Recommended Practices: Basic training for IT end users

/in , /by

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

End users receive the benefits of IT, but usually with some pain involved, which they are glad to share with the IT administrators and technicians.  Oftentimes, the pain comes from not knowing the correct way to do something or from enabling malware; these can be avoided (or at least reduced) through proper training.

Training is usually considered optional, but the increased emphasis on security and compliance, along with the potential gains from trained users that are comfortable and knowledgeable with their IT assets and systems, can provide significant return on investment.

Training can play a critical role in the satisfaction of end users and in the security of the computer network.  It can provide end users with the knowledge to safely browse the Internet, reject harmful emails, and avoid trouble.  It is also important to define appropriate-use policies and demonstrate how to enter timely data into information systems.

Training topics

Generally, IT-oriented training occurs in these areas:

  • End-user equipment
  • Network resources
  • Applications
  • Policy
  • Security

End-user equipment

End-users have a myriad of devices, ranging from desktop PCs to terminals, tablets and other mobile devices; some have specialized items like hand-held scanners or terminals tied to a specific application.

The fundamentals are important:

  • Simple maintenance (cooling, ventilation, etc.)
  • How to operate the user interface (touch display, special keyboard, etc.)
  • Basic usage at the operating-system (Windows, Android, iOS) level

Ergonomics should also be considered; ensure that the equipment is optimized to the user’s body in the placement of displays, keyboards, mouse, etc. and that ergonomically correct accessories (gel-based wrist pads, comfortable seating, etc.) are provided and aligned properly.  (See Ergonomics Made Simple from the May 2014 edition of Bryley Tips and Information.)

Network resources

Resources available to end-users should be identified and demonstrated:

  • Printer features (b&w/color options, duplexing, etc.), location, and use
  • Multi-Function Printer (MFP) functions (faxing, copying, scanning) and use
  • Server names, basic purpose, shared folders, and access privileges
  • Conference-room display and wireless keyboard/mouse
  • Login credentials to Wireless Access Points (WAPs)

Labeling these resources makes them easier for end-users to identify.

Applications

Software applications fit a variety of functions, including:

  • Productivity suites:
    • Microsoft Office
    • Google Apps
  • Organization-wide:
    • Customer Relationship Management ((CRM)
    • Professional Services Administration (PSA)
    • Enterprise Resource Planning (ERP)
  • Utilities:
    • PDF readers and writers
    • Password managers
    • File compression
    • Storage
    • Backup
  • Prevention:
    • Email protection
    • End-point security
    • Web filtering

(Software applications are discussed in the September 2013 through January 2014 editions of Bryley Tips and Information.)

Policy

Usage policies focus on the organization’s permissiveness (and lack thereof); they are designed to specify proper use and discourage improper behavior.

Most organizations have at least these IT-related policies:

  • Authorized use of computer network and its resources
  • Internet, email, and social media use and etiquette
  • Information Security Policy

Security

Security relies heavily on policies, training, and protective applications; the human element is the largest security risk in any organization.  Policies and training should encourage end-user behavior that minimizes security risks; protective applications help to enforce policies and to detect and remove problems when they occur.

Security training should include, at a minimum:

  • Anti-virus/anti-malware protection
  • Preventing phishing attacks
  • Password guidance
  • Safe web browsing

Many organizations will provide continuous training and reminders; some setup internal honeypots designed to lure end users into inappropriate behavior so that this behavior can be addressed and corrected.

Training process and related factors

The training process:

  • Set training goals
  • Assess end-user needs
  • Tailor the delivery methods
  • Create the training program
  • Scale the program to the audience

Trainers should factor in these items:

  • Budget training at the beginning of the project
  • Consider the needs and learning styles of the end-users
  • Marry the business context of the need to the IT training

References

Bryley Basics: How ransomware (Crypto Locker) makes backups more critical

/in , /by

Ransomware – usually Crypto Locker and its variants – is a form of cyber-malware based on encryption software that seeks payment (ransom) to undo the damage; when infected, the malware typically encrypts all data files, rendering them useless until the ransom is paid.  (Encryption software scrambles a files’ contents and creates an encryption key, essentially a code used to reverse the process.  Unless you have this key and the encryption software, the files remain unreadable.)

