How I implemented the first rule of doing business in Russia
"1. Keep the server abroad"
(c) 9.5 rules for conducting safe business in Russia.
We are a small company of 10 employees, half of whom periodically work remotely.
What we had initially: a server with Windows and terminal access, which was in the office. All users had laptops. We do not have any particularly confidential information, except for information important to business.
At one point, I was completely “finished off” by paranoia and it was decided to move the server outside the office.
1) We rented two servers: one in Germany, the second in the Netherlands.
The configurations are the same: Intel Xeon Quad Core E3-1230 3.20 GHz / 8GB / 2x 1TB.
The prerequisites were: IP-KVM 24x7, a guaranteed technical support response within 4 hours around the clock, a guaranteed server replacement on the next business day (NBD) and unlimited traffic.
Additional software requirements: Windows 2008 standard, Windows 2008 enterprise, terminal licenses and MS Office (Word, Excel, PowerPoint)
These wishes determined a rather immodest budget: 756 euros / month.
Hosters will be left unnamed. I can only say that because of the desire to pay via Webmoney (i.e. not by credit cards), I had to turn to resellers.
2) The initial setup of both servers was completely identical. After gaining access to the servers, the entire first day was spent on updating the OS. After that, Hyper-V was installed.
Immediately, a CentOS virtual machine was created, which became the router: it alone had a "white" (public) IP. All other machines (including the host system) worked on "gray" (private) addresses.
To pull off this trick with the IP addresses, a permanently connected IP-KVM came in handy: in this case, the built-in IPMI and iLO on each of the servers.
An OpenVPN server was set up on the router, and it was the only thing accessible from the outside. All other ports were closed.
NAT and a proxy server were also set up on the router.
3) On the first server, a virtual machine with Windows 2008 Standard was created using all available memory; it became our new office server.
7 GB for 10 people working simultaneously in the terminal is more than comfortable. The Internet is accessible to office server users only through the proxy.
Dr.Web is running; we got the licenses by subscription from the network to which our office is connected.
Standard set of office software: MS Office, Acrobat Reader, PDF Creator, WinRAR, IrfanView, KeePass, Chrome, Firefox.
So that users do not get confused, a BgInfo file was added to startup; it changes the color of the desktop and writes on it which server this is.
4) On the second server, everything is a little more interesting.
The host server has Windows 2008 Enterprise, which allows you to install up to 4 virtual machines with Windows 2008 Standard for free.
Thus, this is, in fact, a server for the accountant: four virtual machines work here - CRM / billing, 1C8 (we switch to it), 1C7 (we work with it), and client-bank.
All four servers are separated from each other: they are located in different virtual Hyper-V networks that cannot see each other.
This is done so that in a situation when one of the machines picks up some infection, the infection does not spread beyond it.
From the same machines we send tax reports through MeDOC and Podatkov Zvitnit. The tax office sees that the reports come from the IP of our office and not from Europe, since traffic from the “accounting” servers is routed through the VPN tunnel to the office.
Just like on the office virtual machine, on the servers with 1C the Internet is accessible through the proxy, and Dr.Web and the standard software are running.
The 1C 7 key works through USB-over-network; with 1C 8 we use a software key.
On the client-bank server, the Internet is disabled: access is only to the banks' servers. The bank also sees our office IP and not the server's real IP.
5) All these servers are accessible through Remote Desktop (RDP) after authorization on the OpenVPN server (either of the two).
And one more fruit of my paranoia: after connecting to an OpenVPN server, you cannot see a single server on the network.
By RDP, servers can be accessed only through a non-standard port, which is “forwarded” (DNAT) to the RDP port of the corresponding virtual machine.
6) In the office we have a D-Link DIR-320 Wi-Fi router. We reflashed it and then configured the OpenVPN client on it.
A USB printer is connected to the DIR-320, and all virtual machines can print to it through the tunnel.
Office employees can work without changing anything on their laptops.
Employees who want to work remotely were given OpenVPN keys and the following instructions: how to configure the tunnel on MacOS / Windows, how to access the remote desktop, how to print to the office printer, how to print to a home printer, and the like.
7) The most important thing is backup.
Since the host systems have nothing but Hyper-V, we don't back them up.
On Friday afternoon, all employees receive a newsletter (an event reminder from Google Calendar) asking them not to forget to close all applications and save all documents.
On the night of Friday to Saturday, a PowerShell script shuts down all virtual machines and copies their VHD images to a separate folder; from there it copies them to the backup server via the VPN tunnel and also to my server in Ukraine.
But this is only half the battle.
Every day on all virtual machines a script is launched that archives the data that changed during the day; and every week it archives all user data (really everything - from documents to 1C databases).
Archiving is based on this instruction: habrahabr.ru/blogs/personal/82185, but we make the archives password-protected, multi-volume and with recovery information added. The archives are stored in Dropbox and Google Drive premium accounts, and through these services they reach both servers (plus the director's laptop).
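The exposure rules from steps 2 and 5, as an added example that is not part of the original post: a script that prints an iptables-restore ruleset for the router VM, with OpenVPN as the only service reachable from outside and RDP reachable only through DNAT from the tunnel. Interface names, addresses, the OpenVPN port and protocol, the proxy port and the forwarded ports are all assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for the router VM.
# Every interface name, address and port below is an assumption.
WAN_IF=eth0            # interface with the public ("white") IP
VPN_IF=tun0            # OpenVPN tunnel interface
VPN_PORT=1194          # OpenVPN listener, UDP assumed
PROXY_PORT=3128        # proxy on the router, used by the VMs
LAN_NET=10.10.0.0/16   # private ("gray") Hyper-V networks
# "port-on-router:VM-address" pairs; RDP on each VM stays on 3389
RDP_MAP="33891:10.10.1.10 33892:10.10.2.10"

r() { printf '%s\n' "$*"; }   # emit one ruleset line

build_ruleset() {
    r "*nat"
    r ":PREROUTING ACCEPT [0:0]"
    for pair in $RDP_MAP; do
        # Non-standard port on the tunnel side -> RDP port of one VM
        r "-A PREROUTING -i $VPN_IF -p tcp --dport ${pair%%:*}" \
          "-j DNAT --to-destination ${pair#*:}:3389"
    done
    r "COMMIT"
    r "*filter"
    r ":INPUT DROP [0:0]"
    r ":FORWARD DROP [0:0]"
    r ":OUTPUT ACCEPT [0:0]"
    r "-A INPUT -i lo -j ACCEPT"
    r "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The only service reachable from the Internet
    r "-A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -j ACCEPT"
    # Proxy for the VMs only, never from the public interface
    r "-A INPUT ! -i $WAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT"
    r "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for pair in $RDP_MAP; do
        # VPN clients reach a VM only on its forwarded RDP port;
        # anything else towards the servers hits the DROP policy
        r "-A FORWARD -i $VPN_IF -d ${pair#*:} -p tcp --dport 3389 -j ACCEPT"
    done
    r "COMMIT"
}

# Audit helper: rules that accept new traffic on the public interface
wan_exposure() {
    build_ruleset | grep -- "-A INPUT -i $WAN_IF .*-j ACCEPT"
}

# Apply on the router (as root) with:  build_ruleset | iptables-restore
```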
What we have in the end:
- On request, I can restore any document for any day.
- All archives are protected by a password of hundreds of random characters. Even if Dropbox shows someone all its files again, opening my archive will be extremely difficult.
- In any force majeure with one of the DCs, I will be able, in less than an hour, to launch a week-old copy of the server on another server in another country and roll forward the changes from the archives.
Everything described has been working for us for almost a year now. There are no special complaints, except that updating the software on four servers takes four times as much time :).
I restored data from the backup archives a couple of times on demand; it works like clockwork.
As a test, I simulated a DC shutdown several times: I brought up all the servers from backup on one of the servers. Everything works, except that for 1C 8 with a software key it is important to create an identical configuration on the new server.
An accountant once "lost" a laptop: we restored work in half an hour, simply by issuing a new one and setting up shortcuts for connecting to the servers.
Data centers were unavailable several times for half an hour due to the upgrade of routers, but during working hours this was never the case.
Also, once there was an attack on the DC in the Netherlands: everything "lagged" for about an hour during working hours.
Theoretically, it would be possible to add an encrypted file system and distribute the servers across different continents, but in our case I do not see any sense in this.
I hope this information was interesting. I would be glad if it is useful to someone.
If you decide to repeat this configuration, do not hesitate to ask: I will gladly help with advice and disclose any unobvious details.