As your business grows, you may find that there comes a time where you need to upgrade to a faster and more reliable Internet Service Provider (ISP).  While the DSL line that you started out with worked fine when there were less than five employees, the bandwidth you receive from your ISP is no longer sufficient.  Having a slow internet connection can really affect your productivity.  Problems such as slow email, web browsing, and incomplete cloud backups are often caused by having insufficient bandwidth.

When selecting a new ISP, there are many factors to consider.  Try to avoid being fooled by slick marketing and salespeople.  The amount of bandwidth and the type of connection you select are very important factors.  This is why we never recommend slow DSL connections, especially when there is no guarantee of specific upload or download speeds.  Have your IT consultant review all proposals from ISP's.  If possible, obtain multiple quotes from multiple vendors.  You should also consider utilizing a master agent or broker type service.  They generally know where to find the best deals, and often they are paid by the ISP's, not your business.  Always familiarize yourself with the terms of your current ISP service agreement.  Many ISP's will charge a cancellation fee if you cancel the service early.

Once you have decided which ISP your business will switch to, there are many things to consider when planning a seamless transition.  You should always gather the relevant information ahead of time, and not wait until the day of the cutover to find the information you need.

Here is a list of considerations when planning your ISP cutover.

• Always schedule ISP changes a couple of weeks ahead of time to give users and clients ample notice.  Remind your users the day before, and a few hours before making your changes.
• Have account information for your ISP, hosting company, DNS provider, and domain registrar ahead of time.  ISP changes will often require changes to DNS records for email and remote access servers.
• If your new ISP requires you to have a new router installed, consider having the ISP provide and manage the router.  This will prevent finger pointing in the future, should there ever be a problem with the new ISP.
• Know the user names and password for your routers and firewalls.  Your firewall will need to be reconfigured if you have a new IP address.  You may also need to change the speed settings of your external firewall interface.
• Consider upgrading your firewall at the same time as you switch to another ISP.  Chances are that you have outgrown your firewall at the same time as you have outgrown your old ISP.
• If you do not need to upgrade to a new firewall, check if there are any software or firmware updates for the firewall you plan to keep.
• Understand the changes that the ISP installer is making.  Make sure that they don't disconnect your existing ISP, phone, or fax lines, unless you have already planned accordingly.  Many DSL installations utilize your fax line.  If your DSL is getting disconnected, you will need to know how this affects your fax capabilities.
• Document the configuration of your firewall prior to making any changes.
• If you are changing DNS providers, document your DNS records (zone file) prior to making changes.
• If a new router or firewall is installed, make sure that the DHCP settings are consistent with your existing network configuration.  You should never have your router or firewall providing DHCP if you have Windows servers on your network.
• Know whether or not you are moving to a static or dynamic IP address.  Having a static IP address may be required if you have an internal email or remote access server.
• Test your new connection with a single notebook computer prior to connecting a firewall.  Make sure that you are receiving the expected upload and download speeds.
• Let the connection run for a couple of days before making the switch.
• Think about any site to site VPN connections between your office.  If you change ISP's or IP addresses, your VPN connections will be affected.
• If you use a 3rd party spam filtering service like Reflexion or Postini, you may limit the downtime for your email server.  These services do not require that you change DNS records.  They will also hold on to your incoming email while you cutover.
• If possible, do not cancel your current ISP until your new ISP is in place and active.  If feasible for your budget, consider using two ISP's and a firewall that allows for automatic failover and load balancing.  It is always a good idea to have a Backup Internet Connection.
• Understand any changes that need to be made to your Citrix server if it uses a private IP address instead of a routable public IP address.
• Communicate often with the management of your business to set expectations.  When done properly, there should be no downtime, as long as you plan your ISP change carefully.
• If you are using a 3rd party monitoring service or managed service provider, let them know when you are making these changes.  It will prevent unnecessary alerts and phone calls if your servers go offline.
• Make sure that your monitoring service adds your new IP addresses to the items that they monitor for you.
• Have your ISP configure Reverse DNS for your new IP address.  A lack of reverse DNS may cause some spam filters to reject messages from your internal email server.
  
• Update your network documentation when the ISP cutover project is complete.

As you can see, there are many things to think about when moving to a new ISP.  One way to ensure that your ISP cutover is seamless to your users, is to contract Hilltop Consultants to manage the project.  We have performed hundreds of cutovers and new installations over the years.  We have the expertise and experience to get the job done on time with the least impact on your users and management.

Recently Hilltop began supporting a DC based law firm with around 80 users.  The firm had been working with another Outsourced IT service provider.  As far as the firm knew, they were doing everything right.  Email was getting backed up, filtered for spam, and was be journaled offsite with Microsoft.

During Hilltop discovery, we found that the Outsourced IT service provider did not have everything under as much control as both the firm, and Hilltop would have hoped.

Email is one of the most critically important systems that your firm has.  Your firm needs an IT partner that can be trusted to keep your email system secure, compliant, and reliable.  In turn, your IT partner needs an email compliance and security partner that it can trust.  Once that partner is in place, their systems need to be monitored and tested regularly.

If you are not 100% sure that your email system is properly secured, backed up, and archived, contact Hilltop about a free assessment. 

Hilltop has found an email compliance partner that we can trust in:

Reflexion Networks

Reflexion provide a range of hosted email services that are differentiated by their ease of implementation and use, their unique features and effectiveness, and their affordability.

