To give you an idea of our size, we have about 50 staff and manage around 100 workstations, a dozen servers and 20 printers. The tools I describe here are all perfectly suitable for smaller companies and significantly larger ones. No doubt there are equally good, or better, alternatives; I’m not claiming these are the best – just describing how they work for us.


Sophos has been our corporate endpoint AV for over 10 years. We also use it for application control, data leakage prevention and device control (although we operate the last two in monitor-only mode). The central management console works well, and Sophos have improved the somewhat tortuous console upgrade process over the years. Support is generally very good.

A common criticism (from competitors as well as some of our users) was that the client agent was “heavyweight” and would slow PCs down. Sophos are obviously sensitive to this and claim to have worked hard to keep the same footprint and speed up scanning while adding more functionality. It’s certainly never been bad enough to warrant us changing.

I also looked briefly at the Network Access Control offering but found it clumsy and slow – but maybe that was just me (or my aging server). So NAC remains a gap in our toolkit for now.


We’re still backing up to good ol’ tape. We’ve looked at disk-based and online backup and I suspect that will follow within the next year or so. Having gone as far as a trial of a Barracuda Backup appliance, we found our Internet connection couldn’t cope with the data and decided to stick to tape (despite the likely difficulty should we ever need to do a complete system restore!).

Tape backups are done by Yosemite Server Backup (also owned by Barracuda): It’s reasonably-priced, works well for 98% of the time and is easy to upgrade (update one master server and it pushes the upgrade to all other installs).

(For some archive and non-critical backup data we have a couple of Buffalo TeraStation NAS servers. They’re housed on different parts of the site and one replicates to the other for some disaster protection. In all honesty Buffalo aren’t really enterprise-standard devices but they’ll do us for now.)

Email and web filtering

Spam filtering is done in the cloud by Postini, now more commonly known as Google Message Security. This stops most junk or infected mail ever reaching our mail server, is highly configurable and well-supported by our Postini reseller.

For basic Web filtering we stick to the free version of OpenDNS. This cuts out the nasty stuff for everyone but allows us to whitelist (or blacklist) specific URLs. There’s no configuration or reporting for individual users but we’ve just deployed a SonicWALL router with reporting software and the option of content filtering.

Network auditing

We use Spiceworks to discover devices, audit software and record asset information. It’s free and comes with responsive support and an active user community. It also includes a ticketing / helpdesk function and is being constantly improved. It’s not perfect; recent “improvements” to software license management actually made life more difficult for a time – but the problems were fixed in a later release. Only today I read about several other alternatives, but this works well for us.

Patch management

Microsoft’s WSUS does the bulk of this, although some of our dedicated production machines don’t use it as we can’t risk them automatically rebooting during the tests they run. We also have no visibility of the patch status of non-Microsoft software so currently rely on users having automatic updates turned on for Adobe Reader, Java, etc. I’m looking at products like GFI LanGuard and eEye Retina Community to address this. (We also need a tool to scan for vulnerable security configurations as part of our PCI DSS compliance. Both of these packages look like they should be able to do that.)


Up to now we’ve used the free version of Splunk to take output from our router, SSL-VPN appliance and a few Windows server logs. (We added those after a couple of server crashes where the logs were wiped out!) It’s pretty complicated and not the fastest but it’s been OK for what we need. However, our new SonicWALL router has ViewPoint, which takes the router syslog files and processes them into meaningful, searchable reports. It looks a lot more promising.

…and the rest

  • For troubled PCs, we sometimes resort to the likes of MalwareBytes to scan for bad stuff Sophos might have missed or CCleaner to clean up the registry.
  • The only hard drive defragger we’ve ever paid for is a copy of Diskeeper on an SQL Server as we were advised that database files are notorious for becoming fragmented. (This is on Windows Server 2003. Server 2008, like Vista & Windows 7, runs scheduled defrag for you anyway – although Diskeeper would no doubt claim their product does it better.)
  • Our UPSs are mostly APC and they all talk to PowerChute. This has an agent on each protected server and a central console that lets you check the status across all the systems.


These are the tools we happen to use for managing our IT systems. If you don’t know where to start or are looking for suggestions, feel free to contact me about any of them.