
How do I stay in control?

How do I stay in control? Secure mobile collaboration. Ferjan Ormeling, Mobile Solution Specialist, ferjanor@microsoft.com, Microsoft B.V. Agenda: Microsoft & Mobility; Why security?; Exchange Server; System Center Mobile Device Manager 2008.


Presentation Transcript


  1. How do I stay in control? Secure mobile collaboration. Ferjan Ormeling, Mobile Solution Specialist, ferjanor@microsoft.com, Microsoft B.V.

  2. How do I stay in control: Agenda • Microsoft & Mobility • Why security? • Exchange Server • System Center Mobile Device Manager 2008 • Summary

  3. Microsoft & Mobility

  4. Why mobile? The biggest grower! Chart: year-over-year shipment growth, CAGR 2006-2010: Converged Mobile Phones 34.1%, Mobile PCs 18.6%, Mobile Phones 5.8%, Desktop PCs 3.9%. Source: Gartner Dataquest and IDC, 2006.

  5. Microsoft's vision on Mobility. Diagram of the mobility landscape: LOB Applications, E-Mail, Access Control, Intranet Web Applications, Managed PC, Team Workspaces, Unmanaged PC (Home PC, Kiosk, etc.), Identity and Presence, Documents and Files, Instant Messaging, Mobile and Traditional Devices, Firewall, Web and Video Conferencing, Calendaring; clients reach these over wired and wireless connections across the Internet.

  6. Microsoft’s Mobile Value Proposition: Easy to Manage/Support, Scalable, Secure, Productivity, Reliability, Cost, Business Value, Re-Use Knowledge, Device Choice, Easy-To-Use, Enabling Lifestyle

  7. Demo

  8. Windows Mobile is all about choice!

  9. Why security?

  10. Why security? Ferjan’s top 5 most frequently asked questions: • How do I provision the mobile device? • How can I disable programs or hardware? • How do I secure the data stored on the device? • How do I get software onto the device? • What about viruses?

  11. Exchange Server

  12. Exchange and Mobility: mobile functionality over time. Earliest stage: DirectPush introduced, policy enforcement (7 policies), remote/local device wipe. Next stage: 9 new policies, self-service via OWA, SharePoint and file access. Latest stage: 30 new policies, encryption, hardware control, software control.

  13. Anywhere Access: Outlook experience from desktop to mobile devices. Built-in: no special server or services required. Rich access for the many, not the few.

  14. Architecture Overview. Diagram: devices communicate across the Internet over SSL on port 443 (Direct Push, EAS) with the messaging infrastructure.

  15. Securing the Servers
     • Restricting access
       • Inbound port 443 (SSL) to Client Access Server
       • Works with existing firewalls and Microsoft’s ISA Server
     • Data inspection
       • All communication can be inspected and filtered
     • Complete Exchange Security Hardening Guide available from Microsoft
       • Exchange 2003: http://technet.microsoft.com/en-us/library/aa996732.aspx
       • Exchange 2007: http://technet.microsoft.com/en-us/library/bb691338.aspx

  16. Securing the Communication
     • Secure Sockets Layer
       • Standard for securing communications over the Internet (i.e. online banking/shopping)
     • Encryption
       • RC4, 3DES, AES*
     • Authentication
       • Password or certificate authentication
       • RSA SecurID support
     • ~80% of Exchange customers have this in place today for OWA
     * Requires Windows Server 2008

  17. Securing the devices • Policy enforcement • PIN password • Local and remote device wipe • Encryption • Application control • Hardware control

  18. Policies - General
     • Targeting users with policies
       • Exchange 2003 SP2
         • One policy that applies to all users
         • Users can be exempted from policy (no policy applied)
       • Exchange 2007 & SP1
         • Multiple policies supported
         • Targeting based upon user/group membership
         • Exchange 2007 SP1 adds a default policy

  19. Policies - General • Allow/Deny non-provisionable devices (what devices are allowed to connect) • Refresh Interval (hours): how often the policy is refreshed on the device

  20. Password Policies • Require device password • Minimum password length • Require alphanumeric password • Inactivity timeout (in minutes) • Number of failed attempts allowed

  21. Security: Device Data Encryption
     • All device and storage encryption utilizes AES encryption
     • Require encryption on the storage card
       • Requirements: Ex2007 RTM and Windows Mobile 6
       • Ensures that any data written to the storage card is encrypted
     • Require encryption on the device
       • Requirements: Ex2007 SP1 and Windows Mobile 6.1
     What is encrypted on the device with Windows Mobile 6.1 and Exchange 2007 SP1? User documents (\My Documents), e-mail & attachments, PIM data (contacts, calendar, tasks, notes), Internet Explorer cache

  22. Sync Settings (Exchange 2007 & 2007 SP1) • Allow sync when roaming: this setting allows administrators to disable DirectPush while the device is roaming; the user must sync manually • Allow attachments to be downloaded to device • Maximum attachment size • Allow HTML formatted email

  23. Sync Settings (Exchange 2007 SP1) • Include past calendar items • Include past email items • Limit email size to: define the maximum size of email sent to the device by default (user can still request a full message) • Allow HTML formatted email

  24. Mobile Policies in SP1 (Exchange 2007 SP1) • Allow removable storage • Allow camera • Allow Wi-Fi • Allow infrared • Allow internet sharing • Allow Remote Desktop • Allow Desktop Sync • Allow Bluetooth (all, or headset profile only)

  25. Mobile Policies in SP1 (Exchange 2007 SP1) • Allow browser • Allow consumer mail • Allow unsigned apps • Allow unsigned installation packages • Allowed applications • Blocked applications
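As an added example (not part of the presentation), the settings from slides 19 to 25 written as one Exchange ActiveSync mailbox policy in the Exchange 2007 SP1 Management Shell, assigned to a mailbox, followed by the remote wipe from slide 17. The policy name, the mailbox address and the chosen values are placeholders; every cmdlet and parameter name is taken from Exchange 2007 SP1 and can be checked with Get-Help.

```powershell
# Added example, not from the presentation. Placeholder policy name and mailbox.
$policy = @{
    Name                               = "Mobile-Standard"   # placeholder
    # Slide 19: general
    AllowNonProvisionableDevices       = $false       # only devices that can enforce the policy may connect
    DevicePolicyRefreshInterval        = "1.00:00:00" # re-apply the policy on the device every 24 hours
    # Slide 20: password
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 8
    MaxInactivityTimeDeviceLock        = "00:15:00"   # lock after 15 minutes of inactivity
    MaxDevicePasswordFailedAttempts    = 8            # local wipe after 8 failed attempts
    # Slide 21: encryption (storage card needs Ex2007 RTM + WM6, device needs Ex2007 SP1 + WM6.1)
    RequireStorageCardEncryption       = $true
    RequireDeviceEncryption            = $true
    # Slides 22 and 23: sync settings
    AttachmentsEnabled                 = $true
    MaxAttachmentSize                  = "2MB"
    AllowHTMLEmail                     = $false
    MaxCalendarAgeFilter               = "TwoWeeks"
    MaxEmailAgeFilter                  = "OneWeek"
    MaxEmailBodyTruncationSize         = 50           # KB; the user can still request the full message
    # Slides 24 and 25: hardware and software control
    AllowStorageCard                   = $false
    AllowCamera                        = $false
    AllowWiFi                          = $true
    AllowIrDA                          = $false
    AllowInternetSharing               = $false
    AllowRemoteDesktop                 = $false
    AllowDesktopSync                   = $false
    AllowBluetooth                     = "HandsfreeOnly"  # headset profile only
    AllowBrowser                       = $true
    AllowConsumerEmail                 = $false
    AllowUnsignedApplications          = $false
    AllowUnsignedInstallationPackages  = $false
}
New-ActiveSyncMailboxPolicy @policy

# Assign the policy to one mailbox (placeholder address) and verify the assignment.
$mailbox = "john@litware.example"
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policy.Name
Get-CASMailbox -Identity $mailbox | Format-List ActiveSyncMailboxPolicy

# Slide 17: remote wipe. List the device partnerships first, then wipe the lost device by its identity.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox | Format-List Identity, DeviceType, LastSyncTime
# Clear-ActiveSyncDevice -Identity "<identity from the listing above>"
```

The device applies the new policy at its next sync; a device that cannot enforce it is refused because AllowNonProvisionableDevices is false.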

  26. Manageability: Self Service

  27. End User Experience (demo: John and Litware Inc.’s Exchange Server)

  28. System Center Mobile Device Manager 2008

  29. System Center Mobile Device Manager 2008 MDM helps to… • Safeguard corporate data from unauthorized access. • Reduce the cost and complexity of mobile deployments. • Maintain persistent and enhanced security for connectivity. • Simplify device management.

  30. What IT pains does MDM solve? How to: • Manage mobile devices like PCs on the corporate network • Manage policies and software distribution to multiple groups of users • Provision mobile devices without physically touching them • Allow more secure connectivity with single-point network access control • Allow specific business units individual control over the devices in their business unit

  31. MDM enables Windows Mobile 6.1 devices to be deployed and managed like PCs and laptops in the IT infrastructure, providing them network access to corporate data and making them first-class citizens on the corporate network.
     Security Management: • Active Directory Domain Join • Policy enforcement using Active Directory and Group Policy targeting (>130 policies and settings) • Communications and camera disablement • File encryption • Application allow and deny • Remote wipe • OMA-DM compliance
     Device Management: • Single point of management for mobile devices in the enterprise • Full OTA provisioning and bootstrapping • OTA software distribution based on WSUS 3.0 • Device data and inventory reporting • SQL Server 2005-based reporting capabilities • Role-based administration • MMC snap-ins and PowerShell cmdlets • WMU on/off control • OMA-DM compliance
     Mobile VPN: • Machine authentication and “double envelope security” • Session persistence • Fast reconnect • Internetwork roaming • Standards support (IKEv2, IPsec tunnel mode)
     Management workload deployment: inside the firewall. Network access workload deployment: in the DMZ.

  32. Summary

  33. Why security? The answers! • How do I provision the mobile device? The user can prepare the device for use over the air with e-mail address + password / PIN code • How can I disable programs or hardware? Both Exchange 2007 SP1 and SCMDM can be used to switch functions and programs on or off • How do I secure the data stored on the device? Policies can make a password and encryption mandatory, and a lost or stolen device can be emptied with remote wipe • How do I get software onto the device? With SCMDM, software can be distributed OTA • What about viruses? Tiered security on the device, allow only signed applications, educate users and optionally install anti-virus software

  34. Summary • * Version needed for enhanced functionality, backwards compatible down to Windows Mobile 5

  35. Finally: Questions?

  36. People make

  37. the New World of Work

  38. Appendix

  39. Key Deployment Steps • Ensure Exchange Server 2003 SP2 or Exchange Server 2007 is in place • Ensure TCP port 443 is able to reach the Client Access Server • Ensure the customer has implemented SSL security • Adjust firewall connection timeout values • Enable Exchange ActiveSync and policies on the Exchange Server • If needed, deploy certificates to devices. If you are using Outlook Web Access, much of this will already be in place.

  40. Adjust Firewall Timeout Settings
     Diagram: the HTTPS (443) path runs through the Advanced Firewall in the perimeter network to the Front End / CAS Server and on to the Mailbox Server (Exchange 07 Edge Server shown alongside); the advanced firewall idle timeout and the idle session timeout at each hop are increased to 30 mins.
     • Configure all communication points (firewalls) between the Exchange Server and the Windows Mobile device with the same idle session timeout
     • Microsoft recommends increasing the idle session timeouts to 30 minutes
     • Available Documentation
       • Firewall Configuration: http://go.microsoft.com/fwlink/?linkid=3052&kbid=905013
       • Network Security Impact: http://msexchangeteam.com/archive/2006/08/17/428703.aspx
