It has been hot out around here the last week or so. Somebody’s office server needed a little extra help:
I am not a fan (pun intended) of this type of thing. Too often, we make do with things that are simply substandard. In an emergency, I get it; you do what you have to to get things going again. However, after the system is recovered comes the remedial phase, which includes making permanent repairs, replacing outdated equipment, installing things properly, making sure that wiring meets electrical code, documentation, labeling, etc.
The remedial phase is often neglected or forgotten altogether. There are two reasons for this; the “saving money” reason, or the too busy to deal with it reason. However, later on, we or the person that follow us, will have to deal with this again after some sort of catastrophic failure. Then there will be the questions: How did this happen? How long has it been like that? and so on.
As far as saving money goes; you are not. Cutting corners may save a few pennies in the short term, but long term, it only creates bigger problems which will have to be dealt with at some point. Doing things the right way will shift the engineering effort from a reactive (e.g. fire fighting) to a proactive stance and everyone will be much happier.
With the spate of ransomware and crypto virus attacks on automation systems, perhaps a quick review of network security is in order:
Isolate the automation system on a separate network from the general office network and do not allow internet access on the automation system’s work stations or servers.
Use a separate switch for all automation network connections.
install a small router between the automation network and the office network. On the router, the WAN port faces outward toward the office network, make the WAN port non-pingable. Grant access from the office network for certain users; e.g. traffic, music director, etc via access lists. Open up a few ports for VNC or RDP on the router so technicians can remotely access machines to do maintenance and troubleshooting.
Use supported and up to date operating systems.
Use separate admin and user accounts, make sure that admin rights are removed from user accounts and keep machines logged in as users. This ensures that some errant DJ or other person does not install any unauthorized programs.
Install and keep up to date a good antivirus program.
Back up the data and test the backups.
The office network is more vulnerable because of the human element. Internet access is require, of course. Click on a pop up, sure! Hey, that photograph has a funny file extension, lets open it and see what it is. I never heard of this person before, but look, they sent me an executable!
Much of the office network security will rely on the quality of the router connected to the internet and the antivirus software installed. Of course, the network users have a good deal of responsibility also.
On occasion, the company I currently work for does installation work. Thus, I am always keeping my eyes open for new equipment and tools to make that job easier. The cable comb seems like it is just such a thing:
Instructional video from youtube:
Then there is this:
Which is simply amazing. It is described as “1320 Category 6 cables, dressed and terminated.”
Incidentally, there is an entire sub-reddit: reddit.com/r/cableporn for all those cable geeks that like to look at neat cabling work.