By: Trend Micro June 27, 2023 Read time: 4 min (1183 words)
Organizations face increasingly sophisticated cyber threats and vulnerabilities in today’s rapidly evolving digital landscape. Traditional security models can no longer protect sensitive data and mitigate risks. This is where Zero Trust comes into play, offering a comprehensive approach to security that can help organizations tackle emerging challenges.
In this article, we will explore how Zero Trust can benefit your organization, focusing on its ability to enhance security, secure supply chains, and align with international regulatory frameworks.
How Zero Trust Helps Your Organization
Zero Trust is designed to seek and eliminate shadow IT and inefficiencies within an organization. This approach can help reduce both operational and capital costs, effectively minimizing enterprise risks. Zero Trust also improves data hygiene by identifying systems with higher-than-average data risks, ensuring a more secure data environment.
Implementing Zero Trust also allows organizations to reduce the risk of brand-impacting security incidents and customer-facing outages. Zero Trust ensures uninterrupted business operations. Moreover, it provides fine-grained control over roaming and data sovereignty, granting organizations greater flexibility and security.
Moreover, Zero Trust enables multiple business functions to utilize a single access method. This consolidation improves security measures while reducing customers’ effort to complete transactions, ultimately enhancing the overall customer experience.
Zero Trust can be leveraged in numerous use cases, addressing different organizational security and risk management needs. Its versatility and adaptability make it a practical approach to securing digital environments effectively.
Secure Supply Chain Assurance: Importance and Zero Trust Applications
Zero Trust is crucial in securing the supply chain, as it helps identify revenue-impacting vulnerability chains within an enterprise. These chains can include business processes, security processes, and supply chains, collectively referred to as the attack surface.
Organizations can proactively identify and break potential kill chains within the supply chain by utilizing Zero Trust principles. Attack Surface Mapping and Cyber Asset Attack Surface Mapping (CAASM) enable the scanning and mitigating of current, potential, and near-miss supply chain attacks, reducing the risk of cascading failures.
Attack Surface Mapping involves identifying and mapping all the possible entry points, weaknesses, and exposure areas in an organization’s network, systems, and applications. It provides a comprehensive view of the organization’s attack surface, including external-facing systems and internal assets and connections.
Cyber Asset Attack Surface Mapping (CAASM) focuses explicitly on the assets within an organization’s supply chain. It examines the digital assets and dependencies in the supply chain ecosystem, including third-party vendors, partners, and interconnected systems. By analyzing the attack surface of the supply chain, organizations can identify potential weaknesses and vulnerabilities that attackers could exploit.
These mapping techniques enable organizations to proactively scan and assess their current security posture, identify potential risks, and prioritize mitigation efforts. Organizations can take appropriate measures to strengthen their defenses, patch vulnerabilities, and implement security controls by understanding the attack surface and potential attack vectors.
Zero Trust Frameworks: DISA NSA vs. NIST
Zero Trust frameworks can vary based on organizational needs and security requirements. The DISA NSA Zero Trust Reference Architecture is suitable for large critical infrastructure entities, while the NIST approach caters to entities in the early stages of their security maturity journey.
The DISA NSA framework provides a comprehensive and adaptable blueprint, focusing on Device Trust, User Trust, Data Trust, and Network Trust. Organizations can establish trust across various infrastructure components by implementing rigorous authentication, authorization, and continuous monitoring. This approach enhances risk management accuracy and reduces infrastructure costs, making it suitable for large critical infrastructure entities.
On the other hand, the NIST approach follows a risk-based strategy, emphasizing continuous monitoring, granular access controls, and dynamic policy enforcement. It promotes a “never trust, always verify” mindset, advocating for robust authentication mechanisms, network segmentation, and encryption. This framework offers flexibility and scalability, making it well-suited for organizations at various stages of their security maturity journey.
To leverage the strengths of both frameworks, organizations can incorporate complementary design elements tailored to their specific needs. Organizations can establish a robust Zero Trust architecture that addresses their unique security requirements by combining the DISA NSA and NIST approaches.
Ultimately, implementing Zero Trust principles provides organizations with a proactive and holistic security approach, reducing the risk of breaches, protecting sensitive data, and ensuring the resilience of their infrastructure. By embracing these frameworks, organizations can strengthen their security posture and effectively combat the ever-evolving cyber threats of today’s digital landscape.
Zero Trust and International Regulatory Frameworks
Zero Trust is a security framework that has gained significant attention and adoption in recent years. It aligns with various international regulatory frameworks, ensuring organizations meet stringent data protection, privacy, and security requirements.
General Data Protection Regulation (GDPR)
Zero Trust principles align closely with the core principles of GDPR, which emphasize the protection of personal data, privacy, and accountability. By implementing Zero Trust measures, organizations establish robust security controls, mitigate the risk of data breaches, and protect personal data. Through solid authentication, access controls, data segmentation, and encryption, Zero Trust helps organizations meet GDPR requirements, ensuring compliance with data protection regulations.
California Consumer Privacy Act (CCPA)
The CCPA highlights the importance of safeguarding consumers’ personal information. Zero Trust principles provide valuable contributions to adequate data protection and privacy practices. With strong authentication mechanisms, data segmentation, and encryption, organizations can enhance their data security measures and meet CCPA obligations. Zero Trust’s emphasis on continuous monitoring and granular access controls ensures that organizations maintain control over the processing and sharing of personal information, thus meeting CCPA compliance requirements.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS establishes rigorous security measures to protect cardholder data. Zero Trust provides a solid foundation for meeting PCI DSS requirements by focusing on secure access controls, continuous monitoring, and encryption. Zero Trust’s “never trust, always verify” principle aligns with the need for stringent authentication mechanisms and restricted access to cardholder data. Organizations can establish a robust security posture by implementing Zero Trust and maintaining compliance with the PCI DSS standards.
Zero Trust principles offer organizations a powerful approach to achieving compliance with international regulatory frameworks. By aligning with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Payment Card Industry Data Security Standard (PCI DSS), Zero Trust enhances data protection, privacy, and security practices. Conclusion
In an era of increasing cyber threats and supply chain vulnerabilities, adopting a Zero Trust approach is essential for organizations aiming to strengthen their security measures and ensure the integrity of their supply chains. By implementing Zero Trust principles, organizations can enhance security, streamline business functions, and align with international regulatory frameworks.
The versatility of Zero Trust frameworks, such as DISA NSA and NIST, allows organizations to tailor their security strategies to their specific needs. Embracing Zero Trust is a proactive step towards safeguarding sensitive data and critical operations and a crucial component of building trust with customers and partners in an ever-evolving digital landscape.
Download our comprehensive report on Zero Trust frameworks and their implementation strategies today. Gain valuable insights, practical guidance, and actionable steps to strengthen security measures. Click here to download the report and stay one step ahead in the ever-evolving digital landscape.
CDNs help keep Microsoft 365 fast and reliable for end users. Cloud services like Microsoft 365 use CDNs to cache static assets closer to the browsers requesting them to speed up downloads and reduce perceived end user latency. The information in this topic will help you learn about Content Delivery Networks (CDNs) and how they’re used by Microsoft 365.
What exactly is a CDN?
A CDN is a geographically distributed network consisting of proxy and file servers in datacenters connected by high-speed backbone networks. CDNs are used to reduce latency and load times for a specified set of files and objects in a web site or service. A CDN may have many thousands of endpoints for optimal servicing of incoming requests from any location.
CDNs are commonly used to provide faster downloads of generic content for a web site or service such as Javascript files, icons and images, and can also provide private access to user content such as files in SharePoint Online document libraries, streaming media files, and custom code.
