Admin Guide to Supporting Work from Home with 探花大神

Offices in prior decades were built primarily with an on-premises state of mind. In order to do work, you had to drive to the office, work on a desktop or stationary computer, and authenticate locally to your on-prem Active Directory^庐 or LDAP server.

Beyond the fact it doesn鈥檛 easily accommodate remote work, the on-prem model has other downsides, including forcing admins to manage multiple different passwords for applications and connect their users to WiFi via an unsecured passphrase like WPA2. As technology evolved, cloud applications, varying operating systems, and disparate resources became more common in the workplace, and they challenged the on-prem model as well.

Desktops evolved into laptops, installed versions of applications became web browser-based, and WiFi protocols evolved to become more secure. Offices, too, have started evolving to allow for work-from-home or multiple remote branch offices.

The 探花大神^庐 open directory platform was built to allow employees to work remotely from home, on the go, or at a remote branch office. This is made possible with a 100% cloud-based directory and secure solutions for the various IT resources at your company鈥檚 disposal.

General Security Best Practices

When working in any IT environment, especially environments with remote workers, there are several things you should consider configuring and enforcing. This guidance applies whether you are using 探花大神 or not, so we鈥檒l go through this before going through 探花大神-specific guidance.

Strong Password Policies:

Different security compliance regulations may require different levels of password complexity. For example, section 8.x in the recommends the following list be enforced on passwords used in a secure environment:

Minimum of seven characters, generally 10 characters or more is best
- Numbers
- Lowercase and uppercase
- Special characters (examples: . ! ; _ -)
90-day password expiration
Prohibited reuse of previous four passwords used for the account
User lockout after six failed login attempts

It should be noted that you can always make these requirements stricter based on the security compliance and policies you want to enforce in your environment. Our advice has alway been and continues to be to create long, strong passwords. Ideally, end users are creating a sentence or combining multiple words together for a long password (greater than 16 characters is always preferable, but note that Office 365 limits passwords to 16 characters).

Anti-Phishing Security Policies:

In recent years, there has been an increasing number of attacks and successful attacks using phishing or spear-phishing. In 2017 alone, according to a , there was a 237% increase in SaaS app mimic attacks. Beyond that, phishing and pretexting were responsible for 93% of breaches in social attack incidents, Verizon found in one . There are many ways bad actors can use social engineering, spam email, or URL redirection to get information out of your employees and into their own hands.

Ensure the safety of your users and your business by enforcing good security practices and taking measures against phishing and other cyberattacks. Create a policy that users must forward suspicious emails to your IT admins or security team, and remind them not to click suspicious emails or URLs. Manage your email with good spam filtering, and regularly check in with employees to assess whether they鈥檝e recently received phishing emails. Continually educate, train, and reinforce your employees鈥� understanding of the dangers of phishing attacks and how to be secure.

You can also recommend that employees limit their social media use at work, including Facebook, Twitter, and LinkedIn. This reduces your attack vectors and helps in securing your employees鈥� information and confidential corporate information.

To secure your employees鈥� identities and thwart attempted phishing attacks, enable local user password resets on the system itself. You can train employees and create a workflow for easy password resets on the system locally, which helps encourage users to properly update passwords and automatically distrust any suspicious password-reset emails.

Beyond educating your employees about and requiring strong passwords, you can enforce multi-factor authentication, keep anti-virus software updated, and use only HTTPS.

System Security Policies:

Locking down your employees鈥� systems is as important as creating strong passwords for their user accounts. A few of the top policies generally recommended to enforce include:

Set lock screen for 120 seconds or less
Disable USB mass storage devices
Disable CD/DVD drive (if applicable)
Disable control panel access/system preferences access
Restrict App Store
Implement strong password policy
Configure system MFA
Disable local guest and administrator accounts
Turn off AutoPlay
Disable sharing
Default users permissions as standard non-admin/non-sudoer accounts
Enforce full disk encryption

If you want to achieve a higher security standard across your systems, you can reference the for your operating system and leverage those policies too.

Multi-Factor Authentication:

Configuring multi-factor authentication (MFA) across IT resources is a good policy because it prompts users during authentication for something they know (password) and something they have (MFA via Duo, TOTP, or other methods). This creates a secondary required authentication method, which helps lock down systems, applications, and other resources and make access more secure.

