6 Ways to Reduce the Risk of Open Public WiFi

Posted on October 13, 2016


As network admins, there are several conversations we find ourselves repeating over and over again when it comes to advising our users, such as “don’t click a link in an email unless you are absolutely positive what it is.”  (And even then you should click with complete apprehension).  Another is cautioning users about using public open wireless.  As IT professionals, we naturally envision the many vulnerabilities and risks associated with open WiFi, such as the exposure to packet sniffing and device intrusions.  For users though, it’s a matter of convenience, and convenience is a hard habit to break.  The key is to ensure that the solution to combat open WiFi exposure is just as convenient.  Below are 6 ways to reduce the risk of open public WiFi.

  1. VPN

VPN is the all-inclusive, complete-coverage solution to protect devices in open WiFi environments.  A VPN connection creates an encrypted tunnel that provides a protected data stream between the user’s device and the VPN server that resides within the safe compound of the corporate datacenter.  The key is to offer a VPN connection not as an option, but as a mandated requirement.  VPN connections also offer protection from third-party local proxy servers.

Windows 10 has some great features such as “Always On VPN” which enables an active VPN profile to be implemented automatically based on a triggered action.  The triggered action can be a user sign-on or a network change.  You can also have a VPN profile be triggered by the launching of a specific application such as a web browser or PowerShell session.  For user devices running the Windows 10 mobile OS there is also a VPN LockDown feature which will not allow network connectivity at all if the VPN profile is not connected.

For organizations lacking a VPN infrastructure, a plethora of VPN subscription services are available in the market today.  These subscription services are especially beneficial when traveling abroad, allowing users to connect directly with a designated geographical region in order to obtain an IP address local to that area.

  2. Turn off File Sharing

Network discovery works both ways: it allows a computing device to discover other devices on the network, but it also allows them to locate and observe your device.  Windows 10 lets you manage your network discovery and file sharing settings for each network profile – private, public and domain (when applicable).  By properly configuring these settings, you can ensure that only users in a trusted network can access shared resources.  The screenshot below illustrates this feature.  For users who have a Mac, you can simply disable sharing in the system preferences.

  3. Enable the Local Host Firewall

Many admins don’t like to enable the local host firewall in Windows because it can create a lot of helpdesk tickets when it blocks legitimate traffic.  However, just like the advanced sharing settings, you can enable the local firewall for the public profile only, ensuring that the computer blocks all traffic but the most basic service and application functions.

  4. HTTPS Anywhere

HTTPS Anywhere is a third-party web browser extension that enforces HTTPS traffic for all websites that offer an SSL connection.  Not every website offers this feature, but it is one step to ensure that users are always utilizing the most secure connection possible when accessing websites.  HTTPS Anywhere was originally designed for the Chrome and Firefox browsers, but some versions of Internet Explorer are supported as well.

  5. Two-factor Authentication

Many IT security professionals feel that password-only authentication is antiquated and should be avoided if at all possible.  Two-factor authentication should be enabled whenever possible.  Many cloud services such as Office 365 offer this extra layer of protection from compromised or captured passwords.

  6. Make an Open WiFi Connection a One-Time Event

Sometimes using the local public WiFi is unavoidable for a work-related emergency or last-minute task.  In those cases, make sure that the selection “Connect automatically when in range” is disabled.  This will prevent user devices from reconnecting haphazardly to these exposed networks, as may be the case each time the user walks across the hotel lobby.  For Mac computers, make sure that the “Remember networks this computer has joined” selection is disabled.
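One way to check the setting above across saved Windows profiles, as an added example that is not part of the original post: the script reads profile XML in the layout written by `netsh wlan export profile` and flags networks that are both unencrypted and set to connect automatically. The sample profiles and their names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows WLAN profile XML (netsh wlan export profile).
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
AUTH = "w:MSM/w:security/w:authEncryption/w:"

def _sample(name, mode, auth, enc):
    """Build a constructed profile document (not from a real machine)."""
    return f"""<WLANProfile xmlns="{NS['w']}">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""

SAMPLES = [
    _sample("HotelLobby", "auto", "open", "none"),     # open + auto-connect
    _sample("CoffeeShop", "manual", "open", "none"),   # open, one-time use
    _sample("CorpOffice", "auto", "WPA2PSK", "AES"),   # encrypted network
]

def audit_profile(xml_text):
    """Return name, open/auto flags and a remediation command for one profile."""
    root = ET.fromstring(xml_text)
    name = root.findtext("w:name", default="?", namespaces=NS)
    mode = root.findtext("w:connectionMode", default="unknown", namespaces=NS)
    auth = root.findtext(AUTH + "authentication", default="", namespaces=NS)
    enc = root.findtext(AUTH + "encryption", default="", namespaces=NS)
    # WEP also reports authentication "open", so require encryption "none" too.
    is_open = auth.lower() == "open" and enc.lower() == "none"
    risky = is_open and mode.lower() == "auto"
    fix = (f'netsh wlan set profileparameter name="{name}" connectionmode=manual'
           if risky else None)
    return {"name": name, "open": is_open, "mode": mode, "risky": risky, "fix": fix}

def risky_profiles(xml_docs):
    """Names of open networks the device would rejoin without asking."""
    return [r["name"] for r in map(audit_profile, xml_docs) if r["risky"]]

if __name__ == "__main__":
    for doc in SAMPLES:
        result = audit_profile(doc)
        print(result["name"], "RISKY" if result["risky"] else "ok", result["fix"] or "")
```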

Of course, no list would be complete without the constant mantra of ensuring that all devices are properly patched and updated.  No compilation of measures can ever protect devices from all of the “convenient” things that users may do, but this is a great start.