Keep it Simple
The Incident Command System (ICS) provides a consistent approach to organizing resources and managing an event or emergency incident. The standardization of organizational structure, procedures and tools allows both personnel and equipment to be swapped in/out at shift changes without disrupting the delivery of services.
The same concept applies to the tools we use for data communications. Stick to simple, standard and straightforward configurations. Avoid complexity. Use components that are used by the vast majority of potential users of the system.
Operating System
- The recommended operating system is Microsoft Windows
- The vast majority of people know how to use Microsoft Windows
- As of December 2017, approximately 89% of all desktop stations use Microsoft Windows. This number hasn't changed much in the past 10 years.
- MacOS is a distant second, at < 8%. Linux is in third place at < 3%.
- Users of MacOS and Linux often have experience with Windows, usually from work. The reverse is not true.
- MS Windows is what you'll find in any Emergency Operations Center. So, backup/replacement PCs, technical support from EOC IT folks, and even additional users are all geared toward an MS Windows environment.
- All of the basic applications that we use in Emergency Communications run on Windows.
- In an emergency communications environment, it's best to keep it simple. Use the OS that the applications were designed for and the users are trained for.
- Use only currently supported versions of the operating system
- All operating systems have a specific period of time over which they are supported by the OS development team. This support includes bug fixes and security updates.
- Today's data networking threat environment is more complicated and dangerous than ever before. There are nearly constant attempts to attack systems with viruses and malware and other hacking methods in an effort to penetrate the system, steal information, and even use the system to attack other systems.
- Therefore, it is absolutely CRITICAL that our data devices run a currently supported version of the operating system. This is especially true if that device may be used to interact with city or county information systems.
- This is especially true of a machine that has a network connection to anything. Such machines are vulnerable to attack and create a danger to everyone else on the network.
- But it's also true of non-networked machines, since they can still share infected files with USB thumb drives.
- For MS Windows, this means the following:
- IMPORTANT NOTE: The use of an unsupported operating system on a standalone (non-networked) packet-only station does not eliminate the risk to others. At some point during operations, someone is going to want to copy a file or install a new application. So they will insert a USB drive or other device, providing a means to transfer a virus or malware to or from the device.
- Avoid emulation
- An emulator, such as Wine, can be used to run some Windows applications on POSIX-compliant operating systems, such as Linux. It works by translating Windows system calls to POSIX calls on-the-fly. But there are problems with this approach.
- First, several years of using this configuration have shown it to be buggy at best. It takes someone with advanced Linux knowledge to get the configuration to work. And if it can be made to work, unexplained and erratic behavior can occur, especially when printing or using external devices. For emergency communications we don't want something to work most of the time. It needs to work all of the time.
- Less than 3% of the user population uses Linux. That means that 97% of the potential user base is relying on just 3% of users to be able to configure, upgrade and manage the configuration. That's just not a responsible way to design and operate a station that is expected to work during emergencies.
- Even if the Windows application can be made to work under Wine, the user is still left dealing with the Linux user environment for everything else, including launching and switching between applications, printing, terminal emulation, office productivity applications (word processing, spreadsheets, etc.), and more. And again, with < 3% of the user population experienced in that environment, it just doesn't make good sense to introduce this type of complexity into the emergency communications workflow.
- Avoid virtual machines (except on personal machines)
- Virtual machine software allows one operating system to be run on top of another operating system. For example, a Windows virtual machine could be created on top of an existing MacOS or Linux machine. The virtual machine software running on the "host" operating system allocates memory, disk space and other resources to the "guest" operating system. The "guest" operating system is then installed and used within that virtual machine, just as if it were running on native hardware. The applications are then installed and used in the "guest" operating system.
- Virtual machines are widely used by service providers to increase the hardware utilization and efficiency of their servers, so the software has become very stable. And applications run within their native operating system, resulting in far fewer problems than with the emulation approach.
- But virtual machines create two additional levels of complexity that just don't need to exist, especially on a machine used for emergency communications.
- The user must first be familiar with the "host" operating system to be able to log in, manage printers and other devices and to launch, restart and close the virtual machine software
- The user must be familiar with the virtual machine software to be able to start up the guest operating system, and configure or manage connectivity to devices and resources on the "host" OS, such as printers, serial adapters, USB drives, etc.
- The user population that is an experienced user of Windows, *and* an experienced user of the "host" operating system (Linux or MacOS), *and* an experienced user of the particular type of virtual machine software in use will be very, very small -- perhaps less than 1%!
- Virtual machines are a good solution for a personal station where the user prefers a non-Windows operating system. They allow the Windows applications to run in their native environment. And they help to keep the user familiar with the Windows environment, which will be important if he/she is assigned to work an existing station at an EOC or other location.
- But like emulation, the added complexity of virtual machines should be avoided for shared stations, such as at EOCs, ICPs, fire stations, shelters, etc.
Hardware
- Laptops are ideal
- Because of their built-in screen, keyboard, and mouse (trackpad or equivalent), laptops are highly portable and take up less desk space than a regular desktop machine with separate screen, keyboard and mouse.
- Laptops have their own internal battery which can take over if AC power is lost.
- Tablets are not recommended
- Tablets are nice for consuming content, such as browsing web pages or watching videos.
- But, unless the tablet is fitted with an external keyboard and mouse, it is a terrible device for content creation, such as working with multiple windows, editing documents, and operating the menus and controls of the typical desktop applications used for emergency communications.
- Screen size - larger is better
- For desktop environments, most people find an external monitor best.
- Most people find a laptop screen size of 15" to be comfortable for portable operations.
- Most people find a laptop screen size smaller than 13" to be too small. Even if the text size is adjusted larger, there is not enough screen real estate left, requiring the user to scroll up/down and left/right much more than they should have to.
- Screen Resolution - more is better
- The higher the resolution, the more screen real estate is available to work in multiple applications at the same time
- For example, when using Outpost, it's common to have the main window, plus a message window, plus a browser window (for forms) open at the same time.
- It's also common to be using other office-support applications (word processing, spreadsheet, etc.), and another browser, all at the same time.
- 1920 x 1024 pixels is fairly common now on laptops.
- Processor, RAM, Storage - more is better
- Our packet software requires only minimal processor, RAM and storage.
- But those with high-speed network connections will want to run more applications.
- And each new version of operating system requires more processor, RAM and storage than the previous version.
- For maximum lifetime, select more processor, RAM and storage than you need right now. Unfortunately, defining a minimum recommendation for these parameters is nearly impossible because it depends on far too many factors, such as which version of Windows you're running, which applications you're using, how responsive you want the machine to be, and what you plan to do with it in the future. See the list of recommended software and consult Microsoft and manufacturer's recommendations.
- Battery life - more is better
- From a practical standpoint, the battery should last at least one hour during normal use. This allows the PC to continue to run when the AC power fails until a backup generator can be started, or while the generator is being refueled. And it gives some leeway to fix any generator problems that may occur.
- Serial connectivity is required
- No matter where you go in the county, you'll be able to make an AX.25 (packet) connection using a serial TNC. Most modern PCs don't have native serial ports. But USB-to-Serial adapters work very well.
- Ethernet connectivity is strongly recommended
- More services are available with a higher-speed connection. Some very thin laptops don't have a native Ethernet port, but they support a "dongle"/adapter to connect Ethernet to one of the native ports (usually USB).
- If you're going to use an Ethernet dongle, USB3 or USB-C is best.
- External Mouse is strongly recommended
- Most people find navigating with a track pad difficult. And it's definitely slower than using an external mouse. Even portable users can benefit from an external mouse.
- USB - more is better
- USB connections will be needed for USB-to-Serial Adapters, USB-to-Ethernet adapters, connecting to local printers, and using USB drives to transfer files. The more native ports the better.
- For supporting USB-to-Ethernet adapters, USB 3 is much better than USB 2. USB 3.1 is even better.
- Machines with only one or two USB ports will probably need a small (3-5 port) USB hub. In order to avoid an additional power connection, be sure the USB port on the PC can supply the necessary power to the hub and all devices that are attached to the hub.
- Keep a USB flash drive handy
- Even standalone machines will have the occasional need to transfer files. For example, you might need to update a device driver, install an updated version of software, or share a file with someone else.
- Anti-X software
- All laptops should be configured with anti-X (anti-virus, anti-malware, anti-...) software to protect them from other machines and to protect other machines from them. Even standalone machines aren't really standalone, since software needs to be installed/updated and files need to be transferred. Protect the machine and prevent damage to other machines by keeping the machine free of malicious software. Windows includes antivirus software. In Windows 7 it is called Microsoft Security Essentials. In Windows 8 it is Windows Defender (now called Windows Defender Antivirus in Windows 10). You or your IT department may have a different preference.
- Firewall
- Firewall software controls what can make connections into and out of your computer. Windows ships with Windows Firewall (now called Windows Defender Firewall in Windows 10). You or your IT department may have a different preference.
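A read-only check of the anti-X and firewall items above, as an added example that is not part of the original page. It assumes Windows 10 or later with the built-in Windows Defender Antivirus and Windows Defender Firewall; the 7-day signature age limit is an assumed threshold, not a figure from this page.

```powershell
# Added example: read-only readiness check for a station PC.
# Assumes the built-in Defender Antivirus and Defender Firewall are in use;
# a third-party product needs its own vendor-specific check.
$MaxSignatureAgeDays = 7          # assumed threshold, adjust to local policy
$findings = @()

# Show the OS so it can be compared by hand against Microsoft's support lifecycle.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Output "OS: $($os.Caption), version $($os.Version)"

# Antivirus state. Standalone stations are the ones most likely to have
# stale signatures, because they rarely see an Internet connection.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled) {
    $findings += 'Defender Antivirus is not enabled'
}
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += 'Real-time protection is turned off'
}
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "Antivirus signatures are $($mp.AntivirusSignatureAge) days old"
}

# Firewall state for each profile (Domain, Private, Public).
foreach ($fwProfile in Get-NetFirewallProfile) {
    if ($fwProfile.Enabled -ne 'True') {
        $findings += "Firewall profile '$($fwProfile.Name)' is not enabled"
    }
}

# Summarize for the station log.
if ($findings.Count -eq 0) {
    Write-Output 'PASS: antivirus and firewall checks are clean.'
} else {
    Write-Output "FAIL: $($findings.Count) item(s) need attention:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The script changes nothing on the machine, so it can be run from the day-to-day account before each deployment or drill.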
Administrative Control
- Separate Administrator vs. Day-to-Day User Accounts
- The Windows user account used to run Outpost and other applications and to perform day-to-day operations should NOT have Windows Administrator permissions. This helps prevent unintentional installation of malicious software. When the non-Administrative user attempts to install an application, Windows will prompt for the Administrator credentials (username and password).
- Out of the box, Windows usually disables the built-in Administrator account and gives Administrator privileges to the user that initially sets up the Windows PC.
- To set up the stand-alone Windows machine more securely, the following steps need to be completed. Consult Microsoft documentation for details before proceeding:
- Create a separate Administrator account(s) or enable the built-in Administrator account and assign it a password
- Log out of the day-to-day user account.
- Log into the Administrator account. Verify that it has Administrative rights.
- Remove Administrative rights from the day-to-day user account.
- Don't use the Administrator account except to install software and perform other Windows maintenance functions.
- Consider creating two Administrator accounts, one for your primary PC administrator and one for a backup administrator, in case the primary is not available (such as during a disaster or when the primary is on vacation or out sick).
- Limit access to Administrator account(s) to the most knowledgeable and trusted individuals on the team. The IT organization will usually require Administrators to sign an application and may require training on policies.
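The account separation steps above, sketched in PowerShell as an added example that is not part of the original page. The account names `StationAdmin` and `PacketOperator` are hypothetical placeholders, and the script assumes a stand-alone (non-domain) Windows 10 or later PC with the built-in LocalAccounts cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example. Both account names are hypothetical placeholders.
$AdminName = 'StationAdmin'     # dedicated administrator account (assumed name)
$DailyUser = 'PacketOperator'   # day-to-day operating account (assumed name)

# Well-known SIDs, so the script also works where group names are localized.
$AdminsSid = 'S-1-5-32-544'     # BUILTIN\Administrators
$UsersSid  = 'S-1-5-32-545'     # BUILTIN\Users

# Run this from an administrator login, not from the day-to-day account.
if ($env:USERNAME -eq $DailyUser) {
    throw "Log out of '$DailyUser' and run this from an administrator account."
}

# Create the separate administrator account if it does not exist yet.
if (-not (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString -Prompt "Password for $AdminName"
    New-LocalUser -Name $AdminName -Password $password `
        -Description 'Station maintenance only' | Out-Null
}
if (-not (Get-LocalGroupMember -SID $AdminsSid -Member $AdminName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -SID $AdminsSid -Member $AdminName
}

# Verify that an enabled local administrator other than the day-to-day user
# exists before removing anything, so the station cannot be locked out.
$otherAdmins = Get-LocalGroupMember -SID $AdminsSid |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { Get-LocalUser -SID $_.SID } |
    Where-Object { $_.Enabled -and $_.Name -ne $DailyUser }
if (-not $otherAdmins) {
    throw 'No other enabled local administrator found; leaving rights unchanged.'
}

# Remove administrative rights from the day-to-day account, keeping it a standard user.
if (Get-LocalGroupMember -SID $AdminsSid -Member $DailyUser -ErrorAction SilentlyContinue) {
    Add-LocalGroupMember -SID $UsersSid -Member $DailyUser -ErrorAction SilentlyContinue
    Remove-LocalGroupMember -SID $AdminsSid -Member $DailyUser
}

# Report the resulting membership for the station log.
Get-LocalGroupMember -SID $AdminsSid | Select-Object Name, ObjectClass, PrincipalSource
```

Running it a second time for a backup administrator only requires changing `$AdminName`; the lockout check and the removal step are safe to repeat.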
- Independent Administration
- Ideally, the PC(s) used in the amateur radio station should be administered independently from the rest of the enterprise IT domain. There are several reasons, including:
- During an emergency, Domain Administrators are busy or otherwise unavailable to help with the PC(s) in the amateur radio station. The amateur radio team may need to load an updated version of software, or add an application that was not previously used at that station. So, the very station that should be available during an emergency won't be able to make necessary changes.
- Making the amateur radio station PC(s) dependent on the same Domain Controller and other central servers as the rest of the enterprise creates a common point of failure (perhaps multiple common points of failure!). If a problem occurs (equipment failure, network failure, power failure, misconfiguration, cyber attack, etc.), the amateur radio station, which is supposed to be available when other systems fail, is disabled at the same time.
- Amateur radio operators are volunteers that operate the equipment on nights and weekends. They need to be able to update software and deal with problems after hours, when the Domain Administrators are not available.
- The rest of the enterprise network is protected since access from the amateur radio station PC(s) is typically blocked. Usually, only Internet access is available to the amateur radio station PCs, via the enterprise firewall. For more details, see: Network Considerations for Data Stations
- Of course, the local enterprise IT group should maintain a Windows Administrator account on the PC(s).
- At least one local Windows Administrator account should be set up for a responsible amateur radio operator (usually the unit leader and his/her designee). A second, backup administrator is ideal for redundancy.
- Of course, granting Local Administrator rights is serious business. So IT groups usually have the individual who will receive these rights vetted by the organization and require them to follow certain policies.
- Local Administrator Access for Domains
- The enterprise IT group may require the amateur radio station PC(s) to be controlled under a Windows Domain.
- The Windows Domain Controller makes it possible to enforce consistent policies across all PCs.
- Domain Administrator accounts can install/delete/update software on all PCs in the domain.
- This type of approach works well for day-to-day operations.
- But allowing ONLY the Domain Administrator(s) to manage the PCs creates several problems for an emergency communication station, as described above in "Independent Administration".
- Local Administrator privileges should be granted to allow administration of individual PCs.
- Whenever possible and practical, Local Administrator privileges should be granted for the PC(s) in the amateur radio station to at least one responsible amateur radio operator (usually the unit leader or his/her designee).
- This lets the local amateur radio team update the software that they use, add new software and drivers, and deal with problems, whether after hours or during a disaster.
- Of course, granting Local Administrator rights is serious business. So IT groups usually have the individual who will receive these rights vetted by the organization and require them to follow certain policies.