Hiawatha Bray of the Boston Globe recently reported a ransomware infection at the Tewksbury Police Department; after repeated attempts to decrypt, the Chief of Police paid the ransom.

Other than paying the ransom, which is risky and not recommended since it potentially makes you more of a target in the future, the only way to thwart ransomware is by restoring the corrupted files through a backup that was created before the infection.

A properly planned and implemented backup process is vital since data stored on a network server represents many hours of effort over time, making it impractical and usually impossible to recreate.  A properly functioning, multi-point-in-time backup is necessary to provide restoration under these and other scenarios:

  • A server fails
  • A file is deleted
  • A template is written over
  • An application upgrade fails and must be restored
  • A document is inadvertently changed and saved by a user

A backup should be a complete, recoverable copy of not just data, but the entire server/network environment.  It should have these properties:

  • Sequenced over many days
  • Complete image
  • Offsite storage

For information on backups, visit our Data-Backup Guidelines.

Recommended Practices: How to update technology

/in , /by

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

The psychological impact of an IT upgrade is significant:  Most employees are excited to receive new equipment (larger monitor, faster PC, better tablet), but often balk at a significant change – like introducing a new version of Microsoft Office – since their daily, tried-and-tested routines might shift, and not always for the better.  Also, these changes could impact their ability to get things done, even if for just a few hours during the cut-over.

In general, various groups involved might have different perspectives:

  • CEOs and C-level executives see IT as an influential asset that should increase operational efficiencies or provide a competitive advantage – either through data analytics or by enhancing the customer experience – but they don’t want the pace of technological change to inhibit growth.1
  • Professionals might be more willing to accept the changes (and the pain) that go with new technology, particularly if they see how these changes will help them succeed in their roles within the organization.
  • Middle management wants things to work the first time, every time. They are glad to have new equipment, but are concerned with keeping their direct reports functional and happy.
  • Office workers have the most to gain (or lose); some might be excited by the prospect of bigger-better-newer, but none want to lose what they had, whether it was an icon pointing to a specific file on their desktop or an older, label-printing application. To many, IT can be confusing and frustrating.
  • Line workers view technology primarily as a tool; when it is broken, replace it, but make sure the new one works the same as the old one or show me how to use the new one.

The strategic objectives of an organization also play a role in the process:

  • A growing organization will want improvement, but with a strong emphasis on planning to ensure that the direction taken is suitable, now, into the near future, and beyond.
  • A stable, slow-growing organization might focus more on replacement rather than on change, preferring to avoid the pain of a significant upgrade.

Typically, the management team develops the technology plan, either internally or with an IT partner like Bryley Systems. Needs filter up through the organization, typically during the budgeting process.  The implementation then filters down through the organization.

For technology planning and implementation, we recommend these steps:2

  • Define needs and requirements
  • Assess and select
  • Implement
  • Train

Define needs and requirements

Identify what you have before you decide what you need; a full inventory of all IT assets can remove the guesswork and point-out critical issues.  (We use Kaseya, our remote-monitoring-and-management tool, to inventory existing clients.  We also use Network Detective from Rapid File Tools to audit and assess new clients.)

Knowing what you need simplifies the decision and timing; having a good handle on where the organization is now and where it is going is critical, but also defining what constitutes success, and how to measure it, are important.

Consider these needs from the context of the different groups above; try to permit these groups to define their individual requirements within the overall plan.

Requirements can be as simple as counting new PCs or as complex as determining the best-fit solution to permit a quick recovery after a disaster.  Requirements should be recorded, categorized, prioritized, and then monetized.

Assess and select

We at Bryley Systems tend to err on the side of caution; we’re rarely early adopters and we don’t want to be far in front of the pack, but we do try to keep up with the well-tested tools and hardware that will improve our efficiency, particularly when this technology impacts our clients.

We also favor these technology-selection principles:

  • Business-grade (rather than consumer-class) equipment and software,
  • Well-known, USA-based manufacturers with time-tested credentials,
  • Available updates and ongoing support, and
  • Green and ergonomic (where appropriate).

