How to keep your accountant from swindling you, or moving 1C to the cloud. Step-by-step instructions

How do companies keep records? Usually this is a 1C package installed on the accountant's local computer, in which a full-time accountant or an outsourced specialist works. An outsourcer can manage several such client companies at the same time, sometimes even competing ones.

With this approach, access to bank accounts, cryptographic protection tools, electronic document management and other important services is configured directly on the accountant's computer.

What does this mean? That everything is in the accountant's hands, and if he decides to cheat the business owner, he can do it in no time.

In this article, we will show you how to securely lock all services, including 1C, inside one cloud server so that you can cut off access to all of them with one button, even if the accountant has flown off to fabulous Bali.

What can possibly happen? Two real cases

Wall Street sysadmin

Our co-founder's wife is an experienced accountant and was approached last month by a large restaurant chain in Moscow. The restaurant kept all the databases on its server, which was managed by a permanent system administrator from the restaurant team.

Just as the accountant started working there, the system administrator visited an online casino and picked up a virus that destroyed the entire database. Who got the blame for everything? That's right, the accountant who had just arrived.

The heroine was very lucky that her husband is a managing partner at a hosting company and understands such things. After long bickering over the phone (our colleague was about to drive over and deal with the admin in person), the evidence was found and the culprit was punished. But the database was lost, so there was no happy ending for the system administrator.

Laptop stuck in someone else's apartment

This is an old story of our other acquaintances.

An experienced woman, 64 years old, regularly kept the accounts of an online store of Chinese gadgets through 1C. The client and database were stored on a laptop she was given at work. It was convenient: it is easy to print from office printers, the base is small and fits on a netbook, you can take it with you to the country house or home.

Then tragedy struck: on Friday evening, she was taken away in an ambulance with a stroke. The netbook was left at her home because the accountant was a responsible person and had taken work home for the weekend.

The laptop, of course, was rescued and the accountant recovered, but if we move this situation to the present day and replace the stroke with the coronavirus, the operation of rescuing a computer from a locked apartment takes on a completely different scale.

Can two cats and a Labrador open the door for you? Even if a neighbor waters flowers and feeds cats, will she give you a computer?

But let's move on to 1C in the cloud - what are the options for deploying and working in the cloud.

What are the options for working with 1C in the cloud?

Option 1. Client + corporate application server + database

Suitable for large companies that need a whole team of accountants. This is a rather expensive option (many additional licenses are required), and we will not consider it, because this article is about setting up an accountant's workplace for a small company.

Option 2. 1C: Fresh

1C: Fresh is a fairly convenient way to work in 1C through a browser. No settings are required: when renting such a license, the franchisee company will set everything up themselves, you will be given a login and password.

But there are two downsides:

✗ High price: the basic tariff for one application requires payment for at least 6 months for at least two workplaces, which comes to 6808 rubles.
✗ You cannot configure the server itself, which many companies share at once. You are given a key only to your own dorm room, on the principle of shared hosting.

1C: Fresh also offers the 1C: BusinessStart configuration; a subscription costs 400 rubles per month under a promotion. Its configuration options are significantly limited, without the promotion a subscription costs 1000 rubles, and it also has to be paid for at least six months.

Option 3: your own VPS with 1C client and database installed

This option is suitable for small companies where 1-2 accountants work - they can work quite comfortably without installing the 1C: Enterprise application server and SQL server.

The main beauty of this approach is that a rented VPS can act as a full-fledged work computer for an accountant with an RDP connection.

When all databases, documents and credentials are stored on a VPS that you control, you need not fear laptops locked in an apartment, or an accountant and a system administrator escaping together to the islands with all the documents and the money from the current account. You can cut off access with one button by deleting the user.

This method is also good and here's why:

  1. When an accountant works in 1C products, 1C generates a lot of Word, Excel, Acrobat documents. When the 1C client is launched on the accountant's computer, all documents are saved on his laptop. When working on a VPS, everything is saved on a virtual machine.
  2. 1C databases and documents do not end up on the accountant's personal computer at all (when using 1C: Fresh, documents would have to be downloaded).
  3. The ability to connect the VPS to the corporate network via VPN and organize secure access to internal resources for the accountant (when using 1C: Fresh, the accountant's personal computer would have to be put into a secure LAN for this).
  4. You can set up secure integration of 1C: Enterprise with external systems: EDI, personal bank accounts, government services, etc. In the case of using 1C: Fresh, access to many critical services would have to be configured on the accountant's personal computer.

And then there is the price, of course. Renting a virtual machine with a 1C license will cost about 1500 rubles per month, and that is at the premium rates of an expensive hosting provider. This is not much more than the minimum basic 1C: Fresh package and significantly cheaper than the other subscriptions. You can pay monthly.

A license can be bought from any franchisee. The price depends on the configuration of the package of products and services, and once the term expires you will have to pay extra for support through the 1C: ITS portal to keep receiving updates.

If you take a VPS from us, for such purposes we offer a virtual machine with a pre-installed 1C: Enterprise client (just write to our support with a description of your task). Renting the virtual machine costs about 800 rubles per month, and renting a 1C license for one workplace will be another 700 rubles. We provide support at no additional charge, and our specialists update 1C: Enterprise if you open a ticket with technical support.

For an accountant, everything will look exactly the same - a familiar desktop, icons, you can even hang familiar wallpapers. And now to the point, how to create and configure such a cloud, access to which can be disabled with one button.

Ordering a VPS with built-in 1C: Enterprise

For an accountant, the ideal OS is Windows. As for the capacity of the VPS: in our experience, for one or two employees to work comfortably with the file-server version of 1C: Enterprise, a configuration with two compute cores, at least 4-5 GB of RAM and a fast 50 GB SSD is enough.

We do not automate services until we are sure what customers need, so for now this one is not yet automated and you need to order a server with 1C through the ticket system. We will set everything up for you manually.

When you connect to the created virtual machine via RDP, you can see something like this.

Transferring the 1C database

The next step is to export the database from the copy of 1C: Enterprise previously installed on the accountant's computer.

Then you need to upload it to the virtual server via FTP, through any cloud storage, or by connecting a local drive to the VPS using an RDP client.

Next, you need to add an infobase in the client program: we show how to do this in the screenshots.

Once the database has been added successfully, 1C: Enterprise is ready to work on your own VPS. It remains to set up remote desktops for users and integration with various external systems, such as banks' personal accounts or electronic document management services.

Setting up remote desktops

By default, Windows Server allows no more than two simultaneous RDP sessions for system administration. Using them for work is technically easy (just add an unprivileged user to the appropriate group), but this is a violation of the terms of the license agreement.

To deploy full-fledged Remote Desktop Services (RDS), you need to add server roles and features, activate a license server or use an external one, and install separately purchased client access licenses (RDS CALs).

Here we can also help: you can buy RDS CALs from us simply by writing a support request. We will do the rest: install them on our licensing server and configure Remote Desktop Services.

But of course, if you would like to customize everything yourself, we will not deprive you of the fun.

After setting up RDS, an accountant can start working with 1C: Enterprise on a virtual server as on a local machine. Do not forget to install standard accounting software on the VPS: an office suite, a third-party browser, Acrobat Reader.

Now it remains to take care of connecting the 1C client to bank personal accounts.

Setting up integration with banks

1C: Enterprise has DirectBank technology for direct data exchange with banks, without installing additional software. It allows you to download statements and send payment documents without exporting them to files, if the bank supports this interaction standard (otherwise you will have to make do with text files in the 1C format the old way, but that's okay: now they are saved on the virtual machine).

To begin with, a current account is created in the accounting program (if it has not yet been created), and then you need to open its form in the organization's card and select the "Connect 1C: DirectBank" command. Exchange settings can be loaded into 1C: Enterprise automatically or manually: for detailed instructions, you should refer to the bank's website. In some cases, integration with 1C products must be enabled separately in your account.

To set up, you may need a login and password for the company's personal account in the bank. Most often, two-factor authentication (2FA) via SMS is used.

Another popular option, a secure hardware token, is not suitable for us due to the use of a virtual server. In addition, the protected media would have to be removed from the company premises and handed over to a remote accountant, losing control over it.

The option with login/password and 2FA via SMS can also be insecure, although DirectBank technology only allows you to receive statements and send payment documents. To make a payment, the documents have to be certified with an electronic digital signature (EDS), which is stored either on the client's secure physical medium or on the bank's side. In the first case, there are no problems: if the external accountant does not have access to the token, he will only be able to generate documents.

In the case of a cloud digital signature, an SMS with a one-time payment confirmation code is usually sent to the same phone number that is used to authenticate in the personal account. Some banks have solved this problem themselves by allowing customers to exchange data through DirectBank without 2FA. In this case, the accountant will only be able to download statements and send documents, but he will not get access to the money or even to the personal account.

There is another option for separating access levels: many banks allow you to use an account on public services through a single identification and authentication system (ESIA). The manager just needs to go to the settings of his account, select the "Organizations" tab and invite the employee. When he accepts the invitation, in the "Access to systems" section, you can find your bank (after setting up integration with it) and give the user access to your personal account. At the same time, there is no need to transfer to him the phone or token used to sign payment documents.

Connecting to EDI services

Services for exchanging electronic documents are convenient, and the general shift to remote work has made them simply necessary. The 1C: Enterprise client integrates with them, but legally significant EDI requires the use of a qualified electronic signature.

It can only be written to a flash drive or stored in a cloud service that has the appropriate certificates from domestic regulators.

An electronic signature cannot be exported to an arbitrary medium or stored on a VPS, so an accountant usually works with electronic document management from a local computer with a USB flash drive plugged in. A certified cryptographic information protection tool (the so-called cryptographic provider) and the public certificate of the electronic signature are installed on the computer. The private part of the signature is stored on the flash drive, which must be physically connected to the computer in order to sign documents in programs that support this function. To work with EDI through the web interface, you will need browser plugins.

A VPS is also useful here, so that a business-critical system does not have to be deployed on the personal computer of a specialist working remotely. However, the option with a physical token will not work in this case.

It is difficult to say how the crypto provider will behave in a virtual environment, especially when trying to forward the USB port on the VPS through the RDP client. There remains a cloud-based EDS without a physical medium, but not all EDI services offer such a service. By the way, it costs about a thousand rubles a year, not counting the subscription fee for the document exchange service itself, which depends on the volume.

The good news is that almost all popular Russian services have long established mutual document roaming, so you can connect to anyone. There is also bad news: it will not be possible to completely get away from paper, since among counterparties there will definitely be those who do not use EDI.

Configuring access to services using certificates

Many services allow authentication and authorization without a login and password, using SSL client certificates, which can also be installed on the VPS rather than on the accountant's computer.

Similarly, you can set up authentication on corporate web resources. How to do it:

  • Buy a trusted Certificate Authority certificate to sign and verify client SSL certificates with;
  • Create client SSL certificates signed by a trusted certificate;
  • Configure web servers to request and verify client SSL certificates;
  • Install client certificates for remote desktop users on the VPS.
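
The four steps above, sketched with OpenSSL as an added example (not code from the original article). It assumes a private CA that you create yourself instead of a purchased one, uses hypothetical file and user names, and goes one step further by adding revocation, so that a single accountant's certificate can be cut off without touching anyone else's.

```shell
# Added example: private client-certificate CA with per-user revocation.
# Hypothetical names throughout: pki.cnf, "Example Accounting CA", user names.
set -eu

pki_init() {            # create the CA config, the CA itself and an empty CRL
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3ca
prompt = no
[dn]
CN = Example Accounting CA
[v3ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = local
[local]
database = index.txt
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 7
EOF
  printf 'extendedKeyUsage = clientAuth\n' > client.ext
  : > index.txt         # revocation database used by `openssl ca`
  openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -days 1825 \
    -keyout ca.key -out ca.pem 2>/dev/null
  openssl ca -config pki.cnf -gencrl -out crl.pem 2>/dev/null
}

pki_issue() {           # $1 = user; PKCS#12 password is read from $P12_PASS
  openssl req -new -config pki.cnf -subj "/CN=$1" -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -extfile client.ext -out "$1.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$1.key" -in "$1.pem" -certfile ca.pem \
    -passout env:P12_PASS -out "$1.p12"   # import this file on the VPS
}

pki_revoke() {          # cut off one user, then publish the updated CRL
  openssl ca -config pki.cnf -revoke "$1.pem" 2>/dev/null
  openssl ca -config pki.cnf -gencrl -out crl.pem 2>/dev/null
}

pki_accepts() {         # the server-side check: chain, purpose, revocation
  openssl verify -purpose sslclient -crl_check -CAfile ca.pem \
    -CRLfile crl.pem "$1.pem" >/dev/null 2>&1
}
```

Run `pki_init` once in an empty directory, then `pki_issue <user>` per accountant with `P12_PASS` exported. The web server needs `ca.pem` and a current `crl.pem` (in nginx, for instance, via `ssl_client_certificate`, `ssl_crl` and `ssl_verify_client on`), and it must reload the CRL after every `pki_revoke`.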

The topic of deploying 1C: Enterprise for small businesses on virtual servers is a broad one; we have described only one method, suited to keeping accounting secure.

A VPS can sometimes do a good job of avoiding the installation of critical IT solutions and the transfer of private corporate data to a remote specialist's personal computer.

We hope that the article was useful for you.

Source: habr.com