CDNs are used by most enterprise cloud services. Cloud services like Microsoft 365 have millions of customers downloading a mix of proprietary content (such as emails) and generic content (such as icons) at one time. It’s more efficient to put images everyone uses, like icons, as close to the user’s computer as possible. It isn’t practical for every cloud service to build CDN datacenters that store this generic content in every metropolitan area, or even in every major Internet hub around the world, so some of these CDNs are shared.
How do CDNs make services work faster?
Downloading common objects like site images and icons over and over again can take up network bandwidth that can be better used for downloading important personal content, like email or documents. Because Microsoft 365 uses an architecture that includes CDNs, the icons, scripts, and other generic content can be downloaded from servers closer to client computers, making the downloads faster. This means faster access to your personal content, which is securely stored in Microsoft 365 datacenters.
CDNs help to improve cloud service performance in several ways:
CDNs shift part of the network and file download burden away from the cloud service, freeing up cloud service resources for serving user content and other services by reducing the need to serve requests for static assets.
CDNs are purpose built to provide low-latency file access by implementing high performance networks and file servers, and by leveraging updated network protocols such as HTTP/2 with highly efficient compression and request multiplexing.
CDN networks use many globally distributed endpoints to make content available as close as possible to users.
The Microsoft 365 CDN
The built-in Microsoft 365 Content Delivery Network (CDN) allows Microsoft 365 administrators to provide better performance for their organization’s SharePoint Online pages by caching static assets closer to the browsers requesting them, which helps to speed up downloads and reduce latency. The Microsoft 365 CDN uses the HTTP/2 protocol for improved compression and download speeds.
Note
The Microsoft 365 CDN is only available to tenants in the Production (worldwide) cloud. Tenants in the US Government, China and Germany clouds do not currently support the Microsoft 365 CDN.
The Microsoft 365 CDN is composed of multiple CDNs that allow you to host static assets in multiple locations, or origins, and serve them from global high-speed networks. Depending on the kind of content you want to host in the Microsoft 365 CDN, you can add public origins, private origins or both.
Content in public origins within the Microsoft 365 CDN is accessible anonymously, and can be accessed by anyone who has URLs to hosted assets. Because access to content in public origins is anonymous, you should only use them to cache non-sensitive generic content such as Javascript files, scripts, icons and images. The Microsoft 365 CDN is used by default for downloading generic resource assets like the Microsoft 365 client applications from a public origin.
Private origins within the Microsoft 365 CDN provide private access to user content such as SharePoint Online document libraries, sites and proprietary images. Access to content in private origins is secured with dynamically generated tokens so it can only be accessed by users with permissions to the original document library or storage location. Private origins in the Microsoft 365 CDN can only be used for SharePoint Online content, and you can only access assets through redirection from your SharePoint Online tenant.
The Microsoft 365 CDN service is included as part of your SharePoint Online subscription.
Although not a part of the Microsoft 365 CDN, you can use these CDNs in your Microsoft 365 tenant for access to SharePoint development libraries, custom code and other purposes that fall outside the scope of the Microsoft 365 CDN.
Azure CDN
Note
Beginning in Q3 2020, SharePoint Online will begin caching videos on the Azure CDN to support improved video playback and reliability. Popular videos will be streamed from the CDN endpoint closest to the user. This data will remain within the Microsoft Purview boundary. This is a free service for all tenants and it does not require any customer action to configure.
You can use the Azure CDN to deploy your own CDN instance for hosting custom web parts, libraries and other resource assets, which allows you to apply access keys to your CDN storage and exert greater control over your CDN configuration. Use of the Azure CDN isn’t free, and requires an Azure subscription.
Microsoft’s Ajax CDN is a read-only CDN that offers many popular development libraries including jQuery (and all of its other libraries), ASP.NET Ajax, Bootstrap, Knockout.js, and others.
To include these scripts in your project, simply replace any references to these publicly available libraries with references to the CDN address instead of including it in your project itself. For example, use the following code to link to jQuery:
For more information about how to use the Microsoft Ajax CDN, see Microsoft Ajax CDN.
How does Microsoft 365 use content from a CDN?
Regardless of what CDN you configure for your Microsoft 365 tenant, the basic data retrieval process is the same.
Your client (a browser or Office client application) requests data from Microsoft 365.
Microsoft 365 either returns the data directly to your client or, if the data is part of a set of content hosted by the CDN, redirects your client to the CDN URL.a. If the data is already cached in a public origin, your client downloads the data directly from the nearest CDN location to your client.b. If the data is already cached in a private origin, the CDN service checks your Microsoft 365 user account’s permissions on the origin. If you have permissions, SharePoint Online dynamically generates a custom URL composed of the path to the asset in the CDN and two access tokens, and returns the custom URL to your client. Your client then downloads the data directly from the nearest CDN location to your client using the custom URL.
If the data isn’t cached at the CDN, the CDN node requests the data from Microsoft 365 and then caches the data for time after your client downloads the data.
The CDN figures out the closest datacenter to the user’s browser and, using redirection, downloads the requested data from there. CDN redirection is quick, and can save users a lot of download time.
How should I set up my network so that CDNs work best with Microsoft 365?
Minimizing latency between clients on your network and CDN endpoints is the key consideration for ensuring optimal performance. You can use the best practices outlined in Managing Microsoft 365 endpoints to ensure that your network configuration permits client browsers to access the CDN directly rather than routing CDN traffic through central proxies to avoid introducing unnecessary latency.
Is there a list of all the CDNs that Microsoft 365 uses?
The CDNs in use by Microsoft 365 are always subject to change and in many cases there are multiple CDN partners configured in the event one is unavailable. The primary CDNs used by Microsoft 365 are:
CDN
Company
Usage
Link
Microsoft 365 CDN
Microsoft Azure
Generic assets in public origins, SharePoint user content in private origins
There are many factors involved in measuring specific differences in performance between data downloaded directly from Microsoft 365 and data downloaded from a specific CDN, such as your location relative to your tenant and to the nearest CDN endpoint, the number of assets on a page that are served by the CDN, and transient changes in network latency and bandwidth. However, a simple A/B test can help to show the difference in download time for a specific file.
The following screenshots illustrate the difference in download speed between the native file location in Microsoft 365 and the same file hosted on the Microsoft Ajax Content Delivery Network. These screenshots are from the Network tab in the Internet Explorer 11 developer tools. These screenshots show the latency on the popular library jQuery. To bring up this screen, in Internet Explorer, press F12 and select the Network tab, which is symbolized with a Wi-Fi icon.
This screenshot shows the library uploaded to the master page gallery on the SharePoint Online site itself. The time it took to upload the library is 1.51 seconds.
The second screenshot shows the same file delivered by Microsoft’s CDN. This time the latency is around 496 milliseconds. This is a large improvement and shows that a whole second is shaved off the total time to download the object.
Is my data safe?
We take great care to protect the data that runs your business. Data stored in the Microsoft 365 CDN is encrypted both in transit and at rest, and access to data in the Microsoft 365 SharePoint CDN is secured by Microsoft 365 user permissions and token authorization. Requests for data in the Microsoft 365 SharePoint CDN must be referred (redirected) from your Microsoft 365 tenant or an authorization token won’t be generated.
To ensure that your data remains secure, we recommend that you never store user content or other sensitive data in a public CDN. Because access to data in a public CDN is anonymous, public CDNs should only be used to host generic content such as web script files, icons, images and other non-sensitive assets.
Note
3rd party CDN providers may have privacy and compliance standards that differ from the commitments outlined by the Microsoft 365 Trust Center. Data cached through the CDN service may not conform to the Microsoft Data Processing Terms (DPT), and may be outside of the Microsoft 365 Trust Center compliance boundaries.
For in-depth information about privacy and data protection for Microsoft 365 CDN providers, visit the following:
Learn more about Microsoft 365 privacy and data protection at the Microsoft Trust Center
Learn more about Azure privacy and data protection at the Azure Trust Center
How can I secure my network with all these 3rd party services?
