As institutions capitalize on the numerous advantages that telework offers, IT departments must remain vigilant in meeting the challenges inherent in supporting remote users in a variety of environments. Here are six tips for keeping your staff members out of trouble when they are out of the office:
1. Secure home setups. When deploying machines to users who work from home, it’s a good idea to perform a brief audit of the connection hardware they are using and determine whether it will provide an acceptable level of security. Before they connect for the first time, have your users send your help desk the model number of their connection equipment, and do a little research. Ensure that the hardware is running Network Address Translation — and, if they are using wireless at home, that there is an acceptable degree of wireless security enabled. Consider setting up a standard bundle of equipment that can be sent to users whose configurations are lacking.
2. Consider policy management software. Staff members who work outside the institution’s network bring added security concerns, which means IT departments must enhance protection wherever possible. While antivirus and firewall software can minimize these threats, employing third-party policy management (PM) can offer yet another layer of critical protection. Policy management software works by installing a small program on users’ machines that monitors application launches. When a user attempts to launch an application, the PM checks the application against a whitelist of approved applications and lets the program launch only if it is found on the whitelist. This can be an invaluable tool to stop malware attacks, prevent users from installing unauthorized applications and keep your institution free of licensing compliance liabilities.
3. Monitor web traffic for suspicious activity. If your institution uses Internet filtering software and employs a virtual private network (VPN) that routes Internet traffic through your gateway, make an effort to regularly scrutinize logs of your remote-user activity. Watch for attempts to access malware websites — or even an unusually high number of hits to IP addresses. Both can be signs of trouble, but if caught early can result in a simple cleanup of one machine instead of the reimaging of several.
VPN logs also can alert administrators that something is amiss. Most VPNs will log at the very least a given user’s tunnel name, time connected and sent/received packet counts. Discovering that a user has counts that are disproportionately high relative to their session time may be your first sign that something is awry. Consider making a quick audit of VPN logs a daily best practice to ensure that your machines and network stay healthy.
4. Put network access protection to work. Network Access Protection is included in the Business version of Windows Vista. When this service is enabled and a Health Registration Authority (authenticating server) is in place, a policy can be enacted that will audit workers’ machines for security threats and effectively lock them out of the network until problems are remedied. This accomplishes two things: First, it keeps rogue machines off your network, thereby protecting the rest of your infrastructure and users; and second, it brings remote users to your doorstep who may otherwise have gone undetected, only to return later with more serious issues.
5. Enable system restore. All versions of Windows XP and Windows Vista come with a handy utility called System Restore. When enabled, System Restore will automatically create “restore points” any time a major change is detected on a user’s system, such as the installation or removal of device drivers or software. If a catastrophic problem is discovered after the change is made, a user can simply boot into Safe Mode and run the System Restore utility to return the computer to the state it was in when the selected restore point was created. While System Restore is normally intuitive enough to leave user data files alone, it is still a smart idea to run a backup before restoring a restore point.
6. Force those critical updates. While Vista machines by default will download and install critical updates to make machines less susceptible to malware and exploits, the majority of today’s business machines are still running older versions of Windows. It is imperative that critical updates be installed automatically on these machines; do not rely on the end user to do so. While this policy may carry a chance of inconveniencing some users (through unattended reboots), the benefits outweigh the risks. This is especially important for teleworkers because of the threats they encounter when connecting to public networks, which may host infected machines.