There is no one-size-fits-all answer for equipment, but we have several best practices we recommend to ensure your environment is supportable and reliable. This is a general list, but your business may have more stringent requirements that we will bring up with you over time. In addition to any recommendations below, we recommend that all equipment either have an active next-business-day replacement (or better) warranty or that a spare be kept on-site at all times.
While not a strict requirement for service, failure to meet these baseline standards may result in security, stability or suitability issues for your business.
We recommend laptops and desktops with the following minimum specifications and an active warranty from the manufacturer.
- Current-generation Intel Core i5 or i7 processor (i3 in some circumstances), or one within the 4 prior generations
- 16GB RAM (memory) preferred (8GB RAM in some circumstances)
- 512GB Solid State Drive (SSD) for storage (256GB in some circumstances)
- Windows 11 Professional or better (all new machines)
- Windows 10 Professional version 22H2 will be supported through Microsoft’s end of support on October 14, 2025
- Windows 8.1 has not been supported since Microsoft support ended on January 10, 2023
- Windows 7 has not been supported since Microsoft support ended on January 14, 2020
We do not recommend the non-Professional versions of Windows (sometimes referred to as Home) for business use.
Where Apple Mac laptops and desktops are supported and allowed by business and software requirements and organizational policies, we recommend the use of systems with Apple Silicon processors. Specifications will vary by intended use case.
Servers should be selected to be suitable for the customer’s business needs and software requirements. We recommend a minimum of RAID and redundant power supplies. Servers should run an operating system and applications currently under vendor support. The life expectancy of the server (a default of 5 years is normal) should be considered when choosing an operating system, to ensure support and updates are available at least through the server’s expected lifetime. Servers should have active next-business-day warranties to minimize the risk of extended downtime and unexpected repair expenses.
Please note the following Windows Server support end dates, subject to change by Microsoft, for your convenience:
- Microsoft Windows Server 2022 Mainstream Support is through October 13, 2026, with extended security updates available until October 14, 2031.
- Microsoft Windows Server 2019 Mainstream Support is through January 9, 2024, with extended security updates available until January 9, 2029.
- Microsoft Windows Server 2016 Mainstream Support is through November 1, 2022, with extended security updates available until November 1, 2027.
- Microsoft Windows Server 2012 and 2012 R2 Mainstream Support was through October 9, 2018, with extended security updates not available past October 10, 2023.
- Windows Server 2008 R2 and all previous versions are no longer supported or updated by Microsoft.
Microsoft’s Product and Services Lifecycle Information page is the official reference site for the above determinations.
We recommend that a backup hard drive or network storage device be used for local backup of the server. This device should use high-quality enterprise storage drives and should be sized to hold at minimum 3 full backups of the server(s) it is meant to protect, or more depending on the retention requirements of your organization. If possible, the local storage destination should use unique access credentials separate from the rest of the network, to reduce the likelihood of malicious tampering or deletion, and should be located on an isolated network segment with limited access only as required to create, validate, and restore backups.
All backups should be copied as soon as reasonable to a secured and isolated storage location physically away from the premises of the server(s) being backed up. These copies should be encrypted using 128-bit or higher encryption with a strong, unique encryption key that is stored separately from the backups, and should be kept in a location inaccessible without unique credentials, to make malicious modification or deletion as difficult as possible.
Our recommended firewall is a Fortinet FortiGate F-series (or existing E-series) sized appropriately for internet connection speed, with an active FortiGuard UTM subscription. Exceptions may be made on a case-by-case basis where a different solution is more appropriate.
Firewall firmware should be periodically reviewed and updated to the latest release on a regular cadence, or more rapidly if a security issue is discovered that may be exploited externally.
Firewalls should be configured to allow the minimum inbound access necessary for the organization to operate (ideally zero, with VPN protection if required, and with any other openings being evaluated based on risk), and all administrative management should be restricted and not available for access from the general internet.
We will not configure or support a firewall that opens Remote Desktop port 3389 (or Remote Desktop running on alternate ports) directly from the Internet to an internal network, due to the extremely high security risk.
Ethernet switching fabrics should be designed for the environment. Where appropriate, quality unmanaged switches may be acceptable but we highly recommend fully managed switches for all environments. We recommend consistent models and brands when possible to reduce the number of unusual support issues.
Our preferred brands of switches are Ubiquiti, Meraki-Go, HPE/Aruba, and Fortinet.
To a greater extent than even switching, wireless needs to be designed for the environment. In all cases, we do not recommend using any wireless provided by an ISP modem or other equipment.
Our preferred brands of wireless equipment are Ubiquiti, Meraki-Go, and.
Staff and guest networks should be segmented for security, and staff or other internal wireless networks should be secured with WPA2 security or higher, with a long, random, unique passphrase if not using Enterprise authentication.
We recommend at bare minimum a business-class broadband Internet connection, but this may not be suitable for all purposes. If Internet is required for primary business operations, we recommend at minimum redundant broadband services with one of them being a business fiber circuit. Dedicated fiber circuits may be preferred to meet some requirements.
Battery Backup (UPS)
We recommend all servers and critical network infrastructure have appropriately sized battery backups that are regularly tested and maintained.
We recommend that all authentication used in the business comply with the current US-CERT guidelines for password management. For convenience, they have been copied below:
- Use multi-factor authentication when available, in the most secure version available.
- Use different passwords on different systems and accounts.
- Don’t use passwords that are based on personal information that can be easily accessed or guessed.
- Use the longest password or passphrase permissible by each password system.
- Don’t use words that can be found in any dictionary of any language.
- Use a well-known password manager to generate and fill unique passwords whenever possible.
We recommend the use of account lockouts, separate accounts per user, secure password storage, audit logging and the timely disablement of disused accounts. When access outside of the office or over a VPN is not required, we recommend locking down access.
We recommend periodic security awareness training for anyone who has access to critical business systems.
- All Server and Desktop Software must be Genuine, Licensed and Vendor-Supported.
- The environment must have a currently licensed, up-to-date and Vendor-Supported Antivirus Solution protecting all Servers, Desktops, Notebooks/Laptops, and Email.
- The environment must have a currently licensed, Vendor-Supported Server-based Backup Solution that can be monitored, and send notifications on job failures and successes.
- The environment must have a currently licensed, Vendor-Supported Hardware Firewall between the Internal Network and the Internet.
- All Wireless data traffic in the environment must be securely encrypted.
- Local Admin access is strictly prohibited on all devices and systems.
- All cabling must be properly labeled and documented.
Costs required to bring Client’s environment up to these Minimum Standards are not included in this Agreement.