Enforcing MFA on systems is a great way to ensure users have both their password and MFA app ready before they鈥檙e fully able to log in to secure company resources. You can introduce several layers of security by applying other policies in addition to MFA 鈥� like enforcing full disk encryption 鈥� to ensure your data and user accounts are safe in the event something happens to the system.

Secure Network Authentication:

It鈥檚 highly recommended to move away from using WPA2 shared keys to authenticate to wireless networks. This is a key all users who need to connect to the network share. The passphrase is rarely if ever changed, which leaves the network vulnerable to disgruntled former employees and makes it easier for a bad actor to socially engineer and manipulate their way into getting the shared key from someone in your workforce.

Individualizing secure access to networks can be handled several ways, two of which are common standards: secure LDAP and RADIUS.

RADIUS allows your users to authenticate to the wireless network SSID via their own set of secure credentials. This makes it easier to track and manage who has access to your networks. Secure LDAP is another means of individualizing access, though it鈥檚 more common in VPNs than wireless access points.

Full Disk Encryption:

Data encryption is key to meeting virtually any type of compliance regulation. Full disk encryption (FDE) secures the data on systems at the lower levels. It keeps your data safe and secure when at-rest. If a system is stolen but has FDE enabled, an attacker cannot decrypt the data without the password or recovery key.

Both Windows^庐 and macOS^庐 have methodologies to encrypt the disk with utilities native to their operating systems. Windows鈥� BitLocker and macOS鈥� FileVault are both great tools to enable and leverage in your work environment.

Recovery Keys should be protected and secured as well. Having them on loose paper or spreadsheet on a shared drive are two ways to fail a security audit. Keeping Recovery Keys out of sight and secure can be done in a multitude of different ways, some better than others.

Many security compliances will require you to store your recovery keys in a secure vault. These vaults could be a physical safe or vault, 3rd party application which securely vaults recovery keys, or securely stored in a directory. You should keep these keys as safe as possible as these recovery keys are the only way to decrypt the disk in a recovery or repair scenario.

No Shared Accounts:

Shared accounts can be a security risk, impossible to audit appropriately, and out of compliance. If you鈥檙e currently leveraging shared accounts for any of the resources in your environment, WiFi or otherwise, consider migrating to individual accounts. If you audit your organization and find shared accounts are used widely, you鈥檒l struggle to tell who was accessing resources at any given time.

Secure Application Authentication:

There are thousands of cloud-based applications available on the internet today. Small and medium businesses might be using five to 50 鈥� or more 鈥� of these applications across their departments. In tandem with strong password policies, they should enable secure authentication methods backed by protocols such as SAML 2.0.

If you don鈥檛 have a central directory or access management platform in use, then it’s more than likely each of your users manages their own passwords, which may or may not meet your security compliance requirements. It鈥檚 crucial to centralize access control to these applications to dictate what types of passwords and authentication methods are used, as well as have the ability to suspend access across applications quickly for any reason.

You can also layer MFA on top of single sign-on (SSO) application authentication to increase the security of your cloud applications. We鈥檒l now explain how to put 探花大神 to work to manage remote workers as easily and securely as possible and put these guidelines into practice.

How does 探花大神 help me meet security requirements while allowing employees to work remotely?

探花大神’s cloud directory platform allows you to manage your company鈥檚 identities, resources, and systems via an easy-to-use Admin Portal via your favorite web browser. The above diagram outlines the different resources you can connect to 探花大神鈥檚 core directory.

This guide will help cover the following topics to ensure your 探花大神 organization follows some of the basic best practices for enforcing security while working remotely:

Building the Core Directory
- Setting secure password policies
- Utilizing user and system groups
Configuring Directory Integrations
Enabling Multi-Factor Authentication
System Management & Policy Enforcement
- Change passwords on system
- 探花大神 policies
- Full disk encryption
- 探花大神 commands
- Managing applications with 探花大神 & Chocolatey or AutoPKG
SAML 2.0 Application Authentication
Network Authentication
- RADIUS
- Secure LDAP

Building 探花大神鈥檚 Core Directory

Users are the core of any directory. With 探花大神, you can ensure users have access only to the specific resources they need, and are blocked from ones they shouldn鈥檛, and follow strict password complexity policies. With 探花大神, you can also create user groups that allow you to control which users have access to specific applications, systems, file servers, and networks.

