
More network security for small business...Domain Server the answer?

InlineFive

Diamond Member
OK, a small business I am now working for (with six computers) needs more network security. Even though they have six computers they have a staff of about 40 (of the younger crowd). Now they are trying to find a solution to keep prying eyes out of important data. I am only familiar with P2P and I'm not sure how I could get the people who need to have access to this information to have their own account and everyone else be a guest, with ease for the users. Is a Windows Server 2003 Basic server the answer for this problem? Since I think it would be very inconvenient to set up a user account on all computers, not to mention having data strewn all over (being at least 15 users who need to get this data). 😕

Thank you for the input!

-Por

EDIT: How does licensing work for this? All clients use WinXP Pro. Do I need to purchase new licenses for them?
 
yes, some sort of domain in which you could enforce policies and user/group rights would be the answer.

windows 2k3 or samba are good choices.
 
Might want to also look into Small Business Server 2003. It comes with Win2k3 Server, Active Directory, VPN, and Exchange 2k3 server all in one package. The premium version also includes SQL and ISA server. It's easy to manage (lots of wizards) and fairly cheap for what you get. Of course the downside to this is it makes future expansion more difficult.
 
Originally posted by: groovin
yes, some sort of domain in which you could enforce policies and user/group rights would be the answer.

windows 2k3 or samba are good choices.

It would have to be Win 2k3 since I know SAMBA can't do all this stuff.

Originally posted by: mikecel79
Might want to also look into Small Business Server 2003. It comes with Win2k3 Server, Active Directory, VPN, and Exchange 2k3 server all in one package. The premium version also includes SQL and ISA server. It's easy to manage (lots of wizards) and fairly cheap for what you get. Of course the downside to this is it makes future expansion more difficult.

How is future expansion more difficult with this? And I have been reading in a manual and it seems like Active Directory could be a potentially useful feature. However we have no need for VPN as of right now (unless Managers want to work at home 😉) but it's good to know that it's there.

For VPN does it have to be plugged directly into the WAN and not into a router? Can it firewall itself?

-Por

EDIT: I just found out about the Windows 2k3 Server Trial for download. Would there be a drastic difference between Small Business and Enterprise?
 
How is future expansion more difficult with this?
Future expansion becomes more difficult because SBS has a limit of 75 CALs on it. Also you can't add another SBS server into your domain. The first SBS server is your one and only domain controller for AD.

For VPN does it have to be plugged directly into the WAN and not into a router? Can it firewall itself?
The premium version of SBS includes ISA server which is a firewall. You can also configure your router to forward the correct VPN ports to your SBS machine.
 
Originally posted by: mikecel79
How is future expansion more difficult with this?
Future expansion becomes more difficult because SBS has a limit of 75 CALs on it. Also you can't add another SBS server into your domain. The first SBS server is your one and only domain controller for AD.

For VPN does it have to be plugged directly into the WAN and not into a router? Can it firewall itself?
The premium version of SBS includes ISA server which is a firewall. You can also configure your router to forward the correct VPN ports to your SBS machine.

I see. Thanks for the clarification. I'm downloading a trial (only 28 hours to go...:clock: ) which I will install on a segment of my home network to experiment with.

-Por
 
Originally posted by: mikecel79
How is future expansion more difficult with this?
Future expansion becomes more difficult because SBS has a limit of 75 CALs on it. Also you can't add another SBS server into your domain. The first SBS server is your one and only domain controller for AD.

For VPN does it have to be plugged directly into the WAN and not into a router? Can it firewall itself?
The premium version of SBS includes ISA server which is a firewall. You can also configure your router to forward the correct VPN ports to your SBS machine.

Sorry, another question. Will a domain server work properly plugged into a standard router (with clients attached to router also) with the router controlling the WAN? Will I need special hardware? And if I wanted net filtering I can set up a DNS server, no?

-Por
 
You can add other servers to your SBS domain if you want more DCs (or just member servers). The only restriction is that you can't have more than one SBS machine.
 
Sounds like you should go out and buy Minasi's Mastering Windows 2003 Server before your installation. It'll make a difference if you can do it right the first time. If you're *good*, then you'll take the opportunity to do things like make sure regular backups are done (and stored off-site) and ensure all data is stored to the server so it's backed up (think redirect Desktop, My Documents, and the Application Data folders to point to the server when you build user accounts). Maybe experiment a bit with RIS so that automated deployments of a standard desktop can be done...

I did this with a client with 22 desktop machines and lots of down-time. Since moving to AD and deploying a standard desktop, trouble calls are now like once every 2 months. I'd be pissed if they weren't on a service contract. 🙂

I'd also recommend *against* SBS -- it's non-standard, and little things like tweaking Exchange won't work on SBS the way it does on the real version of the application. I'd just stick with standard Server instead.
 
Originally posted by: Southerner
Sounds like you should go out and buy Minasi's Mastering Windows 2003 Server before your installation. It'll make a difference if you can do it right the first time. If you're *good*, then you'll take the opportunity to do things like make sure regular backups are done (and stored off-site) and ensure all data is stored to the server so it's backed up (think redirect Desktop, My Documents, and the Application Data folders to point to the server when you build user accounts). Maybe experiment a bit with RIS so that automated deployments of a standard desktop can be done...

I did this with a client with 22 desktop machines and lots of down-time. Since moving to AD and deploying a standard desktop, trouble calls are now like once every 2 months. I'd be pissed if they weren't on a service contract. 🙂

I'd also recommend *against* SBS -- it's non-standard, and little things like tweaking Exchange won't work on SBS the way it does on the real version of the application. I'd just stick with standard Server instead.

I was actually planning on getting RIS setup once everything else is working. 🙂 Another newbie question, what does Exchange do? I know what VPN does and they don't need that right now. And I think Active Directory would be a bit useless for six computers, one server and about eight printers. 🙂 Or maybe I am wrong there.

-Por
 
Originally posted by: Sianath
You can add other servers to your SBS domain if you want more DCs (or just member servers). The only restriction is that you can't have more than one SBS machine.

You're right. I knew you could add member servers but I didn't know about DCs. But I believe you will need Win2k CALs also to cover if you were hitting the other servers. I don't think your SBS licenses will cover authenticated access to another Win2k server.
 
I'd also recommend *against* SBS -- it's non-standard, and little things like tweaking Exchange won't work on SBS the way it does on the real version of the application. I'd just stick with standard Server instead.
How is it non-standard? It includes Windows, Exchange, SQL, and ISA. All are standard Microsoft applications. It does work slightly differently but 95% of what applies to Exchange and Windows applies to SBS. For a small company (like the one mentioned) it's MUCH cheaper to go with SBS than buying all of them separately.
 
I was actually planning on getting RIS setup once everything else is working. Another newbie question, what does Exchange do? I know what VPN does and they don't need that right now. And I think Active Directory would be a bit useless for six computers, one server and about eight printers. Or maybe I am wrong there.

Exchange is Microsoft's E-mail and Collaboration platform. Read more about it here.

For 15 users over 6 computers it's worth it to me. It makes sharing files and printers between users and machines much easier. Also users can roam between machines without worrying if their user account is set up on a machine or if the passwords match on each machine.
 
U really don't want to run an AD 2k3 domain with only 1 domain controller anyway. Altho 6 clients is pretty small, I would still want another DC just in case. Spread the roles out a bit.
 
Originally posted by: mboy
U really don't want to run an AD 2k3 domain with only 1 domain controller anyway. Altho 6 clients is pretty small, I would still want another DC just in case. Spread the roles out a bit.
Having another DC is always good and always recommended for disaster recovery. However in an environment this small a good backup strategy will probably do as well if they can afford the few hours downtime it would take to restore.

In a lab I have seen a single Win2k DC running on a PIII 866 with 512MB able to handle 300+ client connections easily. And this was with Exchange installed in the domain.
 
Originally posted by: mikecel79
Originally posted by: mboy
U really don't want to run an AD 2k3 domain with only 1 domain controller anyway. Altho 6 clients is pretty small, I would still want another DC just in case. Spread the roles out a bit.
Having another DC is always good and always recommended for disaster recovery. However in an environment this small a good backup strategy will probably do as well if they can afford the few hours downtime it would take to restore.

In a lab I have seen a single Win2k DC running on a PIII 866 with 512MB able to handle 300+ client connections easily. And this was with Exchange installed in the domain.

This would prove useful. They have an old P3 500MHz with 256MB of memory laying around that might do the trick. However depending on how resource intensive the OS is in terms of HDD space I might need to upgrade the 10GB hard disk. For at least a dozen users and a guest account how much HD space would I need? And having space for RIS would be excellent too. In terms of backup what is the easiest route?

And the more that I look at it it seems that Active Directory is the way to go in terms of file security.

-Por
 
This would prove useful. They have an old P3 500MHz with 256MB of memory laying around that might do the trick. However depending on how resource intensive the OS is in terms of HDD space I might need to upgrade the 10GB hard disk. For at least a dozen users and a guest account how much HD space would I need? And having space for RIS would be excellent too. In terms of backup what is the easiest route?

That would be fine to run AD on for such a small company. However I would look into something with more redundancy than that. Maybe something with dual PSUs and at least RAID 1. 10GB would be more than enough for the OS and AD. The AD database would be under 50MB.

As for backup I would go with some sort of tape drive attached to the machine. Get something like a SDLT drive that can do a full backup one night and incrementals for the week all on a single tape.
 
Originally posted by: mikecel79
This would prove useful. They have an old P3 500MHz with 256MB of memory laying around that might do the trick. However depending on how resource intensive the OS is in terms of HDD space I might need to upgrade the 10GB hard disk. For at least a dozen users and a guest account how much HD space would I need? And having space for RIS would be excellent too. In terms of backup what is the easiest route?

That would be fine to run AD on for such a small company. However I would look into something with more redundancy than that. Maybe something with dual PSUs and at least RAID 1. 10GB would be more than enough for the OS and AD. The AD database would be under 50MB.

As for backup I would go with some sort of tape drive attached to the machine. Get something like a SDLT drive that can do a full backup one night and incrementals for the week all on a single tape.


Any good (cheaper) servers out there that can meet this specification? And we already have a Seagate Travan TapeStor drive and a 20GB tape in one computer. Paired with some backup software would this be adequate?

-Por
 
Originally posted by: PorBleemo
Originally posted by: mikecel79
This would prove useful. They have an old P3 500MHz with 256MB of memory laying around that might do the trick. However depending on how resource intensive the OS is in terms of HDD space I might need to upgrade the 10GB hard disk. For at least a dozen users and a guest account how much HD space would I need? And having space for RIS would be excellent too. In terms of backup what is the easiest route?

That would be fine to run AD on for such a small company. However I would look into something with more redundancy than that. Maybe something with dual PSUs and at least RAID 1. 10GB would be more than enough for the OS and AD. The AD database would be under 50MB.

As for backup I would go with some sort of tape drive attached to the machine. Get something like a SDLT drive that can do a full backup one night and incrementals for the week all on a single tape.


Any good (cheaper) servers out there that can meet this specification? And we already have a Seagate Travan TapeStor drive and a 20GB tape in one computer. Paired with some backup software would this be adequate?

-Por

just mirror the drives in the OS, that's fine... for a small company I don't feel redundant power supplies are all that necessary, just have an extra on hand to swap with if the first one dies. Get a UPS too ;-)

as far as backup, that drive should be fine, but you should have a standard tape rotation and multiple tapes. Probably about 20 tapes for a 1 year rotation.... historical backups are very important.
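
One rotation that comes out at exactly 20 tapes for a year, as an added example that is not part of the thread: it assumes a grandfather-father-son scheme (incrementals Monday to Thursday, a full backup every Friday, the last Friday of each month kept as the monthly tape). The tape labels and function names are made up for illustration.

```python
import calendar
from datetime import date, timedelta

FRIDAY = 4                                # date.weekday(): Monday=0 ... Sunday=6
DAY_NAMES = ["Mon", "Tue", "Wed", "Thu"]  # the four daily (incremental) tapes


def tape_for(d):
    """Return the (hypothetical) label of the tape to load on date d.

    Mon-Thu: incremental on a daily tape that is overwritten every week.
    Friday:  full backup; the last Friday of a month goes to that month's
             tape (kept for a year), other Fridays to weekly tapes W1..W4.
    Weekend: no backup, returns None.
    """
    wd = d.weekday()
    if wd > FRIDAY:
        return None
    if wd < FRIDAY:
        return "D-" + DAY_NAMES[wd]
    days_in_month = calendar.monthrange(d.year, d.month)[1]
    if d.day + 7 > days_in_month:         # no later Friday in this month
        return "M-%02d" % d.month
    return "W%d" % ((d.day - 1) // 7 + 1)


def tapes_used(year):
    """Set of distinct tape labels the scheme needs over one calendar year."""
    labels = set()
    d = date(year, 1, 1)
    while d.year == year:
        label = tape_for(d)
        if label:
            labels.add(label)
        d += timedelta(days=1)
    return labels


def restore_chain(d):
    """Tapes to load, in order, to restore the state as of the end of date d:
    the most recent Friday full backup, then every incremental after it."""
    full_day = d
    while full_day.weekday() != FRIDAY:
        full_day -= timedelta(days=1)
    chain = [tape_for(full_day)]
    cur = full_day + timedelta(days=1)
    while cur <= d:
        label = tape_for(cur)
        if label:
            chain.append(label)
        cur += timedelta(days=1)
    return chain


if __name__ == "__main__":
    print(len(tapes_used(2004)), "tapes:", sorted(tapes_used(2004)))
    print("restore Wed 2004-01-07 from:", restore_chain(date(2004, 1, 7)))
```

The restore chain is the part to rehearse: a mid-week restore needs the Friday full tape plus each daily tape written since, so one unreadable tape in the chain limits how far forward the restore can go.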

 
Originally posted by: Abzstrak
Originally posted by: PorBleemo
Originally posted by: mikecel79
This would prove useful. They have an old P3 500MHz with 256MB of memory laying around that might do the trick. However depending on how resource intensive the OS is in terms of HDD space I might need to upgrade the 10GB hard disk. For at least a dozen users and a guest account how much HD space would I need? And having space for RIS would be excellent too. In terms of backup what is the easiest route?

That would be fine to run AD on for such a small company. However I would look into something with more redundancy than that. Maybe something with dual PSUs and at least RAID 1. 10GB would be more than enough for the OS and AD. The AD database would be under 50MB.

As for backup I would go with some sort of tape drive attached to the machine. Get something like a SDLT drive that can do a full backup one night and incrementals for the week all on a single tape.


Any good (cheaper) servers out there that can meet this specification? And we already have a Seagate Travan TapeStor drive and a 20GB tape in one computer. Paired with some backup software would this be adequate?

-Por

just mirror the drives in the OS, that's fine... for a small company I don't feel redundant power supplies are all that necessary, just have an extra on hand to swap with if the first one dies. Get a UPS too ;-)

as far as backup, that drive should be fine, but you should have a standard tape rotation and multiple tapes. Probably about 20 tapes for a 1 year rotation.... historical backups are very important.

So would either two IDE hard drives in RAID-1 or one SCSI be better? And is Veritas BackupExecutive enough?

-Por
 
So would either two IDE hard drives in RAID-1 or one SCSI be better? And is Veritas BackupExecutive enough?

-Por

Drives are unimportant, just know that SCSI's will probably last longer before failure, and are faster.... but they cost a lot more. Whichever you decide on, make sure that you at least mirror them.

Also, backup software is not important other than you need to know how to use it and be able to use it for disaster recovery. You do NOT want to be learning how to restore things properly during an emergency. As long as you can use it and it's reliable, that's all that matters. The backup built in to win2k/win2k3 is enough for most people.
 
just mirror the drives in the OS, that's fine... for a small company I don't feel redundant power supplies are all that necessary, just have an extra on hand to swap with if the first one dies. Get a UPS too ;-)
Problem with mirroring the drives in the OS under Windows is that it does not mirror the boot sector of the drive. Mirroring in Windows is only good for data drives. A hardware RAID solution would be needed to mirror the boot sector.

As for not getting redundant PSUs look at it this way. The server you store your files on PSU just died. You have a client that you need to get a proposal out to ASAP but you can't get to the files now because the server is dead. Does the average user have the know-how to swap a PSU? Can they wait a few hours or days for you to get there and do it? Not likely. Is their customer going to want to hear excuses that your server is down? Nope. I know I wouldn't.

See my point? Redundancy is key to keeping your systems up and running.
 
Originally posted by: mikecel79
just mirror the drives in the OS, that's fine... for a small company I don't feel redundant power supplies are all that necessary, just have an extra on hand to swap with if the first one dies. Get a UPS too ;-)
Problem with mirroring the drives in the OS under Windows is that it does not mirror the boot sector of the drive. Mirroring in Windows is only good for data drives. A hardware RAID solution would be needed to mirror the boot sector.

As for not getting redundant PSUs look at it this way. The server you store your files on PSU just died. You have a client that you need to get a proposal out to ASAP but you can't get to the files now because the server is dead. Does the average user have the know-how to swap a PSU? Can they wait a few hours or days for you to get there and do it? Not likely. Is their customer going to want to hear excuses that your server is down? Nope. I know I wouldn't.

See my point? Redundancy is key to keeping your systems up and running.

I agree 1,000 percent (that is why I included mad redundancy on my new ERP server @ work).
A good admin could get around your scenario and have access to those files within 10mn, but why should one have to go thru that?

 
Originally posted by: mikecel79
just mirror the drives in the OS, that's fine... for a small company I don't feel redundant power supplies are all that necessary, just have an extra on hand to swap with if the first one dies. Get a UPS too ;-)
Problem with mirroring the drives in the OS under Windows is that it does not mirror the boot sector of the drive. Mirroring in Windows is only good for data drives. A hardware RAID solution would be needed to mirror the boot sector.

As for not getting redundant PSUs look at it this way. The server you store your files on PSU just died. You have a client that you need to get a proposal out to ASAP but you can't get to the files now because the server is dead. Does the average user have the know-how to swap a PSU? Can they wait a few hours or days for you to get there and do it? Not likely. Is their customer going to want to hear excuses that your server is down? Nope. I know I wouldn't.

See my point? Redundancy is key to keeping your systems up and running.


we're talking about a network of 6 computers. I wasn't speaking of response time, if it's a down server it better be 60 minutes or less for anyone. The point in what I was saying is that for a small company with few computers, software mirroring and a single power supply are fine. Who cares if it doesn't mirror the boot partition? that takes 5 minutes at most to fix. a dead power supply? 10 minutes at most... The point is that the data is being protected against permanent loss, not temporary. You should always explain all the options to the client, but in this case I'd still recommend only software mirroring and a single power supply as the most cost effective solution.
 