
Your Results

Needs Immediate Attention

Missing Firewall

Explanation: Your firewall is the first line of defense for your business. This device can distinguish between good and bad traffic and block the bad traffic before it ever reaches your network.


Without a firewall, anyone is allowed inside your business.


Action Steps: Obviously, purchase and deploy a firewall. Some suggestions include the Cisco ASA (most advanced), SonicWall TZ (being somewhat tech-savvy is required), and the Cisco Meraki (most user friendly, but requires an annual subscription).


Things to Consider: If you can find a firewall that features IDS/IPS (Intrusion Detection/Prevention System) or DPI (Deep Packet Inspection), it would exponentially increase the effectiveness of your firewall. These are next-generation technologies that give the firewall the ability to go beyond traditional block/allow conditions and apply logic to traffic that isn’t clearly defined as “bad” or “good”.

Missing Anti-Virus

Explanation: The need for an anti-virus in today's environment goes without saying. However, debate remains on whether servers should have an anti-virus/anti-malware product installed on them. Historically, installing A/V software on a server usually led to more problems than it solved. The A/V software would remove files it shouldn't, interfere with line-of-business applications, and so on. Today, with real-time scanning driven by AI and cloud-based algorithms, this is largely a non-issue.


Action Steps: Purchase an anti-virus! Preferably one that markets compatibility with servers to avoid issues. Here at ITA we use WebRoot and have been rather happy with their performance, price, and support. In years past we used and would also feel comfortable recommending them as well. We changed to WebRoot due to their ability to offer a management console that suited our workflow of supporting multiple clients and locations.


Things to Consider: Make sure to consult any of your software providers for exclusions that should be added prior to installing the anti-virus product. Likewise, if you run Hyper-V you should look at this article for a list of exclusions you should add when installing an anti-virus product on a Hyper-V server.

No Backup Solution

Explanation: Nearly 1 in every 2 small businesses that experience a significant data loss will not reopen their doors. Backing up critical data is essential, yet many businesses neglect this task. Even worse, many small businesses will set up backups and then never touch them again for years, until the day they are needed. This is another recipe for disaster. Backups need constant attention to ensure reliability.


Action Steps: If you're on an extremely tight budget, you can install the "Windows Server Backup" role and perform full system backups without spending a dime. However, purchase a solution such as Acronis as soon as possible. You'll have much more consistent success and gain access to features such as "Application Aware Backups" that allow you to restore SQL databases, mailboxes, and Active Directory objects without restoring the entire server.

No Disaster Recovery Solution

Explanation: It is not enough to simply have backups of your data sitting on a drive somewhere in your office. If your building burns down, a broken pipe floods the server room, or someone breaks in and steals your server, you’re left in a very difficult situation. A disaster recovery solution ensures your data is securely backed up offsite in addition to your local backups.


Action Steps: The “poor man’s” version is simply rotating two external HDDs between your office and perhaps your home. This often results in backups being a week or more old offsite and most small businesses would not survive losing a week’s worth of data. The best approach is to pay a service such as Acronis to perform cloud backups of your data.

No Business Continuity Solution

Explanation: Some small businesses have local backups of their data, fewer have the data also backed up offsite. Never have I personally seen a small business have a business continuity solution, so you’re not alone. Business continuity means if your building burns to the ground and you lose your server, you can activate a cloud-hosted server and have people working the next day.


Some small business owners will say they would have bigger issues to contend with if the building burned to the ground than getting people back to work the next day. If this is you, then perhaps a business continuity solution isn’t necessary. However, if your customer service representatives being unable to answer phones for a week would mean the end of your product, you need to invest in a business continuity solution.


Action Steps: Business continuity can usually be provided by the same vendor that provides your backup or disaster recovery solution. In our case, we also use Acronis to provide business continuity to our clients. There are several vendors who provide this service, and we would recommend you get a demo from three separate companies to evaluate who may best suit your needs.


Things to Consider: If you do end up implementing a business continuity solution, most of the time you are required to have some type of VPN to that vendor's datacenter. Make sure you work through how this would be accomplished by remote workers using their company or personal laptops. Likewise, make sure you test your business continuity solution at least once a quarter. Too often we have seen the cloud servers have a problem simply turning on in an emergency.

Windows Updates Are Not Automated

Explanation: Security patches are a basic part of IT maintenance. Microsoft frequently, and often in haste, releases security patches to fix security vulnerabilities. Automating this process is a necessity to ensure updates labeled as critical security fixes are installed immediately, so your business does not become the victim of an attack.


Action Steps: There are several Windows patching software programs available, easily found with a simple search on Google. We can't offer any specific recommendations because the solution ITA uses is an in-house product we developed ourselves. We can, however, advise that whatever solution you choose should have automatic reporting on the overall success of patches, automatic alerting if a critical update fails, and the ability to postpone major updates that are known to cause problems on the day of their release.

Auto-Run / Auto-Play Feature is Not Disabled

Explanation: Auto-Play and Auto-Run are two features that try to make the user experience better by automatically opening and playing media on USB flash drives when they are plugged into a computer. While Microsoft had good intentions, this feature was immediately exploited by hackers and infected USB drives will easily compromise your entire network.


Action Steps: Fortunately, this is easy to fix. On Windows 10 devices, open your settings. Search for ‘AutoPlay Settings’ in the search bar. Toggle the option for ‘AutoPlay for all media and devices’ to off.


If you’d like to do this at the group policy level for your entire organization, use this group policy:


Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies > Turn Off AutoPlay


Change the policy from “Not Configured” to “Enabled” and set the drop-down to “All Drives”.
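
To confirm the policy actually reached a machine, the script below (an added example, not part of the original page) reads NoDriveTypeAutoRun, the registry value the Turn Off AutoPlay policy writes, and decodes which drive types it covers. The helper name Get-AutoRunCoverage and the output layout are this example's own.

```powershell
# Added example: audit the effect of the "Turn Off AutoPlay" policy.
# The policy is stored as a bitmask named NoDriveTypeAutoRun; "All Drives" writes 0xFF.
# Get-AutoRunCoverage is a hypothetical helper name used only in this example.

$DriveTypeBits = [ordered]@{
    'Unknown type'    = 0x01
    'Removable (USB)' = 0x04
    'Fixed disk'      = 0x08
    'Network drive'   = 0x10
    'CD/DVD'          = 0x20
    'RAM disk'        = 0x40
}

function Get-AutoRunCoverage {
    param([Parameter(Mandatory)][int]$Mask)
    # One row per drive type: is the bit for that type set in the mask?
    foreach ($entry in $DriveTypeBits.GetEnumerator()) {
        [pscustomobject]@{
            DriveType       = $entry.Key
            AutoRunDisabled = [bool]($Mask -band $entry.Value)
        }
    }
}

# Computer policy is written under HKLM, user policy under HKCU.
$paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
         'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

foreach ($path in $paths) {
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning "$path : NoDriveTypeAutoRun is not set (policy not applied here)"
        continue
    }
    $mask = [int]$item.NoDriveTypeAutoRun
    '{0} : 0x{1:X2}' -f $path, $mask
    Get-AutoRunCoverage -Mask $mask | Format-Table -AutoSize
    if ($mask -ne 0xFF) {
        Write-Warning 'Value is not 0xFF, so AutoPlay is still active for some drive types'
    }
}
```

Run it after `gpupdate /force` on a workstation in scope of the GPO; a value of 0xFF under HKLM matches the “All Drives” setting.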

Needs Prompt Attention

MFA Not Deployed

Explanation: The day has arrived where a password is simply not enough. Multi-Factor Authentication is something we all need to implement wherever possible. Setting aside all the bad habits users exhibit (I’m looking at that sticky note you have taped to your monitor), MFA is needed simply due to the frequency and, quite frankly, the ease of cracking passwords on nearly any platform, not just Microsoft Windows. MFA is the only thing that will exponentially decrease the chance of an account breach, so much so that it would be highly unlikely for any small business with MFA implemented to ever suffer from a compromised account.


Action Steps: I’m not going to lie, implementing MFA is a complex topic. The design alone requires quite a bit of thought and planning. Which methods will be used? SMS text verification, email verification, biometric? If you choose SMS text verification, what happens if a user forgets their phone at home? After the design is complete, you’ll have to choose a vendor who provides MFA services. ITA uses Microsoft Azure AD exclusively for our clients, and we have been rather happy with its flexibility and user experience.


Ultimately, it is highly recommended you contact an IT Consultant to help you implement MFA.

Weak Password Complexity Requirements

Explanation: If MFA is not implemented in the environment, strong password requirements are a must to prevent accounts from being compromised regularly. While impractical, Microsoft’s new baseline is a minimum of 14 characters, changed every 3 months, that cannot be one of the last 10 passwords used and must contain at least a lowercase character, an uppercase character, and a symbol and/or special character.


Action Steps: You can easily enforce these requirements using group policy if your small business has a domain controller. All these policies can be found under:


Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy


Things to Consider: You may also want to implement our Password Construction Guidelines in your employee handbook. You can download that policy by clicking here.

No Account Login Threshold / Lockout Policy

Explanation: Without a policy that locks an account after a set number of wrong password attempts, hackers can use brute force attacks to crack the account’s password. Ideally, accounts should lock after a maximum of 5 invalid password attempts for a 2-minute duration. After those 2 minutes the account automatically unlocks.


Action Steps: Fortunately, this is an easy problem to remedy. Simply configure the following group policy with the desired number of invalid sign-in attempts and how long you want the account to be locked:


Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
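
Once the Password Policy and Account Lockout Policy settings above are in place, the script below (an added example, not part of the original page) reads the effective default domain policy and compares it with the figures quoted in this article. It assumes the ActiveDirectory module from RSAT, reads "every 3 months" as 90 days, and counts a lockout longer than 2 minutes as meeting the 2-minute figure.

```powershell
# Added example: compare the default domain password and lockout policy with the
# figures quoted in this article. Requires the ActiveDirectory module (RSAT).
# Assumptions: "every 3 months" = 90 days; a lockout of 2 minutes or longer passes.
Import-Module ActiveDirectory
$p = Get-ADDefaultDomainPasswordPolicy

$results = @(
    [pscustomobject]@{ Setting = 'Minimum password length'; Target = '14 or more'
        Actual = $p.MinPasswordLength
        Pass   = ($p.MinPasswordLength -ge 14) }
    # A maximum age of 0 means passwords never expire.
    [pscustomobject]@{ Setting = 'Maximum password age (days)'; Target = '1 to 90'
        Actual = $p.MaxPasswordAge.TotalDays
        Pass   = ($p.MaxPasswordAge.TotalDays -gt 0 -and $p.MaxPasswordAge.TotalDays -le 90) }
    [pscustomobject]@{ Setting = 'Password history'; Target = '10 or more'
        Actual = $p.PasswordHistoryCount
        Pass   = ($p.PasswordHistoryCount -ge 10) }
    [pscustomobject]@{ Setting = 'Complexity enabled'; Target = 'True'
        Actual = $p.ComplexityEnabled
        Pass   = [bool]$p.ComplexityEnabled }
    # A threshold of 0 means accounts never lock out.
    [pscustomobject]@{ Setting = 'Lockout threshold'; Target = '1 to 5 attempts'
        Actual = $p.LockoutThreshold
        Pass   = ($p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 5) }
    [pscustomobject]@{ Setting = 'Lockout duration (minutes)'; Target = '2 or more'
        Actual = $p.LockoutDuration.TotalMinutes
        Pass   = ($p.LockoutDuration.TotalMinutes -ge 2) }
)

$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} setting(s) below the article's figures: {1}" -f
        $failed.Count, ($failed.Setting -join ', '))
}

# Fine-grained password policies override the default for the users and groups
# they target, so list them as well to see who is exempt from the default.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```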

Missing Windows Firewall Configurations

Explanation: Too often employees are told to turn off the Windows Firewall for troubleshooting purposes. While not ideal, turning it off temporarily isn’t the real issue. The real threat is the firewall not being turned back on after the problem is resolved. We have commonly seen servers that have had their firewall turned off for months, only to find out someone didn’t turn it back on when the server got infected.


Thus, it is recommended that the Windows Firewall is forced on through group policy so employees must go through proper channels to have it turned off. Likewise, it is recommended to force the default action for incoming connections.


Action Steps: Configure the following GPO settings in your environment to force the Windows Firewall to be on for all three network profiles and block incoming connections by default.


Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security


Set the Domain Profile, Private Profile, and Public Profile to ‘On’.


Set the “Inbound connections” to “Block (default)” for the Domain Profile, Private Profile, and Public Profile.
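
The check below (an added example, not part of the original page) reports, for each of the three profiles, whether the firewall is on and blocking inbound connections, and whether that state is forced by Group Policy or only set locally. The column names are this example's own; the ActiveStore and RSOP policy stores are standard options of Get-NetFirewallProfile.

```powershell
# Added example: verify the Windows Firewall state described above.
# ActiveStore = the effective settings on this machine right now.
# RSOP        = only what Group Policy has delivered to this machine.
$active = Get-NetFirewallProfile -PolicyStore ActiveStore
$gpo    = Get-NetFirewallProfile -PolicyStore RSOP

$report = foreach ($fw in $active) {
    $fromGpo = $gpo | Where-Object Name -eq $fw.Name
    [pscustomobject]@{
        Profile        = $fw.Name
        Enabled        = $fw.Enabled
        InboundDefault = $fw.DefaultInboundAction
        # True only when the GPO itself sets both values, so a local change cannot undo them.
        ForcedByGpo    = ($fromGpo.Enabled -eq 'True') -and
                         ($fromGpo.DefaultInboundAction -eq 'Block')
        Compliant      = ($fw.Enabled -eq 'True') -and
                         ($fw.DefaultInboundAction -eq 'Block')
    }
}

$report | Format-Table -AutoSize

foreach ($row in $report) {
    if (-not $row.Compliant) {
        Write-Warning "$($row.Profile) profile: firewall is off or does not block inbound by default"
    }
    elseif (-not $row.ForcedByGpo) {
        Write-Warning "$($row.Profile) profile: compliant, but only by local setting; it can be switched off locally"
    }
}
```

A profile that is compliant but not forced by GPO is exactly the case the explanation above warns about: it is protected today and can be left off after the next troubleshooting session.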

Missing Anti-Virus Configurations

Explanation: Installing an anti-virus and then forgetting about it is a mistake. Too often an anti-virus will classify line-of-business applications as threats. Likewise, several Windows Server roles have a list of exclusions that must be added to the anti-virus software to run properly.


Additionally, the settings of the anti-virus software should be inaccessible to users. Too often users are incorrectly told to turn off or disable the anti-virus software for troubleshooting purposes. The problem is that once the issue is fixed, the anti-virus software often isn’t turned back on, and now you have an unprotected workstation.


Action Steps: Speak with each of your software vendors and ask for the anti-virus exclusion list. Add each of these exclusions to your anti-virus software.


Take an inventory of all server roles and look up their anti-virus exclusion list. For example here is the list of exclusions for the Hyper-V server role.

No Automatic Event Auditing / Alerting

Explanation: Many issues, everything from hardware failure to security breaches, can be prevented by simply auditing your server’s event logs. Auditing separates the important logs from the mundane ones, whereas alerting compiles that information and sends you a report on the things you need to review. Both elements are crucial for the proper health and security of a server environment.


Action Steps: Research and implement a third-party software solution to perform event log auditing and alerting. A good place to start would be SolarWinds Event Manager. SolarWinds also has plenty of other crucial tools, such as network monitoring, which will consolidate the number of vendors and software products you need to run your IT infrastructure.

Idle Sessions Do Not Automatically Lock

Explanation: Often a controversial topic, returning workstations to the login screen after they have been idle for a set time is crucial for many reasons. First is security: no user should be able to sit behind the boss’ desk while she is out for lunch and use her computer. Likewise, without this crucial policy it is next to impossible to convince a court that any single employee performed an action on their workstation. That employee will easily take the defense that it could have been anyone, because their workstation was open for anyone to use.


Action Steps: Decide on how long a workstation should be idle before returning to the login screen. We find that 15 minutes has worked best for our clients. Then set the following group policy:


Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon: Machine inactivity limit

Passed

Password Hardening

MFA Enabled
Password Complexity Requirements
Account Login Threshold and Lockout

Third-Party Security

Anti-Virus Enabled
Anti-Virus Configured Correctly
Windows Firewall Enabled
Windows Firewall Configured Correctly

Backup & Disaster Recovery

Full System Backups
Disaster Recovery Backups
Business Continuity Backups

Misc. Windows Settings

Automated Patching
Automated Event Auditing
Automated Event Alerting
Auto-Run and Auto-Play Disabled
Idle Session Lockout

Contact

(469) 608-1018
sales@ita.guru

Service Area

Dallas, Fort Worth, Irving, Frisco, Plano, Arlington, Addison, Richardson, and the surrounding areas.
