Securing Windows and Office in a time of COVID-19: update policies, remote options

Delayed updates and a rush to support remote workers have forced IT and security teams to scramble. This information and advice will help them better deal with the crisis.

The stay-at-home alerts for many large cities, US states, and countries are putting information technology and security professionals at the forefront of the battle to keep businesses up and running with most employees working remotely. Technology has risen to the challenge in some ways, but for some things there’s just too much on our plates to deal with right now. Here’s how the COVID-19 pandemic is impacting our Windows security in that regard:

Releases and servicing changes

Google was first to announce that the work-from-home mandate was impacting Chrome’s ship schedule. Chrome 81 did not ship on schedule and Google announced that it is “pausing upcoming Chrome and Chrome OS releases.” They emphasized instead that they will ensure releases are stable, secure, and reliable. Google is prioritizing security over feature releases.

Microsoft has also announced that it is pushing back the end of life for Windows 10 1709 as a result. The end of life for 1709 was scheduled for April 14, 2020, but now security updates will be released from May to October. The final update will be released October 13, 2020. It remains to be seen if Microsoft Office click-to-run releases and Office 365 features will also be impacted. Keep an eye on the Microsoft Office 365 roadmap to see if any of these releases will be impacted.

On March 24, Microsoft announced that it is pausing all optional non-security (C and D) updates for all versions of Windows client and server products that it still supports.

Introducing remote technology

To allow for remote technology, we’re madly rolling out virtual private network (VPN) and Remote Desktop Protocol (RDP) connections, often at the expense of security. One alternative is to deploy a 180-day trial version of Windows Server 2016 or 2019 and use Remote Desktop Services with Remote Desktop Gateway (RD Gateway) along with RDWeb technologies to allow remote connectivity.

You can also use OpenVPN solutions to stand up a temporary VPN server. Don’t forget to review what your firewall already offers for VPN connectivity.

Microsoft came out with instructions on how to split the traffic for your network so that the Office 365 traffic does not have to go back through the office connection. Check your VPN solution's documentation for any additional configuration needed so that your external clients automatically send downloads and other internet traffic directly to the internet.

In the Sophos VPN solution, for example, the VPN interface adds a route to the IP address of your work computer, which is routed through the SSL-VPN interface. Any other traffic, like downloads, is then routed by your standard home router and its internet connection. If you want to ensure your VPN solution also provides web filtering, review your VPN solution for options. For Sophos VPN, to provide web filtering to the remote clients, you must add “VPN Pool (SSL)” to “Allowed Networks”. Review your options with your VPN vendor as to what you can do to route traffic and protect accordingly.
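The split-tunnel routing described above can be audited by resolving each destination against the client's route table. The following is an added example, not part of the original article or any vendor's tooling; the route tables, interface names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample route tables: (prefix, interface, metric).
# Addresses are private/documentation ranges chosen for illustration.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "home-router", 25),       # default route stays on the home link
    ("192.168.1.0/24", "home-router", 25),  # home LAN
    ("10.20.30.40/32", "ssl-vpn", 5),       # host route to the work computer
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "home-router", 25),
    ("0.0.0.0/1", "ssl-vpn", 5),            # two /1 routes override the default
    ("128.0.0.0/1", "ssl-vpn", 5),
    ("192.168.1.0/24", "home-router", 25),
]

def egress_interface(routes, destination):
    """Pick the route by longest prefix match, then lowest metric."""
    dest = ipaddress.ip_address(destination)
    candidates = []
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net:
            candidates.append((net.prefixlen, -metric, iface))
    if not candidates:
        raise ValueError(f"no route to {destination}")
    return max(candidates)[2]

def audit(routes, expectations):
    """Return destinations whose egress interface differs from policy."""
    return {
        dest: egress_interface(routes, dest)
        for dest, wanted in expectations.items()
        if egress_interface(routes, dest) != wanted
    }

# Split-tunnel policy: only the work computer goes through the VPN.
POLICY = {
    "10.20.30.40": "ssl-vpn",       # work computer (constructed address)
    "203.0.113.10": "home-router",  # stand-in for a download endpoint
    "192.168.1.50": "home-router",  # home printer
}

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, "violations:", audit(table, POLICY))
```

Destinations that leave through the home router bypass any web filtering applied at the office end of the VPN, so the same audit shows which traffic that filtering will never see.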

Other options for secure remote access

Azure AD can also secure remote desktops. For example, you can secure RD Gateway infrastructure using the Network Policy Server (NPS) extension and Azure Active Directory. You can secure the RDP connection using Azure Multi-Factor Authentication for Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016 RD Gateway and NPS server by following these instructions. Finally, review these instructions to protect RD Gateway with Azure MFA and the NPS Extension.

Dealing with network traffic slowdowns

Recently the CEO of AT&T indicated that all the work-from-home traffic has impacted network performance. Netflix is throttling the bandwidth in various locations to limit the impact on the internet. If your home users have bandwidth issues, you might suggest that they adjust home cameras to use lower video quality. You may want to send out tech tips to your home users to walk them through quality of service adjustments, or use remote access tools such as Splashtop SOS to obtain temporary access to home PCs to better fine-tune them.

Your help desk staff should also be ready to help educate home users about the numerous examples of COVID-related malware. Send out prevention tips to your employees to keep them aware of the risks.

All of us here at CSO know that we will get through this. Stay safe and stay strong. Don’t forget we have tips on optimizing remote video conferencing setups.

Copyright © 2020 IDG Communications, Inc.
