[SOLVED] Raid solution for small medical office server cont

[toboboto]

I've been building pcs for years. Not experieced in raid arrays

I am replacing the win10pro server in my good friend's small med office (HIPAA compliant) and would like to raid 1 the single boot/storage drive for DRIVE redundancy, in cart is: dell Optiplex MINITOWER 7070 i5-8500 win10pro

1. will software raid suffice?

2. can the optiplex minitower 7070 be setup with software raid?


Server needs to

1. host: windows Patient Management Software (50gb sql database)
2. host :shared drive (150gb)
3. host: printer
4. bitlocker required

additional info that may be helpful
serves 7 workstations, 2 printers
backups currently are done via script nightly to usb drives (odd day drive and even day drive) with cloud backup to HIPAA compliant google drive. will be adding another backup with versioning after server is replaced.

 

[USAFRet]

Software RAID is never a good solution. Especially for a work environment, double for anything medical.

Instead of building your own Win 10 Pro "server", why not a dedicated NAS box for this?
Data encrypted on and from the clients, stored in the multidrive NAS box.

Additionally, the OS and data storage devices should not be on the same physical drives(s). Especially in a Win 10 Pro situation.

Optiplex Minitower?
You're trying to shoehorn an office server function into a low level consumer PC workstation and OS version.

 

[kanewolf]

Is this a non-profit or charity clinic? It is difficult to understand why the ultra lowend solution for something that is "mission critical" to the business.

 

[toboboto]

Why the ultra lowend solution? great question!

The current "server" for the past 4-5 years has been an i3 4160 with a single 1tb 7200 HHD with 8gb ram and a HP 550-045t. Having watched the resource monitor, current server very rarely bottlenecks its 8gb ram and occasionally bottlenecks on sata 7200 HD
The practice is a small one doctor location with 3 FT / PT employees, is currently struggling to make ends meet.

old server -> 7070
gen 4 i3-> gen 8 i5
8gb -> 16gb ram stick that i can easily upgrade to 32gb if/when needed
1TB 7200 HHD -> 2x 1tb SSD (in raid 1 maybe a pipe dream), or alternatively, hardware raid or alternatively 1tb m2 nvme and forget the raid.

No roaming desktops, no email, just serving up the patient management database to the workstations.

Oh yeah, her intra-office network is long runs of cat5 so the network is effectively capped 100mb to the workstations. I did run gigabit from gigabit network switch to the server.

 

[toboboto]

Software RAID is never a good solution. Especially for a work environment, double for anything medical.

Instead of building your own Win 10 Pro "server", why not a dedicated NAS box for this?
Data encrypted on and from the clients, stored in the multidrive NAS box.

Additionally, the OS and data storage devices should not be on the same physical drives(s). Especially in a Win 10 Pro situation.

Optiplex Minitower?
You're trying to shoehorn an office server function into a low level consumer PC workstation and OS version.

ty, i'll ditch the software raid. The raid was envisioned to provide way to get back and running in minutes instead of many hours in case of a hard drive failure on the server. If not running a raid 1, I guess I would put the OS on nvme and data on Sata3 SSD and backup to NAS? Not sure how it would perform installing the patient management system on a NAS.

Just dug this up
Recommended Server Specifications( Revised 11/2019)
windows 8 or 10 pro or ultimate, windows server 2012-2019
intel i7 dual core or higher, or amd equivalent
4gb or more (1gb per client)
7200 rpm 500gb free space
graphics 1280x1024 or greater
ethernet 100mbps or gigabit

 

[USAFRet]

3.5 level network

Level 1, client workstations

Level 2, Windows Server 2019 Essentials, hosting the patient management system.

Level 3, commercial NAS box (Synology or QNAP), hosting the DATA from the level 2 server (BitLocker encrypted from the Level 2 OS), as well as other shared data from Level 1 systems. This may or may not include some sort of RAID array.

