DeniGaro-2275 asked SunnyQi-MSFT commented

Secure Windows 10 users

Hi all,

We are in the process of educating users on how to protect themselves on the internet, and I hope that someone can help us with these questions. The users are between 45 and 55 years old, so it is very hard to change their thinking about security and work.

  • How to protect business laptops on open Wi-Fi networks? What is the best practice; what do you do to protect users who travel a lot and who connect to hotel/airport or any other public networks? (Are tools like Hotspot Shield the way to go?)

  • Is there any best practice on what to think about when securing users (like don't click on links that look suspicious, or if you receive a link, check it first)?

Thank you in advance






Please try to mark the replies which help you. It will encourage the person who helps you. Appreciate your understanding. :)

cheong00 answered cheong00 commented

Not exactly best practice, but...

How to protect business laptops on the open wifi networks?

We usually set up a connection shortcut to the corporate VPN so connections to corporate servers are encrypted. No plans to restrict access for other websites.

Is there any best practice on what to think when securing users

The easiest I can think of is to just buy them laptops with Win10 in S mode. In this way only UWP applications downloaded from the Microsoft Store can run, and it means viruses and malware can do no harm. However, this also means non-UWP LOB applications cannot be run locally, and you should prepare an RDS server for them to "Remote Desktop" in and run those applications. This is the best solution from IT support's perspective if your business has already moved all the LOB applications to the cloud as web applications, and your company uses Azure-AD.

If this is not an option, then you go through the usual Least-User-Privilege checklists so any possible damage is on that user's files only. Of course, proper backup with versioning is also required to prevent damage from ransomware. Usual security advice such as "install antivirus" or "configure firewall to allow file share related ports on domain network only" applies.

(like don't click on the links that look suspicious or if you receive some link check it first)

This is not what I consider securing users, but educating them so they know better. In this respect, a newsletter updating staff on what they should be aware of/suspect would be great.

Just note that even if you tell the users not to watch dancing bunnies, most likely some of them will still do it. (This link contains lots of advice that should be helpful for you, so you're recommended to read it.)



Hi Cheong00,

Many thanks for your answer.

All users already have Windows 10 Pro, so investing in a new OS is not an option.

"We usually set up connection shortcut to corporate VPN so connections to corporate servers are encrypted. No plans to restrict access for other websites."
If we only encrypt the connection to the server, the user can still browse to other sites or use Outlook and click on the wrong link, and all files / OneDrive can be in danger. An attacker can still get access to passwords on open networks. Is it good to install something like Hotspot Shield so that users browse securely, or can we accomplish that with the corporate VPN as well? The antivirus program and firewall are always running, and all programs and the PC are up to date.


For that matter, we usually just trust that the link scanners installed with the antivirus will do their job.

IMO, "Hotspot Shield" or another public VPN server is not much different from the corporate VPN in terms of protection, and with a VPN server nearer than your corporate VPN it's probably going to offer better speed. However, you may need to pay an additional fee for its use, so your company needs to judge whether it is worth the cost.


SunnyQi-MSFT answered SunnyQi-MSFT edited

Hi,

Thanks for posting on the Q&A platform.

As cheong00 suggested, you could configure the Wi-Fi security settings on their laptops to run the company's VPN automatically when at a hotspot.

To ensure other users can't connect to a laptop being used in public, file sharing needs to be turned off prior to connecting to a hotspot.

Users also should turn off the wireless and Bluetooth services on their laptops when not in use, and change the network configuration to manually select each wireless network they join.

The organization's classification policy should restrict what information can be carried on a laptop. One option is for sensitive data to be carried on an external encrypted drive, which is only used when the laptop is disconnected or connected to a secure network.

Here is an article about how to protect your laptop when using public Wi-Fi; you could refer to the methods in it:

PROTECT YOUR LAPTOP WHEN USING PUBLIC WI-FI
Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

Best Regards,
Sunny


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
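
An added example, not part of any poster's reply: the laptop settings discussed in the answers above (file sharing limited to the domain network, no automatic joining of saved Wi-Fi networks, checking whether the VPN carries all traffic) applied from PowerShell. It assumes an elevated prompt on English-language Windows 10; `CorpWiFi` is a hypothetical SSID.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: English-language Windows 10, elevated prompt;
# 'CorpWiFi' is a hypothetical SSID that may keep joining automatically.
$KeepAutoConnect = @('CorpWiFi')

# 1. File sharing: limit the enabled inbound "File and Printer Sharing" rules
#    to the Domain firewall profile, so they do not apply at a hotspot.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and
                   $_.Profile -ne 'Domain' } |
    Set-NetFirewallRule -Profile Domain

# 2. Keep the firewall on for Public networks and block unsolicited inbound traffic.
Set-NetFirewallProfile -Name Public -Enabled True -DefaultInboundAction Block

# 3. Saved Wi-Fi networks: switch every profile except the corporate one to
#    manual connection, so the laptop does not rejoin a hotspot on its own.
#    (The 'All User Profile' label is the English netsh output.)
$saved = netsh wlan show profiles |
    Select-String -Pattern 'All User Profile\s*:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
foreach ($ssid in $saved) {
    if ($KeepAutoConnect -notcontains $ssid) {
        netsh wlan set profileparameter name="$ssid" connectionmode=manual | Out-Null
    }
}

# 4. Report what is left to review.
#    Connected networks and their category (hotspots should show as Public).
Get-NetConnectionProfile |
    Select-Object Name, InterfaceAlias, NetworkCategory | Format-Table -AutoSize
#    VPN connections: SplitTunneling = False means all traffic, including web
#    browsing, goes through the VPN tunnel while it is connected.
Get-VpnConnection |
    Select-Object Name, ServerAddress, SplitTunneling | Format-Table -AutoSize
```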