Using an extensive set of partner services allows Microsoft 365 to scale and meet availability requirements and enhance the user experience when using Microsoft 365. The 3rd party services Microsoft 365 leverages include both certificate revocation lists; such as crl.microsoft.com or sa.symcb.com, and CDNs; such as r3.res.outlook.com. Every CDN FQDN generated by Microsoft 365 is a custom FQDN for Microsoft 365. If you’re sent to a FQDN at the request of Microsoft 365, you can be assured that the CDN provider controls the FQDN and the underlying content at that location.
For customers that want to segregate requests destined for a Microsoft 365 datacenter from requests that are destined for a 3rd party, we’ve written up guidance on Managing Microsoft 365 endpoints.
Is there a list of all the FQDNs that leverage CDNs?
The list of FQDNs and how they leverage CDNs change over time. Refer to our published Microsoft 365 URLs and IP address ranges page to get up to date on the latest FQDNs that leverage CDNs.
Can I use my own CDN and cache content on my local network?
We’re continually looking for new ways to support our customers’ needs and are currently exploring the use of caching proxy solutions and other on-premises CDN solutions.
Although it isn’t a part of the Microsoft 365 CDN, you can also use the Azure CDN for hosting custom web parts, libraries and other resource assets, which allows you to apply access keys to your CDN storage and exert greater control over your CDN configuration. Use of the Azure CDN isn’t free, and requires an Azure subscription. For more information on how to configure an Azure CDN instance, see Quickstart: Integrate an Azure storage account with Azure CDN.
I’m using Azure ExpressRoute for Microsoft 365, does that change things?
Azure ExpressRoute for Microsoft 365 provides a dedicated connection to Microsoft 365 infrastructure that is segregated from the public internet. This means that clients will still need to connect over non-ExpressRoute connections to connect to CDNs and other Microsoft infrastructure that isn’t explicitly included in the list of services supported by ExpressRoute. For more information about how to route specific traffic such as requests destined for CDNs, see Implementing ExpressRoute for Microsoft 365.
Can I use CDNs with SharePoint Server on-premises?
Using CDNs only makes sense in a SharePoint Online context and should be avoided with SharePoint Server. This is because all of the advantages around geographic location don’t hold true if the server is located on-premises or geographically close anyway. Additionally, if there’s a network connection to the servers where it’s hosted, then the site may be used without an Internet connection and therefore can’t retrieve the CDN files. Otherwise, you should use a CDN if there’s one available and stable for the library and files you need for your site.
Office 365 requires connectivity to the Internet. The endpoints below should be reachable for customers using Office 365 plans, including Government Community Cloud (GCC).
Start with Managing Office 365 endpoints to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This cadence allows for customers who don’t yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you’re using a script or a network device to access this data, you should go to the Web service directly.
Endpoint data below lists requirements for connectivity from a user’s machine to Office 365. For detail on IP addresses used for network connections from Microsoft into a customer network, sometimes called hybrid or inbound network connections, see Additional endpoints for more information.
The endpoints are grouped into four service areas representing the three primary workloads and a set of common resources. The groups may be used to associate traffic flows with a particular application, however given that features often consume endpoints across multiple workloads, these groups can’t effectively be used to restrict access.
Data columns shown are:
ID: The ID number of the row, also known as an endpoint set. This ID is the same as is returned by the web service for the endpoint set.
Category: Shows whether the endpoint set is categorized as Optimize, Allow, or Default. This column also lists which endpoint sets are required to have network connectivity. For endpoint sets that aren’t required to have network connectivity, we provide notes in this field to indicate what functionality would be missing if the endpoint set is blocked. If you’re excluding an entire service area, the endpoint sets listed as required don’t require connectivity.You can read about these categories and guidance for their management in New Office 365 endpoint categories.
ER: This is Yes if the endpoint set is supported over Azure ExpressRoute with Office 365 route prefixes. The BGP community that includes the route prefixes shown aligns with the service area listed. When ER is No, this means that ExpressRoute is not supported for this endpoint set.Some routes may be advertised in more than one BGP community, making it possible for endpoints within a given IP range to traverse the ER circuit, but still be unsupported. In all cases, the value of a given endpoint set’s ER column should be respected.
Addresses: Lists the FQDNs or wildcard domain names and IP address ranges for the endpoint set. Note that an IP address range is in CIDR format and may include many individual IP addresses in the specified network.
Ports: Lists the TCP or UDP ports that are combined with listed IP addresses to form the network endpoint. You may notice some duplication in IP address ranges where there are different ports listed.
Note
Microsoft has begun a long-term transition to providing services from the cloud.microsoft namespace to simplify the endpoints managed by our customers. If you are following existing guidance for allowing access to required endpoints as listed below, there’s no further action required from you.
Default Optional Notes: Some Office 365 features require endpoints within these domains (including CDNs). Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to these wildcards.
Default Optional Notes: Connection to the speech service is required for Office Dictation features. If connectivity is not allowed, Dictation will be disabled.
No
officespeech.platform.bing.com
TCP: 443
147
Default Required
No
*.office.com, www.microsoft365.com
TCP: 443, 80
152
Default Optional Notes: These endpoints enables the Office Scripts functionality in Office clients available through the Automate tab. This feature can also be disabled through the Office 365 Admin portal.
A TeamViewer company profile allows the ability within the TeamViewer Management Consoleto manage user permissions and access centrally.
Company admins can add existing users to the license and create new TeamViewer accounts. Both will allow users to log into any TeamViewer application and license the device so they may make connections.
Before starting
It is highly recommended to utilize a Master Account for a company profile, which will be the account that manages all licenses and users.
Each company profile must have one TeamViewer Core multi-userlicense activated; this license can be combined with other licenses of the TeamViewer product family (e.g., Assist AR, Remote Management, IoT, etc. ), but cannot be combined with another TeamViewer Core license.
📌Note: If a company admin attempts to activate a second TeamViewer license, they will need to choose between keeping the existing license or replacing it with the new license.
📌Note: In some cases (with older company profiles and an active perpetual license), multiple core TeamViewer licenses may be activated to one company profile. One subscription license may be added to an existing perpetual license for such company profiles.
License management
Through the TeamViewer Management Console, company admins can manage the licensing of their users directly, including:
Assign/un-assign the license to various members of the company profile.
Reserve one or more channels for specific teams or persons via Channel Groups.
💡Hint: To ensure the license on your company profile best matches your use case, we highly recommend reaching out to our TeamViewer licensing experts.You may find local numbers here.
How to create a company profile
To create a company profile, please follow the instructions below:
On the left-hand side, under the Company header, select User management
In the text box provided, enter the desired company name and click Create.
📌Note: The name of a company profile must be unique and cannot be re-used. If another company profile already uses a name, an error will appear, requesting another name be used instead.
Once the company profile is created, User management will load with the user that created the company profile as a company administrator.
How to add a new user
To add a new user, please follow the instructions below:
Under User management, click the icon of a person with a + sign. Click on Add user.
On the General tab, add the user’s name and email address and enter a password for the user and click Add user.
💡Hint: Other settings for the user can be adjusted under Advanced, Licenses, and Permissions.
The user will now appear under the User management tab. An email is sent to the user with instructions on activating their account.
📌Note: If the user does not activate their account via email, they will receive an error that the account has not yet been activated when trying to sign in.
How to add an existing user
Users that already have an existing TeamViewer account can request to join a company profile using a few simple steps:
Under User management, click the icon of a person with a + sign. Select Add existing account.
Once the user opens the link within a browser, they must sign in with their TeamViewer account. Once logged in, they will be prompted to enter the email address of the company administrator. Once completed, they must tick the box I allow to transfer my account and click Join Company.