Level 3.5, a full daily (or twice daily) backup of all client systems, and the Patient management system. This data space is ONLY accessible from the NAS. The client systems don't even see it. They can't delete it, they can't infect it.


This is a solid, reliable config.



Network infrastructure - Cat5e is capable of gigabit performance for 100 meter runs (330 feet).


That's what I would build out for my friend.

 

[sidpost]

...
Level 3, commercial NAS box (Synology or QNAP), hosting the DATA from the level 2 server (BitLocker encrypted from the Level 2 OS), as well as other shared data from Level 1 systems. This may or may not include some sort of RAID array.

Level 3.5, a full daily (or twice daily) backup of all client systems, and the Patient management system. This data space is ONLY accessible from the NAS. The client systems don't even see it. They can't delete it, they can't infect it.
...

I'm not a Windows Server guy so, I'm probably missing some basics from your post.

I'm looking at the Synology NAS 4-drive or larger systems. Does BITLOCKER encrypt the NAS from the server? Or, are we talking about native AES encryption?

How do you get the backups on the NAS that can't be ransom-wared assuming they are on your network? Or is this just for malicious or accidental modification from authorized users on the system?

Right now I'm on a dual 8-core Xeon HP workstation with Gigabit ethernet. Initially, I'm looking at a full 2-disk mirror but, I'm also wanting to be able to backup up my workstation from hardware failures or a security lapse that lets ransomware in.

 

[USAFRet]

Actually, I made a little config mistake.

Level 2, WinServer, patient management system, AND its data. BitLocker encrypted via WIndowsServer.

Level 3, Gets routine full drive backups from the WinServer. Daily, twice daily, Incremental...whatever works.

Level 3.5, A second volume on the NAS, accessible ONLY from the NAS OS. Permission restricted.

The NAS storage space is split into two volumes.
Volume A is accessible from the client systems and WinServer.
Volume B is accessible ONLY from the NAS OS.
The NAS OS backs up from A to B on whatever schedule you set.

If a virus/malware propagates from the clients to Volume A, that's where it stops. It does not even know the existence of Volume B.

 

[sidpost]

Great, so a NAS only hard drive volume is safe. I would have thought with the lightweight processors onboard, the NAS could be attacked by malware and ransomware too. Especially the Synology versions since they support native apps and virtual machines.

 

[USAFRet]

Great, so a NAS only hard drive volume is safe. I would have thought with the lightweight processors onboard, the NAS could be attacked by malware and ransomware too. Especially the Synology versions since they support native apps and virtual machines.

No, they are quite secure.
And being Linux based, not susceptible to running/generating standard windows malware.

When I first setup my QNAP, it was accessible from the outside. uPNP, forwarded through the router.
It would get random access attempts on a regular basis. Weekly, daily, sometimes multiple times per day. From all over the planet. Russia, Portugal, Ohio, etc, etc.
All attempting to log in via the default username/password. All failed, because I disabled that account completely, as I was setting it.
After a while, I just shut that access off completely. Zero access attempts since then.

To be clear, they are not invulnerable. There have been published exploits.

Hundreds of thousands of QNAP devices vulnerable to remote takeover attacks

A firmware patch has been released last year, in November.

www.zdnet.com

https://medium.com/bugbountywriteup...ing-450k-devices-on-the-internet-d55488d28a05

But this requires access from "outside".
And QNAP/Synology push out regular updates. I see an update about once a month. The patch for the above vuln was one of those.

Now...if one of the client systems on your LAN is infected, AND data on the NAS is directly accessible from that client, then yes...those files are subject to the typical ransomware.

This is what the "3.5" level backup is for. That Volume and data space is accessible ONLY from and within the NAS OS.
The clients and the Windows server never know it exists. Can't see it, can't touch it.

Of course, it is never '100% perfect'.
This is why we also have offsite backups, and good computing practices.

 

[mundial]

No, they are quite secure.
And being Linux based, not susceptible to running/generating standard windows malware.

