Technical Standards

Predictable by Design.
Reliable by construction.

Modern IT failures are rarely caused by a lack of technology. They are almost always caused by too much variation.

"Well-designed systems tend to explain themselves instead of escalating into crises."

Standards catalog

Five domains. Complete coverage.

Our standards span the full environment — hardware, configuration, operations, security, and recovery. Each domain has documented requirements, approved platforms, and enforcement expectations.

Approved platforms are selected for supportability and defined replacement cycles. Consumer hardware is not approved for production use.

  • Servers: Dell PowerEdge R740 or R750 — iDRAC9, current support lifecycle
  • Virtualization: Microsoft Hyper-V on Windows Server — no mixed hypervisor environments
  • Firewalls: Fortinet FortiGate F-series with active UTM bundle licensing
  • Switching: Fortinet FortiSwitch — managed via FortiGate, no per-device license
  • Wireless: Fortinet FortiAP 231F — managed via FortiGate, no per-AP license
  • Storage: Business-class NAS for onsite backup; Wasabi S3 for offsite immutable storage
  • Endpoints: Dell OptiPlex 7090/5090 — Windows 11 Pro, TPM 2.0, Intune Autopilot ready
  • Centralized identity via Microsoft Entra ID — no local-only accounts
  • Device enrollment via Microsoft Intune MDM — policy-enforced, Autopilot where possible
  • BitLocker full-disk encryption enforced on all endpoints via Intune compliance policy
  • MFA required for all user accounts and all applications — no exceptions
  • Conditional Access: non-compliant devices blocked from organizational data
  • Virtualization-first server builds — all workloads run as Hyper-V VMs
  • Network segmentation: users, servers, management, and guest/IoT on separate VLANs
  • Standard Veeam backup job structure: daily incremental, weekly synthetic full, 30-day retention
  • Monthly patch cycle: Windows endpoints, servers, and network devices
  • Defined maintenance windows — communicated in advance, not applied ad hoc
  • Monitoring via Atera RMM — alerts tuned to surface meaningful issues, not noise
  • Critical security patches (CVSS 9.0+) applied within 72 hours outside normal cycle
  • Quarterly backup restore verification — tested restores, not assumed restores
  • Annual hardware and software lifecycle review with written report and budget estimates
  • All support requests logged as tickets — full audit trail of issues and resolutions
  • MFA enforced for all accounts and applications via Entra ID Conditional Access
  • Legacy authentication protocols blocked — prevents password spray attacks that bypass MFA
  • Endpoint detection via Huntress Managed EDR — 24/7 human SOC triage, not raw alerts
  • Microsoft Defender for Business included via M365 Business Premium
  • Huntress ITDR: identity threat detection for Microsoft 365 tenant
  • FortiGate UTM: IPS, DNS filtering, web filtering, application control — active on all VLANs
  • Password management via Keeper Security — all users, admin-managed, audit logs retained
  • Backup systems isolated from the primary identity plane — ransomware cannot reach them
  • No unmanaged personal devices accessing protected systems
  • Three-tier recovery: onsite NAS (fast restore) → Wasabi S3 offsite (immutable) → host replication (sub-15 min)
  • Veeam Backup & Replication (VCSP licensing) for VM-level backup and Hyper-V replication
  • Wasabi S3 with Object Lock — immutable backups that ransomware cannot encrypt or delete
  • Veeam Backup for Microsoft 365 — Exchange Online, SharePoint, OneDrive
  • Recovery time objectives defined per workload before deployment — not during an incident
  • Quarterly restore tests — documented, verified, signed off
  • Critical workloads: Hyper-V replication to secondary host, sub-15-minute failover
  • All exceptions require documented business justification before approval
  • Exceptions are tracked with expiry dates — they do not silently become the default
  • New platforms evaluated centrally before deployment in any managed environment
  • All changes logged: what changed, when, by whom, and why
  • Exception review included in annual lifecycle review