Price should not be the overriding selection factor; a long-term investment should consider all impactful areas, including:

  • Going Green
  • Length of service

Going Green

In technology, going Green is mostly about reducing energy consumption:

  • Virtualization techniques can cut energy costs by efficiently using on-premise servers to house multiple platforms, both for server-based applications and for end-user access.
  • Tablets, Ultrabooks, and small-footprint PCs with SSD drives consume less electricity than traditional PCs with internal fans and moving parts.
  • Inkjet printers use significantly less energy than laser printers.

However, other Green factors can also apply:

  • Printers that print two-sided (duplex), reduce costs and paper use.
  • Multi-purpose printers that fax, copy, and scan increase efficiency.
  • Fewer components, each with higher value, simplify recycling.

Length of Service

Most technology decisions have a span of three to five years; newer, virtualized platforms and Cloud-based options can be significantly longer.  Due to the rapid pace of change, planning horizons are typically only a few years, but consideration should be given to the longer term.

Implement

Implementations work best with planning and preparation; knowing what to expect and being prepared to deal with anomalies can shorten deployment time and minimize user disruption.

A solid, reliable series of backups should be completed and verified before starting.

We try to schedule our automated deployments to occur overnight or over the weekend, often arriving early the next business day to sort-out any issues.

Train

Often overlooked and usually under-budgeted, training should be considered, particularly when deploying a software change that introduces a new interface to the end-users.

Training often occurs during implementation, usually by the implementer showing the end-user what is new.  However, pre-implementation training on any new technology platform will facilitate a successful transition.

For large-scale deployments of new technology, we recommend initial group sessions followed by refresher courses for those greatly impacted.

Sources:

  1. Dennis McCafferty of CIO Insight What CEOs expect from IT investment on 4/17/2015.
  2. Brian J. Nichelson, PhD, of About Money Keeping up with Technology – Four Steps and some Resources, undated.
  3. Susan Ward of About Money Information Technology Makeover, undated.

Bryley Basics: Current PC configuration for office use

/in , /by

Recommended configuration

We recommend brand-name PCs (HP is our preference, but Dell is also a US-based company with good products) with Intel processors and these minimum features:

  • 8Gb (or more) of RAM
  • A 250Gb (or larger) fixed-disk drive
  • DisplayPort video with two monitors

We typically deploy Windows 8.1 (or downgrade to Windows 7 upon request), but Windows 10 is slated to be released this summer.  Microsoft Office 2013 is the current version; Microsoft Office 2016 will be available in late 2015.

Favored options

We like these options:

  • SSDs (Solid State Drives) – SSDs are memory-only drives with no moving parts, which makes them durable and fast. They speed-up the boot process and work well for those that store large files.  Though they have dropped in price, they still add about $100 to the price of most PCs, but pay-off for high-end users.  (We don’t always quote these because of their higher price, but the boot-up speed is significantly faster.)
  • Ultrabook – Ultrabook is a thin, light, durable, high-end sub-notebook with reasonable battery life. Combined with a docking station, it’s a great, mobile alternative to a desktop computer.  Due to their sleek physique, most do not have internal DVD drives and have few external ports.

Most of our staff have an Ultrabook with a docking station, which works well for the field technicians and account executives.  Many of our newer PCs have SSD drives.

PC Refresh Schedule:  We recommend developing a PC-refresh schedule, one that meets the budget and objectives of the organization.  For example: Bryley Systems replaces at least one PC each quarter, which gives us a maximum replacement-PC cycle of about four-and-½ years for our 18 employees.

Recommended Practices: Licensing Microsoft professional software

/in /by

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

Microsoft software licenses can be categorized by their function:

  • User-oriented applications – Microsoft Office, Visio, Project, etc.
  • Operating systems – Windows, Windows Server, Windows Mobile, etc.
  • Server-based applications – Exchange Server, SQL Server, SharePoint, etc.
  • Access to server-based apps – Client Access Licenses (CALs); user or device

Microsoft offers these methods for purchasing licenses from outside vendors, arrayed from least expensive to most expensive:

  • Original Equipment Manufacturer (OEM)
  • Open Volume Programs (OVPs)
  • Fully Packaged Product (FPP)

Original Equipment Manufacturer

OEM is sold preinstalled on a hardware device, like a PC or a server.  It is a non-transferrable license that must be retired when decommissioning the hardware device.  For example:  Most Original Equipment Manufacturers (Dell, HP, etc.) provide OEM Windows 8.1 licensing with their new PCs; these licenses end when the PC is retired or no longer functional.

