Malware risks are always present, and malware authors are constantly finding new ways to exploit systems and users. Consider compartmentalizing that risk on your Windows workstations by implementing local firewall rules that prevent workstations from accessing other workstations. This can be achieved by blocking peer-to-peer access between workstations. In virtually all business environments, workstations only need to communicate with servers, not with other workstations.
If workstations are unable to communicate with other workstations, you prevent malware from spreading to multiple workstations while they are connected to your corporate network, whether over a LAN connection or a remote (VPN) connection. The same firewall rules that stop malware spreading between workstations also protect laptops when they are connected to external networks (home, hotels, Wi-Fi hotspots).
To use this method, place all of your workstation-accessible servers on a specific IP subnet or at specific IP addresses within your corporate IP networks. Then create a firewall rule that blocks all access except to the specified subnets or IP address ranges. Workstations must be assigned to IP subnets or IP addresses that are not included in the ranges used by your servers. Any communication outside your server IP address range will be blocked by the local firewall rule configured on every workstation. Further protection can be added by limiting access to the set of TCP/UDP ports the workstations actually need to communicate with your servers. Ideally, firewall rules on both the servers and the workstations should be enabled, so that if either a workstation or a server is compromised, the risk of malware spreading is reduced. For instance, configure your workstations to use only the common TCP/UDP ports required, such as HTTPS, HTTP, DNS, SMB, RDP, Active Directory, SQL, etc.
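As an added illustration, not part of the original article, the following PowerShell applies the workstation-side rules described above with Windows Defender Firewall. The server subnets, workstation subnet, host addresses and port list are constructed placeholders to be replaced with your own.

```powershell
# Added example; not from the original article. All addresses are constructed placeholders:
# servers live in 10.10.0.0/24 and 10.10.1.0/24, workstations in 10.20.0.0/16.
# Run elevated on a test workstation first, then deploy the same settings by GPO.
$ServerNets = @('10.10.0.0/24', '10.10.1.0/24')
$ClientNets = @('10.20.0.0/16')
$Group      = 'Workstation Isolation'

# Windows Defender Firewall has no "block everything except X" rule type, so the
# article's rule is expressed as a deny-by-default profile plus explicit Allow rules.
# Applying it to all three profiles covers LAN, VPN, home and hotspot networks alike.
Set-NetFirewallProfile -Name Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Make the script re-runnable: drop any earlier copy of this rule group.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Explicit Block rules win over Allow rules in Windows Firewall, so blocking the
# workstation ranges outright means no later, broader Allow rule can reopen
# peer-to-peer paths by accident.
foreach ($dir in 'Inbound', 'Outbound') {
    New-NetFirewallRule -DisplayName "Block peer workstations ($dir)" -Group $Group `
        -Direction $dir -Action Block -RemoteAddress $ClientNets -Profile Any
}

# Outbound to servers only, and only on the ports the article lists. The port set is
# a starting point (standard assignments); trim it to what your servers actually use.
$Tcp = @('53', '80', '443', '445', '3389', '1433',          # DNS, web, SMB, RDP, SQL
         '88', '135', '389', '636', '464', '3268', '3269',   # Kerberos, RPC mapper, LDAP(S), GC
         '49152-65535')                                      # RPC dynamic range (AD, WMI)
$Udp = @('53', '88', '123', '389', '464')                    # DNS, Kerberos, NTP, LDAP ping
New-NetFirewallRule -DisplayName 'Allow TCP to servers' -Group $Group -Direction Outbound `
    -Action Allow -Protocol TCP -RemoteAddress $ServerNets -RemotePort $Tcp -Profile Any
New-NetFirewallRule -DisplayName 'Allow UDP to servers' -Group $Group -Direction Outbound `
    -Action Allow -Protocol UDP -RemoteAddress $ServerNets -RemotePort $Udp -Profile Any
# DHCP must work before the client has an address, so it cannot be scoped to $ServerNets.
New-NetFirewallRule -DisplayName 'Allow DHCP client' -Group $Group -Direction Outbound `
    -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67 -Profile Any
# Inbound management (RDP, SMB, WinRM) is permitted from the server ranges only.
New-NetFirewallRule -DisplayName 'Allow management from servers' -Group $Group -Direction Inbound `
    -Action Allow -Protocol TCP -RemoteAddress $ServerNets -LocalPort 3389, 445, 5985 -Profile Any

# Verification: -InformationLevel Quiet returns a Boolean, so a peer workstation
# (placeholder 10.20.0.15) should now be unreachable while a server (10.10.0.5) still answers.
Test-NetConnection -ComputerName 10.20.0.15 -Port 445 -InformationLevel Quiet
Test-NetConnection -ComputerName 10.10.0.5  -Port 445 -InformationLevel Quiet
```

With a deny-by-default outbound profile, Internet-bound traffic (including Office 365) is also blocked until you add Allow rules for it, which is where the published Microsoft 365 address ranges come in.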
To reduce risk further, using a non-Windows machine for file sharing reduces exposure to SMB exploits. Malware targeting the SMB (file share) protocol is usually limited to systems running Windows, so a compromised Windows system is unlikely to be able to spread to a NAS or other non-Windows file share server.
If you are using Microsoft Office 365, Microsoft provides a document listing all of the IP networks and TCP/UDP ports required by each of its services. You can configure your firewall rules to allow only the specific Office 365 services your organization uses, or all Office 365 services. See the following link for the Microsoft Office 365 IP configuration information:
Microsoft 365 URLs and IP address ranges