When I first setup my QNAP, it was accessible from the outside. uPNP, forwarded through the router.
It would get random access attempts on a regular basis. Weekly, daily, sometimes multiple times per day. From all over the planet. Russia, Portugal, Ohio, etc, etc.
All attempting to log in via the default username/password. All failed, because I disabled that account completely, as I was setting it.
After a while, I just shut that access off completely. Zero access attempts since then.

To be clear, they are not invulnerable. There have been published exploits.

Hundreds of thousands of QNAP devices vulnerable to remote takeover attacks

A firmware patch has been released last year, in November.

www.zdnet.com

https://medium.com/bugbountywriteup...ing-450k-devices-on-the-internet-d55488d28a05

But this requires access from "outside".
And QNAP/Synology push out regular updates. I see an update about once a month. The patch for the above vuln was one of those.

Now...if one of the client systems on your LAN is infected, AND data on the NAS is directly accessible from that client, then yes...those files are subject to the typical ransomware.

This is what the "3.5" level backup is for. That Volume and data space is accessible ONLY from and within the NAS OS.
The clients and the Windows server never know it exists. Can't see it, can't touch it.

Of course, it is never '100% perfect'.
This is why we also have offsite backups, and good computing practices.

Great post USAF but how did you achieve segregation between Vol A and Vol B? What settings did you apply?

Secondly, I presume you disabled all "outside world" access to your NAS?

 

[sidpost]

No, they are quite secure.
And being Linux based, not susceptible to running/generating standard windows malware.

...

But this requires access from "outside".
And QNAP/Synology push out regular updates. I see an update about once a month. The patch for the above vuln was one of those.

Now...if one of the client systems on your LAN is infected, AND data on the NAS is directly accessible from that client, then yes...those files are subject to the typical ransomware.

This is what the "3.5" level backup is for. That Volume and data space is accessible ONLY from and within the NAS OS.
The clients and the Windows server never know it exists. Can't see it, can't touch it.

Of course, it is never '100% perfect'.
This is why we also have offsite backups, and good computing practices.

Awesome post! Thank you very much as this is super helpful to me.

 

[USAFRet]

Great post USAF but how did you achieve segregation between Vol A and Vol B? What settings did you apply?

Secondly, I presume you disabled all "outside world" access to your NAS?

Just set up 2 different volumes and Storage pools (as QOS calls it). Permissions for each are independently configurable.
Very fine grained permission. You can restrict down to the folder level for a particular user.

In a small business setting, each user can have their own "Home" folder, accessible only to them from their Win PC.
And Vol B not accessible to ANYTHING other than the NAS OS.
The NAS OS has its own backup software and schedules. Again, fine grained down to individual folders and target locations.

And yes, no access for anything outside my internal LAN.

 

[toboboto]

Awesome! This has been sooo helpful.

shortlisted QNAP TS-230 (two-drive slots, ARM quad-core 1.4 GHz, 2GB DDR4) for the NAS

In a small medical office setting, is there much benefit to upgrade from optiplex 7070 to T140 that would add ECC and hardware raid to server? (instead of non-raid os and data still on separate drive on the optiplex 7070) It's over budget but I could pull the "you really need this" card)

• Dell Outlet PowerEdge T140 Server
• Intel Xeon E-2224 Processor (Quad Core, Up to 4.60GHz, 8MB Cache, 71W)
• No Operating System (2019 server essentials- installed by me)
• Two SATA SSD 120gb 250gb raid1 for OS (installed by me)
• Two sata SSD 512gb raid1 for DATA (installed by me)
• 16GB 2666MT/s DDR4 ECC UDIMM
• Chassis with up to 3.5inch x4 Cabled Hard Drives
• TPM 2.0
• EITHER (choose 1)
  • PERC H330 RAID Controller Card
  • HBA330 Controller, 12Gbps Adapter, Full Height

edit- added bold/font size, and adjusted 120gb to 250gb

 

[USAFRet]

For the OS drive, RAID 1 or not....250GB or larger.
SQL and other WinServer log files may become large. A 120GB will run out of space quickly.