How do I keep control?
Secure mobile collaboration
Ferjan Ormeling, Mobile Solution [email protected] B.V.
Agenda
1. Microsoft & Mobility
2. Why security?
3. Exchange Server
4. System Center Mobile Device Manager 2008
5. Summary
Microsoft & Mobility
Why mobile? The fastest-growing segment!
[Chart: year-on-year shipping growth (%), CAGR 2006-2010. Source: Gartner Dataquest and IDC 2006]
- Converged mobile phones: 34.1%
- Mobile PCs: 18.6%
- Mobile phones: 5.8%
- Desktop PCs: 3.9%
Microsoft's vision on Mobility
[Diagram: managed PCs, unmanaged PCs (home PC, kiosk, etc.) and mobile and traditional devices connect wired or wireless over the Internet, pass a firewall and access control, and reach team workspaces, web and video conferencing, documents and files, calendaring, instant messaging, identity and presence, LOB applications and intranet web applications]
Microsoft's Mobile Value Proposition
[Diagram: productivity, reliability, cost, business value, re-use of knowledge, easy to manage/support, scalable, secure, device choice, easy to use, enabling lifestyle]
Demo
Windows Mobile is all about choice!
Why security?
Ferjan's top 5 most frequently asked questions:
1. How do I 'provision' the mobile device?
2. How can I disable programs or hardware?
3. How do I secure the data stored on the mobile device?
4. How do I get software onto the mobile device?
5. What about viruses?
Exchange Server
Exchange and Mobility
[Timeline: mobile functionality over time]
- Exchange 2003 SP2: DirectPush introduced; policy enforcement (7 policies); remote/local device wipe
- Exchange 2007: 9 new policies; self-service via OWA; SharePoint and file access
- Exchange 2007 SP1: 30 new policies; encryption; hardware control; software control
- Built-in: no special server or services required
- Rich access for the many, not the few
- Anywhere Access: Outlook experience from desktop to mobile devices
Architecture Overview
[Diagram: devices connect over the Internet via Direct Push to the messaging infrastructure using Exchange ActiveSync (EAS) over SSL on port 443]
Securing the Servers
- Restricting access
  – Inbound port 443 (SSL) to the Client Access Server
  – Works with existing firewalls and Microsoft's ISA Server
- Data inspection
  – All communication can be inspected and filtered
- Complete Exchange Security Hardening Guide available from Microsoft
  – Exchange 2003: http://technet.microsoft.com/en-us/library/aa996732.aspx
  – Exchange 2007: http://technet.microsoft.com/en-us/library/bb691338.aspx
Securing the Communication
- Secure Sockets Layer
  – Standard for securing communications over the Internet (e.g. online banking/shopping)
  – Encryption: RC4, 3DES, AES*
  – Authentication: password or certificate authentication; RSA SecurID support
- ~80% of Exchange customers have this in place today for OWA
* Requires Windows Server 2008
Securing the devices
- Policy enforcement
- PIN password
- Local and remote device wipe
- Encryption
- Application control
- Hardware control
Policies - General
- Targeting users with policies
  – Exchange 2003 SP2
    • One policy that applies to all users
    • Users can be exempted from policy (no policy applied)
  – Exchange 2007 & SP1
    • Multiple policies supported
    • Targeting based upon user/group membership
    • Exchange 2007 SP1 adds a default policy
- Allow/Deny non-provisionable devices
  – Which devices are allowed to connect
- Refresh interval (hours)
  – How often the policy is refreshed on the device
Password Policies
- Require device password
- Minimum password length
- Require alphanumeric password
- Inactivity timeout (in minutes)
- Number of failed attempts allowed
Security: Device Data Encryption
- All device and storage encryption utilizes AES encryption
- Require encryption on the storage card
  – Requirements: Exchange 2007 RTM and Windows Mobile 6
  – Ensures that any data written to the storage card is encrypted
- Require encryption on the device
  – Requirements: Exchange 2007 SP1 and Windows Mobile 6.1
Sync Settings (Exchange 2007 & 2007 SP1)
- Allow sync when roaming
  • This setting allows administrators to disable DirectPush while the device is roaming; the user must then sync manually.
- Allow attachments to be downloaded to the device
- Maximum attachment size
- Allow HTML formatted email
Sync Settings (Exchange 2007 SP1)
- Include past calendar items
- Include past email items
- Limit email size to
  – Define the maximum size of email sent to the device by default (the user can still request the full message)
- Allow HTML formatted email
Mobile Policies in SP1 (Exchange 2007 SP1)
- Allow removable storage
- Allow camera
- Allow Wi-Fi
- Allow infrared
- Allow internet sharing
- Allow Remote Desktop
- Allow Desktop Sync
- Allow Bluetooth
  – All or headset profile only
- Allow browser
- Allow consumer mail
- Allow unsigned apps
- Allow unsigned installation packages
- Allowed applications
- Blocked applications
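The password, encryption, sync and hardware-control policies listed above are set on an Exchange 2007 SP1 server through the Exchange Management Shell. The script below is an added example, not part of the presentation: it builds one ActiveSync mailbox policy, assigns it to a group of users, and checks which ActiveSync-enabled mailboxes still have no policy. The policy name "Field-Sales-Policy", the group "Field Sales" and the chosen values are illustrative.

```powershell
# Added example (not from the presentation). Assumes the Exchange Management
# Shell on Exchange 2007 SP1; policy name, group name and values are illustrative.

# 1. Password policy: require an alphanumeric device password of at least 6
#    characters, lock after 15 minutes idle, wipe after 10 failed attempts,
#    refuse devices that cannot enforce the policy, refresh the policy daily.
New-ActiveSyncMailboxPolicy -Name "Field-Sales-Policy" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -AllowNonProvisionableDevices $false `
    -DevicePolicyRefreshInterval 24:00:00

# 2. Encryption (storage card needs Windows Mobile 6, device encryption needs
#    Windows Mobile 6.1) plus the SP1 hardware and software controls.
Set-ActiveSyncMailboxPolicy -Identity "Field-Sales-Policy" `
    -RequireStorageCardEncryption $true `
    -RequireDeviceEncryption $true `
    -AllowCamera $false `
    -AllowWiFi $false `
    -AllowBluetooth HandsfreeOnly `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false `
    -AllowConsumerEmail $false `
    -AttachmentsEnabled $true `
    -MaxAttachmentSize 2MB

# 3. Target the policy at one group (Exchange 2007 per-user/group targeting).
Get-DistributionGroupMember -Identity "Field Sales" |
    Get-CASMailbox |
    Set-CASMailbox -ActiveSyncMailboxPolicy "Field-Sales-Policy"

# 4. Verify the effective settings and find ActiveSync-enabled mailboxes that
#    still have no policy (the gap a "no policy applied" exemption leaves open).
Get-ActiveSyncMailboxPolicy -Identity "Field-Sales-Policy" |
    Format-List *Password*, *Encryption*, Allow*, MaxAttachmentSize

Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy
```

On Exchange 2007 RTM the -RequireDeviceEncryption and hardware-control parameters do not exist; they are SP1 additions, matching the slide.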
Manageability: Self Service
[Demo diagram: end user experience, user "John" connecting to Litware Inc.'s Exchange Server]
System Center Mobile Device Manager 2008
MDM helps to…
- Safeguard corporate data from unauthorized access.
- Reduce the cost and complexity of mobile deployments.
- Maintain persistent and enhanced security for connectivity.
- Simplify device management.
What IT pains does MDM solve?
How to:
- Manage mobile devices like PCs on the corporate network
- Manage policies and software distribution to multiple groups of users
- Provision mobile devices without physically touching them
- Allow more secure connectivity with single-point network access control
- Allow specific business units individual control over the devices in their business unit
MDM enables Windows Mobile 6.1 devices to be deployed and managed like PCs and laptops in the IT infrastructure, providing them network access to corporate data and making them first-class citizens on the corporate network.
[Diagram: SCMDM 2008 workloads]
Management Workload (deployment: inside the firewall)
Network Access Workload (deployment: in the DMZ)
Mobile VPN
• Machine authentication and "double envelope security"
• Session persistence
• Fast reconnect
• Internetwork roaming
• Standards support (IKEv2, IPsec tunnel mode)
Device Management
• Single point of management for mobile devices in the enterprise
• Full OTA provisioning and bootstrapping
• OTA software distribution based on WSUS 3.0
• Device data and inventory reporting
• SQL Server 2005-based reporting capabilities
• Role-based administration
• MMC snap-ins and PowerShell cmdlets
• WMU on/off control
• OMA-DM compliance
Security Management
• Active Directory Domain Join
• Policy enforcement using Active Directory and Group Policy targeting (>130 policies and settings)
• Communications and camera disablement
• File encryption
• Application allow and deny
• Remote wipe
• OMA-DM compliance
Summary
Why security? The answers!
1. How do I 'provision' the mobile device? The user can prepare the device for use over the air (OTA) with an e-mail address plus password / PIN code.
2. How can I disable programs or hardware? Both Exchange 2007 SP1 and SCMDM can be used to switch functions and programs on or off.
3. How do I secure the data stored on the mobile device? Policies can make a password and encryption mandatory, and a lost or stolen device can be emptied with remote wipe.
4. How do I get software onto the mobile device? With SCMDM, software can be distributed OTA.
5. What about viruses? Tiered security on the device, allow only 'signed' applications, educate users and optionally install anti-virus software.
Summary
Exchange 2003 SP2:
- Direct Push E-mail: e-mail, contacts, calendar
- Basic security: PIN code, device lock, device wipe
- Windows Mobile 5 and newer
Exchange 2007 RTM:
- Enriched PIM experience: HTML e-mail, Out-of-Office
- SharePoint & UNC access to files
- Enhanced security: storage card encryption, password recovery
- Windows Mobile 6 and newer*
Exchange 2007 SP1:
- Direct Push bandwidth optimization: uses up to 1/3 less bandwidth
- S/MIME support
- Enhanced security: device encryption, hardware control
- Windows Mobile 6.1 and newer*
SCMDM 2008:
- Security management: device encryption, hardware control
- Device management: software distribution, inventory
- Mobile VPN
- Windows Mobile 6.1 and newer
* Version needed for enhanced functionality; backwards compatible down to Windows Mobile 5
In closing
Questions?
People make the New World of Work
Appendix
Key Deployment Steps
1. Ensure Exchange Server 2003 SP2 or Exchange Server 2007 is in place
2. Ensure TCP port 443 is able to reach the Client Access Server
3. Ensure the customer has implemented SSL security
4. Adjust firewall connection timeout values
5. Enable Exchange ActiveSync and policies on the Exchange Server
6. If needed, deploy certificates to devices
If you are using Outlook Web Access, much of this will already be in place.
Adjust Firewall Timeout Settings
Configure all communication points (firewalls) between the Exchange Server and the Windows Mobile device with the same idle session timeout.
Microsoft recommends increasing the idle session timeouts to 30 minutes.
Available documentation:
- Firewall configuration: http://go.microsoft.com/fwlink/?linkid=3052&kbid=905013
- Network security impact: http://msexchangeteam.com/archive/2006/08/17/428703.aspx
[Diagram: HTTPS (443) path through an advanced firewall and the perimeter network (Exchange 2007 Edge Server) to the Front End / CAS Server and the Mailbox Servers; the idle session timeout is increased to 30 minutes at every hop, including the advanced firewall]