Taking over IT for a small business



  • As some of you know, I recently picked up a new client.

    They are a boutique compounding pharmacy. So they have all the HIPAA requirements, etc.

    Currently security is not even a thought around this place, and while one partner seems to understand at least the requirements, the other not so much.

    • three POS terminals, 1 Win 7, 2 Win 10 - I don't know the software name
    • two Win 7 Desktops (2013 or older)
    • one Win 10 upgraded from win 7 (2013 or older)
    • one 'server' running some Linux OS that hosts their RX30 pharmacy software (amazing this is licensed correctly - if only my damned HVAC people would have done this!!!) This is also currently used as a workstation
    • 3-5 Win 10 PCs

    There is a complete mish mash of stuff installed everywhere. There is no management at all.
    The terminals have local admin accounts, and it appears that users do not log into those accounts, but instead use a shared windows account for normal work. The other machines - everyone uses a shared local admin account.
    They have purchased at least 2 LogMeIn remote access accounts - perhaps more.

    They've asked me for suggestions on cleaning up their environment.

    Here's what I'm thinking, I'd appreciate your feedback (except for @JaredBusch 😉 ).

    • inventory all of their software, find out what's still in use, do we have installation media for everything, account names/passwords for everything.
    • With the possible exception of the POS systems, wipe and reload all Windows 10 machines, get them to a known good clean, updated state.
    • Create local admin, create local user for daily use - no password
    • deploy freeware software (chrome, firefox, citrix, etc) using Chocolatey
    • schedule task to update Chocolatey daily
    • schedule task to reboot weekly
    • Setup MeshCentral server on Vultr to enable remote access to all devices (confirm they have Linux client) or purchase another remote access solution

    By default, Windows 10 does updates on its own.
    Any reason to move beyond Windows Defender for AV?
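    The scheduled-task and account-separation parts of the plan above, as an added PowerShell example (not code from the post or from Chocolatey). The task names, run times, the `pharmacy` daily-use account name and the package list are assumptions; the script is run once per machine from an elevated prompt after Chocolatey has been installed.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: daily Chocolatey upgrade and weekly
# reboot as scheduled tasks running as SYSTEM, plus a check that the
# daily-use account is not a local admin. Names/times below are assumptions.

$ChocoExe    = Join-Path $env:ProgramData 'chocolatey\bin\choco.exe'
$UpgradeTime = '02:00'      # assumed: after close, well before the 8 AM login
$RebootDay   = 'Sunday'
$RebootTime  = '03:00'
$DailyUser   = 'pharmacy'   # assumed name of the shared daily-use account
$Baseline    = @('googlechrome', 'firefox')   # assumed baseline package list

if (-not (Test-Path $ChocoExe)) { throw "Chocolatey not found at $ChocoExe" }

# Install the baseline once; the scheduled task keeps it current afterwards.
& $ChocoExe install @Baseline -y --no-progress

# Tasks run as SYSTEM: no stored credentials, and the user needs no admin rights.
$asSystem = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# 1. Daily upgrade of everything installed through Chocolatey.
$upgradeAction  = New-ScheduledTaskAction -Execute $ChocoExe -Argument 'upgrade all -y --no-progress'
$upgradeTrigger = New-ScheduledTaskTrigger -Daily -At $UpgradeTime
Register-ScheduledTask -TaskName 'Choco-UpgradeAll' -Action $upgradeAction `
    -Trigger $upgradeTrigger -Principal $asSystem -Force | Out-Null

# 2. Weekly reboot so pending updates finish applying outside business hours.
$rebootAction  = New-ScheduledTaskAction -Execute 'shutdown.exe' `
    -Argument '/r /t 60 /c "Scheduled weekly maintenance reboot"'
$rebootTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $RebootDay -At $RebootTime
Register-ScheduledTask -TaskName 'Weekly-Reboot' -Action $rebootAction `
    -Trigger $rebootTrigger -Principal $asSystem -Force | Out-Null

# 3. Verify the daily-use account is a standard user, not a member of Administrators.
function Test-StandardUser {
    param([Parameter(Mandatory)][string]$Name)
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name.Split('\')[-1] }
    return -not ($admins -contains $Name)
}

Get-ScheduledTask -TaskName 'Choco-UpgradeAll', 'Weekly-Reboot' | Select-Object TaskName, State

if (Test-StandardUser -Name $DailyUser) { "$DailyUser is a standard user" }
else { Write-Warning "$DailyUser is still a member of Administrators" }
```

Running the tasks as SYSTEM means the daily-use account never needs the admin rights that the shared local-admin logins currently give everyone, which is the point of splitting the accounts in the first place.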



  • @Dashrender
    I think your ideas look very reasonable and a good idea. My thoughts are:

    I would get everything to Windows 10 if possible, I understand it might not be with those POS systems.

    I would stick with Defender unless you find out a reason to get more complex later on.

    If they don't understand security very much I would propose to the bosses getting everyone off admin accounts if possible. Have one for yourself and regular user accounts for everyone else that will let them do their job.

    There is a powershell module "windowsupdate" that works ok for me here. I schedule that here along with chocolatey updates for our free stuff.



  • @Dashrender
    Do they have a backup strategy for their pharmacy software?

    Side Note - In small medical offices, when they ask how to shore up security, my statement is, "I will have a much better idea how to fill the security gap if I can see your HIPAA policies and most recent security assessment." I get some interesting reactions. Hard to be HIPAA compliant without those items. Plus, you may get extra billable hours.



  • @jmoore said in Taking over IT for a small business:

    @Dashrender
    I think your ideas look very reasonable and a good idea. My thoughts are:

    I would get everything to windows 10 if possible, I understand it might not be with those pos systems.

    Only one POS system has Win 7 on it... and they have tentatively agreed to replace it... Though I don't think they realized at the time that would mean it likely would no longer be a POS terminal. So I have to remind them of that... then they could choose between just another workstation, or another newer POS terminal...



  • @jmoore said in Taking over IT for a small business:

    There is a powershell module "windowsupdate" that works ok for me here. I schedule that here along with chocolatey updates for our free stuff.

    Why do you kick windows update - do the systems not auto update themselves on a semi-regular basis?

    The big question is - do the systems auto force movement to the next version - which I know they eventually will force... but timing is kind of a big deal to most offices.. they don't want windows kicking off a 2 hour update when the employee logs in at 8 AM.



  • @Dashrender said in Taking over IT for a small business:

    @jmoore said in Taking over IT for a small business:

    There is a powershell module "windowsupdate" that works ok for me here. I schedule that here along with chocolatey updates for our free stuff.

    Why do you kick windows update - do the systems not auto update themselves on a semi-regular basis?

    The big question is - do the systems auto force movement to the next version - which I know they eventually will force... but timing is kind of a big deal to most offices.. they don't want windows kicking off a 2 hour update when the employee logs in at 8 AM.

    Forced on your schedule is better than random.



  • @pmoncho said in Taking over IT for a small business:

    @Dashrender
    Do they have a backup strategy for their pharmacy software?

    Good question - I haven't gotten that far yet.. currently, it's not my domain, but I'm assuming it will quickly become part of it.

    Side Note - In small medical offices, when they ask how to shore up security, my statement is, "I will have a much better idea how to fill the security gap if I can see your HIPAA policies and most recent security assessment." I get some interesting reactions. Hard to be HIPAA compliant without those items. Plus, you may get extra billable hours.

    yeah - so in regards to that - they told me "we want all machines to be nearly identical - when I sit at any computer, I want all the same websites (in favorites) with the passwords already remembered, etc."
    I then reminded them that wasn't legal from a HIPAA perspective - that all users need to have their own logons for systems that house PHI (I know for example, they are all sharing a single logon to someone else's EHR system - I wonder if that company knows that?). They were taken aback by that realization, then told me they would work to get everyone their own logon for that EHR, and that their pharmacy software already had an account for each person.



  • @Dashrender said in Taking over IT for a small business:

    @jmoore said in Taking over IT for a small business:

    There is a powershell module "windowsupdate" that works ok for me here. I schedule that here along with chocolatey updates for our free stuff.

    Why do you kick windows update - do the systems not auto update themselves on a semi-regular basis?

    The big question is - do the systems auto force movement to the next version - which I know they eventually will force... but timing is kind of a big deal to most offices.. they don't want windows kicking off a 2 hour update when the employee logs in at 8 AM.

    Keep in mind I'm talking about my environment here and this is what I've seen. Yours or theirs could be different. The systems here will auto-update and do regular security and app updates eventually, but it usually takes a long time, sometimes months. I like to keep things more up to date than that. I haven't had any issues scheduling windows updates for every 2 weeks here.

    The other big reason why I schedule the updates is so I can control when they happen. I schedule for the evening and so far no one has had to wait 2 hours to log in or be interrupted at 9am with a large update. I was told that used to happen a lot. Users would arrive at 8am, turn computer on, have it start configuring a large update and not be able to log in for 2 hours.

    I am not sure but I don't believe the large feature updates (such as 1903) happen on their own. At least I have not seen anything do one yet. It's possible I don't wait long enough to see if it happens. For my environment, I don't have a reason to.

    I am not sure



  • @jmoore said in Taking over IT for a small business:

    @Dashrender said in Taking over IT for a small business:

    @jmoore said in Taking over IT for a small business:

    There is a powershell module "windowsupdate" that works ok for me here. I schedule that here along with chocolatey updates for our free stuff.

    Why do you kick windows update - do the systems not auto update themselves on a semi-regular basis?

    The big question is - do the systems auto force movement to the next version - which I know they eventually will force... but timing is kind of a big deal to most offices.. they don't want windows kicking off a 2 hour update when the employee logs in at 8 AM.

    Keep in mind I'm talking about my environment here and this is what I've seen. Yours or theirs could be different. The systems here will auto-update and do regular security and app updates eventually, but it usually takes a long time, sometimes months. I like to keep things more up to date than that. I haven't had any issues scheduling windows updates for every 2 weeks here.

    The other big reason why I schedule the updates is so I can control when they happen. I schedule for the evening and so far no one has had to wait 2 hours to log in or be interrupted at 9am with a large update. I was told that used to happen a lot. Users would arrive at 8am, turn computer on, have it start configuring a large update and not be able to log in for 2 hours.

    I am not sure but I don't believe the large feature updates (such as 1903) happen on their own. At least I have not seen anything do one yet. It's possible I don't wait long enough to see if it happens. For my environment, I don't have a reason to.

    I am not sure

    The large updates will eventually force their way on - it might be a year later.. for example, when 1903 was released, 1709 went out of support, and Windows was forcing people to 1903 (assuming no blocks).

    I wouldn't expect the 2 hour updates in general except for the large bi-annual updates (i.e. 1903).

    How are you dealing with machines that people turn off at night?



  • @Dashrender said in Taking over IT for a small business:

    How are you dealing with machines that people turn off at night?

    By having a company policy put in place that they are to be left powered on. Logged off, or locked, yes. But not powered off.



  • @JaredBusch said in Taking over IT for a small business:

    @Dashrender said in Taking over IT for a small business:

    How are you dealing with machines that people turn off at night?

    By having a company policy put in place that they are to be left powered on. Logged off, or locked, yes. But not powered off.

    Same here.



  • @Dashrender said in Taking over IT for a small business:

    How are you dealing with machines that people turn off at night?

    Change the defaults in windows to "sleep" instead of "shutdown".
    Send Wake On LAN packet if you need to start it.

    Remove hibernate unless it's a laptop. Frees up some disk space too.

    Also, basically set all machines to go to sleep after X minutes of inactivity. It could be an hour or whatever. Saves on power and if someone forgets to turn it "off" (sleep) it will automatically sleep.
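    The settings suggested in this post, as an added PowerShell example (not the poster's own script): the power button mapped to sleep, hibernation removed, an idle sleep timeout, and a function that builds and sends a standard Wake-on-LAN magic packet. The 60-minute timeout, the broadcast address and the MAC address are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Values below are assumptions.

# --- Sleep instead of shutdown ---------------------------------------------
# Power button action for the active scheme on mains power:
# 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down.
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 1
powercfg /setactive SCHEME_CURRENT
# Sleep after 60 minutes idle on mains power (0 would mean never).
powercfg /change standby-timeout-ac 60
# Desktops: no hibernation, which also deletes hiberfil.sys.
powercfg /hibernate off

# --- Wake-on-LAN -------------------------------------------------------------
function Send-WakeOnLan {
    param(
        [Parameter(Mandatory)][string]$MacAddress,   # e.g. 'AA-BB-CC-DD-EE-FF'
        [string]$Broadcast = '255.255.255.255',      # assumed: same LAN as the targets
        [int]$Port = 9
    )
    # Accept AA-BB-CC-DD-EE-FF, AA:BB:CC:DD:EE:FF or AABBCCDDEEFF.
    $mac = $MacAddress -replace '[^0-9A-Fa-f]', ''
    if ($mac.Length -ne 12) { throw "Bad MAC address: $MacAddress" }
    $macBytes = for ($i = 0; $i -lt 12; $i += 2) {
        [Convert]::ToByte($mac.Substring($i, 2), 16)
    }
    # Magic packet: six 0xFF bytes followed by the MAC repeated 16 times (102 bytes).
    $packet = [byte[]](@(0xFF) * 6 + ($macBytes * 16))

    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.EnableBroadcast = $true
        $null = $udp.Send($packet, $packet.Length, $Broadcast, $Port)
    } finally {
        $udp.Dispose()
    }
    return $packet.Length   # 102 when the packet was well formed
}

# Constructed sample MAC; replace with the sleeping machine's adapter address.
Send-WakeOnLan -MacAddress 'AA-BB-CC-DD-EE-FF'
```

The magic packet is a plain broadcast, so `Send-WakeOnLan` has to run from a machine that is itself awake and on the same LAN segment as the sleeping PCs, and the target adapter must have Wake-on-LAN enabled in its BIOS and driver settings.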



  • @Dashrender said in Taking over IT for a small business:

    How are you dealing with machines that people turn off at night?

    Most people do not turn machine off but occasionally (every couple months) I'll use wmic to make sure machines are getting updates somewhat regularly. It shouldn't be critical in any way to miss a few weeks updates but I just make sure someone hasn't gone 3 months or something like that. I have every department in a text file list and I use those a lot for various things.
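    The periodic "is everyone still getting updates" check described above, as an added PowerShell example (not the poster's own script). It reads a text file of host names and uses `Get-HotFix`, which queries the same `Win32_QuickFixEngineering` class that `wmic qfe` does, to flag any machine whose newest installed update is older than a threshold or that cannot be reached at all. The file path, the 90-day threshold and the host names are assumptions.

```powershell
# Added example, not from the thread. Path, threshold and hosts are assumptions.

$ListFile      = 'C:\it\pharmacy-pcs.txt'   # assumed: one host name per line, '#' comments
$MaxDaysBehind = 90

function Get-UpdateAge {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($pc in $ComputerName) {
        try {
            # Newest entry with a real InstalledOn date; some QFE rows have none.
            $latest = Get-HotFix -ComputerName $pc -ErrorAction Stop |
                Where-Object InstalledOn |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1
            $days = if ($latest) {
                (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
            } else { $null }
            [pscustomobject]@{
                Computer  = $pc
                LastPatch = if ($latest) { $latest.InstalledOn } else { $null }
                DaysAgo   = $days
                Stale     = ($null -eq $days) -or ($days -gt $MaxDaysBehind)
                Error     = $null
            }
        } catch {
            # Unreachable (powered off, firewall, no RPC) is itself worth a look.
            [pscustomobject]@{
                Computer  = $pc
                LastPatch = $null
                DaysAgo   = $null
                Stale     = $true
                Error     = $_.Exception.Message
            }
        }
    }
}

$hosts  = Get-Content $ListFile | Where-Object { $_.Trim() -and -not $_.StartsWith('#') }
$report = Get-UpdateAge -ComputerName $hosts

$report | Sort-Object DaysAgo -Descending | Format-Table -AutoSize
$report | Where-Object Stale | ForEach-Object {
    Write-Warning "$($_.Computer): no update seen in > $MaxDaysBehind days $($_.Error)"
}
```

Like `wmic /node:`, the remote query needs DCOM/WMI access to each machine, so a box that shows up as unreachable has either been left off or has a firewall or service problem worth fixing before the next patch cycle.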



  • @Dashrender said in Taking over IT for a small business:

    How are you dealing with machines that people turn off at night?

    If you can't change policy easily then maybe just schedule sometime during lunch and give people a heads up.



  • @jmoore said in Taking over IT for a small business:

    @Dashrender said in Taking over IT for a small business:

    How are you dealing with machines that people turn off at night?

    If you can't change policy easily then maybe just schedule sometime during lunch and give people a heads up.

    This would be much more likely - but lunch is not a set time thing around here. It literally changes daily, based upon a floating schedule, so there would be no way to schedule it over lunch.



  • @Pete-S said in Taking over IT for a small business:

    @Dashrender said in Taking over IT for a small business:

    How are you dealing with machines that people turn off at night?

    Change the defaults in windows to "sleep" instead of "shutdown".
    Send Wake On LAN packet if you need to start it.

    Remove hibernate unless it's a laptop. Frees up some disk space too.

    Also, basically set all machines to go to sleep after X minutes of inactivity. It could be an hour or whatever. Saves on power and if someone forgets to turn it "off" (sleep) it will automatically sleep.

    2/3's of my fleet is laptops, so yeah.. wake-on-lan is not an option, I'm not sure sleep is even wake-able on a laptop on WiFi?



  • @Dashrender said in Taking over IT for a small business:

    @Pete-S said in Taking over IT for a small business:

    @Dashrender said in Taking over IT for a small business:

    How are you dealing with machines that people turn off at night?

    Change the defaults in windows to "sleep" instead of "shutdown".
    Send Wake On LAN packet if you need to start it.

    Remove hibernate unless it's a laptop. Frees up some disk space too.

    Also, basically set all machines to go to sleep after X minutes of inactivity. It could be an hour or whatever. Saves on power and if someone forgets to turn it "off" (sleep) it will automatically sleep.

    2/3's of my fleet is laptops, so yeah.. wake-on-lan is not an option, I'm not sure sleep is even wake-able on a laptop on WiFi?

    WoL is useless unless you have a known on system to send commands from



  • @JaredBusch said in Taking over IT for a small business:

    @Dashrender said in Taking over IT for a small business:

    @Pete-S said in Taking over IT for a small business:

    @Dashrender said in Taking over IT for a small business:

    How are you dealing with machines that people turn off at night?

    Change the defaults in windows to "sleep" instead of "shutdown".
    Send Wake On LAN packet if you need to start it.

    Remove hibernate unless it's a laptop. Frees up some disk space too.

    Also, basically set all machines to go to sleep after X minutes of inactivity. It could be an hour or whatever. Saves on power and if someone forgets to turn it "off" (sleep) it will automatically sleep.

    2/3's of my fleet is laptops, so yeah.. wake-on-lan is not an option, I'm not sure sleep is even wake-able on a laptop on WiFi?

    WoL is useless unless you have a known on system to send commands from

    In my environment it would be a server or my desktop, set to never sleep.

    In this customer's - from a power POV, I could easily designate a single machine as an always on machine for this purpose - I love using ScreenConnect to send WoL commands to other sleeping machines.



  • @Dashrender said in Taking over IT for a small business:

    @JaredBusch said in Taking over IT for a small business:

    @Dashrender said in Taking over IT for a small business:

    @Pete-S said in Taking over IT for a small business:

    @Dashrender said in Taking over IT for a small business:

    How are you dealing with machines that people turn off at night?

    Change the defaults in windows to "sleep" instead of "shutdown".
    Send Wake On LAN packet if you need to start it.

    Remove hibernate unless it's a laptop. Frees up some disk space too.

    Also, basically set all machines to go to sleep after X minutes of inactivity. It could be an hour or whatever. Saves on power and if someone forgets to turn it "off" (sleep) it will automatically sleep.

    2/3's of my fleet is laptops, so yeah.. wake-on-lan is not an option, I'm not sure sleep is even wake-able on a laptop on WiFi?

    WoL is useless unless you have a known on system to send commands from

    In my environment it would be a server or my desktop, set to never sleep.

    In this customer's - from a power POV, I could easily designate a single machine as an always on machine for this purpose - I love using ScreenConnect to send WoL commands to other sleeping machines.

    Stop conflating your stuff. The point here is for not your environment, specifically.

    I mean yeah, ideas can work both places. but focus please..



  • Is windows an actual requirement? Maybe Chrome OS or Ubuntu would work if all they use are web apps



  • Even discussing power management on 5-10 desktops is a complete waste for a business IMO. 24/7 for management purposes is the way to go. Just set them to lock



  • Also for you guys that do this kind of stuff on a small scale like this, do you create policies for the client? It seems like you could cover a lot of these in policies that can be used in a cookie cutter fashion to work with other customers.

    Handing a manager or CEO a best practice policy and asking for valid reasons for exceptions is a good way to get a good security posture.



  • @Dashrender said in Taking over IT for a small business:

    @Pete-S said in Taking over IT for a small business:

    @Dashrender said in Taking over IT for a small business:

    How are you dealing with machines that people turn off at night?

    Change the defaults in windows to "sleep" instead of "shutdown".
    Send Wake On LAN packet if you need to start it.

    Remove hibernate unless it's a laptop. Frees up some disk space too.

    Also, basically set all machines to go to sleep after X minutes of inactivity. It could be an hour or whatever. Saves on power and if someone forgets to turn it "off" (sleep) it will automatically sleep.

    2/3's of my fleet is laptops, so yeah.. wake-on-lan is not an option, I'm not sure sleep is even wake-able on a laptop on WiFi?

    It's called WoWLAN. Windows supports it but I haven't tried it.



  • @Dashrender said in Taking over IT for a small business:

    In this customer's - from a power POV, I could easily designate a single machine as an always on machine for this purpose

    I always set one or more machines to power on at 10:00pm (bios)
    One if they prefer not to leave them on, then I use WoL to power the others up when I need to (updates).

    All if they don't have a preference and it's a small office.



  • @JasGot said in Taking over IT for a small business:

    @Dashrender said in Taking over IT for a small business:

    In this customer's - from a power POV, I could easily designate a single machine as an always on machine for this purpose

    I always set one or more machines to power on at 10:00pm (bios)
    One if they prefer not to leave them on, then I use WoL to power the others up when I need to (updates).

    All if they don't have a preference and it's a small office.

    That is a crazy amount of work I don’t wanna do that



  • @JaredBusch How so?





  • @Dashrender I left this out earlier for fear he would say I was conflating....

    Here's our push for power-on for dell PCs, we push it with GPO, or ScreenConnect, or drop it in the startup folder with a script that uses an admin$ share. Most bios mfrs have a utility for editing bios remotely.

    It sets it up the way we want, and if someone changes it, it auto re-applies at the next boot.

    
    \\server\netlogon\cctk\x86_64\cctk --autoon=everyday --valsetuppwd= -l=c:\pc.log
    \\server\netlogon\cctk\x86_64\cctk --autoonhr=22 --valsetuppwd= -l=c:\pc.log
    \\server\netlogon\cctk\x86_64\cctk --autoonmn=0 --valsetuppwd= -l=c:\pc.log
    
    


  • @Dashrender said in Taking over IT for a small business:

    he's lazy.

    Me too. I script everything.



  • @JasGot said in Taking over IT for a small business:

    @Dashrender I left this out earlier for fear he would say I was conflating....

    Here's our push for power-on for dell PCs, we push it with GPO, or ScreenConnect, or drop it in the startup folder with a script that uses an admin$ share. Most bios mfrs have a utility for editing bios remotely.

    It sets it up the way we want, and if someone changes it, it auto re-applies at the next boot.

    
    \\server\netlogon\cctk\x86_64\cctk --autoon=everyday --valsetuppwd= -l=c:\pc.log
    \\server\netlogon\cctk\x86_64\cctk --autoonhr=22 --valsetuppwd= -l=c:\pc.log
    \\server\netlogon\cctk\x86_64\cctk --autoonmn=0 --valsetuppwd= -l=c:\pc.log
    
    

    Actually - he would adore you for this. 🙂