Open Volume Programs

OVPs are volume-purchase options for transferrable licenses that can be either perpetual or subscription-based.  (A perpetual license lives forever, but does not include version upgrades; subscription-based licenses provide version upgrades, but require periodic payment.)  Open Volume Programs include:

  • Open Business – For-profit, commercially oriented companies
  • Open Government – Local, state, and federal agencies
  • Open Charity – Non-profit, charitable organizations
  • Open Value – Subscription-based licensing

OVPs requires an initial, minimum purchase of five licenses to establish an Open Volume license agreement; these agreements have a two or a three year term.  With a valid Open Volume license agreement, additional licenses may be purchased in any quantity during the agreement term.

Fully Packaged Product

FPP (also known as Retail) comes packaged with documentation and installation media and is transferrable.  Many small organizations purchase FPP licenses at their local retailer or online to enable licensing for Microsoft Office and similar products.

Licensing rules

Basic rules-of-thumb:

  • Purchase one server and one server-application license for each server, whether virtual or physical.
  • Purchase one CAL for each user or device that accesses the corresponding server application. For example:  Microsoft Exchange Server requires one Exchange Standard CAL for each user.
  • All new-installation licenses must be Full, rather than Upgrade, licenses; less-expensive Upgrade licenses can only be used to update existing Full
  • When transferring a FPP or OVP license, it must be first removed from the former platform before being installed onto the new platform.

Some exceptions to these rules:

  • One Windows Server Data Center edition license permits the licensing of unlimited, virtual Windows Servers on one physical host.
  • SQL Server Enterprise and SQL Server Standard can be licensed by processor core, rather than by CAL, for mission-critical applications.
  • One Exchange Enterprise Add-on CAL also requires one Exchange Standard CAL; however, not all users require an Exchange Enterprise Add-on CAL.

Licensing validation

Some validation guidelines:

  • OEMs should affix both a Genuine Microsoft Label (with hologram) and a Certificate of Authenticity (COA) that identifies the product and its license number to each PC with Microsoft Windows and to each server with Microsoft Windows Server.
  • Valid OEM and FPP packages always ship with a Genuine Microsoft Label and a COA; valid media DVDs should have an identifying hologram.

Check licensing validity at Microsoft’s How to tell website.

Licensing recommendations

Our recommendations:

  • The licensing method selected should match the needs and financial requirements of the purchasing party. For details, see Microsoft’s Software Asset Management
  • Purchase Microsoft licenses only from a trusted, Microsoft Certified Partner.
  • Avoid any licensing deals that look too good to be true; they probably are.

Second, consecutive year on MSPmentor® 501: 2015 Global Edition – Worldwide  

/in , /by

March 26, 2015:  Bryley Systems Inc. ranks 462 on Nine Lives Media’s eighth-annual MSPmentor 501: 2015 Global Edition – Worldwide Company Rankings, a distinguished list and report identifying the world’s top 501 Managed IT Service Providers.  (Managed IT Service Providers, or MSPs, provide their clients with outsourced IT management and functions, typically at a predetermined cost.)

Gavin Livingstone, President of Bryley Systems Inc., said: “We are thrilled and honored to be recognized, for the second year in a row, as one of the top 501 Managed IT Service Providers in the world!  All of the credit belongs to the Bryley team; a dedicated group of long-term employees who work together to meet the IT needs of our clients.  Our motto is Dependable IT at a Predictable Cost.”

Bryley Systems continues to grow: Welcomes George Butler to Service Team

/in , /by

GBakerMr. Butler has over 20 years of experience in IT infrastructure support, most recently as a Systems-Network Engineer for Baesis, Inc. of Northborough, MA. He holds a MSMgt (Applied Management) from Lesley University, Cambridge, MA and a BSBA from Nathaniel Hawthorne College, Antrim, NH.

Bryley Basics: Apps to scan business cards into your smartphone

/in /by

Melissa J. Perenson of ComputerWorld recently updated her review of seven apps in the article: “Tired of losing business cards?  With these apps, your smartphone can do the heavy lifting.

