Meraki MX-100 vs Fortigate 100E

Recently a customer with a Meraki MX80 was getting low speeds. The customer had a 400MB internet connection; however, after turning on all the threat protection and web filtering features on the Meraki, it was only able to do around 60-80MB.

The Meraki datasheet says it should be able to do 250MB; however, support confirmed that, after disabling all the security features on the device and seeing it peak at 200MB, this was a limitation of the device.

We looked at some comparisons, particularly with Fortinet.

Meraki MX100 (Datasheet)

Cost: device 3000 GBP and yearly license 3000 GBP

  • Supports the customer's existing wireless access points
  • Managed firmware upgrades
  • License renewals need to be done on the day to avoid missing days
  • Meraki support will need to fix things the GUI cannot

Fortigate 100E (Datasheet)

Cost: 1560 GBP and yearly license 908 GBP

  • Throughput: we have seen 500MB on this device with no problem, and we don't enable SSL inspection. SSL inspection can be controlled granularly rather than just on/off.
  • Larger support community for issues and fixes

The cost benefit of Fortinet is massive compared to Meraki, as you can see on both counts! Meraki also control their AV, as it is written internally rather than outsourced like Cisco.

Response IT Services has reached the finals of the Best for Fathers and Best Small Employer in Working Families’ Best Practice Awards

The shortlist for the annual Best Practice Awards has been announced today by work-life balance charity Working Families.

Response IT has been named as a finalist in the Best for Fathers and Best Small Employer categories of Working Families’ Best Practice Awards. Employers large and small from many sectors compete annually to reach the shortlist for the unique business awards for flexible, agile organisations.

Now in their tenth year, Working Families’ Best Practice Awards [3] showcase and celebrate employers who are offering flexibility for all their people and going above and beyond in their support for parents and carers.

Response IT has been shortlisted for Best for Fathers and Best Small Employer because of the absolute level of trust and flexibility given to their entire team. It started on day one with Simon, Graeme and Shaun being very hands-on fathers. As a small company with a positive work-life balance mentality, it made complete business sense for everyone to have the same level of flexibility. Staff are happy and work hard. This in turn means our customers are happy with the level of service they receive, and our level of client retention is very high.


Jane van Zyl, Chief Executive of Working Families and Chair of the judging panel [4], said:

“Working Families would like to congratulate Response IT Services, whose flexible working culture and employee-friendly workplace has earned them a much-coveted place as a finalist in this year’s Best Practice Awards. Response IT Services’ outstanding entry in the Best for Fathers and Best Small Employer categories caught the attention of the judging panel and stood out amongst a record number of entrants.

“Flexible working isn’t just good for parents and carers; it’s good for business. Employers reap valuable rewards when they give their staff members more control over their time—from improved employee engagement to better organisational performance.

“Our research shows an unmet demand for flexible working. 86% of parents want to work flexibly but less than half (49%) actually do [5]. Initiatives like those on the shortlist are key to helping parents take control of their time and find the work-life balance that works best for them.”

The full shortlist for the 12 categories:

Best for Mothers

  • Barclays
  • Unibail-Rodamco-Westfield
  • Mum & You

Best for Fathers

  • Response IT
  • Deloitte
  • Unibail-Rodamco-Westfield

Best for Carers & Eldercare

  • Barclays
  • Centrica

Best Flexible Working Initiative – sponsored by NHS Employers

  • Larking Gowen
  • Suffolk County Council
  • Global Witness

Best for Embedded Flexibility – sponsored by Arnold Clark

  • Freestyle
  • Deloitte
  • Morgan Sindall

Best for Flexible Recruitment

  • Suffolk County Council
  • Arnold Clark

Best for Line Manager Support

  • Unibail-Rodamco-Westfield

Best Innovation – sponsored by ILF Scotland

  • Waltham Forest Council
  • Arnold Clark

Best Returner Programme – sponsored by Royal Bank of Canada

  • Barclays
  • Allen & Overy
  • Morgan Sindall
  • Natwest Markets

Best Family Network

  • Barclays
  • Royal Bank of Scotland
  • Sky

Best for Mental Health & Wellbeing – sponsored by Schroders

  • Deloitte
  • QBE Insurance Group
  • Unibail-Rodamco-Westfield
  • Financial Ombudsman Service

Best Small Employer

  • Response IT
  • 9-2-3 Jobs
  • Slalom


The winners of each category will be announced on 20th June at London’s Vintners’ Hall.




[1] For more information contact Working Families press office by email

[2] About Working Families: Working Families is the UK’s work-life organisation. The charity supports and gives a voice to working parents and carers, whilst also helping employers create workplaces which encourage work-life balance for everyone. Twitter @workingfamuk

[3] The Working Families Best Practice Awards 2019 The winners of the Working Families’ Best Practice Awards will be announced at London’s Vintners’ Hall on 20th June 2019.

[4] Judging Panel. The final winners of each Award category are judged by an expert panel. The judging process for the Awards is anonymous - none of the judges knows the identity of the companies which they are judging.

[5] Modern Families Index 2019

The Modern Families Index was published by Working Families with Bright Horizons in February 2019. More information can be found here:

[6] Case studies of previous award winners and finalists are included in Working Families’ online library of case studies which is available here. Please contact the press office for further details and for contact details of previous finalists and winners.

2019 The Year to Hyperconverge!

We touched on hyper-convergence in 2017 in this article. There has been a dramatic increase in installations and also in vendors offering the service, with Microsoft's Storage Spaces Direct (S2D) offering taking on VMware vSAN.

NetApp is a new player to the game, with Nutanix still the strongest player, per below.

One of the main benefits we have seen with Nutanix is the cost of the Open Source operating system Nutanix AOS compared to VMware. Nutanix can run Hyper-V or VMware, but the only benefit you then get is the combined hardware (storage, compute and networking).

We are definitely seeing a shift, with small to medium businesses using more cloud offerings with compute in Azure, and larger enterprises using the above systems!

Cisco Announces Service Price Changes 4th May 2019

For customers using Cisco devices, some of your product support renewals will increase by 10-30% on your next renewal date. Please see the official press release here.

We recommend that customers check with us before renewing directly with the supplier, as there are cheaper providers out there that supply hardware maintenance for your devices at 40% of the cost.

Get in touch to find out how Interactive can support your Cisco devices today.

New Wifi Standard - 802.11ax (also known as Wi-Fi 6)

4.8Gbps of blisteringly fast Wi-Fi

This emerging standard delivers greater throughput (up to 25% faster), better efficiency and longer battery life. The technology in Wi-Fi 6 makes it easier to design an efficient wireless network, especially in high-density environments.

Security: WPA3 eliminates unencrypted wireless traffic between compatible devices. Even on an open access point where you don't have to enter a password, the connection between the AP and the client is automatically encrypted with a per-client key, essentially eliminating the risk of even HTTP traffic being sniffed.

Previous Wi-Fi standards and their names

  • 802.11b is now Wi-Fi 1
  • 802.11a is now Wi-Fi 2
  • 802.11g is now Wi-Fi 3
  • 802.11n is now Wi-Fi 4
  • 802.11ac is now Wi-Fi 5
  • 802.11ax is Wi-Fi 6

Technically, Wi-Fi 6 will have a single-user data rate that is 37% faster than 802.11ac, but what's more significant is that the updated specification will offer four times the throughput per user in crowded environments, as well as better power efficiency, which should translate into longer device battery life, so it is also great for mobile devices.

Meraki have released some models: the MR45 and MR55 are now out.

Why Zen Internet is one of the Best UK ISP's

Auto compensation – your entitlements

This is a service message to inform you that our new auto compensation scheme will begin from 1st April.

From today, if your landline or broadband services stop working simply report the fault to Zen, and whenever you qualify to receive compensation, you'll get it automatically.

The three scenarios where auto compensation will apply are:

  • Delayed repair

If your service stops working and the fault is not fixed within two working days, you’ll then automatically receive £8 per day for each additional day until the fault is repaired.

  • Missed appointments

If an engineer doesn’t turn up for a scheduled appointment, or the appointment is cancelled with less than 24 hours’ notice, you’ll receive £25 compensation.

  • Delayed provision

If you’re promised that a new service will go live on a particular date and it doesn’t, you’ll receive £5 per day (including the missed start date) until the service starts.

You do not need to take any action or steps to be eligible for auto compensation. In the event of any of the above scenarios, you will receive your compensation automatically in the form of credits to your Zen account.

DaaS - Device as a Service

You may have heard of SaaS solutions - Software as a Service - such as Salesforce and other cloud-based applications. This technology changed the dynamic of companies purchasing software from a single point of purchase, such as Microsoft Office for 300 GBP per user license, to a subscription service at 10 GBP per month per user.

Hardware providers are now offering the same subscription-based model for companies' IT hardware. This matches the way most consumers currently purchase their mobile phones from their mobile carrier, rather than a large one-off purchase.

It's not just a single device purchase you get over a 3-year period; you also get:

  • The physical Equipment with the latest operating system and Software Add ons as required.

  • Configuration and Deployment - They can be pre-enrolled in Intune or have an image deployed before arriving to site.

  • Support - Hardware and Software support is provided by the manufacturer for any fault/issues.

  • Asset Recovery - Secure Data wiping and recycling old hardware


Cash Flow

This enables organisations to be more flexible when onboarding new users, by presenting a lower TCO (Total Cost of Ownership) per user. Like adding new licenses in a SaaS software portal, users can be added and removed without having to worry about obsolete, wasted hardware.

Support and IT Benefits

This enables your workforce to maintain a 3-year hardware refresh cycle, which means they get up-to-date hardware for better productivity and support with repairs. It also takes strain off your IT team repairing outdated or unsupported hardware and software.

We partner with suppliers (e.g. Lenovo and HP) who offer DaaS (Device as a Service) worldwide, which means wherever users are around the world they get supported and their hardware refreshed, without having to worry about maintaining warranties and support from a company's head office.

Your companies own Virtual System/Network Administrator

As wikipedia puts it :

A network administrator is the person designated in an organization whose responsibility includes maintaining computer infrastructures with emphasis on networking. Responsibilities may vary between organizations, but on-site servers, software-network interactions as well as network integrity/resilience are the key areas of focus.

A network administrator will usually have a full time day of standard tasks like :

  • Checking monitoring for alerts

  • Checking backups have succeeded and running test restores

  • Checking a company's internet and network connections

  • Helping the help desk with any 1st Line Support calls that need escalating

  • Working on new IT projects to implement new Software/Hardware/Services

  • Checking IT Security

A small to medium business' utilisation of a network or system administrator, however, probably won't keep them busy for the whole day. A good system administrator will have scripts for most of these tasks, only get notified on failure and resolve issues ad hoc!

Being a network administrator myself, I see too often that a business will then ask the network administrator to fulfil other tasks such as 1st line help desk, roles that they would previously have been promoted from.

The solution: rent a network administrator, or rent a few network administrators, giving you extra redundancy like your servers.

Response IT provides Virtual System and Network Administrators for businesses in Surrey and London (so we can visit site as and when we need to) who are only a phone call away. They can help out ad hoc with issues your current help desk is having trouble with, or can be brought in for issues or normal maintenance.

All the tasks bullet-pointed above can be automatically scheduled every week and reported back to you.

How SD Wan can help your company

SD-WAN stands for “Software Defined WAN”. Its primary focus for companies is enabling businesses to use a range of internet services together to reduce cost and increase reliability and scalability. There are a number of providers who provide virtual and hardware devices for this, e.g. Citrix NetScaler, Fortinet’s FortiGate product and Juniper’s routers, to name a few.

The features below are how SD-WAN differs from standard bonding of WANs.

Application Aware

SD-WAN devices understand all the applications going through their network. Using this information they can route particular traffic over different links. For example, a company might have a 5mb leased line connection and a fast fibre link with a local telco. It can route all unimportant traffic such as Facebook, YouTube and Spotify over the cheap link, and important traffic such as Outlook 365 MAPI connections and VoIP over the dedicated leased line connection.

Dynamic Monitoring and route changes

SD-WAN devices constantly test the speed and quality of each connection and route traffic in real time using this information. For example, if a company had a 4G connection and a normal ADSL2 connection, it could route all download traffic over the ADSL2 connection and all upload traffic via the 4G connection, which adds significant speed advantages for businesses that cannot get a faster connection locally.

For Outside Operations such as mining

Sites being set up outdoors, such as building and mining sites, will usually rely on cell towers at the beginning for internet connectivity. These remote sites usually only have a single cellular tower, which means this single 4G connection is shared with the local town. Increasing the number of 4G connections to this tower also increases your bandwidth. SD-WAN makes it easier to add these without worrying about traffic routing.

Windows Information Protection (WIP)

Microsoft Windows Information Protection “helps to protect against this potential data leakage without otherwise interfering with the employee experience.”

Most of the time data leakage will be situations where hackers, ex or existing employees or third parties try to extract company-owned data for their own benefit or its resale value. Some examples could be a recruiter extracting all his customers to take to a new company, or an employee extracting the projects he has worked on so he has a base to continue them as a contractor.

Other cases could be entirely accidental, where an employee copies a file to an unencrypted USB stick and loses it, or emails it home to a personal email account so they can work on it later.

Devices enrolled in Windows Intune can have policies set to protect specific files and only allow them to be opened in applications that support information protection, such as the Office suite or Adobe products. You can then set granular permissions on what is allowed to be done with these files, such as print only.

You can also make sure that documents are only opened on devices enrolled in Intune, which ensures documents never leave the company on purpose or by accident.

If you have enrolled a device in Intune you should already have this license for free, as it comes with the Enterprise Mobility + Security E3 license. More price variables can be found here.

Microsoft 365 InTune with Azure AD - Recommended Features

We have recently deployed Microsoft Intune in 365 for a customer and would like to share some great features of this product with you!

Intune is for device management, whether mobile phone, PC or Mac. You control it from your 365 tenant and devices check in over an internet connection, meaning there is no need to take the PC back to the office to deploy software or settings.

Deploy Intune with Azure AD

We recommend the minimum license you will need for this is Enterprise Mobility + Security E3 (6.60 GBP/month/user). You can get Intune on its own as a separate license, however you will want to set up auto-enrolment so that users can join laptops to Azure AD by themselves and it will deploy the needed apps and settings.

Windows Update Management

Force PCs to update and have a global WSUS control panel in Intune to check the status of devices.

Only allow Email on enrolled Mobile device

You can set security so that only devices enrolled in Intune can receive emails. As you get an Azure P1 license with the EMS E3 license, this also gives you Azure Conditional Access, which allows you to set these options.

Deploying MSIs is easier than Win32 application deployment

Hopefully most of your company apps will have MSIs. These are very straightforward to deploy. If your app only has an .exe, then hopefully it has a silent installer; you can use the Win32 Packager to zip it up with the needed files for deployment. Tricky situations are when the .exe does not have a silent installation, so you need to build an .msi from scratch using packaging software.

Useful Items to configure with InTune

We really found no limitation, thanks to PowerShell and the Win32 Packager, to what we could deploy. We replicated a whole standard Group Policy deployment and more:

  • Rename PC using company name and serial or random number

  • Create a local admin on the PC in case it falls off the Azure AD domain

  • Enable Bitlocker

  • Deploy Signatures and ‘mail merge’ details from AD

  • Add Firewall Policies

  • Deploy Fonts

  • Deploy Outlook Settings

  • Deploy Printers with drivers

  • Deploy Drive Shares

Bye Bye Exchange 2010

Along with its siblings ‘Server 2008’ and ‘Windows 7’, end of support is coming for Exchange 2010 environments (SBS 2008) in January 2020.

What does this mean?

This means that Microsoft will no longer release security patches for your email server, so security-related problems will not be resolved and could be exploited to gain access to your emails. Email servers in particular live on the internet for services such as webmail and phone syncing, so it is crucial for security that these are kept up to date.

Migration plans

There are really only two options:

  • Office 365 in the cloud

  • Exchange 2016 on Premise

Contact us today to speak to our migration wizards

Windows Server 2019 - Whats new!

There are three Versions :


Storage Migration Service


  • The admin selects nodes to migrate; the Storage Migration Service orchestrator node interrogates their storage, networking, security, SMB share settings and the data to migrate.
  • The admin creates pairings of sources and destinations from that inventory list, decides what data to transfer and performs one or more transfers.
  • The admin assigns the source networks to the destinations and the new servers take over the identity of the old servers. The old servers enter a maintenance state, where they are unavailable to users and applications, for later decommissioning, while the new servers use the subsumed identities to carry on all duties.

Migrate files from Server 2003 and up!

System Insights


Add Azure Network Adapter Directory to Server 2019


How to check your company domain name for Attacks

A common phishing attack is for an attacker to register a domain similar to yours to trick customers, partners or employees into thinking it is your domain, so that they enter credentials and information that the attacker can use against you.

Energy companies are a classic example of this attack: attackers target existing customers to re-enter their billing details (credit card information).

A look at shows all the list of targeted domains

You can run the report for your domain here:
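As an added example that is not part of the original post, the following Python snippet shows the kind of look-alike check a mail gateway or SOC can run on inbound sender domains against your own domain: it normalises commonly substituted characters, then flags domains that carry the company name on another TLD, embed it in a longer name, or sit within a small edit distance of it. The sender addresses, the company domain example.co.uk and the short suffix list are constructed for the example.

```python
import re

# Characters attackers commonly swap for visually similar ones; map them
# back to the character they imitate before comparing. Both the sender
# domain and the company domain go through this, so the check is symmetric.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l",
              "3": "e", "5": "s", "7": "t"}

# Tiny public-suffix list for the sample; a production check would use the
# full Public Suffix List (assumption: these suffixes cover the sample).
SUFFIXES = ("org.uk", "co.uk", "com", "net", "org", "uk", "io")


def normalise(label):
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (registrable label, suffix), e.g. mail.example.co.uk -> ('example', 'co.uk')."""
    domain = domain.lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1], suffix
    head, _, tail = domain.rpartition(".")
    return (head.split(".")[-1], tail) if head else (tail, "")


def lookalike_reason(sender_domain, company_domain, max_distance=2):
    """Return why sender_domain resembles company_domain, or None if it does not."""
    s_name, s_tld = split_domain(sender_domain)
    c_name, c_tld = split_domain(company_domain)
    if (s_name, s_tld) == (c_name, c_tld):
        return None  # genuinely our domain; SPF/DMARC deal with forgery of it
    ns, nc = normalise(s_name), normalise(c_name)
    if ns == nc:
        if s_name != c_name:
            return "look-alike characters substituted in the company name"
        return "company name on a different top-level domain"
    stripped = re.sub(r"[^a-z0-9]", "", ns)
    if nc in stripped:
        return "company name embedded in a longer domain"
    if len(nc) > 4 and edit_distance(ns, nc) <= max_distance:
        return f"within edit distance {edit_distance(ns, nc)} of the company name"
    return None


def flag_senders(addresses, company_domain):
    """Map each flagged address to its reason; addresses that pass are omitted."""
    flagged = {}
    for addr in addresses:
        reason = lookalike_reason(addr.rpartition("@")[2], company_domain)
        if reason:
            flagged[addr] = reason
    return flagged


# Constructed sample senders as a gateway might see them for company domain example.co.uk.
COMPANY_DOMAIN = "example.co.uk"
SAMPLE_SENDERS = [
    "billing@examp1e.co.uk",         # digit 1 standing in for the letter l
    "accounts@example-billing.com",  # company name embedded in a new domain
    "support@exampel.co.uk",         # two letters transposed
    "it@example.co.uk",              # genuine
    "news@unrelated.org",            # nothing to do with us
]

if __name__ == "__main__":
    for addr, why in flag_senders(SAMPLE_SENDERS, COMPANY_DOMAIN).items():
        print(f"FLAG {addr}: {why}")
```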


Join us...

1st line Support Engineer / Call handler

This is an exciting opportunity for a 1st Line Support Engineer to join a growing IT Managed Service Provider based in Albury, Guildford.

We are looking for an outgoing and approachable engineer to provide primarily remote support to users across multiple locations in the UK within a fast-paced, dynamic working environment.

Required Skills:

  • Knowledge of Windows up to 10

  • Software/Hardware support knowledge

  • Understanding of basic networking

  • Strong customer service/communication skills

Please apply for immediate consideration, this is an urgent requirement.

We are an equal opportunities employer and welcome applications from all suitably qualified persons.


How to Migrate from One Managed Service Provider to Another

End of Support

When signing up with a new Managed Services Provider you should finalise the dates on which the new MSP will take on support for your company and the old provider will cease support. There should be at least 2 weeks (recommended 1 month) in between for a handover period, to make sure there is no drop in IT support quality for your company.

Your new MSP should help you with the below automatically, but this is a list for any company or project manager needing to understand what should be completed.

  • Documentation - Make sure all documentation from the old provider is handed over to the new one and is as up to date as possible. The company being supported should also keep copies of this on file. The new company should check it and make sure any questions have been answered by the new provider. It should be sent in a password-protected, encrypted format (with the password sent by another means of communication, e.g. SMS).
  • Migration of servers if needed - If your servers are on site you don't need to worry about this; however, some servers are hosted virtually on the MSP's hardware or in a rack owned by the MSP. You will need to investigate physical or virtual migrations. If hosted with services such as Azure/AWS, the company should have its own login to these portals.
  • Migration of services if needed - Double check what services the old MSP currently provides that will cease when support ends. These could be DNS hosting, website hosting, 365 tenant hosting, mail hosting, domain registration or mail filtering.
  • Support agreements - Make sure you have a list of all third-party support agreements currently held by the company, such as VMware, firewall, web filtering and Veeam.
  • Software - Make sure you have a list of all software purchased by your company or the old MSP, as well as the license keys. Usually you should have a login to the Microsoft VLSC as well.
  • Monitoring - Make sure the old provider removes all the monitoring they have set up that reports to an external (not internal) system.
  • Antivirus - Make sure the old antivirus is removed by the old provider and the new one has been installed.
  • RMM (Remote Monitoring and Management) - Again, make sure the old RMM tool is removed from all computers and the new one is installed by the new provider.


Hopefully all your passwords have been stored in a password database, either internally or hosted with the MSP. These should be handed over to the new provider, sent in a password-protected, encrypted format (with the password sent by another means of communication, e.g. SMS).

Cutover Day

  • Make sure all your staff know the new provider's details and how to lodge support tickets.
  • Access accounts - For security reasons all service, root and domain admin passwords should be reset and updated on the relevant systems. Remote access from the old MSP should also be blocked.
  • Create a rule on your email server to monitor any emails going to the old MSP - this will catch old monitoring services etc.

How to prepare your companies IT Systems for millennials

A report by PricewaterhouseCoopers has stated:

By 2020 millennials will form 50% of the global workforce.

How should your company's IT prepare for this?


41% of millennials prefer electronic communication over face to face or even telephone.

Millennials have grown up submerged in technology from a young age, whether that is multiple mobile devices, high-tech gaming consoles or starting on Facebook from the age of 13. They understand how easy it is to share, communicate and build on these platforms, so they will want to replicate the same in their job.

They will want to be effective at work: this could be sharing files via Dropbox, communicating over WhatsApp or even using their student version of Office to manipulate company documents without waiting on IT. This goes back to the post on Shadow IT, where organizations should always look for new technology to streamline their work instead of employees doing this without their approval.


Millennials have a strong appetite for working overseas, and 71% expect and want to do an overseas assignment during their career.

Working remotely will be seen as the normal thing to do, whether it's working remotely for a company you have previously built a relationship with and would like to continue employment with, or contracting remotely for an entirely new job and country.

Technology should be in place for companies to manage and maintain these remote workers, with management tasks such as meetings, project management and timesheets. Remote millennials will also want to feel included in as much of the business process as possible, so multiple communication channels should be used, e.g. Microsoft Teams for group chat and document collaboration, Yammer for social updates and sharing, and Skype for Business for conferences.

Knowledge Transfer

With a shift in thinking and work culture, companies should have the technology to transfer knowledge between staff and document it for future training. According to one study, only 22% of companies feel confident they are currently able to do this.

Windows 7 End of Life January 14, 2020 - Migration Plans

On January 14, 2020 Microsoft support for its Windows 7 Operating system will end.



Large organizations such as governments have previously looked to secure ongoing support packages directly with Microsoft for many millions of dollars; here is how your organization can migrate beforehand.

Hardware refresh

If your computers had Windows 7 preinstalled when you purchased them, the hardware is around 5 years old, which is over the recommended 3-year hardware refresh period. Not only will your machines be out of hardware warranty, but they will probably still use hard disks instead of solid state drives.

This might be the ideal time to purchase new machines which come with Windows 10 preinstalled, saving the license purchase (currently 220 GBP for a retail copy). For large refreshes you can use the Microsoft Deployment Toolkit with its User State Migration Tool (USMT) for seamless migrations.


If your machines came with Windows 10 licenses, you can use one of the following migration routes to upgrade; if not, you can purchase Windows 10 licenses from your Microsoft Partner.

Manual In-place Upgrade

This is advisable for 50 or fewer computers, where you have enough time to run it manually; it takes around 3 hours.

To get started, go to the Download Windows 10 web page and click the Download tool now button. After the download completes, run the Media Creation Tool.

MDT Windows 10 Upgrade

You can set up a Microsoft Deployment Toolkit (MDT) server and, using this workflow, deploy the installation media for the Windows 10 upgrade across multiple offices.

You can script the upgrade to take place automatically without user intervention.

"Can we trust hosting our data with Microsoft Office 365 being in the cloud?"

We recently had a small medical practice who were unsure about putting their data straight into the Office 365 suite, thinking they might be breaching compliance requirements.

Here are some videos from Microsoft explaining where your data sits, who has access to it and how they protect you.


Security Recommendations for all Company Computer Systems - Part 2


Implement Microsoft Local Administrator Password Solution

A common practice when running Windows networks is to set the local Administrator account to the same password on every machine. Whilst this makes system administration more convenient, the practice also makes it easier for attackers: once an attacker has compromised one machine, they can obtain the administrator password and use it to access any other machine on the same network.

The "Local Administrator Password Solution" (LAPS) manages the local account passwords of domain-joined computers. Passwords are stored in Active Directory (AD) and protected by an ACL, so only eligible users can read them or request a reset.

LAPS removes the shared local account password by setting a random password on each machine. LAPS also mitigates the risk of Pass-the-Hash (PtH) credential replay attacks.

Consider implementing Microsoft LAPS.

Email Security

SPF (Sender Policy Framework) is a standard that helps reduce spam. Each domain publishes in one DNS record the list of all the servers that are allowed to send email for that domain. When an email provider like Gmail sees an email from an address at that domain but coming from a server not listed in the SPF record, it knows the email is likely to be spam.

Conversely, it is important to set such a record so that your own emails are not considered spam. More and more email providers treat domains without an SPF record as more suspicious than others. Even if your domain does not send email, you should set an SPF record, as this will prevent spammers from faking emails from your domain.

Implement DKIM and DMARC to strengthen email security. Deploying both, together with an SPF hard fail, will prevent any third party from sending emails pretending to be from @companydomain. This will prevent spear phishing emails both internally and externally to customers and suppliers.
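As an added example (not code from the original post), here is a small Python checker that applies the advice above to a domain's published records: it parses the SPF TXT record and the _dmarc TXT record and reports anything short of an SPF hard fail combined with an enforced, reported DMARC policy. The records are constructed samples; a real check would fetch them with a DNS resolver.

```python
"""Grade a domain's SPF and DMARC records against the advice above.
Added example, not code from the original post. The records are constructed
samples; a real check would fetch the TXT records with a DNS resolver."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One SPF term: optional qualifier, then a mechanism or modifier (RFC 7208).
SPF_TERM = re.compile(
    r"([-~?+]?)(all|include:\S+|ip4:\S+|ip6:\S+|a(?:[:/]\S*)?|mx(?:[:/]\S*)?"
    r"|ptr(?::\S+)?|exists:\S+|redirect=\S+|exp=\S+)", re.I)


@dataclass
class SpfResult:
    present: bool
    mechanisms: List[str] = field(default_factory=list)
    all_qualifier: Optional[str] = None  # '-' hard fail, '~' soft fail, '?' neutral, '+' pass
    findings: List[str] = field(default_factory=list)


def parse_spf(apex_txt):
    """Evaluate the TXT strings published at the domain apex."""
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return SpfResult(False, findings=["no SPF record: anyone can send as this domain"])
    if len(spf) > 1:
        # RFC 7208 section 3.2: more than one v=spf1 record is a permanent error
        return SpfResult(True, findings=["multiple SPF records: receivers treat this as permerror"])
    res = SpfResult(True)
    for term in spf[0].split()[1:]:
        m = SPF_TERM.fullmatch(term)
        if not m:
            res.findings.append(f"unrecognised SPF term: {term}")
            continue
        qualifier, mechanism = m.group(1) or "+", m.group(2)
        if mechanism.lower() == "all":
            res.all_qualifier = qualifier
        else:
            res.mechanisms.append(mechanism)
    if res.all_qualifier is None:
        res.findings.append("no 'all' mechanism: unlisted servers get a neutral result")
    elif res.all_qualifier == "+":
        res.findings.append("'+all' passes every sender; the record protects nothing")
    elif res.all_qualifier in "~?":
        res.findings.append(f"'{res.all_qualifier}all' is not a hard fail; forged mail is only soft-failed")
    return res


def parse_dmarc(dmarc_txt):
    """Evaluate the TXT strings published at _dmarc.<domain>; returns (policy, findings)."""
    recs = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not recs:
        return None, ["no DMARC record: SPF/DKIM failures are neither enforced nor reported"]
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    findings = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC record has no valid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; forged mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: the policy applies to only part of the mail")
    return policy or None, findings


def grade_domain(apex_txt, dmarc_txt):
    """Return all findings; an empty list means SPF hard fail plus enforced, reported DMARC."""
    _policy, dmarc_findings = parse_dmarc(dmarc_txt)
    return parse_spf(apex_txt).findings + dmarc_findings


# Constructed records for a company domain: a weak pair and a hardened pair.
WEAK_APEX = ["v=spf1 include:spf.protection.outlook.com ~all"]
WEAK_DMARC = ["v=DMARC1; p=none"]
HARD_APEX = ["v=spf1 include:spf.protection.outlook.com -all"]
HARD_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; pct=100"]

if __name__ == "__main__":
    for label, apex, dmarc in (("weak", WEAK_APEX, WEAK_DMARC), ("hardened", HARD_APEX, HARD_DMARC)):
        print(label, grade_domain(apex, dmarc) or ["OK"])
```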

Email Archiving

Lack of Email Archiving

Email archiving is the act of preserving and making searchable all email to and from an individual. Archiving email is considered better practice as it allows an organisation to control the size of mailboxes and to keep a non-repudiable copy in case of legal disputes.

Implement some form of email journaling or archiving to meet compliance requirements or to provide admissible evidence in court proceedings. Check whether Barracuda offer additional archiving services, or purchase additional software and storage for an on-premise vault. Alternatively, Office 365 business plans have large mailbox and storage capacities and offer legal hold as an additional add-on service.



Patching

Hackers take advantage of errors in software code to attack and take over computers. These vulnerabilities are specifically targeted by attackers. Software vendors correct errors in their code by releasing patches. Applying patches is one of the most effective measures to improve the security of a computer system.

Implement Windows Server Update Services (WSUS), a free Windows component, to manage, monitor and control the deployment of Windows patches.

Administrator Privileges

Administrator or admin access is a level of access where the user has full, complete or unrestricted access to the entire system and all its data. Users with administrative privileges for operating systems and applications can make significant changes to their configuration and operation, bypass critical security settings and access sensitive information.

Make sure users do not have local admin rights on their machines, and that administrators have a separate login for domain admin tasks, for logging and auditing purposes.


Limited Retention of Logs

Logging should be enabled across all systems and logs retained for a reasonable period to allow investigation and review of events that have occurred in the past. The lack of available logging information makes any subsequent investigation into an incident that occurred in the past very difficult to perform.

Consider implementing a system for managing and storing logs in which logs from key infrastructure services are periodically copied to an external system for long-term storage and access.

We recommend that at least the last 3 months of logging information is on hand for immediate analysis and that at least the last 12 months of logging data can be retrieved when required for analysis.

Network segmentation

Network segmentation is the act of splitting a network into many "sub-networks" or areas. Segmentation segregates and protects company data and systems and limits attackers' lateral movement between computers and across the network.

There should be segmentation between the internal network and internet-accessible computers. Otherwise, should an internet-facing computer be compromised by attackers, the rest of the company network will be easily accessible.

Consider implementing network segmentation. At a minimum, internet-facing systems should be segregated from the internal network by creating a demilitarised zone (DMZ).

Network access to administer computers, firewalls, switches and routers is often not restricted: any computer on the network can connect to any other computer on the network and potentially access services that are only meant to be accessed by IT administrators.

Access to administration ports should be restricted to only certain network addresses and/or computer systems.

This can be achieved through network segmentation and/or by implementing IP address restrictions for accessing administration functions such as SSH, remote desktop or web-based administration portals.