Bryley Basics: Current PC configuration for office use

Recommended configuration

We recommend brand-name PCs (HP is our preference, but Dell is also a US-based company with good products) with Intel processors and these minimum features:

  • 8 GB (or more) of RAM
  • A 250 GB (or larger) fixed-disk drive
  • DisplayPort video with two monitors

We typically deploy Windows 8.1 (or downgrade to Windows 7 upon request), but Windows 10 is slated to be released this summer.  Microsoft Office 2013 is the current version; Microsoft Office 2016 will be available in late 2015.

Favored options

We like these options:

  • SSDs (Solid State Drives) – SSDs are memory-only drives with no moving parts, which makes them durable and fast. They speed up the boot process and work well for those who store large files.  Though they have dropped in price, they still add about $100 to the price of most PCs, but pay off for high-end users.  (We don’t always quote these because of their higher price, but the boot-up speed is significantly faster.)
  • Ultrabook – An Ultrabook is a thin, light, durable, high-end sub-notebook with reasonable battery life. Combined with a docking station, it’s a great, mobile alternative to a desktop computer.  Due to their sleek physique, most do not have internal DVD drives and have few external ports.

Most of our staff have an Ultrabook with a docking station, which works well for the field technicians and account executives.  Many of our newer PCs have SSD drives.

PC Refresh Schedule:  We recommend developing a PC-refresh schedule, one that meets the budget and objectives of the organization.  For example: Bryley Systems replaces at least one PC each quarter, which gives us a maximum replacement-PC cycle of about four and a half years for our 18 employees.

Recommended Practices: Licensing Microsoft professional software

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

Microsoft software licenses can be categorized by their function:

  • User-oriented applications – Microsoft Office, Visio, Project, etc.
  • Operating systems – Windows, Windows Server, Windows Mobile, etc.
  • Server-based applications – Exchange Server, SQL Server, SharePoint, etc.
  • Access to server-based apps – Client Access Licenses (CALs); user or device

Microsoft offers these methods for purchasing licenses from outside vendors, arrayed from least expensive to most expensive:

  • Original Equipment Manufacturer (OEM)
  • Open Volume Programs (OVPs)
  • Fully Packaged Product (FPP)

Original Equipment Manufacturer

OEM is sold preinstalled on a hardware device, like a PC or a server.  It is a non-transferable license that must be retired when decommissioning the hardware device.  For example:  Most Original Equipment Manufacturers (Dell, HP, etc.) provide OEM Windows 8.1 licensing with their new PCs; these licenses end when the PC is retired or no longer functional.

Open Volume Programs

OVPs are volume-purchase options for transferable licenses that can be either perpetual or subscription-based.  (A perpetual license lives forever, but does not include version upgrades; subscription-based licenses provide version upgrades, but require periodic payment.)  Open Volume Programs include:

  • Open Business – For-profit, commercially oriented companies
  • Open Government – Local, state, and federal agencies
  • Open Charity – Non-profit, charitable organizations
  • Open Value – Subscription-based licensing

OVPs require an initial, minimum purchase of five licenses to establish an Open Volume license agreement; these agreements have a two- or three-year term.  With a valid Open Volume license agreement, additional licenses may be purchased in any quantity during the agreement term.

Fully Packaged Product

FPP (also known as Retail) comes packaged with documentation and installation media and is transferable.  Many small organizations purchase FPP licenses at their local retailer or online to enable licensing for Microsoft Office and similar products.

Licensing rules

Basic rules-of-thumb:

  • Purchase one server and one server-application license for each server, whether virtual or physical.
  • Purchase one CAL for each user or device that accesses the corresponding server application. For example:  Microsoft Exchange Server requires one Exchange Standard CAL for each user.
  • All new-installation licenses must be Full, rather than Upgrade, licenses; less-expensive Upgrade licenses can only be used to update existing Full
  • When transferring an FPP or OVP license, it must first be removed from the former platform before being installed onto the new platform.

Some exceptions to these rules:

  • One Windows Server Data Center edition license permits the licensing of unlimited, virtual Windows Servers on one physical host.
  • SQL Server Enterprise and SQL Server Standard can be licensed by processor core, rather than by CAL, for mission-critical applications.
  • One Exchange Enterprise Add-on CAL also requires one Exchange Standard CAL; however, not all users require an Exchange Enterprise Add-on CAL.

Licensing validation

Some validation guidelines:

  • OEMs should affix both a Genuine Microsoft Label (with hologram) and a Certificate of Authenticity (COA) that identifies the product and its license number to each PC with Microsoft Windows and to each server with Microsoft Windows Server.
  • Valid OEM and FPP packages always ship with a Genuine Microsoft Label and a COA; valid media DVDs should have an identifying hologram.

Check licensing validity at Microsoft’s How to tell website.

Licensing recommendations

Our recommendations:

  • The licensing method selected should match the needs and financial requirements of the purchasing party. For details, see Microsoft’s Software Asset Management.
  • Purchase Microsoft licenses only from a trusted, Microsoft Certified Partner.
  • Avoid any licensing deals that look too good to be true; they probably are.

Second consecutive year on MSPmentor® 501: 2015 Global Edition – Worldwide

March 26, 2015:  Bryley Systems Inc. ranks 462 on Nine Lives Media’s eighth-annual MSPmentor 501: 2015 Global Edition – Worldwide Company Rankings, a distinguished list and report identifying the world’s top 501 Managed IT Service Providers.  (Managed IT Service Providers, or MSPs, provide their clients with outsourced IT management and functions, typically at a predetermined cost.)

Gavin Livingstone, President of Bryley Systems Inc., said: “We are thrilled and honored to be recognized, for the second year in a row, as one of the top 501 Managed IT Service Providers in the world!  All of the credit belongs to the Bryley team; a dedicated group of long-term employees who work together to meet the IT needs of our clients.  Our motto is Dependable IT at a Predictable Cost.”

Bryley Systems continues to grow: Welcomes George Butler to Service Team

Mr. Butler has over 20 years of experience in IT infrastructure support, most recently as a Systems-Network Engineer for Baesis, Inc. of Northborough, MA. He holds an MSMgt (Applied Management) from Lesley University, Cambridge, MA and a BSBA from Nathaniel Hawthorne College, Antrim, NH.

Bryley Basics: Apps to scan business cards into your smartphone

Melissa J. Perenson of ComputerWorld recently updated her review of seven apps in the article: “Tired of losing business cards?  With these apps, your smartphone can do the heavy lifting.”

Business-card apps scan a business card via your smartphone’s camera; once scanned, the image is converted into text and then placed into the appropriate fields within a contact manager.  These apps are generally available for both Google Android-based and Apple iOS-based smartphones.

Of the seven tested, these were preferred:

  • ABBYY Business Card Reader – Free version and $9.99 full version
  • CamCard – Free version and full version from $2.99 to $11.99
  • WorldCard Mobile – Free version and $6.99 full version

CamCard’s free version worked well, but all others required the paid, full version to offer meaningful capability; it was also Ms. Perenson’s top choice.

Honorable mentions were given to ABBYY (easiest to navigate with the most accurate scans) and WorldCard (which provides international support with seven on-board languages).  Both were considered good, but not quite as good as CamCard.

Recommended practices – Part-7: Resource management via Active Directory

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

Active Directory is an integral component of Microsoft Windows Server; it is a powerful utility to manage both end-users and shared resources on a network.

It can scale to match the needs of any organization, from small to Enterprise size.

User management via Active Directory was discussed in January 2015 Bryley Tips and Information at http://www.Bryley.com/Bryley-Tips-Information-January-2015/. Resource management is reviewed below.

Resources (servers, computers, folders, printers, scanners, etc.) should be located strategically to provide capabilities where needed.  They can be set up to support either groups of computers (i.e., all counter-based PCs in a retail store) or groups of users (i.e., all tellers at a specific branch office of a bank).

Resources are published within Active Directory to assign access.  For example, these are the basic steps to publish a new printer for a group of computers:

  • Create a new Group Policy within the appropriate Container*
  • Select the desired Computer Configuration settings
  • Set up Location Tracking (as needed)

*Active Directory uses Containers to provide segmentation and organizational structure; Containers are usually Forest, Tree, Sites, Organizational Units, or Domains.

If you prefer to set up access for a group of users rather than a group of computers, you would select User Configuration rather than Computer Configuration when publishing a resource.
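The three steps above, carried out from PowerShell on a domain controller or a workstation with the RSAT GroupPolicy and ActiveDirectory modules. This is an added example, not a Bryley script; the domain name, OU path, GPO name and the registry value used for location tracking are assumptions (the location-tracking value should be confirmed against the Group Policy editor before use), and the printer connection itself is still added through the Print Management console, which has no cmdlet in the GroupPolicy module.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain  = 'corp.example.com'                                        # placeholder domain
$ouPath  = 'OU=Counter-PCs,OU=Store-01,DC=corp,DC=example,DC=com'    # placeholder Container (an OU)
$gpoName = 'Store-01 Counter Printers'                               # placeholder GPO name

# Step 1: create the Group Policy object (reuse it if a previous run already created it).
$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Domain $domain -Comment 'Printers for the retail counter PCs'
}

# Step 2: choose Computer Configuration. Disabling the user half makes the policy
# follow the PC rather than whoever logs on; for a user-based deployment you would
# set 'ComputerSettingsDisabled' instead.
$gpo.GpoStatus = 'UserSettingsDisabled'

# Step 3 (as needed): location tracking, so printer searches are pre-filled with the
# computer's physical location. Assumed registry value behind the
# "Pre-populate printer search location text" policy; verify in the GP editor.
Set-GPRegistryValue -Name $gpoName -Domain $domain `
    -Key 'HKLM\Software\Policies\Microsoft\Windows NT\Printers' `
    -ValueName 'PhysicalLocationSupport' -Type DWord -Value 1 | Out-Null

# Link the GPO to the Container holding the counter PCs, unless it is already linked.
$linked = (Get-GPInheritance -Target $ouPath -Domain $domain).GpoLinks |
          Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Domain $domain -Target $ouPath -LinkEnabled Yes | Out-Null
}

# Review what was built before the printers are added in Print Management.
Get-GPOReport -Name $gpoName -Domain $domain -ReportType Html -Path ".\$gpoName.html"
```

Because the link is at the OU level, a PC that is moved out of the Counter-PCs OU stops receiving the printers at its next policy refresh, which is the behaviour you want when a till is retired or repurposed.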

Once published, resources within Active Directory need periodic attention to adjust access as needs change and to remove decommissioned resources.

Active Directory has a well-established set of best practices; these can be enforced through the Active Directory Best Practices Analyzer, which identifies and reports deviations from best practices.

William R. Stanek provides an overview of Active Directory features and capabilities in his article Using Active Directory Service from Chapter 5 of the Microsoft Windows 2000 Administrator’s Pocket Consultant.

Recommended practices – Part-6: Manage end-users via Active Directory

This is a multi-part series on recommended IT practices for organizations and their end-users. Additional parts will be included in upcoming newsletters.

End-users and their equipment (PCs, tablets, mobile devices) need access to network resources (servers, printers, scanners, etc.); basically, a network administrator connects the end-users with the appropriate resources while matching that access to the needs of the organization.

For example, Human Resources would typically be granted access to sensitive, employee information stored on a server, while the shipping department would be denied this privilege. And, since Human Resources has this access, they would be held to higher security standards designed to protect this information.

One could create an account within each resource mapped to the end-user device, but a more practical solution would be to use a network-wide tool to manage these accounts and their relationships: Active Directory, included within Windows Server, is a robust, rules-driven set of services and processes to facilitate one-site login and to enforce desired behavior. (Visit Wikipedia’s write-up on Active Directory.)

Methods within Active Directory to manage end-users include:

  • Enforce password use and complexity
  • Require periodic password changes
  • Lock screen after time-out
  • Restrict access
  • Grouping

Enforce password use and complexity

Passwords should be required for all end-users, regardless of their function.

A password’s complexity is also important:  A password should have a minimum length of at least nine characters and should have a mix of characters (numeric, upper and lower-case alphabetic, and at least one special character like $, #, @, etc.) that are not easily guessed.  (Please see “Simple Passwords = Disaster” in the January 2013 edition of Bryley Tips and Information.)

Require periodic password changes

Passwords become stale and should be changed periodically to discourage theft.  (We require password changes every 90 days.)  When changed, the end-user should be forced to enter a new, unique password rather than recycle an old one.

Lock screen after time-out

Computer screens are easily viewed by passing employees; highly sensitive employee data might be in open view when a payroll administrator leaves their desk.  To alleviate this, many organizations define a time-out period, after which a computer screen is forced to lock and requires a password to unlock.
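The first three methods (required complex passwords of at least nine characters, a 90-day change with no recycling, and a locked screen after a time-out) as one PowerShell script. This is an added example rather than Bryley's own configuration: the domain name, OU path and GPO name are placeholders, and the password-history depth, the one-day minimum password age and the ten-minute lock time-out are assumed values, since the text gives only the nine-character and 90-day figures.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = 'corp.example.com'                              # placeholder domain
$ouPath = 'OU=Staff,DC=corp,DC=example,DC=com'            # placeholder container for end-user accounts

# --- Enforce password use and complexity; require periodic password changes ---
# The default domain policy applies to every account, so a blank password or a
# password without the required mix is refused at the point it is set.
$passwordPolicy = @{
    Identity             = $domain
    ComplexityEnabled    = $true                          # upper, lower, numeric and special characters
    MinPasswordLength    = 9                              # nine characters, per the text
    MaxPasswordAge       = New-TimeSpan -Days 90          # forced change every 90 days, per the text
    MinPasswordAge       = New-TimeSpan -Days 1           # assumed: blocks changing back the same day
    PasswordHistoryCount = 24                             # assumed: number of old passwords remembered
}
Set-ADDefaultDomainPasswordPolicy @passwordPolicy

# Read the policy back so the change can be recorded in the change log.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, MinPasswordAge, PasswordHistoryCount

# --- Lock screen after time-out ---
# The three values below are the registry policies behind "Enable screen saver",
# "Password protect the screen saver" and "Screen saver timeout" under
# User Configuration > Administrative Templates > Control Panel > Personalization.
$gpoName = 'Workstation Screen Lock'                      # placeholder GPO name
$key     = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

if (-not (Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Domain $domain -Comment 'Lock idle screens' | Out-Null
}
Set-GPRegistryValue -Name $gpoName -Domain $domain -Key $key -ValueName 'ScreenSaveActive'    -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $gpoName -Domain $domain -Key $key -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $gpoName -Domain $domain -Key $key -ValueName 'ScreenSaveTimeOut'   -Type String -Value '600' | Out-Null  # 600 s = 10 min, assumed

# Link the GPO to the container holding the staff accounts (user-side policy).
$linked = (Get-GPInheritance -Target $ouPath -Domain $domain).GpoLinks |
          Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Domain $domain -Target $ouPath -LinkEnabled Yes | Out-Null
}
```

Because the screen-lock values live under HKCU\Software\Policies, an end-user cannot switch the screen saver back off from Control Panel; the policy re-applies at the next refresh even if they try.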

Restrict access

Network resources are available to all, 24 hours a day, seven days a week.  However, you might not want to enable 24-hour access to all employees and you might want to limit access to specific folders by granting one of these access rights:

  • Read – Allow access to a file
  • Change – Permit adding, modifying, and removing a file
  • Full Control – Change permissions settings in a file
  • Deny – Override all other access settings to prevent access

Read, Change, and Full Control work on a “most permissive” basis.  For example, all users may have Read access to a policy document, and the Human Resources group is granted Change access.  Since one of the groups they are a part of is granted Change access, Human Resources personnel can modify the policy document or replace it with a new one.

Deny works differently than the others, since a Deny overrides all other permissions to prevent access. Inexperienced administrators often use Deny improperly – setting Deny on payroll data for users, for example, and preventing everyone from accessing the payroll data – including the Payroll group, whose Change permission is ignored because they are a member of a group that has Deny set.  (We use Deny sparingly, since there must be a separate group for users who should not have access.)

Preventing access in Windows is achieved by removing the default Read right granted to users.

Grouping

Grouping also simplifies management; rather than manage end-users separately, group them by function, department, division, or organization to enable specific privileges across a group.
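Putting the Restrict access and Grouping sections together: the script below creates function-based security groups, grants the policy folder on a "most permissive" basis (everyone reads, Human Resources changes), and protects the payroll folder by removing the default Read right rather than adding a Deny, which is the distinction the text draws. It is an added example, not Bryley's own tooling; the domain name, group names, OU path, share paths and the placeholder account are assumptions.

```powershell
Import-Module ActiveDirectory

$dom           = 'CORP'                                    # placeholder NetBIOS domain name
$groupOu       = 'OU=Groups,DC=corp,DC=example,DC=com'     # placeholder container for groups
$policyFolder  = 'D:\Shares\Policies'                      # placeholder: company policy documents
$payrollFolder = 'D:\Shares\Payroll'                       # placeholder: sensitive payroll data

# --- Grouping: grant rights to groups, never to individual accounts ---
foreach ($name in 'HR-Staff', 'Payroll-Staff') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $groupOu
    }
}
Add-ADGroupMember -Identity 'HR-Staff'      -Members 'jdoe'     # placeholder account
Add-ADGroupMember -Identity 'Payroll-Staff' -Members 'asmith'   # placeholder account

# Builds an inheritable NTFS rule. 'Read' in the text maps to ReadAndExecute,
# 'Change' to Modify, and 'Full Control' to FullControl.
function New-FolderRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', $Type)
}

# Replaces whatever a folder inherited with an explicit, known set of Allow rules.
function Set-FolderAccess {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)            # stop inheriting and drop the inherited rules
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

function Show-FolderAccess {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}

# --- Policy documents: everyone reads, Human Resources changes ---
# "Most permissive" wins: an HR member is in both Domain Users (Read) and HR-Staff
# (Change), so the Change right applies to them.
Set-FolderAccess -Path $policyFolder -Rules @(
    (New-FolderRule 'NT AUTHORITY\SYSTEM'     'FullControl'),
    (New-FolderRule 'BUILTIN\Administrators'  'FullControl'),
    (New-FolderRule "$dom\Domain Users"       'ReadAndExecute'),
    (New-FolderRule "$dom\HR-Staff"           'Modify')
)

# --- Payroll data: only the Payroll group and administrators ---
# No Deny rule at all. A Deny for Domain Users would also hit Payroll-Staff, since
# every Payroll member is a Domain User too; instead the default Read for users is
# simply not granted, so anyone outside the listed groups has no access.
Set-FolderAccess -Path $payrollFolder -Rules @(
    (New-FolderRule 'NT AUTHORITY\SYSTEM'     'FullControl'),
    (New-FolderRule 'BUILTIN\Administrators'  'FullControl'),
    (New-FolderRule "$dom\Payroll-Staff"      'Modify')
)

Show-FolderAccess -Path $policyFolder
Show-FolderAccess -Path $payrollFolder
```

Re-running Show-FolderAccess after any change is the check worth keeping: every entry should be a named group with IsInherited False, and the absence of any Deny line on the payroll folder is exactly what makes the Payroll group's Change right effective.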

Bryley Basics: Scammer YGDNS.org

We received a seemingly legitimate email from YGDNS.org professing to square-away the ownership use of our domains, Bryley.com and Bryley.net, in China; the email was marked “urgent” and came with a person’s name, business address, etc.

I queried Mike Carlson, our CTO, who gave this reply:  “No serious problems, but certainly a scam. If you reply you will be offered the opportunity to register the domains along with other overpriced services.

Google search of “ygdns.org.cn” finds a couple well-written articles that indicate that this ygdns group has been doing this for a while, and if you respond take the extra step of calling. The calls are of the type “This needs to be fixed today!”; hoping to get a “yes” from whomever answers the phone by stressing the perceived urgency.

Note the fact that it was sent…with “Please forward… …this is urgent” line. Any legitimate registrar conducting a legally or procedurally required inquiry would send the request directly to you, to me, or our shared network operations mailbox. These are the publicly-available addresses associated with the bryley.com and bryley.net registrations. I’ve checked my mailbox, junk mail folder, and done the same on the network operations mailbox. Nothing from this company.”

So, we did not respond to any inquiries from YGDNS.org and advise the same to all.

Merchants should get ready for EMV credit cards in 2015

The aging, magnetic-stripe credit cards are being replaced by EMV, a new standard with an embedded microchip that stores encoded user credentials with an optional PIN.  These two capabilities combine to reduce fraud by making EMV cards harder to clone and more difficult to use if stolen.

However, retailers and other merchants will need to upgrade credit-card processing hardware to comply with EMV.  Plus, validation and payment approval occur in separate, consecutive steps, which may require rewrites to existing Point-of-Sale (PoS) software.

Other considerations for retailers and merchants:

  • Cards are dipped, rather than swiped, which slows the process
  • EMV-processing applications/certifications take time; apply early
  • PINs can enhance security, but at the cost of being slower to process
  • Training staff will be necessary for high-volume, credit-card processors

After October 15, 2015, many credit-card issuers (MasterCard, VISA, etc.) will not cover fraudulent issues generated with non-EMV cards; a not-so-subtle statement on complying with the EMV standard in 2015.

Recommended practices – Part-5: Software updates and patching

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

In general, software manufacturers update their products for these reasons:

  • Resolve problems
  • Fix vulnerabilities
  • Make easier to use
  • Provide new features

The first two are of significant concern, particularly with operating systems (Microsoft Windows, Google DROID, Apple iOS, etc.) and with commonly used applications like Microsoft Office, Adobe Reader, etc.

Many operating-system manufacturers, especially those with large user populations (Microsoft, Google, Apple), release patches to address problems and security concerns.  These patches are typically small applications that either replace a portion of the operating system or update specific components (files) of the operating system.

Unfortunately, particularly with Microsoft Windows, patches that resolve an issue can often lead to unforeseen and unintended consequences; some patches actually designed to fix one area can break things in a different area.  Also, security updates are often time-sensitive; once released, it is important to apply them promptly.

Like operating systems, many popular applications require occasional updating.  Applications are typically not updated as often as operating systems, but their patching can be critical to fix vulnerabilities.

The IT department or IT-outsourcing partner (i.e.:  Bryley Systems) of many organizations typically performs patch management with the objective “…to create a consistently configured environment that is secure against known vulnerabilities in operating system and application software.”2  These groups perform their patching in a cyclic fashion, often taking these steps:

  • Verify that the patch has a reasonable purpose in the environment,
  • Investigate its stability and usefulness by checking user forums,
  • Delay (if needed) deployment to ensure wide-spread acceptance,
  • Test it in the environment before deploying, and
  • Deploy and then validate this rollout.

If a rollout fails, procedures are in place to roll back the operating system or application to its pre-patched state.  Periodic auditing and assessment is useful to ensure that the process is current and appropriate; audits should also identify systems that are not in compliance with the organization’s patching standards.
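The validate-and-audit end of the cycle described above, as an added PowerShell example (not a Bryley script and not a substitute for the RMM tools named below): given this month's approved updates, it reports which computers are missing any of them and which could not be reached at all. The computer names and KB identifiers are placeholders; the Get-HotFix cmdlet sees only updates installed through Windows Update or WUSA, so application patches need their own check.

```powershell
# Pilot machines first; the wider fleet is added once the pilot validates cleanly.
$computers  = 'PC-PILOT-01', 'PC-PILOT-02', 'PC-SALES-07'     # placeholder computer names
$requiredKb = 'KB0000001', 'KB0000002'                         # placeholder ids from the approved list

function Get-PatchCompliance {
    param(
        [string[]]$ComputerName,
        [string[]]$RequiredKb
    )
    foreach ($computer in $ComputerName) {
        try {
            # HotFixID is the "KBnnnnnnn" string for each installed update.
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                         Select-Object -ExpandProperty HotFixID
            $missing = @($RequiredKb | Where-Object { $_ -notin $installed })
            [pscustomobject]@{
                Computer  = $computer
                Reachable = $true
                Missing   = ($missing -join ', ')
                Compliant = ($missing.Count -eq 0)
            }
        }
        catch {
            # An unreachable machine is reported, not silently skipped: it is
            # the one most likely to have been missed by the deployment too.
            [pscustomobject]@{
                Computer  = $computer
                Reachable = $false
                Missing   = '(unknown: ' + $_.Exception.Message + ')'
                Compliant = $false
            }
        }
    }
}

$report = Get-PatchCompliance -ComputerName $computers -RequiredKb $requiredKb
$report | Format-Table -AutoSize

# Keep the audit trail; non-compliant rows go back to the deploy step,
# unreachable rows become tickets.
$stamp = Get-Date -Format 'yyyyMMdd'
$report | Export-Csv -Path ".\patch-compliance-$stamp.csv" -NoTypeInformation
$report | Where-Object { -not $_.Compliant } | Select-Object Computer, Reachable, Missing
```

Running the same function against the pilot group before the wider rollout, and against everything after it, gives the "deploy and then validate" step a concrete pass/fail record rather than an assumption that the RMM job completed.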

Often, a Remote Monitoring and Management (RMM) tool – GFI, LabTech, Kaseya – or a patch-management tool – PatchLink, SolarWinds, Tivoli – is used to automate and centrally manage the process:  These tools permit the timely, managed deployment of patches and updates to groups of computers.

Notes:

2 Quote taken from the article by Jason Chan of PatchManagement.org, “Essentials of Patch Management Policy and Practice”; the full article is an excellent, in-depth treatise on this subject.

Other resources: