hardening the network of a small office

pcpete

We were approached by a small accounting firm. They have about 7 workstations. They do not have a server, but use an online office/server for their accounting stuff (web-based system). They wanted to make sure that the office was properly locked down and they do not have any glaring holes. They are just being proactive to prevent issues. They do not seem concerned with money and just want it done correctly.

They mentioned these few items; at a minimum I want to make sure I address all of these things when I give them a basic proposal.

They currently plug in flash drives from some clients which contain a QB file and are concerned about that transferring a virus. My first thought is, at a minimum, to verify that autorun is turned off for drives, but maybe a host laptop with Dropbox that is insulated from their network, with the exception of Dropbox.

They are also concerned about hooking clients onto their personal Wi-Fi network. This could be done with a separate router or a router that has an insulated guest Wi-Fi. Should we be looking at a non-consumer-grade router for more security?

As to individual workstations: they said many are Windows 7. This is obviously an issue, and they need to be upgraded or replaced. We tend to be a shop that upgrades lots of somewhat older computers to SSDs for non-business clients, but I am thinking they would probably be a better fit for new desktops. Other than making sure the OS is fully updated along with third-party software, what else should we be doing? Should we suggest complete encryption on everything?

Any suggestions here would be greatly appreciated. Thanks!
 
  • Windows 10 all round.
  • Full premium antivirus suite on workstations, also set to scan USB drives or block access to USB drives from all but allowed scan stations. Configure a scheduled weekly full scan of machines. Configure email alerts.
  • Get premium email filtering. Block executable attachments. Office 365 advanced threat protection has been rubbish in my opinion - Messagelabs or similar would be better.
  • Proper edge firewall/antivirus device (unified threat management) that has DNS blacklisting and other subscriptions to threat definitions. Email alerts again.
  • Block some non-business related categories of web access with the edge device
  • Segregated guest WiFi as you say
  • Full disk encryption on all workstations to protect data in event of device loss/theft.
  • For their own data transfer, consider encrypted password protected USB sticks.
  • Remove local Administrator permissions - leave them with normal user accounts and give the responsible person the pAdmin password for installs.
  • Two-factor authentication on any online system.
  • Ensure SPF/DKIM set up for their email domain, to reduce the risk of spoofed emails
  • If Office 365 for email, consider an inbound mail rule to prepend a warning e.g. '** EMAIL FROM OUTSIDE OF BUSINESS **' on inbound emails. This helps spot spoofed emails.
  • Turn auditing on in office 365 if it is not on.
  • IP geographic blocking on any online system. Not expecting people to log in from Russia or China? Block 'em!
  • User education - find a provider of cyber security awareness training who can give them all examples of hacks/attacks/fraudulent emails. Make basic training mandatory and nominate a member of staff to allocate time keeping up to date with current fraud methods.
  • IT Usage policy for staff - personal web browsing on personal mobile devices only, using WiFi - NOT from office equipment.
  • Limit the number of people with access to online banking transfers, to limit the attack surface. Ensure that any transfer to a new bank account number is verified by another means - i.e. if a request to send cash is received by email, phone the client back to verify.
  • Cyber attack insurance might cover the costs of dealing with a future incident and is worth considering.
  • Check their backup mechanisms. Cloud storage is OK but are their files being backed up? What if a file is corrupted and they don't notice for a month - can they recover it?
Edited to add: are different classes of files protected on their storage? i.e. personnel/finance files accessible only to the relevant staff members?
 
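The workstation items in the list above (AutoRun off, USB storage blocked except on a scan station, local admin removed, BitLocker with an escrowed recovery password) as one audit/apply script. This is an added example written for this thread, not code from any poster; it assumes Windows 10 with PowerShell 5.1 or later, a TPM for the BitLocker step, and that only the built-in Administrator and the "pAdmin" account named in the list should keep local admin rights. Run it once without switches to see findings, then with -Apply.

```powershell
<#
  Added example (not from the thread): audit, and optionally apply, the workstation items in the
  list above on a Windows 10 PC. Run from an elevated PowerShell 5.1+ prompt:
    .\Harden-Workstation.ps1                      # audit only, print findings
    .\Harden-Workstation.ps1 -Apply               # apply fixes
    .\Harden-Workstation.ps1 -Apply -ScanStation  # apply, but leave USB storage usable on the scan station
  Assumed: only the built-in Administrator and the 'pAdmin' account named in the thread keep local admin.
#>
[CmdletBinding()]
param(
    [switch]$Apply,
    [switch]$ScanStation,
    [string[]]$KeepAdmins = @('pAdmin')   # accounts allowed to stay in Administrators (assumption)
)

$findings = New-Object System.Collections.Generic.List[string]

# Compare one registry value with its expected setting; record a finding and fix it when -Apply is given.
function Ensure-RegValue {
    param([string]$Path, [string]$Name, [int]$Expected, [string]$What)
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Expected) { return }
    $findings.Add("$What is not set ($Path\$Name is '$current', expected $Expected)")
    if ($Apply) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -Path $Path -Name $Name -Value $Expected -Type DWord
    }
}

# 1. Anything older than Windows 10 is unsupported, and the Local* / BitLocker cmdlets below need Windows 10.
if ([Environment]::OSVersion.Version.Major -lt 10) {
    Write-Warning "$env:COMPUTERNAME runs $([Environment]::OSVersion.VersionString); replace or upgrade it first."
    return
}

# 2. AutoRun off for every drive type (0xFF). The HKLM policy key overrides per-user settings.
Ensure-RegValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -Name 'NoDriveTypeAutoRun' -Expected 0xFF -What 'AutoRun disabled for all drive types'

# 3. Removable storage denied everywhere except the designated scan station. This is the value that the
#    "All Removable Storage classes: Deny all access" Group Policy setting writes (it also covers CD/DVD and phones).
if (-not $ScanStation) {
    Ensure-RegValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
        -Name 'Deny_All' -Expected 1 -What 'Removable storage access denied'
}

# 4. Local Administrators: keep only the built-in Administrator (RID 500) and the allowed accounts.
foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    $shortName = $member.Name.Split('\')[-1]
    if (($member.SID.Value -like '*-500') -or ($KeepAdmins -contains $shortName)) { continue }
    $findings.Add("Extra local admin: $($member.Name) ($($member.PrincipalSource))")
    if ($Apply) { Remove-LocalGroupMember -Group 'Administrators' -Member $member }
}

# 5. BitLocker on the system drive. Add the recovery password first, then bind the volume to the TPM;
#    the recovery password must be stored off the machine before the reboot that starts encryption.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($vol.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker protection is $($vol.ProtectionStatus) on $env:SystemDrive (volume status: $($vol.VolumeStatus))")
    if ($Apply) {
        $vol = Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
        Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 -TpmProtector `
            -UsedSpaceOnly -SkipHardwareTest | Out-Null
        $recovery = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
        Write-Warning "Record the BitLocker recovery password for $env:COMPUTERNAME off the machine: $recovery"
    }
}

# 6. Report
$mode = if ($Apply) { 'fixes applied where possible' } else { 'audit only; re-run with -Apply to fix' }
Write-Host ("{0}: {1} finding(s) ({2})" -f $env:COMPUTERNAME, $findings.Count, $mode)
$findings | ForEach-Object { Write-Host " - $_" }
```

The Deny_All value blocks every removable storage class, not just USB sticks, which is why the machine that receives client flash drives gets the -ScanStation switch and keeps its antivirus on-access scan instead. Do not run the BitLocker step on a machine without a TPM (Enable-BitLocker -TpmProtector will fail) and keep the printed recovery password somewhere other than the encrypted disk.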
Thanks! That is a great list to work from!
 
Since they are just using the flash drives to get QB files from clients, would a dedicated Linux laptop work well as a USB station? My thought is it would be immune to any Windows viruses that might get transferred when plugged in. This laptop could then share over the network, and they could just scan the QB file before opening it.
 
They currently plug in flash drives from some clients which contain a QB file and are concerned about that transferring a virus.
USB infections are rare nowadays. Disabling autorun is in most cases all you need.

Get them to have the clients email the file, or upload it somewhere zipped with a password for extra security.
 

That is a very complete list, and most of it is included in Microsoft 365.
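The Microsoft 365 side of the earlier list (the "outside of business" subject tag, executable-attachment blocking, the audit log, SPF/DKIM), with a DMARC check added since it completes the spoofing protection the list is after. This is an added example written for this thread, not any poster's code; it assumes the ExchangeOnlineManagement module, an Exchange administrator sign-in, and uses "example.com" and the rule names as placeholders.

```powershell
<#
  Added example (not from the thread): the Microsoft 365 / Exchange Online items from the list
  (external-mail warning, executable-attachment block, audit log, SPF/DKIM), plus a DMARC check.
  Needs the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement) and an
  Exchange administrator sign-in. 'example.com' and the rule names are placeholders (assumptions).
#>
param([string]$Domain = 'example.com')

Connect-ExchangeOnline -ShowBanner:$false

# 1. Tag every message that enters from outside the organization so spoofed "internal" mail stands out.
if (-not (Get-TransportRule -Identity 'External sender warning' -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name 'External sender warning' `
        -FromScope NotInOrganization -SentToScope InOrganization `
        -PrependSubject '** EMAIL FROM OUTSIDE OF BUSINESS ** ' `
        -Comments 'Subject tag on all inbound external mail'
}

# 2. Reject executable attachments from outside (EXO inspects file content, not just the extension).
if (-not (Get-TransportRule -Identity 'Block executable attachments' -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name 'Block executable attachments' `
        -FromScope NotInOrganization -AttachmentHasExecutableContent $true `
        -RejectMessageReasonText 'Executable attachments are not accepted by this organization.'
}

# 3. Unified audit log, so mailbox and sign-in activity can be searched after an incident.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 4. DKIM for the custom domain. EXO can only enable signing once the two selector CNAMEs are in DNS,
#    so create the config disabled, print the CNAMEs, and enable on a later run.
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $Domain -Enabled $false }
Write-Host "DKIM CNAMEs for ${Domain}:"
Write-Host "  selector1._domainkey.$Domain  CNAME  $($dkim.Selector1CNAME)"
Write-Host "  selector2._domainkey.$Domain  CNAME  $($dkim.Selector2CNAME)"
if (-not $dkim.Enabled) {
    try   { Set-DkimSigningConfig -Identity $Domain -Enabled $true -ErrorAction Stop; Write-Host "DKIM signing enabled." }
    catch { Write-Warning "DKIM not enabled yet: $($_.Exception.Message). Publish the CNAMEs and re-run." }
}

# 5. SPF and DMARC as a receiving server sees them, via public DNS.
function Get-TxtRecord([string]$Name, [string]$Prefix) {
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like "$Prefix*" }
}
$spf = Get-TxtRecord $Domain 'v=spf1'
if (-not $spf) {
    Write-Warning "No SPF record for ${Domain}. Publish: v=spf1 include:spf.protection.outlook.com -all"
} elseif ($spf -notmatch 'include:spf\.protection\.outlook\.com' -or $spf -notmatch '\s-all$') {
    Write-Warning "Check SPF for ${Domain}: '$spf' (expected the EXO include and a hard-fail '-all')"
}
$dmarc = Get-TxtRecord "_dmarc.$Domain" 'v=DMARC1'
if (-not $dmarc) {
    Write-Warning "No DMARC record for ${Domain}. Start monitoring with: v=DMARC1; p=none; rua=mailto:dmarc@$Domain and move to p=quarantine once reports look clean"
}

Disconnect-ExchangeOnline -Confirm:$false
```

The SPF check deliberately wants a hard fail (-all): with a soft fail (~all) a spoofed message is merely marked, and the subject-tag rule is the only thing left to warn the reader. The DKIM step is split across two runs on purpose, because Exchange Online refuses to enable signing until both selector CNAMEs resolve.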
 