
Revamp Your IT Infrastructure to Support Quarantine Telework/Work from Home



Telecommuting Overview

The United States and the world are working aggressively to stem the spread of COVID-19 (Coronavirus). Many states and local governments have ordered a variety of businesses to close for a period of time, and large public gatherings are either prohibited or discouraged. As part of this social distancing effort, federal agencies and businesses, large and small, are either quickly expanding or implementing a telecommuting program for their employees. If you are a systems administrator for a large company, you'll likely already have the IT infrastructure in place to support an expanding telecommuting work force. However, if you are a system administrator for a small company with no network or application support for telecommuting, this quick guide will help provide some guidance in implementing various network services and cloud-based applications to enable a secure work-from-home program.



What are the basic business technology and resource needs?

Most businesses require the same basic set of technologies and resources for their employees to perform their job duties. For many, these resources and tools are only accessible while the employees are at the physical office. To ensure everyone is as productive and efficient as possible when they work from home, it is important that these resources and tools are accessible to them remotely. The best way to do this is to set these up as cloud-based resources so they can be accessed from anywhere with an Internet connection.

The basic set of resources and tools a business needs can be summarized as follows:

  1. Notebooks
  2. Remote access to email
  3. Productivity applications (e.g., word processor, spreadsheet, presentation software)
  4. Telephone/VoIP service
  5. Fax service
  6. Conferencing tools

These are discussed in more detail below.


What do your employees need to work from home effectively?

Besides implementing and establishing the required cloud-based business resources to support your employees working from home, your employees will also need to make sure their home office is suitable for telecommuting. The items they need are fairly easy to put in place. Despite that, it is important to discuss each item to ensure the best outcome.

  1. A signed telecommute agreement - Before you start allowing employees to work from home, it is important to have each sign your company's telecommute agreement. This
  2. A dedicated safe and ergonomic work space - Because employees are working from their own private home and not from your company's office that has space and furniture designed with safety and ergonomics in mind, it is important to ensure a dedicated room or area of the home is established for work. While it is impractical to manually inspect each employee's home, it may be sufficient to have your employee attest they have a safe and ergonomic work space with their signed telecommute agreement. You will need to ensure your human resources department includes guidance in the agreement for your employees to follow.
  3. Basic office setup (e.g., desk, chair, lighting)
  4. Ability to perform their job duties remotely
  5. High-speed Internet access


How quickly can I build out my telecommute infrastructure?

The amount of time and effort to revamp your IT environment to support a remote workforce will be dictated by the technologies your organization already has to support telecommuting, the size of your IT team to help with the build-out, the number of employees in your work force, and the level of support you have from management and leadership. The goal of this article is to provide you, as a systems administrator, with options that you can employ to quickly and easily build out or enhance your IT infrastructure to support remote workers. These solutions are only recommendations for you to consider.

Most of these recommendations are selected based on our past experiences in implementing and using them. They are fairly easy to implement, cost-effective, and easy to use for the administrator and the end users. You will need to review these with your IT team and manager to determine their suitability for your organization.


Building out your infrastructure

Before you can have your employees work from home, you will need to ensure the required technologies and resources are in place to support their work. We'll cover the common ones that most businesses would need and provide a summary of the benefits and the level of ease to implement.

1. Notebooks/Virtual Desktop

Your employees will need to have a platform to perform their work. Unless you already have policies and guidelines in place for employees to use their personal home computer for work, you will need to provide them with a computing platform. Notebooks are still a common platform for telecommuters as they are mobile, lightweight, and have plenty of computing power for most business needs. If you already have a relationship with Dell or HP, consult with your account representative to find the laptop model for your needs and budget.

An alternative to provisioning a physical laptop is a virtual desktop. A physical laptop can be lost, stolen, or damaged. This adds a level of administrative effort to maintain them - particularly since these will be remote. However, a virtual Windows computer, such as those offered by Amazon AWS WorkSpaces or Microsoft Azure Virtual Desktop, is much easier to manage and support. Unlike a physical notebook that can take several days to build and ship, providing a virtual desktop to your workforce can be accomplished in as little as a day. If your organization already subscribes to AWS or Microsoft Azure, you may already be set up to provision a virtual Windows desktop to a user within a matter of minutes.

Notebooks

Recommended Minimum Specifications

  • 15" Display
  • 8GB RAM
  • Solid state hard drive (SSD)
  • Trusted Platform Module (TPM) (for BitLocker)
  • Built-in Wi-Fi with optional Bluetooth (for use with wireless mouse, keyboard, or headset)
  • Built-in camera (for video conferencing)
  • Microsoft Windows 10 Professional
  • USB ports
  • 15-pin VGA port (to facilitate support for an external monitor)

2. Remote Access to Email

In the unlikely scenario your organization has an on-premise email server and is not set up to let employees access their mailbox from outside of the company office, you'll need to identify how best to open up access. Email is an essential form of communication for any business. For your telecommute program to work, you will need to ensure your employees can access their emails remotely.

The quickest way to accomplish this is to identify within your organization what is needed to make it happen. Perhaps it is purchasing additional equipment, revising a policy, or requesting a configuration change for your network firewall. If this is not possible, an option to consider is to migrate your mailboxes to a cloud-based service provider. We recommend Microsoft Office 365. Along with providing you with an Exchange email server, Office 365 provides access to a plethora of cloud-based business applications that will support your telecommuters - more on this later in this article.

Performing any migration requires time and effort. If your workforce is small and you have the resources, it may be manageable. The good news is that there is third-party software that can help you easily and automatically migrate your on-premise mailboxes to Office 365. The solution we've had success with is BitTitan MigrationWiz.

 



3. Productivity Applications

Your work force, regardless of whether they work at the company office or from their home, needs access to business productivity software. To provide and support these applications to your remote workers with the least amount of administrative effort, cloud-based service apps such as those offered by Google G Suite and Microsoft Office 365 are worth considering. Essentially, they offer this software as a service (SaaS).

The advantage IT professionals find valuable with SaaS is that all the administrative work to keep applications updated, patched, and readily available on demand 24x7 from anywhere in the world is handled by the provider. As a systems administrator, you and your IT team only need to administer the environment with respect to adding/removing users, assigning permissions, configuring security policies, and similar.

Both Google G Suite and Microsoft Office 365 offer their own version of a word processor, a spreadsheet, a presentation program, tools for collaboration, and other useful applications. For many organizations, either vendor provides the basic applications a business requires. Since we only use and are familiar with Office 365, we'll share our thoughts from this perspective.

With Microsoft Office 365, you have the ability to purchase only the licenses you need based on the number of employees you have. As an example, an Office 365 Enterprise Level 1 license costs only $8 per month per user and will provide you with a web-based version of Outlook (with 50GB mailbox storage), Word, Excel, PowerPoint, and Teams (a collaboration tool). Additionally, each user will have their own dedicated 1TB of cloud storage with Microsoft OneDrive. Our experience with Office 365 technical support is positive and they are available 24x7 via email or by phone.

If your organization is in the healthcare industry, Microsoft Office 365 is HIPAA compliant and you'll be able to enter into a BAA (Business Associates Agreement) with them. Additionally, they are also HITECH and FedRAMP compliant if your organization requires it.

The only issues that we've found with Office 365 are that some non-urgent administrative changes can take several minutes to a couple of hours to take effect. Additionally, some of the applications, such as Teams and Power Automation, do not provide a consistent experience (at the time of this writing). In our experience, they aren't critical issues but can sometimes cause frustration among users. Microsoft is fairly good at improving their products based on feedback. We feel confident issues will be resolved in due time.


4. Telephone/VoIP Service

As with email, access to a telephone whether working on-premise at your company office or at home is an essential tool for day-to-day business activities. While some may operate successfully by having their employees use their personal smartphone for calls related to work, others require the staff to use a dedicated company-issued phone. If you have an on-premise PBX phone system, you'll likely need to replace or augment it with a cloud-based hosted VoIP (voice over IP) system to effectively provide your remote workforce a phone.

There are many VoIP solutions in the marketplace. We have experience with the VoIP solution offered by Jive Communications and we'll share our thoughts about them here. Some of the key features Jive Communications offers that meet our client's needs are listed in the sidebar.

It's worth emphasizing that your employees do not need to use a physical phone with Jive Communications. A soft phone app installed onto their computer or smartphone will provide many of the basic calling features most would need on a day-to-day basis.

 

VoIP Features

  • Support hard/physical phones (support for Cisco and Polycom)
  • Browser based phone
  • Windows/Mac desktop phone (softphone)
  • Mobile soft phone app (support for Android and iPhone)
  • Forwarding of calls to another phone number
  • GUI-based IVR
  • Supports a call center (e.g., call queues) with analytics
  • Voicemail to email
  • Direct dial-in numbers
  • Music on hold
  • Call recording
  • Call monitoring


5. Fax Service

If your organization needs the ability to send and receive faxes, a cloud-based faxing service will easily provide on-premise and remote workers the ability to fax. We have worked with the Scrypt Sfax cloud faxing service in the past and have had a positive experience with it. Getting an account set up was fairly easy and quick for us and you can typically have this service set up for use within one day. Scrypt Sfax will provide you with a phone number and, if needed, a toll-free number. If you require your existing fax numbers to be ported over to Sfax, this will take a few extra days for the transfer to happen.

With Scrypt Sfax, you send and receive faxes like you would emails. Incoming faxes are delivered into your inbox as Adobe PDF files. To send a fax, you will need to have your document as a digital computer file. If your document is already in one of the many supported file formats, you simply attach the file, enter the recipient's fax number, and your fax will be sent. If you need to fax a printed document, you will first need to scan it to either TIF or PDF.

If you are in the health care industry, Scrypt Sfax is a HIPAA compliant faxing service to ensure you meet compliance standards.

The only area where we see that Scrypt Sfax can improve is login security. Currently, an administrator does not have the ability to enforce the use of two-factor authentication (2FA) as part of a user's login as a policy. Instead, an administrator has to enable this feature on a per-user basis. However, individual users can actually disable this setting in their account profile.

Regardless, Scrypt Sfax is a reliable cloud-based faxing service that you can quickly set up and administer with ease.



6. Conferencing Tools

Having remote workers will limit the amount of face-to-face interaction among your staff. For some organizations, this may be acceptable. For some, it may conflict with the company's culture and collaboration needs. Regardless of your work environment, having a conferencing tool established and ready for use when or if needed is worth considering.

Most conferencing tools in the market today enable you to hold audio or video calls with multiple people simultaneously from either a computer or a smart phone. More important are the tools they provide, such as the ability to distribute files to your participants, the ability to share your computer screen to host and record a presentation, and a whiteboard (analogous to a digital dry erase board) that allows participants to easily draw or write content during a web-based meeting for all to see.

Popular conferencing tools to consider include:

  1. FreeConferenceCall.com 
  2. Google Hangouts 
  3. Microsoft Skype 
  4. Microsoft Teams 
  5. Slack Video Calls 
  6. WebEx 
  7. Zoom (Do not use Zoom. According to a Yahoo article dated April 2, 2020, Zoom has a major security and privacy issue. Zoom acknowledges this and is working on addressing these issues. We recommend that you not use Zoom until the security and privacy issues are adequately addressed.)

If you already subscribe to or plan on subscribing to Office 365, you will have access to Teams, Microsoft's version of a collaboration tool, at no additional cost to your subscription price.


Securing Your Remote Endpoints

For some organizations, having employees work remotely from home is a new concept and can introduce some cyber security concerns. Organizations will often employ on-premise resources to secure their network and endpoints when their computer assets are all plugged into their on-premise domain. Microsoft Windows Server group policy is often used to push security configurations to the workstations. A Windows Server Update Services (WSUS) server may be responsible for pushing critical operating system updates. An endpoint protection server may be relied upon to ensure virus definitions are being delivered to the anti-virus software on all the computers. Regardless of how your environment is set up, having computer assets used on a daily basis while detached from a well-established secure network domain is concerning from a security standpoint.

The good news is that there are cost-effective and easy-to-administer tools to help harden your remote computers. We'll touch on several of these below that will help you quickly shore up your security posture.



1. BitLocker

If you do decide to provision a physical notebook to your remote workforce instead of a virtual desktop, there is a risk it can be lost or stolen. Proprietary company information or sensitive information that may be regulated by HIPAA, PCI, CCPA, and other acts can cost your company significantly in reputation, money, and competitive edge if it is not properly secured.

By making sure you purchase notebooks that include a Trusted Platform Module (TPM) and Microsoft Windows Professional/Enterprise, you will have access to BitLocker. This is an easy-to-use drive encryption technology developed by Microsoft. It will protect your data by ensuring only those with the correct BitLocker 'password' will be able to decrypt and access the content of the hard drive. Without the correct password, the computer will not boot into Windows.

Thus, if a notebook is stolen, your data is inaccessible to the thieves. Even if the hard drive was removed from the notebook and plugged into a different computer as a secondary drive, the content will still remain encrypted and inaccessible without the correct BitLocker password.

BitLocker is easy to use and adds a strong layer of security to protect sensitive data. When employing BitLocker, it is critical that you, as the systems administrator, maintain a secure and accurate list of all your BitLocker passwords and recovery keys. If a user forgets their BitLocker password and you do not maintain a list, the content of the drive will be inaccessible, and the notebook itself will be unusable and will require a drive format and the re-installation of Windows.
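One way to keep that list accurate is to collect it from the notebooks themselves. The PowerShell below is an added example, not part of the original article: it assumes an elevated session on a Windows notebook with the BitLocker cmdlets available, and the function name `Get-BitLockerAuditRecord` and its `-EscrowToAD` switch (which applies only to domain-joined notebooks whose policy allows recovery information in Active Directory) are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit BitLocker on one notebook and report
# whether a recovery password exists to record. Only protector IDs are output; the
# 48-digit recovery password itself is never printed or written to the report.

function Get-BitLockerAuditRecord {
    [CmdletBinding()]
    param(
        # Volume to audit; defaults to the Windows system drive.
        [string]$MountPoint = $env:SystemDrive,
        # Assumption: domain-joined notebook with AD DS escrow allowed by policy.
        [switch]$EscrowToAD
    )

    $tpm    = Get-Tpm
    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Key protectors are the ways the volume can be unlocked (TPM, PIN, recovery password).
    $protectors = @($volume.KeyProtector | Where-Object { $_ })
    $recovery   = @($protectors | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    $findings = @()
    if (-not $tpm.TpmPresent)   { $findings += 'No TPM present' }
    elseif (-not $tpm.TpmReady) { $findings += 'TPM present but not ready for use' }
    if ($volume.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume status is $($volume.VolumeStatus)"
    }
    if ($volume.ProtectionStatus -ne 'On') {
        $findings += 'Protection is off or suspended'
    }
    if ($recovery.Count -eq 0) {
        $findings += 'No recovery password protector, so there is nothing to record for recovery'
    }

    # Optional escrow of each recovery password to Active Directory.
    $escrowed = @()
    if ($EscrowToAD) {
        foreach ($kp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            $escrowed += $kp.KeyProtectorId
        }
    }

    # One flat row per notebook, suitable for Export-Csv into a central inventory.
    # The protector ID is what the BitLocker recovery screen displays, so it is the
    # lookup key for finding the matching recovery password in your secured list.
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        MountPoint          = $volume.MountPoint
        VolumeStatus        = "$($volume.VolumeStatus)"
        ProtectionStatus    = "$($volume.ProtectionStatus)"
        EncryptionMethod    = "$($volume.EncryptionMethod)"
        ProtectorTypes      = ($protectors.KeyProtectorType -join ',')
        RecoveryProtectorId = ($recovery.KeyProtectorId -join ',')
        EscrowedToAD        = ($escrowed -join ',')
        Compliant           = ($findings.Count -eq 0)
        Findings            = ($findings -join '; ')
    }
}

# Run on each notebook and collect the rows centrally.
Get-BitLockerAuditRecord | Format-List
```

A row with `Compliant` set to False, or a `RecoveryProtectorId` that is missing from your records, identifies a notebook to fix before it leaves the office.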

2. Anti-virus/Anti-malware

Computer viruses and malware are always a threat to any computer. You need to ensure your remote notebooks are protected by reliable endpoint protection software. However, not just any solution will do. As a system administrator, you need the ability to remotely assess the health of your endpoints and be automatically alerted if a potential threat is discovered. Most comprehensive security solutions in the market today offer a cloud-based centralized administration console to keep tabs on your endpoints. Along with Windows, most will also support macOS and Android and iOS smartphones.

Some endpoint security solutions with a cloud-based administrator portal that we recommend for your consideration include Sophos, Trend Micro, and Webroot. These can require some time to acquire and set up before you can fully manage all your devices under the administration console.

For a more immediate, unmanaged install, consider the security solutions listed on the sidebar.


3. Patching/vulnerability remediation

Applications, operating systems, and other software are continually being updated or patched by the developer. Updates often include fixes to bugs in code or add enhancements to the software. Patches (sometimes called hotfixes) are issued to resolve a bug in the software that affects security or functionality. In either case, it is best practice to apply the updates or patches when they become available.

Not keeping your software up-to-date can potentially open your organization up to cyber attacks. Your IT department needs to have visibility into vulnerabilities that may be on your servers, workstations, notebooks, and other computing platforms. This will ensure you have awareness and can take action to remediate. A security scanning tool that we enjoy using is called Nessus by Tenable. It scans for vulnerabilities (via agent software you install on each computer) on a regular schedule and provides you with a report of issues found (a cloud-based web portal is available).

The report provides detailed information on the vulnerabilities, the steps needed to remediate, and a list of computers affected. Additionally, vulnerabilities are assigned a severity level (e.g., critical, high, medium) to help you gauge their criticality and prioritize your remediation efforts.

If you employ remote access tools as described below, you'll be able to connect to your remote workforce computers to effectively address vulnerabilities as they arise. Keeping your servers, workstations, and mobile devices updated and patched will greatly enhance your cyber-security posture and minimize your chances of being breached.

Many organizations aren't prepared or positioned to have employees work from home. Cyber criminals are taking advantage of the reduced cyber-security posture in an attempt to more easily breach a system, as reported in the Microsoft article "Microsoft works with healthcare organizations to protect from popular ransomware during COVID-19 crisis."

On The Prowl
COVID-19 Ransomware

Even as the world struggles to fight COVID-19, cyber criminals are hard at work launching ransomware attacks, as reported by the Microsoft Threat Protection Intelligence Team.


Well-Known Breaches

Hacks and data breaches happen regularly. We only hear of the larger incidents on the news. Here are a few well-known breaches.



4. Two-factor authentication (2FA)

Regardless of whether you have a remote workforce or not, employing two-factor authentication (2FA) in your environment is one of the best ways to significantly enhance your overall security posture. In most cases, the cost is minimal and administration is fairly easy. The only potential heavy lift in implementing this is end user setup and training. If the employees are not familiar with 2FA, it may take some effort on your part to educate them on the benefits of 2FA and how it is implemented and used in your environment. However, we suspect that most people are familiar with the concept of 2FA.

Some service providers may actually include 2FA as part of your subscription. For example, Microsoft Office 365 and Scrypt Sfax both include 2FA at no additional cost. If your system or application does not include 2FA built in, you may be able to subscribe to Duo, a third-party 2FA service provider, and integrate it to add this security feature. It does require time to set up but the cost is affordable. We highly recommend you employ 2FA security wherever possible.

5. Online password vault

Your employees' passwords are entry points into your company's network and data. Because passwords can be cumbersome to manage, people tend to become relaxed and not exercise best practices in securing their login information. We've seen people keep their passwords in a 'little black book' that is kept in their briefcase or handbag, on a Post-it Note affixed to the bottom of their keyboard, or simply memorize one password but use it across multiple systems or applications. These practices pose a risk to your organization that can potentially lead to a breach and the loss or exposure of sensitive data.

To remediate this, you need to provide your workforce with an online password manager tool to help them store their passwords easily and securely. We use LastPass with much success. Each user securely stores their passwords in their own personal cloud-based vault. LastPass offers a web browser plugin that will assist you by automatically filling in your username and password when logging in to your web sites. Because this feature removes the need for a person to manually enter their passwords, there is no need to memorize them. This helps to enforce the practice of making a password complex - using a combination of upper- and lowercase letters, numbers, and symbols - and thus making it harder to crack.

If your organization requires high security, LastPass offers business plans with features and tools to help you administer and maintain security. With their business plans, you'll be able to:

  1. Enable 2FA
  2. Enforce a password change cycle
  3. Define password complexity
  4. Share common passwords securely
  5. Set up email alerts
  6. Report on weak passwords

 


Top 10 Hacked Passwords

In 2019, the ten most common passwords revealed from hacks as reported by Fox Business were:

  • 123456
  • 123456789
  • qwerty
  • password
  • 111111
  • 12345678
  • abc123
  • 1234567
  • password1
  • 12345

Don't get hacked, secure your passwords with LastPass, a secure online password manager.

6. Internet access through virtual private network (VPN)

Your employees will likely be logging into various websites throughout a work day to access sensitive data as part of their job duties. When they are working remotely, they will be using the Wi-Fi/Internet connection at the venue where they are located. They may be at their home, an airport, a hotel room, or a coffee shop. Regardless of the venue, unless you configured the network yourself, you cannot be sure how secure it is. The Wi-Fi/Internet access points at these locations are designed and configured for ease of use - not for security.

The concern is that these access points may have vulnerabilities, such as an unpatched router, may be compromised (man in the middle), or may be a fake hotspot set up by a criminal to lure unsuspecting people. Vulnerabilities can potentially risk exposing your company's and your customers' sensitive data to criminals. If your organization needs to comply with federal regulations, such as HIPAA and PCI, you may be putting your company at risk of some hefty fines and penalties.

If your company's on-premise network supports VPN service, you may already have what is necessary to provide your workforce with a secure Internet connection when working remotely. What is needed is the ability to configure your VPN server, and maybe your VPN client applications, to force the routing of all remote users' Internet traffic through their VPN tunnel. This effectively makes your VPN server act as a proxy Internet gateway and funnels all of your VPN users' Internet traffic through your corporate Internet connection.

Your remote workforce will still connect to the unsecured Wi-Fi hotspot at their venue. However, if they immediately establish a VPN connection to your corporate network afterward, all of the user's Internet activities will be secure from that point forward. Because a VPN tunnel encrypts all traffic, regardless of whether the hotspot is compromised or fake, the cyber criminal will not be able to "see" your data as it will be encrypted.

Setting up Internet access through an encrypted VPN tunnel can be a no- to low-cost solution to offer your remote workforce a connection that is secure from prying eyes. Having employees work remotely with mobile devices brings on additional cyber risks that must be addressed. Implementing this, or a solution similar in concept, will significantly reduce your organization's cyber security exposure.
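Forcing all traffic through the tunnel is only useful if it actually takes effect on the notebook, so it is worth checking from the client side after the VPN connects. The PowerShell below is an added example, not part of the original article or any vendor's tooling: the function name `Test-VpnFullTunnel` and the adapter pattern `*VPN*` are hypothetical, and the probe addresses are constructed from the documentation ranges.

```powershell
# Added example (not from the article): confirm that Internet-bound traffic would leave
# through the VPN adapter (full tunnel) instead of the local Wi-Fi (split tunnel).
# Find-NetRoute only consults the routing table; no packets are sent to the probes.

function Test-VpnFullTunnel {
    [CmdletBinding()]
    param(
        # Assumption: wildcard that matches your VPN adapter's alias (see Get-NetAdapter).
        [Parameter(Mandatory)]
        [string]$VpnInterfacePattern,

        # Constructed probes: documentation addresses (RFC 5737 / RFC 3849) standing in
        # for "any Internet host". The IPv6 probe catches tunnels that only cover IPv4.
        [string[]]$Probe = @('192.0.2.1', '198.51.100.1', '203.0.113.1', '2001:db8::1')
    )

    foreach ($ip in $Probe) {
        $route = $null
        try {
            # Output is the source address object followed by the chosen route;
            # only the route object has a DestinationPrefix, so keep that one.
            $route = Find-NetRoute -RemoteIPAddress $ip -ErrorAction Stop |
                     Where-Object { $_.DestinationPrefix } |
                     Select-Object -First 1
        } catch {
            # No matching route (for example, no IPv6 connectivity at all):
            # traffic to this destination cannot leave the notebook by any path.
        }

        if (-not $route) {
            $status = 'NoRoute'
        } elseif ($route.InterfaceAlias -like $VpnInterfacePattern) {
            $status = 'ViaVpn'
        } else {
            $status = 'Bypass'   # would go out over the local network, outside the tunnel
        }

        [pscustomobject]@{
            Probe          = $ip
            MatchedPrefix  = $route.DestinationPrefix
            InterfaceAlias = $route.InterfaceAlias
            NextHop        = $route.NextHop
            Status         = $status
        }
    }
}

# Run after the VPN has connected. '*VPN*' is a placeholder for your adapter's name.
$results = Test-VpnFullTunnel -VpnInterfacePattern '*VPN*'
$results | Format-Table -AutoSize
if ($results.Status -contains 'Bypass') {
    Write-Warning 'Split tunnel detected: some Internet traffic bypasses the VPN.'
}
```

On notebooks that use the built-in Windows VPN client, `Get-VpnConnection` reports the same setting in its `SplitTunneling` property.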

Watchguard Firebox T70 with VPN

Firebox T70 Features
  • Ideal for small to midsize businesses
  • Supports 60 users
  • 4Gbps firewall throughput
  • 740Mbps VPN throughput
  • Mobile VPN with SSL or IPSec
  • 800,000 concurrent sessions
  • Intrusion prevention
  • 24x7 support
  • More at Watchguard



Providing technical support remotely

You may be already using or have used tools to remotely connect to another computer for the purpose of providing technical support. However, with a larger remote workforce, you may find your current solution for remote access may not give you specific features needed or the ability to support multiple concurrent connections or technician sessions.

There are a variety of available remote desktop utilities. We'll list some of the popular solutions and solutions that we've used and like below for your consideration. They all fundamentally do the same thing, namely to give you the ability to remotely access a computer. However, some may offer specific features that you may find useful. Additionally, some solutions may be free for your specific needs and requirements. We enjoy using ConnectWise Control (formerly ScreenConnect) and we've highlighted some of the features we enjoy on the sidebar.

Popular remote desktop utilities include:

  1. ConnectWise Control (formerly ScreenConnect)
  2. GoToMyPC 
  3. LogMeIn 
  4. Splashtop 
  5. RemotePC 
  6. TeamViewer 
  7. UltraVNC 

Remote Support & Access

ConnectWise Control Features
  • Unlimited endpoints
  • Multi-technician license
  • Multi-monitor support
  • Web-based portal
  • Remote MSI installer
  • Remote control
  • Screen sharing
  • Run command
  • Thumbnail screenshot of remote machines
  • Definable triggers
  • Expandable with extensions
  • Discrete execution of defined commands
  • More information at connectwise.com 


Employee oversight/monitoring

Employee oversight or monitoring allows a business to track employees' time and computer activities as a way to boost productivity or engagement. This is a touchy subject and should be evaluated carefully with respect to legal, ethics, privacy, and the company's overall culture. We recommend that you consult with your IT manager and human resources department to determine if it's suitable in your environment and compliant with company policies or guidelines.

Popular employee monitoring tools include:

  1. ActivTrak 
  2. Kickidler 
  3. StaffCop 
  4. Teramind 
  5. Time Doctor 

User Activity Monitoring

ActivTrak Features
  • Remote discrete monitoring
  • Pre-built or custom alarms
  • User activity logs
  • Website blocking
  • Video playback
  • Analytical reports
  • Web-based portal
  • More information at activtrak.com 


Other considerations

Employees working from home or with a notebook may not have an ideal setup for ergonomics, productivity, and efficiency. Addressing these concerns may be as easy as providing your workforce with simple accessories. For example, many find it difficult to use a notebook's built-in touchpad and small keyboard, particularly for a prolonged period of time. However, a separate mouse and keyboard will provide a much more comfortable setup.

Additionally, staring at and working off a small notebook screen is cumbersome. A secondary monitor plugged into an available VGA port at the back of the notebook will provide your users a much larger Windows desktop. Most users will likely have multiple application windows open at any given time. The addition of a large secondary monitor provides better productivity and efficiency among the workforce.

These accessories, along with those listed on the sidebar, are low-cost investments to ensure your users are well equipped to perform their work effectively.


Summary

As organizations across the nation work to reorganize their operations and IT network to accommodate a new or expanded remote workforce amid COVID-19 and social distancing, it is important to realize that many I.T. tools, resources, and service providers are readily available to help your business continue with operations the best way possible. Certainly not all industries can benefit from telework, such as those in manufacturing. But service providers such as those in insurance, education, accounting, online stores, consulting, and many more can still effectively deliver their services to their customers despite working from home.

What telework looks like in your organization and how effective it will be is something you will need to evaluate with your stakeholders. The good news is that many of the suggestions listed in this article are easy to implement, easy to administer, and fairly priced. This helps make it easy to switch providers if needed or make configuration changes with minimal pain.

Working from home is not new; it has been practiced using technology at least since the 1990s. If telework is suitable for your organization, you will likely find the tools suggested here, and others that you may find yourself, will address many of the concerns you, the management team, and leadership may have. Regardless of whether you are ready to implement a telework program or not, it is unfortunately being forced upon us out of necessity to protect everyone from the new coronavirus. It can be done, even if you are a one-person IT department. We hope this article provides the groundwork for your build-out.