The company admin will receive a join request via email. The user will appear in user management, where the company admin can approve or decline the addition of the user to the company profile
📌Notes:
Every user that joins a company profile will be informed that the company admin will take over full management of their account, including the ability to connect to and control all their devices. It is recommended never to join a company profile the user does not know or fully trust.
A user can only be part of one company profile.
How to set user permissions
Users of a company profile have multiple options that can be set by the current company admin, including promoting other users to administrator or company administrator. Permissions are set for each user individually. To access user permissions:
In the User management tab, hovering the cursor over the desired user’s account will produce a three-dots menu (⋮) to the far right of the account. Click this menu and select Edit user from the drop-down.
Once in Edit user, select the Permissions tab. Overall permissions for the account can be changed using the drop-down under the Role header.
Four options are available:
Company administrator: Can make changes to company settings, other administrator accounts, and user accounts.
User administrator: Can make changes to other user accountsbut cannot change company settings or company administrator accounts.
Member: Cannot change the company profile or other users.
Customized permissions: The company admin sets permissions for each aspect of the account.
Once the appropriate role is selected, click Save in the window’s upper-left corner.
📌Note: Changes to user permissions are automatic once saved.
How to remove/deactivate/delete users
Along with adding new or existing accounts, company admins can remove, deactivate, or even delete users from the company profile.
📌Note: A current company admin of that license can only remove a TeamViewer account currently connected to a company profile. TeamViewer Customer Support is unable to remove any account from a company profile.
To remove, deactivate or delete an account, please follow the instructions below:
In the User management tab, hovering the cursor over the desired user’s account will produce a three-dots menu (⋮) to the far right of the account. In the drop-down menu that appears are the three options
Select Delete account, Remove user or Deactivate user.
Consequences of deleting an account
When an account is deleted, the account is not only removed from the company profile but deleted from TeamViewer altogether. The user can no longer use the account or access any information associated with it as it no longer exists.
📌Note: When an account is deleted, the email address associated with the account can be re-used to create a new TeamViewer account.
When a TeamViewer account is deleted from a company profile:
Connection reports, custom modules, and TeamViewer/Remote management policies will be transferred to the current company admin.
Web API Tokens for the deleted user are logged out, and their company functionality is removed
License activations are removed from the deleted user’s account
Shared groups from the deleted user’s account are deleted.
Once the company admin checks the box to confirm that this process cannot be undone, the Delete account button becomes available. Once pressed, the account is deleted.
📌Note: Deletion of any TeamViewer account deletion is irreversible. Only a new account can be created after deletion. All user data will be lost.
Remove user
When an account is removed, the account is removed from the company profile and reverted to a free TeamViewer account. The account is reverted to a free account, and the user is still able to log in with the account. All information associated with the account is still accessible.
When an account is removed from a company profile:
Connection reports, custom modules, and TeamViewer /Remote management policies will be transferred to the current company admin.
Contacts in the contact bookare transferred to the current company admin
Web API Tokens for the user’s account are logged out and their company functionality is removed
License activations are removed from the user’s account
📌Note: Groups & devices in the Computers & Contacts of the removed user’s account are not affected. Any groups shared also will remain shared.
Once the company admin checks the box to confirm that this process cannot be undone, the Remove user button becomes available. Once pressed, the account is removed from the company profile and reverted to a free TeamViewer account.
📌Note: Once a user account is removed from the current company profile, it can request to join another company profile.
Deactivate user
When an account is deactivated, the account is reverted to inactive. The deactivated account is still associated with the company profile but cannot be used to log into TeamViewer on a free or licensed device. The account is rendered completely unusable.
📌Note: When an account is deactivated, the email address associated with the account cannot be used to create a new free TeamViewer account.
💡Hint: To view inactivated users within the company profile, select the drop-down menu under User Status and check the box for Inactive. All inactive users will now appear in user management.
How to reactivate inactive users
When Deactivate user is selected, the account disappears from user management. They are, however, still a part of the Company Profile and can be reactivated back to the license instantly at any time.
To view inactivated users within the company profile, select the menu under User Status and check the box for Inactive. All inactive users will now appear in user management.
Once the user is located, hover the cursor over the account. Select the three-dots menu (⋮) to the right of the user’s account and select Activate user
The user’s original permissions status is reverted, and the account can again be used with any TeamViewer device.
Troubleshooting
Below you will find answers to some common issues encountered when interacting with a company profile.
▹User(s) on a company profile show a free license
In some cases, older users on a company profile may appear as ‘free’ users, especially after upgrading or changing a license. The company admin can resolve this:
Click Company administration on the left-hand side:
Select the Licenses tab and locate the license. Hovering the cursor over the license will produce a three-dots menu (⋮). Click the menu and select Assign from the drop-down.
The users who show ‘free’ will appear in Unassigned. Select the desired users and click the Add button at the bottom of the page.
📌Note: Affected users should log out and then back in to see the licensing changes.
▹Your account is already associated with a company
If a user who is already associated with one company profile attempts to join another company profile, the following pop-up will appear:
The user’s account must be removed from the current company profile to resolve this. The steps required vary depending on whether it is their active or expired company profile or if they are associated with a company profile created by another account.
SCENARIO 1: As company administrator of an active company profile
If a user who created a company profile wishes to delete the company profile associated with their account, they will need to perform the following steps:
Remove all other accounts: Before deleting a company profile, the company admin must remove all other accounts. Perform these steps for each user on the company profile
Remove the company admin account: Once all other accounts have been removed, the company admin will remove their account. This will delete the company profile altogether
The user is immediately logged out and can now follow the process to add their account to an existing company profile
SCENARIO 2: As company administrator of an expired company profile
In some cases, the user may have created a company profile on an older license that is no longer used or active. In such cases, the company profile will appear as expired in the Management Console.
In such cases, it is still possible to delete the company profile:
Click Company administration on the left-hand side.
On the General tab, select Delete company.
A pop-up will appear confirming the request to delete the company profile. Check the box at the bottom to validate, and select Delete company.
SCENARIO 3: The account is a member of a company profile
📌Note: Only a company administrator can remove a user from their company profile – not even TeamViewer can remove a user from a company profile, regardless of the request’s origin.
If the user is a member of another company profile, they will need to contact the company admin of that license to request removal.
Once removed, they can then request to join the correct company profile.
You have the possibility to restrict remote access to your device by using the Block and Allowlist feature in the TeamViewer full version and the TeamViewer Host.
You can find the feature easily by clicking in your TeamViewer full version on the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist.
Let´s begin with the difference between a blocklist and an allowlist.
This article applies to all TeamViewer (Classic) users.
What is a Blocklist?
The Blocklist generally lets you prevent certain partners or devices from establishing a connection to your computer. TeamViewer accounts or TeamViewer IDs on the blocklist cannot connect to your computer.
📌Note: You will still be able to set up outgoing TeamViewer sessions with partners on the blocklist.
What is an Allowlist?
If you add TeamViewer accounts to the Allowlist, only these accounts will be able to connect to your computer. The possibility of a connection to your computer through other TeamViewer accounts or TeamViewer IDs will be denied
If you have joined a company profile with your TeamViewer account, you can also place the entire company profile on the Allowlist. Thus only the TeamViewer accounts that are part of the company profile can access this device.
📌Note: To work with a company profile you will need a TeamViewer Premium or Corporate license
How to set up a Blocklist?
If you would like to deny remote access to your device to specific persons or TeamViewer IDs, we recommend setting up a Blocklist.
You can find the feature easily by clicking in your TeamViewer full version on the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist ➜ Click on Configure…
A new window will open. Activate the first option Deny access for the following partners and click on Add
📌Note: If you activate the Also apply for meetings check box, these settings will also be applied to meetings. Contacts from your blocklist are excluded from being able to join your meetings.
