General
There is no one-size-fits-all answer for equipment, but we have several best practices we recommend to ensure your environment is supportable and reliable. This is a general list, but your business may have more stringent requirements that we will bring up with you over time. In addition to any recommendations below, we recommend that all equipment either have an active warranty with next-business-day replacement or better, or that a spare be kept on-site at all times.
Failure to meet these baseline standards may result in security, stability or suitability issues for your business.
Computers
We recommend laptops and desktops with the following minimum specifications and an active warranty from the manufacturer.
- Current Generation Intel Core i5 or i7 Processor, or Within 4 Prior Generations
- 16GB RAM (memory) preferred (8GB RAM in some circumstances)
- 480GB Solid State Drive (SSD) for storage
- Windows 11 Professional or better (all new machines)
- Windows 10 Professional version 22H2 will be supported through Microsoft’s end of support on October 14, 2025
- Windows 8.1 is no longer supported; Microsoft support ended January 10, 2023
- Windows 7 is no longer supported; Microsoft support ended January 14, 2020
We do not recommend the non-Professional versions of Windows (sometimes referred to as Home edition) for business use.
Where Apple Mac laptops and desktops are supported and allowed by business and software requirements and organizational policies, we recommend the use of systems with Apple Silicon processors. Specifications will vary by intended use case.
Servers
Servers should be selected to be suitable for the customer’s business needs and software requirements. We recommend a minimum of RAID and redundant power supplies. Servers should run an operating system and applications currently under vendor support. The life expectancy of the server (a default of 5 years is normal) should be considered when choosing an operating system, to ensure support and updates are available at least through the server’s expected lifetime. Servers should have active next-business-day warranties to minimize the risk of extended downtime and unexpected repair expenses.
Please note the following Windows Server support end dates, subject to change by Microsoft, for your convenience:
- Microsoft Windows Server 2022 Mainstream Support is through October 13, 2026, with extended security updates available until October 14, 2031.
- Microsoft Windows Server 2019 Mainstream Support is through January 9, 2024, with extended security updates available until January 9, 2029.
- Microsoft Windows Server 2016 Mainstream Support is through November 1, 2022, with extended security updates available until November 1, 2027.
- Microsoft Windows Server 2012 and 2012 R2 Mainstream Support was through October 9, 2018, with extended security updates not available past October 10, 2023.
- Windows Server 2008 R2 and all previous versions are no longer supported or updated by Microsoft.
Microsoft’s Product and Services Lifecycle Information page is the official reference site for the above determinations.
Server Backups
We recommend that all backups are made to a cloud-based service. We recommend Acronis or Ninja One Native backup.
If using a local disk, backups should be copied as soon as reasonable to a secured and isolated storage location physically away from the premises of the server(s) being backed up. They should be encrypted using 128-bit or higher encryption with a strong, unique encryption key that is stored separately from the backups, and kept in a location that is inaccessible without unique credentials, to make malicious modification or deletion as difficult as possible.
Firewall
Our recommended firewall is a SonicWall sized appropriately for internet connection speed, with an active subscription. Exceptions may be made on a case-by-case basis where a different solution is more appropriate.
Firewall firmware should be periodically reviewed and updated to the latest release on a regular cadence, or more rapidly if a security issue is discovered that may be exploited externally.
Firewalls should be configured to allow the minimum inbound access necessary for the organisation to operate (ideally zero, with any other openings being evaluated based on risk), and all administrative management should be restricted and not available for access from the general internet.
VPNs are discouraged, particularly where they may be used by machines that are not managed by us.
We will not configure or support a firewall which opens Remote Desktop port 3389 (or Remote Desktop running on alternate ports) directly from the Internet to an internal network, due to the extremely high security risk.
Switching
Ethernet switching fabrics should be designed for the environment. We highly recommend fully managed switches for all environments. We recommend consistent models and brands when possible to reduce the number of unusual support issues.
Our preferred brands of switches are TP-Link or Cisco Meraki.
Wireless
To a greater extent than even switching, wireless needs to be designed for the environment. In all cases, we do not recommend using any wireless provided by an ISP modem, router or other equipment.
Our preferred brands of wireless equipment are TP-Link or Cisco Meraki.
Staff and guest networks should be segmented for security, and staff or other internal wireless networks should be secured with WPA2 security or higher, with a long, random, unique passphrase if not using Enterprise authentication.
Internet Service
We recommend at bare minimum a business-class broadband Internet connection, but this may not be suitable for all purposes. If Internet is required for primary business operations, we recommend at minimum redundant broadband services with one of them being a business fibre circuit. Dedicated fibre (Leased Lines) circuits may be preferred to meet some requirements.
Printing
If you have fewer than 5-10 computers and only one printer, manual print management may be an option, but beyond that the complexity and difficulty of securely deploying and updating printers means greater efficiency and reduced overall costs for all involved.
For specific printer models, we will work with you to determine which models or ranges may fit you best, or you can work with a dedicated printer vendor for larger needs, but we don’t strongly recommend any specific brand or model as being effective in all cases and needs vary widely.
For shared printers, we recommend that the printer include a hardwired Ethernet networking port and that you have one available to plug it into. Wireless printers tend to be unreliable and should be a last choice only if absolutely necessary. Personal printers may be USB-connected, but shared printers should not be.
You should use only genuine consumables to avoid warranty and support issues.
Battery Backup (UPS)
We recommend all servers and critical network infrastructure have appropriately sized battery backups that are regularly tested and maintained.
Security
We recommend all authentication used in the business comply with guidance from the National Cyber Security Centre. For convenience, the guidance is summarised below:
- Use multi-factor authentication when available, in the most secure version available.
- Use different passwords on different systems and accounts.
- Don’t use passwords that are based on personal information that can be easily accessed or guessed.
- Use the longest password or passphrase permissible by each password system.
- Don’t use words that can be found in any dictionary of any language.
- Use a well-known password manager to generate and fill unique passwords whenever possible.
We recommend the use of account lockouts, separate accounts per user, secure password storage, audit logging and the timely disablement of disused accounts. When access outside of the office or over a VPN is not required, we recommend locking down access. Under no circumstances should users routinely log in on any device with an account that has administrator privileges (local or domain).
Keeping track of complex passwords or giving access to multiple users can be difficult, so we recommend Keeper password management.
We recommend applying for Cyber Essentials accreditation to ensure you meet minimum security standards.
We recommend periodic security awareness training for anyone who has access to critical business systems or software.
Updated 18/11/2024