IT Solutions for Small Business

Our goal is to make your company more profitable (however you measure profitability), by providing cost-effective IT solutions to many of your organization's fundamental challenges. Allora partners provide technical solutions for small to mid-sized businesses of virtually every type: from office environments, to manufacturing facilities, to retail storefronts. Our IT solutions are refined by many years of practical application in the real world; they are flexible, yet reliable.


The positive effects of computer networking on employee productivity, critical data retention, and overall savings on IT budget are well established throughout industry. Allora builds reliable computer networks, based on any combination of Windows, Macintosh, and Unix/Linux devices.


Email is also an indispensable business technology, both within an organization, and as an economical and effective method of reaching customers. Websites, if nothing else, are cheap advertising; but a well-designed web application can qualitatively change your company's operations. Allora provides a full-featured set of hosting solutions for email, websites and webapps.


Allora can also integrate your telephone system with your network or web presence, either to inform you about your callers, or simply to save money on long distance. We also provide cloud IT solutions via hosted Small Business Servers.

Articles

As part of our company philosophy we encourage our customers to learn more about IT infrastructure by reading the following informative articles - saving you time and money:

One of the most unpleasant and fairly frequent problems for a PC user is losing data for one of these reasons:
  • accidental deletion
  • a glitch of an Operating System
  • virus infection (cryptolocker)
  • hard drive error
Recovery of deleted or damaged files can be done through several routes:

Most natural and obvious path: recovery from a Backup

The only drawback here is a potential time gap between the last backup and the last modification of a deleted file in need of recovery. Quite often recent modifications are lost, so the user must repeat a certain amount of work. Even if it's only an hour, this can be very frustrating.

Windows’ previous versions tool

This utility first appeared with the Windows Vista release. It's not always enabled out of the box, though. To ensure that it's active, a user should go through a few simple steps. Here's a screen-cast for Windows 7. Other operating systems work similarly. Please note that this functionality does consume a certain portion of your hard drive for storing shadow copies of your data. Unlike a backup, it offers a much better chance of catching the latest version of a missing file.

Cloud synchronization of data folders

If you're working online and the folder with the missing file is synced with a cloud service such as Google Drive or Dropbox, then it's just a matter of logging in to that service via a web browser and restoring the file through a dedicated interface ("Manage versions" under G-Drive, for instance). There's a slim chance that the latest modification didn't complete its synchronization prior to deletion because of slow bandwidth and/or large file size.

Recovery of deleted files with 3rd party utilities

Here we discuss a scenario where none of the proactive steps mentioned above were taken, or where they wouldn't deliver the latest version of a deleted file.

Thanks to the very structure of a hard drive and its file system, it is possible to restore a freshly deleted file. Each file consists of a set of zeros and ones which are written in certain mapped areas of a hard drive. When you delete a file, the system marks the file as deleted in its catalog, but the data itself is left intact until another file is assigned that space and its data overwrites the previous zeros and ones. This is very important to understand because each event of writing data increases the risk of overwriting the data that belonged to an accidentally deleted file. Ideally no further activity should occur on the drive with a missing file. This is not very difficult if you have multiple partitions on the drive and the deleted file is NOT on the partition where the OS resides. If that's not the case, it's best to shut down your computer immediately. A hard shutdown would further improve the odds of keeping your data intact; however, it could easily damage the operating system itself, and therefore we can't advise this route. From here there are two options: extracting the hard drive and plugging it into another computer for recovery of deleted files, or loading a special recovery OS from a USB stick or CD.

There are many programs that can handle this job; here's a list of eighteen: https://www.lifewire.com/free-data-recovery-software-tools-2622893 We'll focus on Recuva by Piriform as the most user-friendly. We'd also mention the @Active products by L-Soft, which provides a variety of tools for backup and data recovery, including much more serious scenarios such as partition damage.

Once you load Recuva, it will offer a list of file types for recovery: video, images, music, archives or all files. If you remember the exact folder where the missing file resided, it will expedite the process considerably; otherwise the scan could take hours depending on the drive size and the number of files. Upon completion of scanning, Recuva displays a list of deleted files and their chances of recovery. If your file is marked green, then the file's data isn't damaged at all and its full recovery is guaranteed. Orange marks partially damaged data, and red is really bad news. At this stage the only recovery option left is sending the hard drive to a special center; however, the odds are still minuscule, as discussed here. Solid-state drive scenarios are even more complex.

Today we are reviewing Group Policy in Windows.  One thing to keep in mind is that if you are on a computer that is connected to a domain, then you need to be aware of how both Local and Domain settings are configured.  Configuring settings in both can have unintended consequences or conflicts, and so it’s best to manage as much from the domain level as possible.

Since we are focused on business environments with domains, we will be working with Group Policy on a test server with Active Directory installed and configured already.  To open the Group Policy Manager you can either select it from the Tools menu in the Server Manager, or by going to the Administrative Tools in the control panel.  For reference, if you need to access a system’s Local Policy you should open the Run command and type gpedit.msc

The first thing you might have noticed is that there are a number of objects created in addition to the defaults.  This is the best way to handle the organization of Group Policy.  If you just go in and edit the default template then you can end up forgetting where a particular setting was configured, and this can also complicate applying policies to multiple objects in different ways.  For example, if you want all domain admins to have specific drives mapped that users don’t have access to, then create separate objects for each and configure the settings accordingly.  Then you can assign the policies separately and very easily.  If you have remote access configured in some manner, don’t include this in the default or mapped drive configurations.  Create a separate object for that and apply it as needed.  This way you can easily locate specific settings any time you need to manage your domain.

So, let’s look at a few settings that should ALWAYS be configured as follows.  First, let’s create a Group Policy Object and call it “Global-Security.”  Make sure to link it properly for your configuration, but in a simple environment the default setting is best. Now right-click the object and choose Edit to open the Group Policy editor.

Drill down to the User Rights Assignment section, and you will see a setting called “Allow log on locally.”  Double-click it to open the editor, select “Enabled,” and add the built-in Administrators group and click “OK.”  Next, select “Deny log on locally” and add the Guest account and the Guests group.  This configuration adds a little extra security to your domain because you are explicitly excluding the Guest account’s log in permissions.

Next, choose Security Options on the left.  Look for the Administrator account status, double-click to open the editor, and set it to “Disabled.”  You should already have another account that is designated with the necessary privileges to manage your domains and servers, even if they aren’t the same account.  You should also first verify that none of the services running are using the Administrator account.  Locking down this account is a standard requirement for any level of security.  Next, do the same thing for the Guest account setting.

The last setting we’re going to cover is the UNC Hardened Access setting.  Microsoft released bulletin MS15-011 in February 2015 with instructions for configuring this policy that includes an explanation of the issue.  You can Google the bulletin number if you’re interested in learning more about it.  If you have a complex environment you should read the bulletin before doing this so that you understand the settings involved, but if you only have one server with a handful of workstations the following settings are the best choice.

Drill down on the left to the Network Provider section, and you will see the Hardened UNC Paths setting.  Double-click this to open the editor, and click Enable.  Scroll down so that you can see the Show button.  Click the Show button and enter in the Value Name field:

\\your domain name\*

In the Value field you need to enter three settings separated by a comma as follows:

RequireMutualAuthentication=1

RequireIntegrity=1

RequirePrivacy=1

Click OK twice to save the settings. 

The last thing we need to do is ensure that our settings won’t be ignored in the event of a conflict with other policies.  Close the Group Policy editor so that you are back at the Group Policy Manager.  Right-click the object you just configured and choose Enforce.  This will prevent any other policies that you configure from overwriting these settings during the boot and logon processes.
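One way to confirm on a workstation that the Hardened UNC Paths values entered above actually arrived with all three settings turned on. This is an added example, not part of the original article; the function names are hypothetical, `example.local` and the sample entries are constructed, and it assumes the policy is stored under the registry key shown in the code.

```powershell
# Added example: audit Hardened UNC Paths entries against the three settings
# the article recommends. Function names are hypothetical.
$RequiredFlags = 'RequireMutualAuthentication', 'RequireIntegrity', 'RequirePrivacy'

# Registry location where the Hardened UNC Paths policy is written (assumption
# stated in the lead-in; this is the location documented with MS15-011).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function ConvertFrom-HardenedPathValue {
    # Turn "Name=1, Name=0" into a hashtable; tolerates spaces and empty items.
    param([string]$Value)
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name.Trim()] = "$setting".Trim() }
    }
    return $flags
}

function Test-HardenedPath {
    # Report which of the three required settings are absent or not set to 1.
    param([string]$Path, [string]$Value)
    $flags   = ConvertFrom-HardenedPathValue $Value
    $missing = @($RequiredFlags | Where-Object { $flags[$_] -ne '1' })
    [pscustomobject]@{
        Path     = $Path
        Hardened = ($missing.Count -eq 0)
        Missing  = $missing -join ', '
    }
}

function Get-HardenedPathPolicy {
    # Read every value name (UNC path) and value (settings string) from the key.
    $result = @{}
    if (Test-Path $PolicyKey) {
        $key = Get-Item $PolicyKey
        foreach ($name in $key.GetValueNames()) { $result[$name] = $key.GetValue($name) }
    }
    return $result
}

# Constructed sample entries; 'example.local' is a placeholder domain name.
$sample = [ordered]@{
    '\\example.local\*'      = 'RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1'
    '\\example.local\share1' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\example.local\share2' = 'RequireMutualAuthentication=1,RequireIntegrity=1,RequirePrivacy=0'
}

# On a domain-joined machine, use the live policy instead:
#   $entries = Get-HardenedPathPolicy
$entries = $sample
$entries.GetEnumerator() |
    ForEach-Object { Test-HardenedPath -Path $_.Key -Value $_.Value } |
    Format-Table -AutoSize
```

An empty result from `Get-HardenedPathPolicy` means the policy has not reached that machine yet.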

Thank you for watching!  I hope this helps you better understand how to interact with Group Policy, and now that you’re familiar with this be sure to look through all the settings you can set.  Knowing how to use Group Policy properly will help you better manage your networks and keep them more secure.

Employees come, and employees go.  Turnover is a natural part of the business life-cycle.  But, choosing to let an employee go isn’t usually an easy decision, and the actual process of doing so is complicated.  There is paperwork to be done, taxes to be calculated and paid, company property may need to be returned, and the company’s security to preserve.  And with the onset of our digital world, there are a myriad of things that require your IT vendor(s) or staff to be focused on as part of this process.  This all adds up to a coordinated effort on the part of multiple people in multiple departments just to execute one decision made by one person.

First and foremost, this means that the IT department needs to be notified when an employee is terminated.  The situation will dictate when this notification is appropriate; sometimes it may be better to have the IT department on standby for further instructions while other times notification won’t be needed until after the employee is notified.  Either way, the IT department MUST be a part of the process to help preserve and protect company property and infrastructure.  When your IT department isn’t included you can end up with security holes in your infrastructure that could be accessed by a disgruntled employee, or you could lose valuable information if an employee deletes data from a computer or data store.

So, what does your IT department really need to be doing about an employee termination?  First, all access an employee had to company resources should be locked down.  This can be done by changing passwords or disabling user accounts, whichever is appropriate for the situation.  Second, preserving information should be paramount.  Computers may need to be imaged with a forensic tool such as FTK Imager (a free tool from AccessData), email accounts need to be backed up or archived in Exchange, and any cloud storage accounts need to be reviewed.  That last point may require gaining access to the account(s), which can be easy or difficult depending on how the employee set things up.  And, backing up computers may mean getting them back from the employee, which isn’t always easy if the situation is tense.  Third, email accounts need to be given to someone else in the company that can take over where the former employee left off.  This can be done by simply giving the current employee a way to access the email or an automated response can be set directing everyone to the new person.  In some cases, it may be best to delete the email account and create an alias under the new person, but only after backing up the old account first.  And last, the company needs to take steps to delegate responsibilities properly.  If this isn’t done sales could be lost or meetings could be missed, which leaves the company looking bad or worse.  This may not require the IT department to facilitate, but sometimes technical help is needed to get those in the company that pick up the responsibilities access to what they need out of the old employee’s files or accounts.

This is starting to sound like an awful lot of effort, but some steps may not be necessary every time.  For instance, forensic images take a long time to make.  It’s not something that requires a person’s full attention the entire time, but if there is any question about illegal activity or a future lawsuit over proper compensation and wages then preserving evidence will go a long way to helping the company through the ordeal.  However, this cannot be done after-the-fact, it can only be done at the time the employee first leaves.  Once someone else is using that computer the evidence is tainted and won’t carry as much weight, if any, during litigation.  But, if there isn’t any concern about future litigation or previous illegal activity then a forensic image may not be necessary.  And, most companies these days do a decent job of limiting their employees’ use of unapproved products and services, so things like random cloud accounts aren’t usually a big issue.

Ultimately it’s up to the person or people in charge to decide how to handle a given situation, but every company should have a standard set for how to deal with employee terminations, and in the world we live in this must include the IT department in the process.  Whatever procedures are decided upon should be well documented, and every manager or person with authority should know them and be able to reference a single standard template.  Without good policies and procedures in place that include the IT department a company could end up losing face in the eyes of their customers and partners or leaving itself open to an extensive amount of damage.

VPNs are becoming an integral part of operating almost every business in every industry in today’s fast-paced telecommuter world.  Whether the need is to connect all your branches to the home office’s resources or to allow your salesforce and project managers to access company resources remotely, a VPN is the way to keep everyone connected to your centralized resources.  So, what is a VPN?  How do you set up a VPN?  How do you choose the right configuration?  What options are available and why would one be better than another?  Read on to find out!

At its core a VPN is a tunnel through the internet from point A to point B that shields the data being sent and received from public access and scrutiny.  There are two basic types of VPNs, a Site-to-Site VPN and a Client/Server VPN.  A Site-to-Site VPN connects two or more separate physical locations, such as branches of a bank or retail chain, to the main internal network of a company such as the internal network at the headquarters of a company.  This allows everyone in a branch, while in the office, to access company resources that are housed at the headquarters as if they were physically at the headquarters location.  There are clear benefits to leveraging a VPN for this purpose.  Keeping data stored on centralized servers and allowing access through folder shares over a VPN allows for a more streamlined security system that is easier to manage, and backups are guaranteed to include the most important company data since the data is centralized on servers at the main office.  The drawback to a Site-to-Site VPN is that it only allows access to centralized company resources if the employees at the remote location are in the office.  Employees that travel constantly or work from home would not have access to the VPN-available resources.  A Client/Server VPN addresses the issue of traveling and remote individual workers.  This type of VPN allows individual users to connect to centralized company resources no matter where they are; all they need is an internet connection and their laptop or mobile device to be configured for the VPN.

Whether a VPN is configured for Site-to-Site and/or Client/Server functionality, there are a number of protocols to choose from.  These options include Internet Protocol Security (IPSec), Layer 2 Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), Secure Socket Tunneling Protocol (SSTP), and OpenVPN.  Off the bat, PPTP has been proven to be easily hacked and should NOT be used if at all possible.  IPSec uses existing internet protocols to establish a secure connection at both ends of the tunnel and encrypt the traffic.  L2TP creates a tunnel, but is usually combined with other protocols such as IPSec to secure the traffic over the tunnel.  SSTP utilizes Secure Sockets to establish the tunnel, and either SSL or TLS to secure the tunnel.  This is a newer option for Windows platforms only, and is usually preferred for its use of SSL/TLS certificates and the fact that port 443 is always open, so no additional ports need to be opened on a firewall to allow the VPN traffic through.  OpenVPN is an open-source design for establishing a free VPN server that uses SSL to secure the traffic.  This is done with SSL certificates that are either generated by an in-house CA server or with OpenSSL, which is included in the OpenVPN install.  Additionally, passwords can be set on top of the certificates to add an additional layer of authentication and security.

There are many hardware and/or software options available these days, ranging from free VPN server software such as OpenVPN to elaborate hardware/software systems such as Cisco’s various solutions.  So, why choose one over the others (what's the best free VPN?), and what’s involved in making that choice?  First, decide if a Site-to-Site or Client/Server VPN is what’s needed, or both.  Open-source and commercial solutions usually support both types of VPNs, and both have pitfalls in the learning curve, but look for one in each category that offers what your situation requires.  Being open-source, OpenVPN is a free VPN server, but you’re pretty much on your own if you need any help answering the question "How to set up VPN?".  Cisco requires investing in their hardware and software as well as client licenses for most devices to access the VPN.  The benefits of commercial solutions are the available tech support and the unified design, which can make implementation and management feel easier, even if it’s not.

If you choose to go with a commercial solution then you are done with the initial decisions, and should next start learning that particular platform in preparation for the design and implementation stages.  Choosing to go with the open-source OpenVPN is not the end of the decision making.  OpenVPN has been put out as a stand-alone software package that will run both ends of a VPN, and is compatible with many major platforms making it a great choice for homogenized and hybrid environments alike.  In addition, OpenVPN has been integrated into other software packages such as pfSense, Untangle, and IPFire, as well as hardware such as Netgate’s pfSense appliances and Ubiquiti’s EdgeMAX products.  We’ve not had any experience with Untangle or IPFire, but on paper both look similar to pfSense.  We found Ubiquiti’s EdgeMAX products to be very difficult and slow to configure.  Additionally, appliances tend to have less power under the hood, meaning this could get expensive for environments with high traffic volumes.  However, pfSense differs in that it offers an almost all-inclusive package for implementing and managing a network, including OpenVPN, and is much easier to set up than Ubiquiti’s or Cisco’s equipment.  What makes it even better is that you don’t even have to buy Netgate’s pfSense appliances.  You can round up a desktop computer, apply the pre-made pfSense image, and have far more processing power than most appliances and at a fraction of the cost.  If you’ve got an old desktop sitting in the corner it’s probably just right for the job, or for smaller jobs a Raspberry Pi can be had for around $50.  Just as commercial products are designed, pfSense is also scalable to an enterprise level making it a cost-effective and viable option for SMBs and large enterprises alike.

And with features like Active Directory integration and addons like Snort for intrusion detection and real-time traffic monitoring, pfSense is again a serious contender against commercial products like Cisco or Palo Alto’s monitored firewall services.

All-in-all, the choice of a free VPN server or a commercial system will come down to your budget, your need for 24/7 phone support, and in some cases vendor-restriction requirements.  If you’re in an environment that only accepts commercial products, then feel free to propose an open-source alternative but expect to be told: “No.”  For those that don’t have such restrictions, either leveraging OpenVPN on its own or integrated into pfSense is really worth serious consideration, no matter how small or large your environment is now or grows to be in the future.  And with pfSense being maintained and updated by a for-profit company, even the free versions are benefiting from more stable releases and timely patches that help keep your network safe as the years go by, and the user interface gets new features through version updates that streamline the management of your network.

As everyone now knows, securing a network is important.  Companies of every size and consumers alike have options for doing so, but for a long time securing a network was only an option for those that had significant resources to invest in such things.  As technologies have progressed decent security settings have become a standard set of features for every router and computer, but for small businesses this can seem like the limit of their budget.  Setting up robust firewalls or using monitoring services still requires a significant investment, and so most small businesses rely on the built-in firewalls and password options that come with their devices.  There are open source solutions like pfSense and commercial solutions like the ones offered by SonicWall and Zyxel.  So, which one should you choose?

First, it’s important to understand what open source really means.  In a standard business model companies make software and hardware, which costs money, with the end goal of making more money than they spent, i.e. profit.  That profit can end up in any number of places, but one that is important to the continued success of any company is to maintain the product through customer service, technical support, and maintenance and development.  This is the benefit of commercial solutions.  However, companies must protect their intellectual property, and so are not always willing to let others see some or all of the source code behind their software.  This can lead to slow development of features and patches, and with only so many developers working on a product detection of bugs and security flaws can be lacking.  Open source software is freely distributed, usually donations are accepted to help maintain the project, and anyone that wants to volunteer to work on something for that project can.  The benefits to open source are the reverse of commercial solutions, with faster updates and patching at the expense of little or no unified tech support.  There are usually message boards devoted to a project like an open source firewall, but this is not direct and dedicated tech support.

pfSense sports a robust feature set and can be configured simultaneously for DNS, DHCP, Routing, Firewall, VPN, High Availability, Load Balancing, Traffic Shaping, Captive Portal, UTM server, Intrusion Detection, Intrusion Prevention, Proxy server, and Web Content Filtering.  This means that anyone can have large-network security for only the cost of the hardware it runs on.  Second, the hardware requirements are quite low.  A pfSense server can be created from one of the old computers a small business usually has sitting in the closet.  A few low-cost upgrades might be in order such as RAM or dedicated network cards, but otherwise that old computer is ready to go as-is.  As an open source router, pfSense might seem like a great option but for the lack of tech support, but Netgate has closed the gap with their pfSense Gold package.  For $99 a year you can have tech support, access to ongoing resources and training videos, an actual manual, and a backup service for your pfSense instance(s).  That’s not a bad deal at all, and is well worth it for novices and experts alike.

Digging into the nuts and bolts, the configuration options are extensive.  The open source firewall options on pfSense can be configured for granular access control, and the VPN offers IPSEC or L2TP security and will even integrate with Windows Active Directory.  The intrusion detection and prevention offers standards like IP blacklisting and Snort-based packet analysis, and there is an emerging threats database that can be enabled.  The only drawback to the IDS/IPS is that while these are free addon packages, if you want the most current updates on-the-fly you will have to subscribe and pay for them.  The list of addon packages for pfSense is lengthy as well.  Categories include security, network management, monitoring, services, system, routing, and miscellaneous.  Most of these are self-explanatory, but services refers to adding functions that are not necessarily for networking, such as data backups or cron scheduling.  Miscellaneous packages are just that, and out of this category the Notes and Sarg packages are the most notable.

Since Netgate’s acquisition of the pfSense project, they have also started designing and selling their own hardware appliances with pfSense integrated on-chip.  Instead of buying a computer and having to deal with hardware maintenance and upgrades, you can buy whichever model suits your company’s needs and still get all of the features pfSense offers.  Also, included with the purchase of any model is a 1 year membership to pfSense Gold.  With prices starting at $150 for a passthrough box, this is a great option if you are implementing a new network or segment.  Some may find the lack of control over the hardware to be a drawback, while others will find these appliances to be a cheaper and easier way to implement routing and security.

On the commercial side of firewalls (pun intended), SonicWall, Zyxel, and Cisco all offer reasonably priced solutions for small businesses.  The Cisco ASA line has long been a standard for VPN and firewall routing, and the others offer much the same in terms of features.  You get the same basic features in any of these products:  firewall, VPN, routing (in some), and usually some basic logging functions.  The main issue is that while these products do a pretty good job of securing a network (if configured properly), they don’t usually offer the extensive configuration options or robust logging without spending a lot of money.  Prices for what a small business would need will range from $150-$500, which isn’t too bad.  Still, the Netgate products are just a better sell of price vs. features, and from a tech perspective having the more robust intrusion prevention and detection that pfSense offers is a must.  Most small businesses shouldn’t and won’t spend what it takes to get that from a commercial solution.

Having an open source option that has also been reasonably commercialized puts network security squarely in the hands of everyone.  Now there’s no reason that any small business should ever be able to use high costs or a lack of available options to excuse a lack of security.  And, if you still feel that an open source firewall isn’t the way to go, there are reasonably priced commercial solutions that will get the job done too.
© 2018 - Allora Consulting