After clicking on Add, you can either choose partners saved on your Computers & Contacts list or add TeamViewer IDs/contacts manually to your blocklist.
How to set up an Allowlist?
If you would like to allow only specific TeamViewer accounts or TeamViewer IDs remote access to your device, we recommend setting up an Allowlist.
You can find the feature easily by clicking in your TeamViewer full version on the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist ➜ Click on Configure…
A new window will open. Activate the second option Allow access only for the following partners and click on Add
📌Note: If you activate the Also apply for meetings check box, these settings will also be applied to meetings. Only contacts from your allowlist will then be able to join your meetings.
After clicking on Add, you can either choose partners saved on your Computers & Contacts list, add TeamViewer IDs/contacts manually to your blocklist, or add the whole company you are part of (only visible if you are part of a company profile).
How to delete blocklisted/allowlisted partners?
If you no longer wish to have certain partners block or allowlisted, you can easily remove them from the list.
To do so navigate in your TeamViewer full version to the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist ➜ Click on Configure… and choose whether you would like to remove partners from the Blocklist or from the Allowlist by choosing either Deny access for the following partners (Blocklist) or Allow access only for the following partner (Allowlist). Now click on the partners you would like to remove and finally click Remove ➜ OK
📌Note: You can choose multiple partners at once by pressing CTRG when clicking on the different partners.
This article provides a step-by-step guide to activating Two-factor authentication for connections (also known as TFA for connections).This feature enables you to allow or deny connections via push notifications on a mobile device.
This article applies to all Windows users using TeamViewer (Classic) 15.17 (and newer) and macOS and Linux users in version 15.22 (and newer).
What is Two-factor authentication for connections?
TFA for connections offers an extra layer of protection to desktop computers.
When enabled, connections to that computer need to be approved using a push notification sent to specific mobile devices.
Enabling Two-factor authentication for connections and adding approval devices
Windows and Linux:
1. In the TeamViewer (Classic) application, click the gear icon at the top right menu.
2. Click on the Security tab on the left.
3. You will find the Two-factor authentication for connections section at the bottom.
4. Click on Configure… to open the list of approval devices.
5. To add a new mobile device to receive the push notifications, click Add.
6. You will now see a QR code that needs to be scanned by your mobile device.
Below please find a step-by-step gif for Windows, Linux, and macOS:
Windows
Linux
macOS
7. On the mobile device, download and install the TeamViewer Remote Control app:
8. In the TeamViewer Remote Control app, go to Settings → TFA for connections.
9. You will see a short explanation and the option to open the camera to scan the QR code.
10. Tap on Scan QR code and you will be asked to give the TeamViewer app permission to access the camera.
11. After permission is given, the camera will open. Point the camera at the QR code on the desktop computer (see Step 6 above).
12. The activation will happen automatically, and a success message will be displayed.
13. The new device is now included in the list of approval devices.
14. From now on, any connection to this desktop computer will need to be approved using a push notification.
📌 Note:TFA for connections cannot be remotely disabled if the approval device is not accessible. Due to this, we recommend setting up an additional approval device as a backup.
Removing approval devices
1. Select an approval device from the list and click Remove or the X.
2. You will be asked to confirm the action.
3. By clicking Remove again, the mobile device will be removed from the list of approval devices and won’t receive any further push notifications.
4. If the Approval devices list is empty, Two-factor authentication for connections will be completely disabled.
Below please find a step by step gif for Windows, Linux and macOS:
▹ Windows:
▹ Linux:
▹ macOS:
Remote connections when Two-factor authentication for connections is enabled
TFA for connections does not replace any existing authentication method. When enabled, it adds an extra security layer against unauthorized access.
When connecting to a desktop computer protected by TFA for connections, a push notification will be sent to all of the approval devices.
You can either:
accept/deny the connection request via the system notification:
accept/deny the connection request by tapping the TeamViewer notification. It will lead to you the following screen within the TeamViewer application to accept/deny the connection:
Multiple approval devices
All approval devices in the list will receive a push notification.
The first notification that is answered on any of the devices will be used to allow or deny the connection.
TeamViewer offers the possibility to activate Account Recovery based on the zero-trust principle.
This is a major security enhancement for your TeamViewer account and a unique offering on the market.
This article applies to all users.
What is Zero Knowledge Account Recovery
In cases where you cannot remember your TeamViewer Account credentials, you click on I forgot my password, which triggers an email with a clickable link that leads you to the option of resetting your password.
The regular reset process leads you to a page where you can set a new password for your account.
The Zero Knowledge Account Recovery acts as another layer of security for this process as the reset process requires you to enter the unique 64 characters Zero Knowledge Account Recovery Code for your account to prove your identity. Important to note is that this happens without any intervention and knowledge of the TeamViewer infrastructure.
Activate Zero Knowledge Account Recover
To activate Zero Knowledge Account Recovery please follow the steps below:
2. Click Edit profile under your profile name (upper right corner).
3. Go to Security in the left menu
4. Click the Activate Zero knowledge account recovery button
📌 Note: The password recovery code is a unique 64 characters code that allows you to regain access if you forgot your password. It is absolutely essential that you print/download your recovery code and keep this in a secure place.
⚠ IMPORTANT: Without the recovery code you won’t be able to recover your account. Access to your account will be irreversibly lost. The data is encrypted with the key and you are the only owner of this key. TeamViewer has no access to it.
5. A PopUp window appears sharing the above information. Click on Generate Recovery Code to proceed.
6. The Recovery Code is shown. You have to download or print the code as well as you tick the check box confirming that you acknowledge and understand that if you lose your zero knowledge account recovery code, you won’t be able to recover your password and you will lose access to your account forever
⚠ Do not tick the box unless you understand the meaning.
7. Once you either downloaded or printed the recovery code and ticked the acknowledge box, you can activate the Zero knowledge account recovery by clicking Activate.
Deactivate Zero Knowledge Account Recovery
To deactivate Zero Knowledge Account Recovery please follow the steps below:
2. Click Edit profile under your profile name (upper right corner).
3. Go to Security in the left menu
4. Click the Deactivate Zero knowledge account recovery button
5. A PopUp appears. You have to tick the check box confirming that you acknowledge and understand that if you will be deactivating your zero knowledge account recovery
6. Click Deactivate to deactivate the Zero Knowledge Account recovery for your TeamViewer Account.
Reset your password
To reset your password for your TeamViewer account, please follow the steps below: (More info here: Reset account password)
TeamViewer is designed to connect easily to remote computers without any special firewall configurations being necessary.
This article applies to all users in all licenses.
In the vast majority of cases, TeamViewer will always work if surfing on the internet is possible. TeamViewer makes outbound connections to the internet, which are usually not blocked by firewalls.
However, in some situations, for example in a corporate environment with strict security policies, a firewall might be set up to block all unknown outbound connections, and in this case, you will need to configure the firewall to allow TeamViewer to connect out through it.
TeamViewer ‘s Ports
These are the ports that TeamViewer needs to use.
TCP/UDP Port 5938
TeamViewer prefers to make outbound TCP and UDP connections over port 5938 – this is the primary port it uses, and TeamViewer performs best using this port. Your firewall should allow this at a minimum.
TCP Port 443
If TeamViewer can’t connect over port 5938, it will next try to connect over TCP port 443.
However, our mobile apps running on iOS and Windows Mobile don’t use port 443.
📌Note: port 443 is also used by our custom modules which are created in the Management Console. If you’re deploying a custom module, eg. through Group Policy, then you need to ensure that port 443 is open on the computers to which you’re deploying. Port 443 is also used for a few other things, including TeamViewer (Classic) update checks.