Setting Strong Password Policies in 探花大神

It鈥檚 a best practice to configure your 探花大神 organization’s password complexity settings before getting started with creating or importing your users. By creating strong password policies up front, your new 探花大神 users will have to abide by those policies on day one. This way, users only need to set their password once to meet your requirements, and this password will then become their password for all other interconnected 探花大神 resources, systems, and applications.

探花大神 gives you the ability to configure password policies as you see fit under the Org Settings tab on the left side of the Admin Portal.

Password settings and Policies are under the User Accounts section within the Custom Password Settings dropdown. Here, you can set the minimum character limit, types of characters required, maximum number of failed login attempts, length of password history, and more.

Creating 探花大神 User & System Groups

探花大神 User Group Recommendations

User Groups in 探花大神 give you the control as an administrator to configure which users have access to which resources in your 探花大神 organization. is simple and quick within the 探花大神 Admin Portal. To begin, navigate to the Groups tab in the left menu.

Whether the group is based on department, location, or application need, you can create user groups with a few clicks. If you鈥檙e just starting out with 探花大神, there are no pre-created groups, which gives you the flexibility to create custom groups specific to your organization.

Generally, you鈥檒l want to create an 鈥淓veryone鈥� or 鈥淎ll Employees鈥� group. This group will make it easier to the entire company would require, such as the corporate HR application, chat solution, and conferencing application.

User groups can also be bound to RADIUS networks, whether they鈥檙e VPNs or WiFi access points. This helps secure your WiFi and the remote worker鈥檚 connection with a VPN, which you may already have implemented. Another example group might be 鈥淩emote Employees,鈥� to give them access to the secure VPN to use when they work with non-secure or public internet access.

Tip: You don鈥檛 need a VPN to use 探花大神. However, if you have a large user base who travels abroad and might need to use caf茅 or other public WiFi networks, then a VPN would be recommended for an extra layer of security.

Leverage Office 365 or G Suite? Using the Directories tab, you can easily sync your 探花大神 user groups with your O365/G Suite directory to consolidate users鈥� passwords, control user IAM, and provision new users to their target directories.

探花大神 System Group Recommendations

System Groups in 探花大神 are primarily used for two purposes: User Group access on multiple systems and enabling security policies on systems bound to the System Group.

, navigate back to the Groups tab on the left side in the 探花大神 Admin Portal.

Generally, it鈥檚 a best practice to organize your systems into different system groups based on operating system, location, or department. You can easily manage User Group access to multiple systems, such as with DevOps team members accessing multiple Linux servers.

Depending on the operating systems your organization uses, you should create System Groups for each OS. If you use System Groups labeled with their correlating OS, you could then apply the correlating on each system group. The group model of managing Policies and systems is much easier than configuring each system individually.

Configuring Directory Syncs in 探花大神

探花大神 has three primary directory integrations: , , and Active Directory. With these directory syncs in place, you can import pre-existing users into 探花大神. You can also provision new users directly in the 探花大神 Admin Portal, where they can then be provisioned in the connected directories via bi-directional syncing.

If you鈥檙e working remotely or from home, you can use 探花大神鈥檚 singular dashboard to easily import, create, revoke, or suspend user accounts. The User鈥檚 workflow is unaffected when logging into Office 365/Azure Active Directory, G Suite, and-or Active Directory. 探花大神 manages the user account and password sync at the API level with these Directories and their connected resources.

Connecting and configuring your current directories in 探花大神 will make it easier for you and your team to manage user accounts remote/abroad.

Enabling Multi-Factor Authentication in 探花大神

If you鈥檙e looking at moving into a more remote or full-time remote work environment, it鈥檚 highly recommended to set multi-factor authentication for all users who are accessing your company resources. MFA increases the security of your company鈥檚 users and resources because it ensures authentication requires not only a password but also a secondary factor.

探花大神 has TOTP MFA built into the platform natively. 探花大神鈥檚 TOTP MFA can be enabled on a connected with 探花大神, and it鈥檚 supported by , such as Google Authenticator, Duo Mobile, Authy, FreeOTP, and more.

You can also enable this secondary layer of security on user or into their 探花大神 portals.

