Guidelines for Home / SOHO Computers

Updated 5/10/08

The following guidelines are ones that Dave Snow has developed over his more than three decades in the computer industry. Many he learned the hard way. Like everyone in the computer industry he is still learning, so these guidelines aren't perfect and are still a work in progress. These are the policies that the Snows use for their SOHO (small office home office) computers. You are welcome to adopt these guidelines for use on your own computer systems at your own risk. The guidelines are listed in approximate order of importance!

Have a Backup Plan - Follow It - Test It

If your computer has data that is valuable to you then you MUST back that data up! Data might be Music (MP3's), Photos (Jpeg's), Tax and Business Records, correspondence, email, your calendar or many other things. Computer hardware can break, computer software can have bugs, systems can get infected with a virus, a fire or disaster can damage your system. If you don't have a backup, you will have lost that valuable data.

Today with the massive amount of data that users keep on their computers, DVDs are no longer a viable backup media for many people. Blu-ray and HD-DVD won't be either due to high costs and the limited size. We recently switched from DVDs to an external 500 GB USB 2.0/FireWire Hard Disk that we were able to buy for $120. For smaller systems, a similar strategy to ours can be developed using DVDs or a second hard drive. Note: DVD Burners can be purchased for about $30 - $40 and External Hard Drives for $80 - $130 at www.NewEgg.com. DVD-R Media is now down to $.30 a 4.7 GB disk. Backing up your computer doesn't have to be expensive - not backing it up can be VERY costly!

The following is the strategy that we use for our SOHO systems:
  • One of our computers has an external 500 GB USB 2.0 Hard Disk. We use this exclusively for backups and storing Software Kits. It is portable, so we can easily move it from system to system if required. We are using Nero Ultimate 8's BackItUp3 as our backup program now rather than either WindowsXP or Vista's backup programs. Nero can encrypt our backups, although this drastically increases the backup time. We keep several types of backups for each computer. Remote computers can be automatically backed up over our local area network.
    • Image Backups of each drive, except the 500 GB backup drive, are done on major upgrades and/or about every 6 months. These are used to quickly restore the Operating System and applications to a usable state if the system disk crashes. Nero can restore them from a bootable CD or DVD. The backup drive has to be physically attached for the restore, but the drive can easily be moved from system to system. Note: On my Vista system I had an occasion to try a Nero Image Restore with Nero 7; it almost worked. The disk, which had no errors before we started, failed chkdsk and I ultimately had to do a complete reinstall. Now I am using Vista Image Backup and have even tried a restore once and it worked well.
    • Full Backups of Documents & Settings for all users. These are scheduled, done in the middle of the night, and occur daily. If there are other areas outside of Documents & Settings we add these directories too. The hard part is knowing what outside of Documents & Settings also needs to be backed up! Every time a new application is installed I have to check where it stores any important long-term data.
    • Incremental Backups or Differential Backups--- Note: In Jan 2008 we started doing a full backup every night or every other night rather than the mix of Full and Incremental backups. The small amount of disk space saved wasn't worth the complexity! At the end of the month we delete the backups that we don't want to keep for a longer period.
    • QuickBooks Backups - Since we use QuickBooks for our business, we have set its automatic backups to record on the computer system that doesn't have the company file. These backups are supposed to occur whenever you exit QuickBooks. However, as soon as we enabled multi-user mode, QuickBooks stopped doing backups. I guess that QuickBooks feels that if your business is big enough to have two people entering data into the company's books that you no longer require backups ;=}  In reality our nightly BackItUp3 backups are what we are counting on for QuickBooks. As of 4/1/2008, I still have to fully test this area.
  • Off-Site Full Backups similar to the automated Full Backups above are manually done once a month to 1 to 3 DVDs and are stored securely off-site.
  • Test that the backup strategy is saving the correct files. First by looking at what is being saved. When you upgrade your system, test that restoring gives you the desired data. Always remove and save the old disk from any system upgrade! Note: Nero BackItUp2 version 2.9.1.0 appeared to not work correctly when backing up from one drive (F:\) and restoring to another (C:\). This made testing our backup strategy harder!
  • With a good backup program, you can restore anything from a single file to all of your data. If the disk dies, you may have to reinstall the OS and applications as well then restore the data from the backups. I keep several copies of the Full Backups on the External HD, as well as several months worth of DVDs off site. Often you don't discover a deleted or corrupted file for a long time.
  • Part of the data that must be backed up at least once is the Microsoft Operating System Key that is often physically located on the outside of your CPU box or the bottom of your laptop. You need this number to reinstall the OS. Record it and any other software keys and keep them with your off-site backups. Today most new Windows computers are shipped without the disk for the Operating System. You really need to have one of these disks or access to one! Since I build our system from scratch, I have one.
  • Local backup DVDs are stored in a locked fire resistant cabinet along with original software kits and keys. Off-site backups also need to be secure.
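
One way to carry out the "test that restoring gives you the desired data" step, as an added example that is not part of the original guidelines: restore a backup to a scratch directory, then compare it with the live tree by SHA-256. The directory and file names below are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                # Read in 1 MB chunks so large files do not fill memory.
                for chunk in iter(lambda: fh.read(1024 * 1024), b""):
                    digest.update(chunk)
            manifest[full.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_restore(source_root, restored_root):
    """Compare a restored tree against the live source tree.

    Returns three sorted lists:
      missing - in the source but absent from the restore (never backed up)
      changed - present in both, but the content differs
      extra   - only in the restore (e.g. deleted from the source since)
    """
    src = build_manifest(source_root)
    dst = build_manifest(restored_root)
    return {
        "missing": sorted(set(src) - set(dst)),
        "changed": sorted(p for p in src.keys() & dst.keys() if src[p] != dst[p]),
        "extra": sorted(set(dst) - set(src)),
    }


def demo():
    """Constructed sample: a restore that lost one file and damaged another."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "Documents and Settings"
        dst = Path(tmp) / "restore_test"
        files = {
            "user1/My Documents/taxes-2007.xls": b"constructed tax data",
            "user1/My Documents/photos/trip.jpg": b"constructed jpeg bytes",
            "user1/Application Data/mail.pst": b"constructed mail store",
        }
        for rel, data in files.items():
            for root in (src, dst):
                path = root / rel
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        # Simulate a directory the backup job never covered, and a bad restore.
        (dst / "user1/Application Data/mail.pst").unlink()
        (dst / "user1/My Documents/photos/trip.jpg").write_bytes(b"truncated")
        return compare_restore(src, dst)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files edited after the backup ran will also show up as changed, so run the comparison soon after the backup or against folders that rarely change.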

Have a Firewall to Isolate Your Computer/LAN from the Public Network

High-speed always-on broadband networks are the source of both useful information and computer hackers. Your computer should be isolated from the network by a hardware firewall. WindowsXP and Vista have  built-in software firewalls. Anti-Virus programs often include firewalls as well. These firewalls are better than no firewall, but a hardware firewall is a far better solution. I recommend them even for SOHOs with a single computer.

Small hardware firewalls are available from NewEgg.com or Amazon.com for about $60. If you select an 802.11b/g/n wireless router be sure to enable WPA encryption and select a secure password. Be sure to record this password, since you will need to input it into the router and each computer on your local network. Be sure to select and set a secure password for the administrator account on your router as well. See Default Router Passwords for the manufacturer's default passwords.

If you ever plan to use VPN into or out from your LAN, then pick an IP range that is different from every place that you might connect with. I recommend setting the LAN IP randomly between 192.168.50.1 and 192.168.240.1. Most of the consumer grade routers default to low IP numbers in the 192.168.0-12.1 range. Some routers also use the 10.0.0.1 range. Again, it is not the actual address that matters, but not having the same address on both ends of a connection.
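
An added example (not part of the original guidelines) of the address check described above: it picks a random 192.168.x.0/24 in the recommended range and rejects any choice that overlaps a network you expect to VPN to or from. The remote networks listed are constructed.

```python
import ipaddress
import random

# Third-octet range recommended in the text: 192.168.50.x to 192.168.240.x
LOW, HIGH = 50, 240


def to_network(value):
    """Accept '192.168.1.0/24' or a router-style '192.168.1.1/24'."""
    return ipaddress.ip_network(str(value), strict=False)


def conflicts(lan, remote_networks):
    """Return the remote networks whose address space overlaps the LAN."""
    lan = to_network(lan)
    return [r for r in map(to_network, remote_networks) if lan.overlaps(r)]


def pick_lan_subnet(remote_networks, rng=None):
    """Pick a random /24 in the recommended range that overlaps no remote network.

    Raises ValueError when every candidate collides, e.g. when a remote
    site routes all of 192.168.0.0/16.
    """
    if rng is None:
        rng = random.SystemRandom()
    candidates = [to_network(f"192.168.{n}.0/24") for n in range(LOW, HIGH + 1)]
    free = [c for c in candidates if not conflicts(c, remote_networks)]
    if not free:
        raise ValueError("no non-overlapping /24 left in 192.168.50-240.x")
    return rng.choice(free)


# Constructed sample: networks this LAN might VPN to or from.
REMOTE_NETWORKS = [
    "192.168.1.1/24",    # office router left on a common default
    "10.0.0.0/8",        # hotel or ISP network in the 10.x range
    "192.168.100.0/24",  # a relative's LAN
]

if __name__ == "__main__":
    # A LAN left on the router default collides with the office network.
    print("default LAN conflicts with:", conflicts("192.168.1.0/24", REMOTE_NETWORKS))
    lan = pick_lan_subnet(REMOTE_NETWORKS)
    print("use LAN", lan, "- router address", lan.network_address + 1)
```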

Try not to open up any ports beyond the firewall's secure defaults. If you must use Remote Desktop, Remote Terminal, VPN, Windows Messenger, File Sharing and/or other protocols that allow connections from outside your network to inside your network, enable them only when you are using them, limit them to one account and have secure passwords on all accounts. Remember the reason that you have the firewall is to block outside connections! The more holes you open up in any firewall, the less secure it is! Also check that the WAN port can't be ping'ed. Normally today this is the default. Use this feature only when troubleshooting as hackers can easily detect that your computer exists when this is enabled.

YouGetSignal.com has a good tool to test if you have any of the common ports open. Just click on "Scan All Common Ports" in the lower right corner. The test takes 60 seconds or so.

Keep Your Operating System and Applications Current

Apply the operating system patches soon after they are released. Most viruses are based on bugs that are known and have already been fixed. With WindowsXP and Vista we use the automatic updates. Prior to applying major service packs, do a full backup. Make sure that you do a full image backup just prior to installing Microsoft's Windows Service Packs. Service packs affect many things and haven't had a great reputation for reliability. Note: I had had to do a restore, update from the installation disk, install all updates after Vista SP1 would completely install.

Automatic updates work for Microsoft's Operating System, Office, SQL Server, and Visual Studio but not for other applications. About twice a year I check my list of applications and apply any patches or upgrades.

Have a Good Anti-Virus Program - Update & Use It!

For 10 years we used Norton Anti-Virus. In 2006 we switched to Trend Micro PC-cillin, which gave us a little better control of firewall functions. Fry's often has Anti-Virus software on sale for about $10 or less after the rebate. Starting in late 2007, it appears that the major vendors are making their anti-virus license cover up to 3 systems rather than a single one.

In 2007 I evaluated and switched to Kaspersky's Version 7 Internet Security. Fry's had it on sale with rebate for $20. I have had to disable its Firewall, Anti-Spam, Proactive Defense and Parental Controls in order to get useful work done. I normally have to disable both the operating system and AV vendor's firewall in order to work behind my hardware firewall, so that part didn't surprise me. However, my demands behind the hardware firewall are not extreme - Windows file & printer sharing for two computers and one computer hosting a web server is all that I require. If you are looking for parental controls, look elsewhere; Kaspersky's are useless. I was hoping that its Anti-Spam would be as good as its outstanding anti-virus capabilities, but it defaulted to declaring an extreme amount (50+ %) of my valid emails as SPAM. However, what I wanted was a great anti-virus product and a good anti-spam product. I'll have to keep looking for the anti-spam product.

Email seems to be the number one way to spread viruses, spyware, and other attacks today. Know how your email provider handles virus protection. If you are getting viruses by email, change your email provider to one that scans all of your mail.

Since our computers are always on, the Anti-Virus programs get updated daily and complete scans are done at least weekly. If you only power your computer up for short periods, then you must manually force the Anti-Virus updates, scans and Windows Updates to happen. Do this on a schedule, every week to two at the most.

Have a Good Spyware Program - Update & Use It!

We use Spybot Search & Destroy, which is a free program that has worked well for us. One of the really great Spybot features is that it blocks your web browser from 80,000+ sites that have spyware and/or tracking cookies. I update Spybot definitions and rerun it once a month. During the fall of 2007 I started using Advanced Windows Care Personal Edition for several tasks. It also includes a Spyware tool in addition to a registry cleaner, junk file cleaner, and other such tools. I am pleased with it.

Run Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer is a free program that does a Security Audit of your Operating System. Run it on every computer, read its recommendations and follow them. A virgin installation of WindowsXP fails with several recommendations!  It also tells you how to correctly set security levels for Internet Explorer and Office's programs. It should be re-checked at least twice a year and on major software upgrades.

You have to look at any errors that MBSA reports carefully. It errs on the side of telling you that something is wrong. For example, it complains that "the Administrator account on my system has either a weak password or none at all". However, this is because it couldn't test this, because the account is disabled, which it says on the details page. Follow all errors to the details page. When you find a real error FIX IT.

Have a Sane and Secure Password Strategy

Have at least three username / password - pin pairs. One for really important accounts such as your bank and brokerage accounts. Have a second for public web sites that are not as important. Have a third one for your computers and web sites and other things that you manage. Many people may need a couple more pairs.

Develop a password strategy and stick with it. Passwords should be at least 8 characters and should have at least one uppercase letter and a number, both located somewhere in the middle. Decide in your plan how frequently you will change them and follow that plan. The frequency of change depends on the risk of discovery and the damage that could be done if compromised.

Most systems also accept .-_ (period, dash and underscore) as password characters. These are good to use, but don't get too fancy by using other punctuation (!@#$%^&*+=/?><{}[] etc.) or you may find that the Operating System or application interprets these characters rather than making them part of the password.

Usernames are usually not case-sensitive and passwords usually are. Do not write passwords where others can find them. If you need to record them, in case of an emergency, keep them on paper locked up with your other important papers.  Always have a password for your local computer even if it is in a physically secure location. After all the password is one more thing for a hacker to have to defeat when entering via the network.

Don't Download Programs from Unknown Sources

You can usually trust your major hardware manufacturers and software houses to have virus-free and usually spyware-free software. If you don't know and trust the source, then don't download it! Be suspicious of attachments, even from your friends. Safe computing isn't always easy. I always rerun a Spyware program after installing software from any new source. Be very careful with sites that want to download and install some ActiveX feature or some viewer to look at content on their site.

It is better to go to the source and get the program from there. Here are pointers to the common ones:

 
SPAM - Always looking for a Better Solution

I used to think that there is no really good solution for SPAM. ISPs and Anti-Spam tools either don't filter enough, or filter out VALID emails. I have been looking for an acceptable tool that works with MS Outlook, the tool that I use for reading mail. I want most of the filtering to be done locally, so I can easily see if any real email went into the SPAM folder. Since my ISP and Anti-Virus software are both scanning the email for viruses and some Spyware, SPAM is only an inconvenience and no longer a serious danger. 

GoDaddy.com had been our email provider from 1999 until 2007. We finally had to move because their Anti-Spam system ate too many emails that were valid and we had no way to know this was happening. They block by IP address and by content; some mail is marked as spam, while other mail is burned!

While looking for a new email provider, I came across Google Apps and switched to them for our email services. They offer 100 accounts / domain and 6 GB+ mailboxes / account. They do have a maximum attachment size of 20 MB. The price is right - $0. After six months I can say that Google doesn't burn any mail, that mail from open relays goes to the spam folder, contacts is the whitelist and filters can be used for the blacklist. In December 2007 I switched my account from using their "pop" servers to "imap" servers. This gives me some extra capabilities and so far I am happy.

My goals for an anti-spam solution are modest: 90%+ spam goes in the spam folder, <1% valid emails go in the spam folder; I get to easily see the spam folder, and add to the whitelist and blacklist.  I am very happy with Google's spam filters.

Label Network Hardware boxes

If your computer setup includes lots of little network boxes such as DSL/Cable Modem, DSL/Cable Router, 802.11g Wi-Fi Access point, VOIP phone adapter, cordless telephone, then each should be clearly labeled with colored labels at the box, power brick and power cord. If the box has a MAC address then display it on the label. Often these boxes have similar connectors with widely varying AC and DC voltages. Plugging one into the wrong box can be disastrous! By having each box and cable with its own colored labeling, you reduce the risks of mis-plugging one. Also label the Ethernet and phone cables if you have several.

Have a Battery Backup

If you live in an area with frequent power spikes and outages be sure to have a small battery backup unit. Each of our computers has a 350-750 VA APC unit that cost $49-$99. It covers us for spikes, dips etc. It gracefully shuts the computer down if the power is out for 3 minutes. It also powers my wireless phones, router, and VOIP phone adapter, so they don't go dead right away.

De-frag Your Disk Periodically

Once a month, I clean the junk off of my system, test for Spyware, de-frag and back up to DVDs, all on the same evening.
Note: Vista has a defrag program that will do your disk once a day or once a week. It no longer shows you a map of the defragmentation nor provides any reports. I have had to switch to Diskeeper 2008 Personal ($30) because Vista's defrag did such a poor job. Note: Defragging has an adverse impact on the number of restore points that the system can maintain. All of the moving around of data eliminates some or all of your restore points. Diskeeper 2008 has a feature that helps with this problem. I have since located IObit's free Smart De-frag tool. It schedules de-frag'ing, does it in the background, and runs on WindowsXP and Vista.

Keep a Copy of all Software Kits On-line

On my 500 GB Backup Disk I have a Kits directory tree where I store a copy of all of my software on-line. I structure it in hunks that are less than 4 GB so I can burn them to a DVD - if required. This keeps the software on-line when I need it and allows me to load and update it easily from multiple computers. If you set your folders viewing options to include "show hidden files and folders" you can usually copy a complete CD/DVD to the hard drive and install the software without any problem. Since most of the applications I use are downloaded over the Internet, this is where I copy them to. If the software has a key, I type it into key.txt and place this file in the top-level directory so that I don't lose it. If and when I burn a CD or DVD, I write the key on the disk along with the title and date. I also write the key on the CD/DVD that I purchase, so I don't lose it.

Proof of Purchase

Since many software products offer competitive rebates and upgrade rebates, keeping proof of purchase of software products becomes important. I scan the receipt, UPC code and other logos that are used in the rebate code into a Gif or Jpeg file and store it with the kit on-line. Then when a product wants proof of purchase for a rebate I have something. Some companies are really very limiting in what they will accept for proof of purchase. Kaspersky wanted the UPC code from the original AV product box as proof. If you got a rebate on the original product you had already mailed in the UPC code. Nero won't give you a Nero 8 upgrade rebate if you bought the original product from www.nero.com rather than a store! Some other companies still make it easy to collect the rebate.

Keep Your Computer Clean, COOL, Well Ventilated and Physically Secure

Hardware reliability decreases 50% with each 10 degree C rise in temperature. When I get a new computer I install SpeedFan and look at the temperature when the system is idle. Then I load this system by running an Anti-Virus scan and a disk de-frag and see how much the temperature rises. I am not happy if the CPU core temp gets up to 50 degrees C. I would like it to be less than 45. High quality computer cases are worth the extra money. I skimped and saved $20 once and it made a 10 degree C difference! Note: Laptops often run hotter than desktops, especially when they are charging the battery and running at the same time. My HP laptop doesn't shut down until the core reaches 80 degrees C!

Physically Secure includes not allowing your kids or grandkids to play games or install software from an account with Administrator privileges. We have a Kids Account for the grandchildren on the computer that we allow them to use. This way they can't install or delete software. Any trash that they leave on the desktop is on their desktop not ours. This way they can't see or delete any personal files or information.

You can install/enable Parental Controls on this account to limit where they can visit and how long they can use the Internet.

Upgrading Your Computer - Moving to a New Computer

While I often use this as an opportunity to test my Backup Strategy and Disaster Plan, most people don't, won't or can't.

Today most people buy systems with the operating system already installed and without the Operating System CD/DVD and hardware manufacturer's disk with drivers - they usually only get a restore disk. So below is my strategy for moving your data to a new system and dealing with the bloat-ware that was likely installed by the hardware manufacturer.

  1. On your old system, presumably Windows XP, install Windows Easy Transfer for Windows XP. Use this to back up the data that you want to migrate. This is a good time to delete junk so you don't move it. This tool will transfer data to disks, CDs & DVDs, over the network, or via some special cable. I have always used a shared network disk and haven't tried the other methods. This tool defaults to taking too much data. Be selective; start with My Document and Settings. You can always come back for more.
  2. On the new system, look for bloat-ware (games, 30 day trials etc.) get rid of the worst of it. On one system that I set up for a friend, this took almost half a day and several reboots!
  3. Install your Spyware and Anti-virus programs. Run them and get rid of the Spyware. If you are upgrading XP to Vista you may discover that you now need newer versions.
  4. Create a user account on the new system. It is best if it is the same name as the one on the old system, but it doesn't have to be. Note: You may lose all of your cookies, if it isn't the same since cookies include the username.
  5. Install the software for your printers and other hardware that you depend on. You want to know that this all works BEFORE you are committed to the migration. You may need new drivers, and possibly a new printer if the manufacturer doesn't provide drivers for the new OS. If you have a local network or Wi-Fi get these working now before you are committed.
  6. Using Windows Easy Transfer, which comes with Vista, migrate your data for the first time. You want the data placed in your directories BEFORE the programs are installed that might use it, especially with MS Outlook.
  7. Install the most common of the applications that you use, such as Office, graphics programs, iTunes, etc.
  8. Test the new system out, and see what, if any, data you are missing and what applications and utilities you are missing and transfer / install them. Repeat until complete.  Don't trash the old system until you are sure that it doesn't contain data that you need.
  9. Before you give away or recycle your old system make sure that all of your personal data is removed. Reformatting or physically destroying the old disk is the easiest way.

Have a Disaster Plan - Test It When You Upgrade Your Computer!

A Disaster Plan outlines how you would recover your equipment and data after a disaster so that you could continue operations with minimum interruptions. It is basically a list of the steps that you would need to restore a usable set of capabilities. The Test-It in the Backup Strategy above is really disaster planning. Only when you know how to recover can you know that what you are backing up is the correct stuff. If one of our computers totally fried, we would need to do the following to recover it:

  • Replace or repair any damaged hardware (1 day to replace locally - 1 week on-line - ~$1,200)
  • Install the Operating System and Nero from the off-site backup DVDs and software keys (.5 day). With Nero's or Vista's Image Backup that time should be greatly reduced, however I still store software kits and keys as if I didn't have any image backups. I had occasion to try a full restore; Image, Full & Incremental. The process took 2.5 hours and worked well. On a larger system with several SATA disks matching the Linux names with the Windows partition names would be dicey, but with a single disk and two partitions it didn't take much thought. I did still have to re-install the software that I had installed between the image backup and the restore, but not too bad.
  • Restore the data from the most recent Full Backup and any required Incremental - Differential Backups available on-site or off-site. (1-3 hours)
  • Install the remainder of the applications from the On-line Kits or CD/DVDs, if required. (.5 day )
  • Test that it works. Figure out what information was lost, and how best to deal with that loss. Hopefully, the loss should only be the new data since our last backup and the disaster, and much of that we could recover via other means.

After recovery was complete, it is likely that we would have a newer, faster, more capable computer system and lose very little data. This is all because we planned ahead and do backups regularly. This is precisely how our last computers were set up after they were purchased. I did have the luxury of having the old computers available if our backups didn't contain all of the data. This is a good way to test both your Backup Strategy and Disaster Plan!

A computer or two is the easy part of a disaster plan. The hard part has to do with the physical plant. (Building, phones, phone lines, other required services, employees, paper documents, etc.) That is outside of the scope of these guidelines. This is an area that even many Fortune 500 companies don't do very well.

Note: www.AgingSafely.com's  web hosting systems are located in a secure data center in the mid-west, backed up daily, have off-site backups, hot-spare hardware and a disaster plan. The level of care, physical security, network connectivity and 24 hour staffing that they receive is much greater than is recommended here for SOHO systems. The facility we selected to house them was selected for these very reasons.