TCP Port 80
If TeamViewer can’t connect over port 5938 or 443, then it will try on TCP port 80. The connection speed over this port is slower and less reliable than ports 5938 or 443, due to the additional overhead it uses, and there is no automatic reconnection if the connection is temporarily lost. For this reason port 80 is only used as a last resort.
Our mobile apps running on Windows Mobile don’t use port 80. However, our iOS and Android apps can use port 80 if necessary.
Windows Mobile
Our mobile apps running on Windows Mobile can only connect out over port 5938. If the TeamViewer app on your mobile device won’t connect and tells you to “check your internet connection”, it’s probably because this port is being blocked by your mobile data provider or your WiFi router/firewall.
Destination IP addresses
The TeamViewer software makes connections to our master servers located around the world. These servers use a number of different IP address ranges, which are also frequently changing. As such, we are unable to provide a list of our server IPs. However, all of our IP addresses have PTR records that resolve to *.teamviewer.com. You can use this to restrict the destination IP addresses that you allow through your firewall or proxy server.
Having said that, from a security point-of-view this should not really be necessary – TeamViewer only ever initiates outgoing data connections through a firewall, so it is sufficient to simply block all incoming connections on your firewall and only allow outgoing connections over port 5938, regardless of the destination IP address.
Your site needs to have a defined structure because, without it, it’ll just be a random collection of pages and blog posts. Your users need this structure to navigate on your site, to click from one page to another. Google also uses the structure of your site to determine what content is important and what is less relevant. This guide tells you everything you need to know about site structure.
Site structure refers to organizing and arranging a website’s pages and content. It defines the information hierarchy within the site and serves as a roadmap for search engine crawlers. A well-structured site facilitates easy navigation, enhances user experience, and helps search engines like Google understand and effectively index the site’s content. This, in turn, can improve the site’s performance by making it easier for users to find and engage with the content. Ultimately, an optimized site structure helps achieve higher rankings, more traffic, and better conversion rates.
Importance for usability
The structure of your website significantly impacts the experience for your visitors (UX). If visitors can’t find the products and information they’re looking for, they’ll not likely become regular visitors or customers. In other words, you should help them navigate your site. A good site structure will help with this.
Navigating should be easy. You need to categorize and link your posts and products so they are easy to find. New visitors should be able to grasp what you’re writing about or selling instantly.
Importance of your site structure for SEO
A solid site structure vastly improves your chances of ranking in search engines. There are three main reasons for this:
a. It helps Google ‘understand’ your site
The way you structure your site will give Google vital clues about where to find the most valuable content on your site. It helps search engines understand what your site is mainly about or what you’re selling. A decent site structure also enables search engines to find and index content quickly. A good structure should, therefore, lead to a higher ranking in Google.
b. It prevents you from competing with yourself
On your site, you might have blog posts that are quite similar. If, for example, you write a lot about SEO, you could have multiple blog posts about site structure, each covering a different aspect. Consequently, Google won’t be able to tell which of these pages is the most important, so you’ll be competing with your content for high rankings. You should let Google know which page you think is most important. You need a good internal linking and taxonomy structure to do this, so all those pages can work for you instead of against you.
c. It deals with changes on your website
The products you sell in your shop will likely evolve. So does the content you’re writing. You probably add new product lines as old stock sells out. Or you write new articles that make old ones redundant. You don’t want Google to show outdated products or deleted blog posts, so you need to deal with these kinds of changes in the structure of your site.
Are you struggling with setting up your site’s structure? Don’t know the best strategy to link from one post to another? Check out our Site structure training, part of the Yoast SEO academy. Access to Yoast SEO academy is included in the price of Yoast SEO Premium. Before you know it, you’ll be able to improve your rankings by creating the best structure for your site!
How to set up the structure of your site
So, how do you construct a solid site structure? First, we’ll look at an ideal site structure and then explain how to achieve this for your site.
What’s an ideal site structure?
Let’s start by looking at an ideal situation: How should you organize your site if you’re starting from scratch? We think a well-organized website looks like a pyramid with several levels:
Homepage
Categories (or sections)
Subcategories (only for larger sites)
Individual pages and posts
The homepage should be at the top. Then, you have some sections or category pages beneath it. You should be able to file your content under one of these categories. You can divide these sections or categories into subcategories if your site is larger. Beneath your categories or subcategories are your pages and posts.
Your homepage
On top of the pyramid is the homepage. Your homepage should act as a navigation hub for your visitors. This means, amongst others, that you should link to your most important pages from your homepage. By doing this:
Your visitors are more likely to end up on the pages you want them to end up on;
You show Google that these pages are important.
Further down this article, we’ll help you determine which pages are essential to your business.
Beware not to link too many pages from your homepage, which will cause clutter. And a cluttered homepage doesn’t guide your visitors anywhere. If you want to optimize your homepage further, you can do many other things. Read our article on homepage SEO to find out what.
Navigation
In addition to having a well-structured homepage, it’s also important to create a clear navigation path on your site. Your site-wide navigation consists of two main elements: the menu and the breadcrumbs.
The menu
First, let’s take a look at the menu. The website menu is the most common aid for navigation on your website, and you want to make the best possible use of it. Visitors use your menu to find things on your website. It helps them understand the structure of your website. That’s why the main categories on your site should all have a place in the menu on your homepage.
Furthermore, putting everything in just one menu is not always necessary. If you have a big site with lots of categories, this may clutter your website and makes your main menu a poor reflection of the rest of your site. Where it makes sense, creating a second menu is perfectly fine.
For instance, eBay has one menu at the top of the page – also called the top bar menu – and, in addition to that, a main menu. This top bar menu links to important pages that aren’t categories in the shop, like pages that relate to the visitor’s account on the site. The main menu reflects the most important product categories on eBay.
Finally, just like on your homepage, you shouldn’t add too many links to your menu. They will become less valuable for your users and search engines if you do.
Adding breadcrumbs to your pages can make your site’s structure even clearer. Breadcrumbs are clickable links, usually at the top of a page or post. Breadcrumbs reflect the structure of your site. They help visitors determine where they are on your site. They improve your site’s user experience and SEO, as you can read in our guide on breadcrumbs.
You can use one of the many breadcrumb plugins for your WordPress site. You can also use our Yoast SEO plugin, as we’ve implemented a breadcrumb functionality in our plugin as well.
Taxonomies
WordPress uses so-called taxonomies to group content; other CMSs have similar systems. The word ‘taxonomy’ is a fancy term for a group of things — website pages, in this case — that have something in common. This is convenient because people looking for more information on the same topic can find similar articles more easily. You can group content in different ways. The default taxonomies in WordPress are categories and tags.
Categories
You should divide your site’s blog posts or products into several categories. If these categories grow too big, you should divide these categories into subcategories to clear things up again. For example, if you have a clothing store and sell shoes, you can divide this category into subcategories: ‘boots’, ‘heels’, and ‘flats’. These subcategories contain products, in this case, shoes, of that specific type.
Adding this hierarchy and categorizing your pages helps your user and Google make sense of every page you write. Add your main categories to your site’s menu when implementing your category structure.
Your site’s structure will also benefit from adding tags. The difference between a category and a tag mostly concerns structure. Categories are hierarchical: you can have subcategories and even sub-subcategories. Tags, however, don’t have that hierarchy. Tags say: “Hey, this article or product has a certain property that might interest a visitor.” Think of it like this: categories are the table of contents of your website, and tags are the index. A tag for the online clothing store mentioned above could be a brand, for instance, Timberlands.
Try not to create too many tags. You’re not structuring anything if you add a new unique tag to every post or article. Ensure each tag is used at least twice, and your tags group articles that genuinely belong together.
Some WordPress themes display tags with each post, but some don’t. Ensure your tags are available to visitors somewhere, preferably at the bottom of your article or in the sidebar. Google isn’t the only one that likes tags: they are useful for visitors wanting to read more about the same topic.