Business-card apps scan a business card via your smartphone’s camera; once scanned, the image is converted into text and then placed into the appropriate fields within a contact manager.  These apps are generally available for both Google Android-based and Apple iOS-based smartphones.

Of the seven tested, these were preferred:

  • ABBYY Business Card Reader – Free version and $9.99 full version
  • CamCard – Free version and full version from $2.99 to $11.99
  • WorldCard Mobile – Free version and $6.99 full version

CamCard’s free version worked well, but all others required the paid, full version to offer meaningful capability; it was also Ms. Perenson’s top choice.

Honorable mentions were given to ABBYY (easiest to navigate with most-accurate scans) and WorldCard (which provides International support with seven on-board languages).  Both were considered good, but not quite as good asCamCard.

Recommended practices – Part-7: Resource management via Active Directory

/in /by

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

Active Directory is an integral component of Microsoft Windows Server; it is a powerful utility to manage both end-users and shared resources on a network.

It can scale to match the needs of any organization, from small to Enterprise size.

User management via Active Directory was discussed in January 2015 Bryley Tips and Information at http://www.Bryley.com/Bryley-Tips-Information-January-2015/. Resource management is reviewed below.

Resources (servers, computers, folders, printers, scanners, etc.) should be located strategically to provide capabilities where needed.  They can be setup to support either groups of computers (IE:  all counter-based PCs in a retail store) or groups of users (IE:  all tellers at a specific branch office of a bank).

Resources are published within Active Directory to assign access.  For example, these are the basic steps to publish a new printer for a group of computers:

  • Create a new Group Policy within the appropriate Container*
  • Select the desired Computer Configuration settings
  • Setup Location Tracking (as needed)

*Active Directory uses Containers to provide segmentation and organizational structure; Containers are usually Forest, Tree, Sites, Organizational Units, orDomains.

If you prefer to setup access for a group of users rather than a group of computers, you would select User Configuration rather than Computer Configuration when publishing a resource.

Once published, resources within Active Directory need periodic attention to adjust access as needs change and to remove decommissioned resources.

Active Directory has a well-established set of best practices; these can be enforced through the Active Directory Best Practices Analyzer, which identifies and reports deviations from best practices.

William R. Stanek provides an overview on Active Directory features and capabilities in his article Using Active Directory Service from Chapter 5 of theMicrosoft Windows 2000 Administrator’s Pocket Consultant.

Recommended practices – Part-6: Manage end-users via Active Directory

/in /by

This is a multi-part series on recommended IT practices for organizations and their end-users. Additional parts will be included in upcoming newsletters.

End-users and their equipment (PCs, tablets, mobile devices) need access to network resources (servers, printers, scanners, etc.); basically, a network administrator connects the end-users with the appropriate resources while matching that access to the needs of the organization.

For example, Human Resources would typically be granted access to sensitive, employee information stored on a server, while the shipping department would be denied this privilege. And, since Human Resources has this access, they would be held to higher security standards designed to protect this information.

One could create an account within each resource mapped to the end-user device, but a more practical solution would be to use a network-wide tool to manage these accounts and their relationships: Active Directory, included within Windows Server, is a robust, rules-driven set of services and processes to facilitate one-site login and to enforce desired behavior. (Visit Wikipedia’s write-up on Active Directory.)

Methods within Active Directory to manage end-usera

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

End-users and their equipment (PCs, tablets, mobile devices) need access to network resources (servers, printers, scanners, etc.); basically, a network administrator connects the end-users with the appropriate resources while matching that access to the needs of the organization.

For example, Human Resources would typically be granted access to sensitive, employee information stored on a server, while the shipping department would be denied this privilege.  And, since Human Resources has this access, they would be held to higher security standards designed to protect this information.

One could create an account within each resource mapped to the end-user device, but a more practical solution would be to use a network-wide tool to manage these accounts and their relationships:  Active Directory, included within Windows Server, is a robust, rules-driven set of services and processes to facilitate one-site login and to enforce desired behavior.  (Visit Wikipedia’s write-up on Active Directory.)