Reflexion Total Control (RTC)

RTC is a hosted email security service that blocks spam, viruses and volume-based attacks before it reaches the corporate network. Reflexion’s unique technology also identifies address-sharing and the sources of spam, and provides concrete tools for preserving the integrity of one’s primary email address. Automatic inbound email queuing assures email continuity in the event of a local server outage, and outbound email filtering protects one’s reputation and helps to avoid the business disruption of IP address blacklisting. Reflexion’s service provides the configurability that IT Solution Providers need to address a wide range of customer requirements, with the automation and simplicity that ISPs require for their subscribers.

Reflexion Archiving, Discovery and Recovery (RADAR)

RADAR provides businesses with a complete, searchable email archive that can be accessed at any time, from anywhere on the Internet. RADAR provides email continuity during local email server outages, full email disaster recovery from more severe outages, rapid retrieval of emails that have been misplaced or deleted locally, a searchable knowledgebase of a company’s intellectual property stored in email, and a rapid means of responding to discovery requests for legal proceedings governed by the new Federal Rules of Civil Procedure.

RTC Encryption

With an increase in regulatory pressures, identity theft and highly publicized security breaches in the media, companies that do not encrypt emails containing sensitive information are at risk of regulatory fines, lawsuits, negative PR and a loss of company intellectual property.  Companies dependent on building a relationship of trust with their customers and business partners cannot afford to risk such potential damages to their brand image. Email encryption is, therefore, an important piece of the security puzzle; it protects your company, your customers and business partners. The question then becomes how to implement this critical business process.

Jim Turner will be presenting a seminar on Mobile Device Management for Law Firms on 5/29/2013.  This seminar is only for members of the Association of Legal Administrators.

Here is what you will learn:

• What is Mobile Device Management
• How MDM software secure, monitors, manages, and supports mobile devices
• How to protect the data and configuration settings for all wireless devices attached to your firms network
• How to protect corporate data on both firm-owned and employee owned (BYOD) devices
• How to optimize the functionality and security of mobile devices while reducing costs and downtime
• How to select the best MDM software for your firm

Find out more and RSVP here:

MDM for Law Firms Seminar

Find out more about joining the Association of Legal Administrators here:

Association of Legal Administrators Capital Chapter

I wanted to share information on the Best Practices for Enforcing Password Policies.  Many firms are not enforcing password policies, rather they let the users determine how frequently they change their password.  This usually means that the passwords never get changed.  Weak passwords that are not changed on a regular basis leave gaping holes in the security of the network.  Read the article below for more information.

No matter how secure you make a user’s password initially, she will eventually choose her own password. Therefore, you should set account policies that define a secure password for your systems. Account policies are a subset of the policies configurable in Group Policy. Here’s a look at the key settings you will work with.

Enforce Password History
This sets how frequently old passwords can be reused. With this policy, you can discourage users from alternating between several common passwords. Windows Server 2008 R2 can store up to 24 passwords for each user in the password history. To disable this feature, set the value of the password history to 0. To enable this feature, set the value of the password history using the Passwords Remembered field. Windows Server 2008 R2 then tracks old passwords using a password history that’s unique for each user, and users aren’t allowed to reuse any of the stored passwords.

Note: To prevent users from working around the Enforce Password History settings, you should prevent users from changing passwords immediately. This stops users from changing their passwords several times to wipe the history and get back to the old password. You can set the time required to keep a password with the Minimum Password Age policy.

Maximum Password Age
This determines how long users can keep a password before they have to change it. The aim is to force users to change their passwords periodically. Generally, you use a shorter period when security is very important and a longer period when security is less important. You can set the maximum password age to any value from 0 to 999, where a value of 0 specifies that passwords don’t expire. Although you might be tempted to set no expiration date, users should change passwords regularly to ensure the network’s security. Where security is a concern, good values are 30, 60, or 90 days. Where security is less important, good values are 120, 150, or 180 days.

Note: Windows Server 2008 R2 notifies users when the password expiration date is approaching. Any time the expiration date is less than 30 days away, users see a warning when they log on that they have to change their password within a specific number of days.

Minimum Password Age
This determines how long users must keep a password before they can change it. You can use this field to prevent users from bypassing the password system by entering a new password and then changing it right back to the old one. If the minimum password age is set to 0, users can change their passwords immediately. To prevent this, set a specific minimum age. Reasonable settings are from three to seven days. In this way you make sure that users are less inclined to switch back to an old password but are able to change their passwords in a reasonable amount of time if they want to.

Note: Keep in mind that a minimum password age could prevent a user from changing a compromised password. If a user can’t change the password, an administrator has to make the change.

Minimum Password Length
This sets the minimum number of characters for a password. If you haven’t changed the default setting, you should do so immediately. The default in some cases is to allow empty passwords (passwords with zero characters), which is definitely not a good idea. For security reasons you’ll generally want passwords of at least eight characters because long passwords are usually harder to crack than short ones. If you want greater security, set the minimum password length to 14 characters.

Passwords Must Meet Complexity Requirements
Beyond the basic password and account policies, Windows Server 2008 R2 includes facilities for creating additional password controls. These facilities enforce the use of secure passwords that follow these guidelines:

• Passwords must have at least six characters.
• Passwords can’t contain the user name or parts of the user’s full name, such as his first name.
• Passwords must use at least three of the four available character types: lowercase letters, uppercase letters, numbers, and symbols.

To enforce these rules, enable the Passwords Must Meet Complexity Requirements policy.

Store Password Using Reversible Encryption For All Users
Passwords in the password database are encrypted. This encryption can’t normally be reversed. The only time you would want to change this setting is when your organization uses applications that need to read the password. If this is the case, enable Store Password Using Reversible Encryption For All Users. But with this policy enabled, passwords might as well be stored as plain text—it presents the same security risks. With this in mind, a much better technique is to enable the option on a per-user basis and then only as required to meet the user’s actual needs.