The Wolff Computer Group

Maui's most experienced network consultants.

08/26/2025

Using a dynamic DNS service to secure remote access

I recently had to come up with an inexpensive and reliable way to secure remote access (RDP in this case) for my clients. We had been using non-standard ports to provide some security, but hackers were now scanning our network for those ports. I had introduced the use of VPNs to many of my clients, but for the most part they proved to be too cumbersome for my clients to use. Almost every firewall on the market can restrict access by IP address, and most firewalls can recognize fully qualified domain names (FQDN). I had my clients subscribe to a DDNS service. NO-IP.COM was the one we chose because it had a feature that allowed me to create a different login for each domain name, and I restricted access by the FQDN that we created on NO-IP.COM.

So for client XYZ I created several DDNS records such as XYZ1.DDNS.NET, XYZ2.DDNS.NET, XYZ3.DDNS.NET and so on. Then I restricted access through the firewall to the IP address that resolved to that particular domain name. Then my clients could take their laptops anywhere in the world, run the Dynamic Update Client to update the DDNS service with the correct IP address, wait a couple of minutes for the firewall to update its records, and they had access to our remote server.

At $25 a year for 25 domain names it has turned out to be the perfect solution for providing completely secure remote access to our network.
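
The refresh cycle described above, sketched as an added example (not code from the original post or from any firewall vendor): each per-user DDNS name is re-resolved, the current address is allowed to reach RDP, and the previous address is revoked when the record moves or stops resolving. The rule syntax, the `rdp-server` label and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket

RDP_PORT = 3389
# Addresses a public DDNS record should never be allowed to open the firewall for.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def resolve_a(hostname):
    """Return the IPv4 addresses the hostname resolves to right now (empty on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def usable(ip):
    """Accept only well-formed IPv4 addresses outside the non-routable ranges."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def refresh_allowlist(current, hostnames, resolver=resolve_a):
    """Re-resolve every hostname; return (new_allowlist, added, removed)."""
    new, added, removed = {}, [], []
    for host in sorted(hostnames):
        ips = {ip for ip in resolver(host) if usable(ip)}
        old = current.get(host, set())
        added += [(host, ip) for ip in sorted(ips - old)]
        # The previous address is revoked as soon as the record moves or stops resolving.
        removed += [(host, ip) for ip in sorted(old - ips)]
        if ips:
            new[host] = ips
    for host in sorted(set(current) - set(hostnames)):  # record retired by the admin
        removed += [(host, ip) for ip in sorted(current[host])]
    return new, added, removed


def render_rules(allow):
    """One generic allow line per (hostname, address); everything else stays blocked."""
    return [f"allow tcp from {ip} to rdp-server port {RDP_PORT}  # {host}"
            for host in sorted(allow) for ip in sorted(allow[host])]


if __name__ == "__main__":
    # Constructed sample answers (documentation address ranges), so this runs offline.
    hosts = ["xyz1.ddns.net", "xyz2.ddns.net"]
    before = {"xyz1.ddns.net": {"198.51.100.7"}, "xyz2.ddns.net": {"203.0.113.20"}}
    after = {"xyz1.ddns.net": {"203.0.113.99"}}  # laptop moved; xyz2 no longer resolves
    allow, _, _ = refresh_allowlist({}, hosts, lambda h: before.get(h, set()))
    allow, added, removed = refresh_allowlist(allow, hosts, lambda h: after.get(h, set()))
    print("added:", added, "removed:", removed)
    print("\n".join(render_rules(allow)))
```

Because each user has a separate hostname, the comment on every rule shows which record opened it, and retiring one record removes only that user's access.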

08/26/2025

Ransomware and Having a Plan

Ransomware is a major pain in the ass, but if you have the right plan in place it doesn’t have to be the end of the world, and it doesn’t have to cost a king’s ransom.

Step One – Backup, backup, and backup.

I would recommend at least 2, if not 3, distinct and separate backups. I like Microsoft backup for any incidental file level recovery you might have to perform. I can recover a single lost file or folder in minutes. If you like an offsite cloud backup, that’s great. But both of these backups have been known to be targeted by certain ransomware variants. There can’t be much worse than having your backup encrypted at the same time your systems are encrypted. If you are running a physical server you might be stuck using a backup that the system is aware of, but if you are running virtual servers you can back up the whole VM using a Synology device or a backup product like Unitrends.

I like Synology’s Enterprise backup. It backs up the whole VM and your system is unaware of the backup, so the ransomware is also unaware of the existence of the backup. (By the way, don’t turn on SMB on your Synology NAS. SMB will give the ransomware access to your Synology drives.) In a recent ransomware attack at one of my clients, we were able to recover 5 of their servers, with zero loss of data, in just 11 hours. If you have a large amount of data, get 2 Synology devices. This will provide a second backup point and double your recovery bandwidth. In most cases you can set up the enterprise backup program to back up hourly. Because the backup is incremental, after the first backup, subsequent backups should take very little time.

Step Two – Protect your workstations.

If you are like me and want to give your users the rights to install software and make changes on their own machine, you might be tempted to add “everyone” or “domain users” to the local administrators group. Don’t. That will give the ransomware the ability to encrypt every workstation on your network through the administrative share. That is the special share you can use to access remote disk drives. For the C: drive the administrative share is c$. You can give your users all the permission they need by adding “everyone” or “domain users” to the local Power Users group without giving them permission to the administrative share.

Step Three – Know how to shut down access quickly.

If you see any sign of encryption, pull your internet connection immediately, pull the network connection out of your workstations, hard shut down wireless laptops, and power down all your switches. Once that is done you can start to assess the damage. In almost all cases the ransomware is going to be on one of your workstations or laptops, not on the servers. With all your endpoints offline you can start the recovery of your servers and, as that is happening, try to figure out which endpoints are infected.

Step Four – Decide on your recovery workflow.

In most cases the first server you need to recover is your Domain server. If your domain server is a dedicated domain server and not hosting any data it might have escaped undamaged. If your Domain server is a dedicated server, make sure there are no shares on the server; this is how the ransomware will get to it. Most of my domain servers are also fileservers, so they are at the top of my recovery list. If you are using a Synology device you probably have a fairly large iSCSI drive hanging off of your VM host. My suggestion would be to recover all your servers to a new location; in other words, preserve the infected VMs. Your lawyers, or somebody’s lawyers, will want to see them later.

So here is my recovery list for most of my clients.

1. Domain server
2. Any mission critical application servers
3. Exchange server
4. Then RDP servers, web servers, and any other incidental server.

Once your servers are recovered, or during the recovery process, start to bring up each workstation off the network. If you are using laptops, turn off your wireless access points just to be absolutely sure they can’t re-infect the network. Bring each workstation up and look for any files that may have been encrypted. If there are any signs of encryption, rebuild that machine from scratch. If there are no encrypted files on that workstation, run a full virus scan. In most cases if the machine passes the scan it is clean, but if you are not 100% sure then rebuild that machine.

You are never going to be 100% protected against an attack, but if you have a recovery plan in place you should be able to get back up and running in days if not hours.
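
A check for the Step Two misconfiguration, as an added example that is not part of the original post: it parses the text that `net localgroup Administrators` prints on each workstation and flags the broad groups the post warns about. The workstation names, the XYZ domain and the sample outputs are constructed, and "Authenticated Users" is an extra entry added here as an assumption.

```python
# Groups that should never be members of a workstation's local Administrators group.
BROAD_PRINCIPALS = {"everyone", "domain users", "authenticated users"}


def parse_members(net_output):
    """Extract member names from `net localgroup Administrators` output."""
    members, in_list = [], False
    for raw in net_output.splitlines():
        line = raw.strip()
        if line and set(line) == {"-"}:      # dashed separator precedes the member list
            in_list = True
            continue
        if not in_list or not line:
            continue
        if line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members


def broad_admins(net_output):
    """Return the members that hand local admin (and so c$) to every user."""
    flagged = []
    for member in parse_members(net_output):
        name = member.split("\\")[-1].lower()  # drop the DOMAIN\ prefix
        if name in BROAD_PRINCIPALS:
            flagged.append(member)
    return flagged


def audit(reports):
    """Map each workstation to its offending members; clean machines are omitted."""
    findings = {}
    for workstation, output in sorted(reports.items()):
        hits = broad_admins(output)
        if hits:
            findings[workstation] = hits
    return findings


# Constructed sample output from two workstations.
HEADER = "Alias name     Administrators\nComment        Administrators have complete access\n\nMembers\n\n"
RULE = "-" * 79 + "\n"
FOOTER = "The command completed successfully.\n"
SAMPLE_REPORTS = {
    "WS01": HEADER + RULE + "Administrator\nXYZ\\Domain Admins\nXYZ\\Domain Users\n" + FOOTER,
    "WS02": HEADER + RULE + "Administrator\nXYZ\\Domain Admins\n" + FOOTER,
}

if __name__ == "__main__":
    for workstation, hits in audit(SAMPLE_REPORTS).items():
        print(f"{workstation}: remove {', '.join(hits)} from local Administrators")
```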

08/26/2025

Amazing power with VMware ESXi 8.0.3 on the new Minisforum MS-A2

I just received my Minisforum MS-A2 from Amazon last week. After installing 96GB of memory (it can handle up to 128GB), a 4TB NVMe drive and 2 SFP ethernet modules, I was easily able to install ESXi 8.0.3, with the only problem being that VMware did not recognize the TPM. This was so easy it almost isn’t worth writing about, other than to point out how much power you get from these little machines. The entire setup was about $1,300. With that I have the power to run enough servers to accommodate a small business. A second machine set up the same way will fit in a 3D printed rack mount, and with a Synology NAS connected with iSCSI, holding your VMs, you really can get rid of all your expensive HP and Dell servers.

This setup, with the Synology NAS, offers solid redundancy, a great backup solution, and more power than most people will ever need.

[Update]

I installed another 1TB NVMe drive and used memory tiering, which is now available in ESXi 8.0.3. Memory tiering allows VMware to use a portion of the 1TB NVMe drive as slower RAM. You can add between 25% and 400% more RAM this way. The memory tiering function will automatically shift slower processes off to the slower RAM.

It is very easy to configure memory tiering. SSH into your ESXi host and issue the following commands.

esxcli system settings kernel set -s MemoryTiering -v TRUE
esxcli storage core path list
esxcli system tierdevice create -d /vmfs/devices/disks/t10.NVMe____CT1000P310SSD8__________________________4BE9F64F0175A000
esxcli system settings advanced set -o /Mem/TierNvmePct -i 200

Replace the device path in the tierdevice create command (the blue type in the original post) with your storage device, which you will find from the prior command. Be careful not to pick the wrong NVMe device; this command will repartition the drive. Replace the value after -i in the last command (the red type in the original post) with the percentage of memory you want to add. In this case I increased my memory by 200 percent.

05/09/2017

Replacing Small Business Server with Windows Server Essentials and Exchange server

Since Microsoft announced several years ago that they would be discontinuing Small Business Server, we have been trying to wring as much life out of it as we could. Small Business Server was a platform that allowed our customers to manage most of their computing needs on premise. Many customers in the medical and financial sectors are still leery of the “cloud”, not trusting medical and financial information to a mysterious place for safekeeping.

In responding to those needs we had to put together a cost-effective way to keep most of the services provided by SBS on premise. We looked toward VMware to provide the platform to deliver multiple servers with the same functionality as Small Business Server. The first piece of the puzzle came with Windows Server Essentials, which provides a dashboard that handles many of the tasks the Small Business Server Console incorporated. But the real bonus was the ability to have that dashboard integrate with a separate on-premise Exchange server, which allowed for the easy creation and administration of user accounts and mailboxes. We rounded the VMware host off with a Symantec Brightmail Anti-Spam server and we were in business.

Now we can deliver on one physical machine all the services they valued on Small Business Server.

01/30/2017

Designing a cost effective phone system for small businesses

We have been implementing an Asterisk phone system for clients with a T1/PRI for quite some time now. Unfortunately, we really couldn’t provide a cost-effective solution for small businesses that had fewer than 6 incoming lines. The solution has always involved SIP trunking, but it was a technology that until recently was not stable or mature enough to trust with a company’s communications needs. Recently SIP trunk providers have started to address the need for concurrent calls over the same SIP connection, DIDs, local phone numbers, and local number portability (moving existing numbers). With that in place it was just a question of finding affordable hardware to build a phone system. Because we are relying on a SIP connection we don’t need any extra analog or T1/PRI card in our system, so we can go with a really small form factor computer. We chose the Intel NUC with 4GB of RAM and a 128GB solid state drive. For phones we looked at the Polycom VVX311, a six line phone which can be purchased for roughly $110 apiece.

Using that equipment we can design and implement a small business phone system with all the features of an enterprise PBX for less than $3000. And the advantage of a system like this is that expanding it at a later date just involves the cost of buying more phones. There are no licensing fees for adding extensions. If you need more incoming lines, that can be arranged with your local SIP Trunk provider.

In Hawaii a local SIP Trunk provider, Pacific Wave Telecom, charges $24 per month per concurrent connection on a 5 year contract. Four incoming lines will cost less than $100 per month, compared with most B1 lines from the phone company at roughly $40 per month, or $160 for 4 lines.

10/12/2016

High Speed Wireless Bridge

We just finished a project connecting a client to a remote office at the University of Hawaii, Maui Campus. Our client was working in one of the University’s buildings and needed a secure connection between their offices and the University. The cable company wanted $10,000 to bring a line to the building and $400 a month for a 5MB connection. Hawaiian Telcom could give us a point to point T1 line running at 1.44MB for $800 a month. Neither of these solutions was fast enough to meet our needs. Working with Ubiquiti Networking products, we were able to install a wireless bridge that spanned the 1 mile distance between the 2 sites and transferred our data at 300MB for under $3,000. That was our total cost, with no monthly recurring costs.

If you would like any more information about this project, give us a call, we would be happy to discuss it in greater detail.

Address

Lahaina, HI
96761
