This is way over my head, so I am just going to ask some simple questions. First, it isn't necessarily a large setup (I know IT people who deal with hundreds of workstations). But, it does sound complicated.
When I hear 35 workstations and 5 servers, I immediately think that's great that a server isn't sharing the whole load, but I also think that five is a lot. I guess it is because I don't know the topology of the setup.
You say three offices and five servers and terminal services, but I don't know where the servers are, what office is connecting to where, or what office is the main office (I suppose I would say "main office", "Sat1" and "Sat2").
Also, there seems to be TS and VPN, yet you still have people using remote desktop to log into AC.
I am not understanding why malware is getting by your antivirus programs and firewalls.
As mentioned, every user should be a domain user with no admin rights and logged into the domain. I know this is overboard, but I would be tempted to run all WIN7 with UAC on.
Also from your description it sounds like IT comes when you call them. If that is the case, spending upwards of $72,000 a year seems like a lot. If I spent that much, I would want a guarantee that no Trojans were coming into the system.
With 35 workstations, how many are infected? Do you just need to make an image and reformat every PC with the same setup?
Again, I don't know where all the servers are, and I am sure a real IT person would be excited that everything is separate. But, it seems a bit much to have billing software on one server with the billing database on another. Then AC on another, etc.
The last thing I would like to know is the credentials of your IT. Do they have this after their name:
CCNP/CCDP/Cisco Wireless LAN specialist, Cisco Security Specialist, Cisco Sales Expert /MCSE. Major areas of expertise: frame-relay, LAN switching, Campus Network Design, PIX firewall, ASA firewall, VPNs, network management...
CCIE-Security Candidate (passed written exam 350-018)
Add Microsoft MVP 2004/2005/2006/2007/2008/2009 to the list
or just "Really smart IT guy." I really am not trying to be sarcastic, but one has to wonder what the credentials are.
I am not sure how many IT people are in the area where you live.
Well, you have three very knowledgeable people helping, but I hope this helps.