Methods within Active Directory to manage end-users include:

  • Enforce password use and complexity
  • Require periodic password changes
  • Lock screen after time-out
  • Restrict access
  • Grouping

Enforce password use and complexity

Passwords should be required for all end-users, regardless of their function.

A password’s complexity is also important:  A password should have a minimum length of at least nine characters and should have a mix of characters (numeric, upper and lower-case alphabetic, and at least one special character like $, #, @, etc.) that are not easily guessed.  (Please see “Simple Passwords = Disaster” in the January 2013 edition of Bryley Tips and Information.)

Require periodic password changes

Passwords become stale and should be changed periodically to discourage theft.  (We require password changes every 90 days.)  When changed, the end-user should be forced to enter a new, unique password rather than recycle an old one.

Lock screen after time-out

Computer screens are easily viewed by passing employees; highly sensitive employee data might be in open view when a payroll administrator leaves their desk.  To alleviate, many organizations define a time-out period, after which a computer screen is forced to lock and requires a password to refresh.

Restrict access

Network resources are available to all, 24 hours a day, seven days a week.  However, you might not want to enable 24-hour access to all employees and you might want to limit access to specific folders by granting one of these access rights:

  • Read – Allow access to a file
  • Change – Permit adding, modifying, and removing a file
  • Full Control – Change permissions settings in a file
  • Deny – Override all other access settings to prevent access

Read, Change, and Full Control work on a “most permissive” basis.  For example, all users may have Read access to a policy document, and the Human Resources group is granted Change access.  Since one of the groups they are a part of is granted Change access, Human Resources personnel can modify the policy document or replace it with a new one.

Deny work differently than the others, since a Deny overrides all other permissions to prevent access. Inexperienced administrators often use Deny improperly – setting Deny on payroll data for users, for example, and preventing everyone from accessing the payroll data – including the Payroll group, whose Change permission is ignored because they are a member of a group that has Deny set.  (We use Deny sparingly, since there must be a separate group for users who should not have access.)

Preventing access in Windows is achieved by removing the default Read right granted to users.

Grouping

Grouping also simplifies management; rather than manage end-users separately, group them by function, department, division, or organization to enable specific privileges across a group.

s include:

Enforce password use and complexity
Require periodic password changes
Lock screen after time-out
Restrict access
Grouping
Enforce password use and complexity

Passwords should be required for all end-users, regardless of their function.

A password’s complexity is also important: A password should have a minimum length of at least nine characters and should have a mix of characters (numeric, upper and lower-case alphabetic, and at least one special character like $, #, @, etc.) that are not easily guessed. (Please see “Simple Passwords = Disaster” in the January 2013 edition of Bryley Tips and Information.)

Require periodic password changes

Passwords become stale and should be changed periodically to discourage theft. (We require password changes every 90 days.) When changed, the end-user should be forced to enter a new, unique password rather than recycle an old one.

Lock screen after time-out

Computer screens are easily viewed by passing employees; highly sensitive employee data might be in open view when a payroll administrator leaves their desk. To alleviate, many organizations define a time-out period, after which a computer screen is forced to lock and requires a password to refresh.

Restrict access

Network resources are available to all, 24 hours a day, seven days a week. However, you might not want to enable 24-hour access to all employees and you might want to limit access to specific folders by granting one of these access rights:

Read – Allow access to a file
Change – Permit adding, modifying, and removing a file
Full Control – Change permissions settings in a file
Deny – Override all other access settings to prevent access
Read, Change, and Full Control work on a “most permissive” basis. For example, all users may have Read access to a policy document, and the Human Resources group is granted Change access. Since one of the groups they are a part of is granted Change access, Human Resources personnel can modify the policy document or replace it with a new one.

Deny work differently than the others, since a Deny overrides all other permissions to prevent access. Inexperienced administrators often use Deny improperly – setting Deny on payroll data for users, for example, and preventing everyone from accessing the payroll data – including the Payroll group, whose Change permission is ignored because they are a member of a group that has Deny set. (We use Deny sparingly, since there must be a separate group for users who should not have access.)

Preventing access in Windows is achieved by removing the default Read right granted to users.

Grouping

Grouping also simplifies management; rather than manage end-users separately, group them by function, department, division, or organization to enable specific privileges across a group.