Site structure is all about grouping and linking the content on your site. Until now, we mostly discussed so-called classifying links: links on your homepage, navigation, and taxonomies. On the other hand, contextual links are internal links within the copy on your pages that refer to other pages within your site. For a link to be contextual, the page you link to should be relevant for someone reading the current page. If you look at the previous paragraph, for instance, we link to a post about tagging, so people can learn more about it if they’re interested.
Your most important pages are often very relevant to mention on several pages across your site, so you’ll link to them most often. Just remember that not only the page you’re linking to is relevant, the context of the link is important as well.
Google uses the context of your links to gather information about the page you’re linking to. It always uses the anchor text (or link text) to understand what the page you’re linking to is about. But the anchor text isn’t the only thing Google looks at. Nowadays, it also considers the content around the link to gather extra information. Google is becoming better at recognizing related words and concepts. Adding links from a meaningful context allows Google to value and rank your pages properly. Yoast SEO Premium makes internal linking a breeze by automatically suggesting relevant content from your site to link to.
Contextual linking for blogs
For blogs, you should write extensively on the topics you want to rank for. You should write some main articles — your cornerstone articles — and write various posts about subtopics of that topic. Then link from these related posts to your cornerstone articles and from the cornerstone articles back to related posts. In this way, you’ll ensure that your most important pages have both the most and most relevant links.
The following metaphor might help you understand this principle:
Imagine you’re looking at a map of a state or country. You’ll probably see many small towns and some bigger cities. All towns and cities will be interconnected somehow. You’ll notice that small towns often have roads leading to the big cities. Those cities are your cornerstones, receiving the most links. The small towns are your posts on more specific topics. Some roads (links) lead to these smaller towns, but not as much as the big cities.
Contextual internal linking works differently on an online store with very few to no pages that are exclusively meant to inform. You don’t explore a specific topic on your product pages: you’re selling a product. Therefore, on product pages, you mostly want to keep people on a page and convince them to buy the product. Consequently, contextual linking is far less prominent in this context. You generally shouldn’t add contextual links to your product descriptions because it could lead to people clicking away from the page.
There are just a couple of meaningful ways of adding contextual links to the product pages for your ecommerce SEO:
link from a product bundle page to the individual products
a ‘related items’ or ‘compare with similar items’ section
a ‘customers also bought’ section
a ‘product bundles’ or ‘frequently bought together’ section.
Landing pages are the pages you want your audience to find when they search for specific keywords you’ve optimized for. For instance, we want people who search for ‘free SEO training’ to end up on the page about our free training called ‘SEO for beginners’. You need to approach the content of your most important landing pages differently than your regular pages.
Here, we’ll discuss two types of landing pages: cornerstone pages and product landing pages. They’re both pages you’d like people to land on from the search engines, but they require quite a different approach. But first, we’ll shortly go into search intent because you have to know what your audience is really looking for.
Search intent
When setting up your site structure, you must consider search intent. It’s about what you think people are looking for when they enter a query into a search engine. What do people want to find? And: what do they expect to find?
Consider different possibilities in search intent, as you might want to cater to different types on your site. Are people just looking for an answer to a question or a definition? Are they comparing products before purchase? Or are they intending to buy something right away? This is often reflected in the type of query they make. You can also use Google’s search results to create great content that fits someone’s needs.
When you have an idea of the search intent, ensuring your landing page fits your audience’s search intent is essential. Pages can answer multiple search intents, but you need a clear view of at least your most important pages.
Cornerstone articles are the most important informational articles on your website. Their focus is to provide the best and most complete information on a particular topic; their main goal is not to sell products.
Because of this focus, we usually think of blogs when discussing cornerstone content. Of course, that doesn’t mean it can only be a blog post. All different kinds of websites have cornerstone articles! Rule of thumb: if an article brings everything you know about a broad topic together, it’s a cornerstone content article.
Product landing pages significantly differ from cornerstone articles. The latter are lengthy, whereas product landing pages shouldn’t be that long. Rather than complete articles, they should be focused. These pages only need to show what your visitors need to know to be convinced. They don’t need to hold all the information.
You want to rank with these pages, meaning they need content. Enough content for Google to understand what the page is about and what keyword it should rank for. Where cornerstone articles could be made up of thousands of words, a couple of hundred could be enough for product landing pages. The main focus of the content should be on your products.
Structuring or restructuring your content doesn’t always have high priority in everything you have to do. Especially when you blog a lot or add other content regularly, it might feel like a chore. Although it isn’t always fun, you must do it, or your website might become messy. To prevent that from happening, you need to fix your site structure and keep an eye on it while adding new content. Site structure should be part of your long-term SEO strategy.
Evaluate your menu
When your business goal or website changes, your menu must also change. Planning things visually will pay off when you start thinking about restructuring your site. Make a flowchart.
Start with your new menu one or two levels deep and see if you can fit in more pages you have created over the years. You’ll find that some pages are still valid but don’t seem relevant to your menu anymore. No problem, just be sure to link to them on related pages and in your sitemaps so that Google and your visitors can still find these pages. The flowchart will also show you any gaps in the site structure.
Creating an overview of your categories, subcategories, and products or posts will also help you to rethink your site’s taxonomy. This could be a simple spreadsheet, but you can use more visual tools like LucidChart or MindNode.
Do your product categories and subcategories provide a logical overview of your product range or your posts and pages? Perhaps you’ve noticed somewhere down the line that one category has been far more successful than others, or you wrote many blog posts on one subject and very few on others.
If one category grows much larger than others, your site’s pyramid could be thrown off balance. Think about splitting this category into different categories. But, if some product lines end up much smaller than others, you might want to merge them. Don’t forget to redirect the ones you delete.
If you have built your HTML sitemap manually, update that sitemap after changing your site structure. In the far more likely event you have an XML sitemap, re-submit it to Google Search Console.
You might be able to update and republish some outdated articles to make them relevant again. If an article is outdated, but no one reads it anyway, you might delete it. This could clean up your site nicely.
What you should know, in that case, is that you should never delete a page or article without thinking. If Google cannot find the page, it serves your user a 404 error page. Both the search engine and your visitor will see this error message saying the page doesn’t exist, and that is a bad experience and, thus, bad for your SEO.
Be smart about this! You need to redirect the URL of the page you’re deleting properly so your user (and Google) lands on a different page that is relevant to them. That could even improve your SEO!
Got some old content to clean up on your site? Sort out hidden pages and dead ends in four easy steps with our orphaned content SEO workout, available in Yoast SEO Premium.
Avoid keyword cannibalization
Your website is about a specific topic, which could be quite broad or rather specific. While adding content, you should be aware of keyword cannibalization. If you optimize your articles for keywords that are all too similar, you’ll be devouring your chances of ranking in Google. If you optimize different articles for similar key terms, you’ll be competing with yourself, making both pages rank lower.
You’ll have some work to do if you suffer from keyword cannibalization. In short, you should research the performance of your content and probably merge and redirect some of it. When merging posts, we recommend creating a new draft by cloning one of the original posts with the free Yoast Duplicate Post plugin. This allows you to work on your merged post without making these changes to a live post. Read the guide by Joost to learn more about keyword cannibalization and how to fix it.
Internal linking with Yoast SEO
Feeling a bit overwhelmed by all this advice? Yoast SEO has some handy tools to make internal linking so much easier.
Yoast SEO’s text link counter visualizes your links so you can optimize them. It shows the internal links in a post and the internal links to a post. This tool can enhance your site structure by improving the links between your related posts. Make sure your cornerstones get the most (relevant) links! You can identify your cornerstones by finding them in the column with the pyramid icon.