System Management & System Policy Enforcement

One of the greatest benefits of using 探花大神 is the ability for deep system management and control over user access, system policies, and on your remote fleet without the need for RDP, VPNs, or SSH. This is all done through . Users can easily change their password natively within Windows using ctrl-alt-del and macOS users can use the 探花大神 Mac App in their menu bar. If you enable users to change their password with common workflows in the OS, you help dissuade users from clicking any suspicious email that asks them to change their password via the web.

The 探花大神 system agent communicates to 探花大神 through , which ensures all updates, changes, removals, and additions to systems are carried out in a secure method. The agent communicates with 探花大神 in a 60-second cadence, meaning any changes you make to the system, bound users, or Policies are all updated within 60 seconds.

Many current 探花大神 customers leverage the system agent to ensure remote offices, work-from-home employees, and company-owned systems are secure, managed, and following the best practices for security. All system management can be done 100% from the Admin Portal in your favorite web browser.

Need to do something a bit more advanced like custom scripting? Not a problem. 探花大神 also gives admins the ability to write, execute, and schedule custom bash, PowerShell, and command-line commands all from the Admin Portal. These commands could be anything from mapping printers to mounting file shares, or pulling information off a system.

Pairing 探花大神鈥檚 system agent with the premium gives you a much deeper look into the health and status of your systems. You can see installed applications, hardware information, hard disk space, and more for systems 鈥� directly from the Admin Portal. This way, you can take inventory of your systems and resources, as well as troubleshoot as needed.

With a few clicks you can ensure your company鈥檚 employees have access only to the systems they need, enforce security policies across your fleet, run remote commands, enforce system MFA, and more.

Changing Passwords on the System

As 探花大神 manages systems through the lightweight agent, Users are able to change their password through their logged in session within the operating system. By enforcing password changes and reminders inside of the operating system, users will easily adapt to this already standard workflow knowing to change it locally. Whether your users are using or , they鈥檒l be able to change passwords locally.

Mac Password Change

Windows Password Change

Local password changes can help dissuade users from falling for phishing attacks. Users are less likely to be swayed to change their password if it comes through a suspicious email, knowing it鈥檚 changed locally in-system. The ease-of-use and convenience of changing your password locally keeps it easy for the users, but also easier for the admins as reminders, self-serve, and changes can all be done self-serve for the end-users.

探花大神 System Policies

Built to be vendor-agnostic, 探花大神 allows you to for Mac, Windows, and Linux systems remotely. There are many different system Policies you can configure within 探花大神鈥檚 Policy menu. When creating new Policies, we recommend applying them to System Groups, so all associated systems are covered. This can be done within the Policy鈥檚 System Group tab.

To get started enforcing good security practices and locking down systems, we recommend configuring and implementing these beginning policies below that were annotated in the first section of this Admin Guide.

Set lock screen for 120 seconds or less
Disable USB mass storage devices
Disable CD/DVD drive (if applicable)
Disable control panel access/system preferences access
Restrict App Store
Implement strong password policy
Configure system MFA
Disable local guest and administrator accounts
Turn off AutoPlay
Disable sharing
Default users permissions as standard non-admin/non-sudoer accounts
Enforce full disk encryption

You can enforce more policies as needed, which is a great way to ensure your work-from-home users鈥� systems are as secure and locked down as possible. It鈥檚 also recommended users are set to 鈥渟tandard user鈥� when you bind users to systems. You should only give sudo/administrator-level permissions to users who require it, such as developers and administrators.

Enabling Full Disk Encryption on 探花大神 Systems

If you鈥檙e running Mac and/or Windows systems in your 探花大神 organization, you can easily enable full disk encryption via 探花大神 Policies: Create the BitLocker (Windows) or FileVault 2 (macOS) policy within the Policies menu in 探花大神 and apply it to your 探花大神鈥淲indows System鈥� and 鈥淢ac System鈥� groups to fully encrypt the disks.

Once the Policy is applied, the recovery key is securely escrowed into 探花大神 and appended to the system. The recovery key can be viewed through the 鈥淪how Recovery Key鈥� link within the System鈥檚 Details tab. If you already have FileVault 2 or BitLocker enabled before 探花大神, 探花大神 cycles the key and escrows the new key into 探花大神.

This way, you don鈥檛 have to manage any spreadsheets, sticky notes, or other legacy means of managing your recovery keys 鈥� and the whole process can be done 100% remotely and easily through 探花大神鈥檚 Admin Portal while being highly secure.

