Active Directory and its security groups. I assume you're going to use a domain and all that jazz?
Also, something they need to consider strongly that will be largely overlooked is a business records management system. By system I don't mean technological, I mean organisational. While you can probably get away with not considering its structure, how it should be implemented and managed is worth thinking about. If they willy-nilly create folders it will become a mess and that will carry on for decades.
Whenever I've looked at Box they seem to sell products for more than the going rate. I tend to treat them with suspicion as a result.
Re: how to set up IT for a new SMB?
Quote:
Originally Posted by
matts-uk
No, you don't *need* a physical server. Yes, you point the MX record at the Microsoft 365 servers... But there is a whole lot more to it than that.
When you buy into Microsoft 365 Business, you are buying a 'tenancy' on Microsoft servers in Microsoft data centres, ready built to deliver identifiable services to end users. It's not a million miles away from renting your own Windows VPS farm, installing Active Directory and server application software, then having a dev-ops team spend a couple of years creating a web portal to integrate it all. You don't lose low-level access though, as PowerShell still works. The service is extremely scalable from sole proprietor to large corporation.
One of the identifiable services is e-mail, sold to end users as an Exchange mailbox. However, don't lose sight of what you are actually buying, access to an Exchange server with (virtually) the same functionality you would have running your own Exchange server.
Another identifiable service is file sharing, in the form of OneDrive and SharePoint. Not perfect by any means but included in the subscription at no extra cost. Yes, you can have a folder structure. Granular permissions, not so much. For a 5 seat company it may be appropriate to simply dedicate a OneDrive account and share the signon credentials. End users mapping drives directly to VPN/NAS turns out to be, not that useful, not that reliable and less secure in practice.
Comes down to what they think they need. With respect to the insurance policy, I would think self-encrypting file-systems are more of a priority than a NAS. Does everyone have a device which supports BitLocker and is it turned on?
A dispersed 5 seat start up should be embracing Cloud First, IMO. By which I mean forget everything you think you know and turn the on-premises model on its head. There is no central office, there is no comms room, there is no perimeter, there is no IT department on the payroll. For instance, don't save to a NAS and back the NAS up to the Cloud. Save to the Cloud and back the Cloud presence up to a NAS instead.
My smallest 365 customers don't own anything as expensive as a NAS, even though I might like them to. All my 365 Business customers are subject to GDPR and a few have the more stringent compliance requirements of UKAS, FRC, SRA to worry about. Small companies servicing Government contracts may need Cyber Essentials certification and even if they don't, the checklist is a good place for any small business to start.
Anyone know any good guides on setting up SharePoint?
Re: how to set up IT for a new SMB?
Quote:
Originally Posted by
GuruNot
Use a good SMB firewall at the perimeter, i.e.
https://www.broadbandbuyer.com/produ...hos-xs1z3csek/ ; that one includes licenses for 3 years (TotalProtectPlus recommended), just budget for the license renewal after the third year. There are other similar makes/models.
Have you heard of Firewalla, are they any good? It looks like we'd be able to protect both sites for less than the cost of that Sophos and no ongoing licenses to shell out for either.
https://www.techradar.com/uk/reviews/firewalla It needs a mobile phone to work it, which is a bit odd, but seems reasonably spec'd so far as my untrained eye can tell at least.
Re: how to set up IT for a new SMB?
Quote:
Originally Posted by
ik9000
Have you heard of Firewalla, are they any good? It looks like we'd be able to protect both sites for less than the cost of that Sophos and no ongoing licenses to shell out for either.
https://www.techradar.com/uk/reviews/firewalla It needs a mobile phone to work it, which is a bit odd, but seems reasonably spec'd so far as my untrained eye can tell at least.
If you won't be publishing any internal web servers then you wouldn't need Web Server Protection, and if your email is in O365 then you wouldn't need the Email Protection; that would reduce you to EnterpriseProtect or EnterpriseProtect Plus (with Sandstorm). You would need to assess what functionality you need.
https://www.sophos.com/en-us/mediali...rewallflna.pdf
Don't forget the Sophos device is just an example. There are similar devices from other vendors such as Cisco, WatchGuard, Fortinet etc.
With regards to Firewalla, I am afraid I do not know enough about it to comment. I did some quick searching and the content filtering does not seem to be as comprehensive as other devices; Family Protect is simply using OpenDNS, but the software does seem to facilitate wildcard domain allows, which is essential for cloud resources. One other thing with Firewalla is the support arrangements, which seem to be purely community based; there is no telephone support or support SLAs, you should bear that in mind.
Apologies that I cannot be of more help.