Kaseya Community

Preparing customers environment

  • We are just getting started with Kaseya and I wanted to find out what other MSPs are doing in terms of preparing the customer's environment. Do you lock down PCs / servers? If so what methods do you use? I heard about MSPs not giving the clients the admin password to the server and enforcing other restrictions as well? If you could share some of what you do or if you have a procedure/policy that you follow I would love to hear about it.

    Thanks

    Legacy Forum Name: Preparing customers enviornment,
    Legacy Posted By Username: michaelr
  • Please, don't everyone answer at once. ;)

    I came up with some things that I wanted to share and have people comment on them. Remember, these are standard things/ideas to do prior to or immediately after deploying Kaseya on a new client site.

    1) Create GPO on DC to disable windows firewall
    2) Create locked down GPO for all managed WS to prevent installing applications
    3) Ensure every WS has up to date anti-virus and spyware software installed

    any other ideas?

    Legacy Forum Name: IT Procedures,
    Legacy Posted By Username: michaelr
  • To make things easy, it's great to have a standard set of local admin passwords across all WS's.

    My boss' mantra is; Same is good. You can sometimes hear him chanting it from his office.

    Legacy Forum Name: IT Procedures,
    Legacy Posted By Username: LANWorx
  • LANWorx
    To make things easy, it's great to have a standard set of local admin passwords across all WS's.

    My boss' mantra is; Same is good. You can sometimes hear him chanting it from his office.


    I agree. We did set the local admin username and password in Kaseya, so that is standardized. I also think documentation is key. Every client that comes on should also have a standard network document. I use Visio and create a network diagram and put all of my passwords and other relevant info on it as well.

    Legacy Forum Name: IT Procedures,
    Legacy Posted By Username: michaelr
  • my ideas

    A. use the audit feature to get all hardware and software lic detail and put that in the network doc

    B. as far as password, you could do group id _password (eg, FBI_password, SRPS_password)

    Legacy Forum Name: IT Procedures,
    Legacy Posted By Username: dfenn
  • Does anyone have a standard setup task list? I would think this could be a cookie cutter approach to setting up every new customer that comes on board. Does everyone do the GPOs and disable Windows FW and lock down workstations?

    Legacy Forum Name: IT Procedures,
    Legacy Posted By Username: michaelr
  • We have a project template in ConnectWise with all the phases and tasks needed for initial setup.

    Main work phases for client site are:
    Detailed audit and documentation
    SNMP setup
    Backup exec notification set up
    Initial server patching
    Exchange hosted services configuration
    Managed server install
    Network and server configuration according to our MS standards (20 tasks inside this phase, (update firmware, setup doc redirection,...))
    Other

    Other Phases are:
    Kaseya (install agents,install KES,...)
    Connectwise (Create agreement)
    Closure (send welcome letter,procedures, etc. to client)
    Reporting (setup reporting services for reporting)

    Can't give more details, sorry.

    Legacy Forum Name: IT Procedures,
    Legacy Posted By Username: rudi
  • michaelr
    Please, don't everyone answer at once. ;)

    I came up with some things that I wanted to share and have people comment on them. Remember, these are standard things/ideas to do prior to or immediately after deploying Kaseya on a new client site.

    1) Create GPO on DC to disable windows firewall
    2) Create locked down GPO for all managed WS to prevent installing applications
    3) Ensure every WS has up to date anti-virus and spyware software installed

    any other ideas?


    1) What are you replacing this with? Are you requiring a decent firewall/UTM in your SLA? With all the machines that we are managing, never has the Windows Firewall created a problem.

    2) Your SLA should take care of this. For example, in our SLA we state that all applications have to be approved by us before anyone installs them. Otherwise, if that program messes something else up it is going to cost them (a lot) for us to fix it.

    3) Same as above. Your SLA should state what your minimum requirements are in order for you to take them on. Stuff like up to date security patches, anti-malware patches and an offsite or "cloud" spam solution are some of our requirements before we will even deploy an agent.

    You don't need Kaseya to do all the GPO stuff. How were you "managing" your clients' networks before Kaseya?

    Legacy Forum Name: IT Procedures,
    Legacy Posted By Username: CeruleanBlue
  • Most of our clients already have a FW (Sonicwall, Pix, etc.). I didn't really think about it that way, but requiring them to have one seems like a no-brainer. The Windows FW only gets in the way when I am deploying agents and that's why it needs to be disabled. I am still trying to think about all the things that are needed as minimum requirements (SLA). We did talk about a minimum hardware standard. The computers could be no more than 3 or 4 years old, preferably under warranty. We will have to work on putting an SLA on paper.

    We didn't do GPOs prior to Kaseya unless there was a need. Mainly used to lock down terminal servers. We did a lot of remote support when possible. It just seems like now that we are taking on more responsibility for our clients' networks I have to be much more aware of what could go wrong and to make sure we protect ourselves.

    Does anyone have a list of things that would be in an SLA, or minimum requirements?

    Thanks a lot for all your help and sorry if I seemed a bit overwhelmed, but I am.

    :)

    Legacy Forum Name: IT Procedures,
    Legacy Posted By Username: michaelr
  • This is only a suggestion, but before you deploy any agents for any client there should be a written SLA that they need to sign. The SLA serves the purpose of letting your clients know what you cover, what you don't cover and what the consequences are if they break that SLA and if you fail to meet that SLA.



    Here is a handful of minimum requirements that we require:

    - All Workstations must be under a manufacturer warranty
      - Windows Workstations must be XP Pro, or Vista Business
    - All Servers must be under a NBD manufacturer warranty
      - Windows Servers must be Server 2003 or 2008
    - All software (Windows, Line-of-Business apps, etc) must be legally licensed and vendor supported
    - All software and operating systems must be up-to-date and have all security patches applied
    - Hardware firewall/UTM like Sonicwall, or Astaro or equivalent
    - Robust off-site SPAM solution (MX records repointed) like Postini, MX Logic or Exchange Defender
    - Public facing servers (Web servers, Outlook Web Access) must not host private corporate data or mailboxes.



    There was another post here where some other MSPs mentioned their minimum requirements (or certified network), but I can't find it at the moment.



    There are some decent resources (books, blogs, etc.) that I listed in the MSP forum that will help you get on the road to managed services. You can find it here, all the links and stuff are at the upper half of that post. I am not sure if the MSP forum is accessible to everyone, if it's not you will need to get ahold of a forum admin somehow.



    As for the Windows firewall, we have only run into some issues with VNC needing to be added after the agent is installed. But you can write a script to add exclusions to the firewall using "netsh firewall" via the command line. The Windows firewall is pretty transparent anyway. :P

    Legacy Forum Name: IT Procedures,
    Legacy Posted By Username: CeruleanBlue
  • I would highly recommend NOT disabling the Windows firewall, but instead use the GPOs to enable it with the following restrictions:
    - Protect all network connections: Enabled
    - Define program exceptions: Enabled (with a list of programs you want to have access) I usually use "localsubnet" to make sure locally the programs have access, but not from the entire Internet.
    - Allow local program exceptions: Enabled (This is up to you.)
    - Allow remote administration exception: Enabled (enable Computer Management remotely)
    - Allow file and printer sharing exception: Enabled (opens C$ default share)
    - Allow ICMP exceptions: Enabled, Allow inbound echo request
    - Allow Remote Desktop exception: Enabled
    - Allow UPnP framework exception: Disabled (nothing but problems from UPnP)
    - Define port exceptions: Enabled (with a list of programs you want to have access) I usually use "localsubnet" to make sure locally the programs have access, but not from the entire Internet.
    - Allow local port exceptions: Enabled (same reasoning as programs above)

    I haven't had any issues with this and the firewalls are still enabled on all my machines. The biggest reason for leaving the firewall enabled is laptops out in the field. If you disable the firewall through GPO, then your laptops are vulnerable out of the network.

    ~Dave

    Legacy Forum Name: IT Procedures,
    Legacy Posted By Username: CCDave
  • RSQDave
    I would highly recommend NOT disabling the Windows firewall, but instead use the GPOs to enable it with the following restrictions:
    - Protect all network connections: Enabled
    - Define program exceptions: Enabled (with a list of programs you want to have access) I usually use "localsubnet" to make sure locally the programs have access, but not from the entire Internet.
    - Allow local program exceptions: Enabled (This is up to you.)
    - Allow remote administration exception: Enabled (enable Computer Management remotely)
    - Allow file and printer sharing exception: Enabled (opens C$ default share)
    - Allow ICMP exceptions: Enabled, Allow inbound echo request
    - Allow Remote Desktop exception: Enabled
    - Allow UPnP framework exception: Disabled (nothing but problems from UPnP)
    - Define port exceptions: Enabled (with a list of programs you want to have access) I usually use "localsubnet" to make sure locally the programs have access, but not from the entire Internet.
    - Allow local port exceptions: Enabled (same reasoning as programs above)

    I haven't had any issues with this and the firewalls are still enabled on all my machines. The biggest reason for leaving the firewall enabled is laptops out in the field. If you disable the firewall through GPO, then your laptops are vulnerable out of the network.

    ~Dave


    This is very similar to what we do.

    Michael

    Legacy Forum Name: IT Procedures,
    Legacy Posted By Username: RCS-Michael
  • RSQDave
    The biggest reason for leaving the firewall enabled is laptops out in the field. If you disable the firewall through GPO, then your laptops are vulnerable out of the network.


    not true. this is why you have separate "domain profile" and "standard profile" settings.

    quote from Microsoft:

    Domain Profile: Manages Windows Firewall when the computer is connected to the Active Directory network

    Standard Profile: Manages Windows Firewall when the computer is not connected to the Active Directory network, such as when a mobile computer leaves the corporate network.


    we do not disable the Windows firewall by default on our managed networks yet (mostly because i have not yet found a way to do mass updates to GPOs in a way that can be rolled out with Kaseya (i.e. on the command line)), but i'd love to put this policy into place. managing hundreds or thousands of instances of Windows firewall seems like way more trouble than it's worth to me. besides, if you're really concerned that an attacker might breach your perimeter firewall and put you in a position where Windows firewall is the only thing protecting your machines, then i think you may already have way more serious problems to worry about.

    Legacy Forum Name: IT Procedures,
    Legacy Posted By Username: MikeConigliaro
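
The firewall settings discussed in the posts above (exceptions limited to the local subnet, separate domain and standard profiles, and the "netsh firewall" scripting mentioned for VNC), shown as an added example that is not from any poster in this thread. It assumes the XP SP2 / Server 2003 "netsh firewall" context and VNC listening on its default TCP port 5900; adjust both to the machines being managed.

```bat
@echo off
rem Added example, not code from the thread.
rem Assumptions: XP SP2 / Server 2003 "netsh firewall" context, VNC on TCP 5900.

rem --- Domain profile: applies while the machine is on the Active Directory network.
rem Firewall stays on; exceptions are allowed, but only from the local subnet.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN || goto failed

rem VNC exception, reachable from the local subnet only (not the whole Internet).
netsh firewall add portopening protocol=TCP port=5900 name="VNC" mode=ENABLE scope=SUBNET profile=DOMAIN || goto failed

rem Built-in exceptions from the GPO list in the thread, scoped to the local subnet.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=DOMAIN || goto failed
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=SUBNET profile=DOMAIN || goto failed
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=DOMAIN || goto failed

rem UPnP framework exception off; inbound echo request (ICMP type 8) on.
netsh firewall set service type=UPNP mode=DISABLE profile=DOMAIN || goto failed
netsh firewall set icmpsetting type=8 mode=ENABLE profile=DOMAIN || goto failed

rem --- Standard profile: applies when a laptop is off the corporate network.
rem Firewall on with no exceptions at all, so none of the openings above are exposed.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD || goto failed

rem Print the resulting configuration for both profiles so it can be reviewed or logged.
netsh firewall show config
exit /b 0

:failed
echo A netsh firewall command failed; review the configuration by hand. 1>&2
exit /b 1
```

Where a Group Policy object defines the same Windows Firewall settings, the policy values take precedence over these locally applied ones.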
  • Hi

    Why do the systems have to be under warranty?

    hc

    Legacy Forum Name: IT Procedures,
    Legacy Posted By Username: howardc
  • Howard - It probably depends on the SLA and can be especially beneficial for servers.

    Legacy Forum Name: IT Procedures,
    Legacy Posted By Username: rwitt