Full disk encryption enforces strong methods built in natively within Windows 8.1/10 and macOS 10.13.6 or higher. If the system were to be lost or stolen, you have the assurance the data on the disk is safe because of the 探花大神 FDE policies applied to the systems. Only the user or admin can decrypt the volume, and the recovery key is only available to view for 探花大神 admins through the Admin Console.

Generally, if the system travels outside of the office, including in remote work scenarios, it鈥檚 highly recommended to enforce full disk encryption. This way you are implementing security at the lower levels on the disk and the laptop is secure-at-rest. Check out 探花大神鈥檚 guides on full disk encryption for and for more details.

探花大神 Commands

If you鈥檙e looking for more granular control or the ability to run scheduled tasks, 探花大神 gives you the ability to configure for Mac and Linux^庐 (Bash) and Windows (PowerShell or command-line). These commands are remotely executed on either singular or multiple systems, all backed by the 探花大神 agent. To get started, navigate to the Commands tab in the left menu in the 探花大神 Admin Portal.

In a work-from-home or remote work environment, you can pull system or user information on the system using these remote commands. If you leverage , you can do this natively within the Admin Portal.

探花大神 has a , so you can copy and paste example commands. These are basic commands to get you started, but if you鈥檇 like to write your own custom commands or tasks via Bash or PowerShell, you have the possibility to do so, all from the Admin Portal in your favorite browser.

Managing Applications with 探花大神 & Chocolatey or AutoPKG

Although 探花大神 does not function as a system鈥檚 application manager, it can pair with third-party, open-source package managers such as Chocolatey for Windows systems and AutoPKG for macOS systems in your 探花大神 environment. This is done leveraging 探花大神鈥檚 Commands in the Admin Portal.

Managing Applications with Chocolatey with 探花大神 Commands

For Windows systems, using is straightforward and simple. You can install Chocolatey remotely and then begin to provision applications to your users鈥� systems remotely through 探花大神. For example, if you want to install Notepad++ or Chrome, you can use the following two lines in a 探花大神 command once Chocolatey has been installed.

choco install googlechrome -y
choco install notepadplusplus -y

With 探花大神 Commands, you can also call Chocolatey to update Chocolatey-managed applications on a specific schedule, such as everyday at 0500 UTC as shown in the following example.

This allows you and your IT admins to ensure the appropriate applications are installed and available for your remote workers, even though your users might be standard users within Windows. Chocolatey鈥檚 open repository has more than 7,000 applications in their public list, and they continually update what鈥檚 available.

Although 探花大神 doesn鈥檛 natively manage the installed applications on Windows, it acts as the vehicle to pair with Chocolatey鈥檚 package manager to help consolidate your administrative tasks in 探花大神鈥檚 Admin Portal.

Managing Applications with AutoPKG with 探花大神 Commands

For macOS systems, 探花大神 Commands can be paired with AutoPKG to help manage and install applications remotely on the macOS systems in your company鈥檚 fleet.

Once AutoPKG has been installed, you can then create specific 探花大神 Commands which will use AutoPKG to deploy applications across your macOS fleet. To leverage AutoPKG to the fullest, you鈥檒l want to ensure your environment has the appropriate requirements in place. For example, if your repository has the latest version of Firefox, you can install it across your systems using the following AutoPKG recipe:

autopkg install firefox.install

By combining both solutions, 探花大神 and AutoPKG, you can create application installs and updates for your macOS environment without needing your macOS users to have sudo privileges. Although 探花大神 isn’t a full application manager, like with Chocolatey, it acts as the vehicle for AutoPKG to do its magic.

SAML 2.0 Application Authentication with 探花大神

Most companies use a catalog of web applications, such as Slack, Zoom, Salesforce, AWS, GitHub, and more. In most scenarios, you can access these applications from anywhere in the world, as long as you have internet access. 探花大神 was built in the same way of being 100% cloud-based.

探花大神 allows you to configure SAML 2.0 application connectors for SSO to the resources your company uses. There are hundreds of pre-configured connectors for applications in 探花大神鈥檚 catalog, with Just-in-Time provisioning for select apps, as well as a generic connector for applications not already pre-configured.