Yoast SEO Premium helps you with your internal linking as well. Our internal linking suggestions tool will show you which articles are related to the one you’re writing, so you can easily link to them: just by dragging the link into your editor!
Moreover, our tool allows you to indicate which articles you consider cornerstone content on your site. Those articles will be shown at the top of the internal linking suggestions. You’ll never forget to link to them again.
As we have seen, there are several reasons why site structure is important. A good site structure helps both your visitors and Google navigate your site. It makes it easier to implement changes and prevents competing with your content. So use the tips and pointers in this guide to check and improve your site structure. That way, you’ll stay on top and keep your website from growing out of control!
Want to improve your site structure but don’t know where to start? Get Yoast SEO Premium and get loads of helpful tools and guidance, including free access to Yoast SEO Academy, our Site structure training, and our SEO workouts!
Marieke was head of strategy and former CEO at Yoast. After the sale of Yoast to Newfold Digital in 2021 she is no longer active at Yoast in 2023. Marieke, together with her husband Joost, actively invests in and advises several startups through their company Emilia Capital.
In SEO, there are on-page factors and off-page factors. On-page SEO factors are aspects of your website that you can optimize for better search rankings. It’s about improving things like your technical set-up, your content, and how user-friendly your site is. In this post, we’ll explain all about on-page SEO and how it differs from off-page SEO, and we’ll talk about some on-page optimizations that can help you to rank better.
On-page and off-page SEO: what’s the difference?
Every SEO strategy is focused on ranking as high as possible in the search engines. To do this, we all try to design and develop a website that Google’s algorithm — and people! — will love. That’s basically what SEO is about. The factors in Google’s algorithm can be divided into two categories that will determine the ranking of your website: on-page factors and off-page factors.
On-page SEO factors all have to do with elements on your website. For instance, things you work on to improve your E-E-A-T also fall in this category. Some of the most important on-page SEO factors are:
Your site set-up and technical features, site speed in particular
The quality of your content and use of keywords
How do you use additional media, such as images and videos
Your site structure and internal linking
Structured data and search appearance
Your URL structure
User experience
Meanwhile, off-page SEO looks at what happens away from your website. Some off-page SEO factors include:
Relevant links from other websites leading to your site
Social media activity
Business and map listings
External marketing activities
Pro tip: Find out more about on-page SEO with our front-end SEO inspector! You can use the front-end inspector tool in Yoast SEO Premium to explore the SEO data, metadata and schema output for pages on your site. It’s a great way to get to grips with your on-page SEO.
Importance of on-page SEO
On-page SEO consists of all the elements of SEO that you have control over. If you own a website, you can control the technical issues and the quality of your content. We believe you should be able to tackle all of these factors as they’re in your own hands. Remember: if you create an excellent website, it will start ranking.
Focusing on on-page SEO will also increase the chance that your off-page SEO strategy will be successful. Link building with a crappy site is very tough. Nobody wants to link to poorly written articles or sites that don’t work correctly.
How to optimize on-page SEO factors
1. Make sure search engines can crawl and index your site
If you’re unfamiliar with crawlability and indexing, here’s a quick explanation of what it is and what it has to do with Google. To show your page in the search results, Google must first know about that page. It has to be indexed by Google, meaning that this page has been stored in their index. And for that to be possible, you must ensure you’re not blocking Google from indexing your post or your whole site. So check if you’re not unintentionally doing that (we still see this happening!), and ensure your site is indexed.
Although this isn’t technically a ranking factor, getting your site into the search results requires it, so we thought it should be included here.
2. Invest time in creating quality content based on solid keyword research
Why do you think people visit your site? Most likely because it contains the information they’re looking for. Therefore it’s essential to write excellent content that corresponds with their needs. Search engines like Google also read your text. Which site ranks highest for a specific search term is primarily based on a website’s content. That’s why your content should be informative, easy to read, and focused on the right keywords that your audience uses.
Aside from creating quality content, you must remove or remedy low-quality pages. So-called thin content can harm your SEO. Take time to find these pages and do something with them occasionally to keep your content in good shape.
A significant on-page ranking factor is site speed. Users don’t want to wait for pages to load, so Google tends to rank fast-loading sites higher. If you’re unsure how fast (or slow) your site is, check out your Core Web Vital scores using the report in Google Search Console. This helpful tool will point out areas where your site speed can be improved so you know what to work on.
If you’re tech-savvy, you can probably handle this on your own. If you’re unsure where to start, our Technical SEO training can help you.
4. Get your site structure and internal linking right
A good site structure helps Google (and users) understand your site and navigate your content. And when it comes to making that site structure, internal linking is the way to do it. Firstly, you must channel many internal links to your most important content. We call those pages cornerstone content. Secondly, you should tidy up pages that aren’t getting many (if any) internal links. Those pages are what we refer to as orphaned content. It would be best if you decided whether to improve those pages and add more internal links pointing to them or remove them altogether.
Yoast SEO Premium has two SEO workouts to help you improve your site structure and internal linking. Using the workouts can help you to make big improvements quickly, so give them a go!
5. Optimize your use of images and videos
You’ll want to include images on your site to make it attractive, and maybe some videos too. Doing that wrong can harm your SEO, but doing it correctly comes with some SEO benefits.
High-quality images are usually large files that can slow your site down, and that’s a problem. Using smaller image files and giving them descriptive names, captions, and alt tags will favor your SEO. Plus, there are additional benefits. For one, you’ll make your site more accessible, so it’s helpful for a wider audience. And for another thing, you’ll have a chance of your images ranking in the Google Image search results. Read more about these topics in our posts about image SEO and alt tags.
Adding videos to your site is a bit more complicated than images. And ranking your videos on Google (or YouTube) comes with its own set of challenges. We’ve got a great series of posts all about video SEO, if you’d like to learn more about optimizing in this area. There’s also a dedicated Yoast Video SEO plugin, if you’re serious about getting your videos ranking.
6. Create a persuasive search appearance
How your site looks in the search results is vital for SEO. While the search results aren’t part of your site, the things you do to optimize your search appearance are. Therefore, we consider SEO titles, meta descriptions, and structured data part of on-page SEO.
Optimizing the text for your search snippets is fairly straightforward. Adding structured data can be trickier. Good to know: Yoast SEO can help with all these tasks. With checks and previews to help you, getting your SEO titles and meta descriptions right couldn’t be easier. And when it comes to structured data, Yoast does all the hard work for you — all you need to do is select the content type and fill in the blanks.
7. Make your URLs SEO-friendly
A well-crafted URL structure helps your on-page SEO — it’s like giving your web pages a good road map. Think of it as a friendly address that guides search engines and invites users to explore your content. Creating SEO-friendly URLs makes it easier for humans and search engines to understand what your page is all about. Opt for concise and descriptive URLs that include relevant keywords, as they provide a clear signpost. A clean and organized URL structure enhances navigation, making it easier for everyone to understand your website. Don’t forget to keep it short and readable.
8. Design an excellent user experience
The last thing we want to mention is user experience. Simply put, users need to understand your website easily. They should be able to find what they want in a heartbeat. They should know where to click and how to navigate through your site. And your site should be fast! A beautifully designed website is nice, but you should make it your top priority to create a user-friendly website first.
If you want to learn more about combining SEO and UX to get more people to your site, we’d advise you to look at our other articles on user experience. Or check out our all-around SEO training course.
To conclude
We’ve talked about the most important on-page SEO factors. First, ensure that your website works correctly and that your technical SEO is up to par. Secondly, create content that is user-centered and focused on the right keywords. Thirdly, work on the usability and speed of your site to help users and search engines around your website.
As these factors are all a part of your site, you can work on them to ensure your on-page SEO is top-notch! That being said, do remember to also work on your off-page SEO. Although you may not have total control over these factors, you can still put some effort into creating that exposure on other sites too!