Secure windows 10 users

Question

Hi all,

We are in process of educating users how to protect themselves on the internet and I hope that someone can help us with these questions. Users are between 45 and 55 years old so it is very hard to change their thinking of security and work.

• How to protect business laptops on the open wifi networks? What is the best practice, what you guys do to protect users who travel a lot and who connect to hotel/airport or any other public network? (Is tools like hotspot shield way to go)
• Is there any best practice on what to think when securing users (like don't click on the links that look suspicious or if you receive some link check it first)

Thank you in advance

Answer 1

Not exactly best practice, but...

How to protect business laptops on the open wifi networks?

We usually set up connection shortcut to corporate VPN so connections to corporate servers are encrypted. No plans to restrict access for other websites.

Is there any best practice on what to think when securing users

The easiest I can think of is to just buy them laptops with Win10 in S mode. In this way only UWP application downloaded from Microsoft Store can run and it means virus and malware can do no harm. However this also mean non-UWP LOB applications cannot be run locally and you should prepare RDS server for them to "Remote Desktop" in and run those applications. This is the best solution from IT support's perspective if your business already moved all the LOB application to cloud as web applications, and you company uses Azure-AD.

If this is not an option, then you go through the usual Least-User-Privilege checklists so any possible damage is on that user's file only. Of course proper backup with versioning is also required to prevent damage from ransomwares. Usual security advise such as "install antivirus" or "configure firewall to allow file share related ports on domain network only" applies.

(like don't click on the links that look suspicious or if you receive some link check it first)

This is not what I considered as securing users, but educating them so they know better. In this aspect some newsletter updating staffs what they should aware/suspect would be great.

Just note that even if you tell the users don't watch dancing bunnies, most likely some of them will still do it. (This link contains lots of advise that should be helpful for you, so you're recommended to read)

Answer 2

Hi,

Thanks for posting in Q&A platform.

As cheong00's suggestion, you could configure the Wi-Fi security settings on their laptops to run the company's VPN automatically when at a hotspot.

To ensure other users can't connect to a laptop being used in public, file sharing needs to be turned off prior to connecting to a hotspot.

Users also should turn off the wireless and Bluetooth services on their laptops when not in use, and change the network configuration to manually select each wireless network they join.

The organization's classification policy should restrict what information can be carried on a laptop. One option is for sensitive data to be carried on an external encrypted drive, which is only used when the laptop is disconnected or connected to a secure network.

Here is an article talking about how to protect your laptop when using public Wi-Fi, you could refer to methods in it:

PROTECT YOUR LAPTOP WHEN USING PUBLIC WI-FI
Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

Best Regards,
Sunny

----------

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.