By leveraging 探花大神 user groups, you can associate specific application access only with the groups that need those applications. As seen in the example below, Group 1 has access to Box, AWS, and Zendesk, but does not have access to Slack, Salesforce, or Atlassian Cloud. Keep in mind, 探花大神 users can be placed in both Group 1 and Group 2 to gain access to both sets of resources, depending on the requirements and use cases.

With this workflow, 探花大神 becomes the identity provider to the SAML application (otherwise known as service provider). 探花大神 users can then access the applications they need through the . This allows access to all of their cloud-based applications using their individual, secure credentials for 探花大神.

You can easily control all your , on SSO Apps, and all from a single pane of glass with 探花大神鈥檚 Admin Portal. With 探花大神, you鈥檒l gain assurance all application access is secure for all employees, even those who are working from home or remote.

Network Authentication with 探花大神

If you鈥檙e currently using either WiFi, firewall, or VPN, you can point your network resources to 探花大神 for authentication. There are two main methodologies when connecting networking hardware to 探花大神: and .

Both of these authentication mechanisms help secure your network, as well as the traffic by your users. Enabling a VPN for remote workers, though not mandatory with 探花大神, is a great way to ensure your employees鈥� traffic is encrypted through your company鈥檚 VPN tunnel.

In this scenario, remote employees launch the VPN client and connect to your company鈥檚 VPN by authenticating using their 探花大神 username and password. The authentication request is then sent to 探花大神 to ensure they have the appropriate credentials and rights to gain access to the VPN.

Again, just like all other modules in 探花大神, you can enable this remotely through the 探花大神 Admin Portal.

Network Authentication via 探花大神鈥檚 RADIUS-as-a-Service

You can also easily work with the networking gear your company is already using by pointing either your VPN or wireless access points to 探花大神鈥檚 RADIUS servers. 探花大神 will then handle all network authentication to the specified network via the RADIUS protocol.

In a work-from-home environment, you can point your VPN to server for authentication. 探花大神鈥檚 RADIUS works with any VPN vendor, as long as the VPN server can be configured to authenticate using the RADIUS protocol. For example, if you鈥檙e using , you can easily direct authentication to 探花大神.

Along with individualizing access for networks, 探花大神 has the ability to configure authentication. Harden your VPN鈥檚 security by requiring both a user鈥檚 strong password and their MFA token during authentication through the VPN client.

Network Authentication via 探花大神鈥檚 Secure LDAP

Another route to take is through . In this methodology, you would point your networking hardware or software to 探花大神鈥檚 secure LDAP servers to handle authentication. This methodology is common among most VPN and firewall vendors.

You鈥檒l have to configure 探花大神鈥檚 LDAP-as-a-Service before configuring your network to point to 探花大神. This methodology is also secure and easy, as we use OpenLDAP RFC-2307 over the secure port of LDAPS/636. This way, any authentication to and from the VPN or firewall is encrypted and secure. is another example of a vendor that can integrate with 探花大神鈥檚 secure LDAP-as-a-Service.

A Secure Domainless Enterprise Directory

Moving into a domainless enterprise or full work-from-home model is secure and efficient with 探花大神’s cloud directory platform. Protect your IT resources and employee identities with an entirely cloud-based solution, backed by secure protocol standards. Enforce security policies and allow users to change passwords on the system to help prevent web-based phishing attempts. Whether a company is five or 5,000 users, 探花大神 allows IT admins to manage their resources from anywhere on the planet from a single pane of glass via the Admin Portal.

You can secure systems with 探花大神鈥檚 lightweight agent, enforce security policies, and ensure good security practices across your system fleet with a few clicks. You can also integrate your current applications, network hardware, and other directories with 探花大神 to consolidate your users鈥� credentials safely. 探花大神 is specifically designed to increase security without sacrificing simplicity.

探花大神 was built to be the first cloud-based directory solution, and we can also assist a migrating company looking to move into a flexible, work-from-home environment. You can and begin testing on your own. If you鈥檙e looking at implementing 探花大神 for an organization with more than 10 users, check out 探花大神鈥檚 various pricing plans and only pay for what you need.

Additional Resources

If you鈥檙e looking for additional reading beyond what鈥檚 included here, we鈥檝e compiled other resources to help ensure you get the most out of your 探花大神 experience and make the transition to remote work as seamless as possible:

探花大神