How do I stay in control?


Page 1: How do I stay in control?

How do I stay in control?

Secure mobile collaboration

Ferjan Ormeling, Mobile Solution Specialist, ferjanor@microsoft.com, Microsoft B.V.

Page 2

How do I stay in control?

Agenda

1. Microsoft & Mobility
2. Why security?
3. Exchange Server
4. System Center Mobile Device Manager 2008
5. Summary

Page 3

Microsoft & Mobility

Page 4

Why Mobile? The biggest grower!

Chart: YoY % shipping growth, CAGR 2006-2010 (Source: Gartner Dataquest and IDC 2006)

- Converged Mobile Phones: 34.1%
- Mobile PCs: 18.6%
- Mobile Phones: 5.8%
- Desktop PCs: 3.9%

Page 5

Microsoft's vision on Mobility

Diagram labels:

- Services: Team Workspaces, E-Mail, Web and Video Conferencing, Documents and Files, Calendaring, Instant Messaging, Identity and Presence, LOB Applications, Intranet Web Applications
- Clients: Managed PC, Unmanaged PC (Home PC, Kiosk, etc.), Mobile and Traditional Devices
- Network path: Wired, Wireless, Internet, Firewall, Access Control

Page 6

Microsoft's Mobile Value Proposition

Diagram labels: Productivity, Reliability, Cost, Business Value, Re-Use Knowledge, Easy to Manage/Support, Scalable, Secure, Device Choice, Easy-To-Use, Enabling Lifestyle

Page 7

Demo

Page 8

Windows Mobile is all about choice!

Page 9

Why security?

Page 10

Why security?

Ferjan's top 5 most frequently asked questions:

1. How do I provision the mobile device?
2. How can I switch off programs or hardware?
3. How do I secure the data stored on the device?
4. How do I get software onto the device?
5. What about viruses?

Page 11

Exchange Server

Page 12

Exchange and Mobility

Timeline of mobile functionality over time, in three successive Exchange releases:

- DirectPush introduced; policy enforcement (7 policies); remote/local device wipe
- 9 new policies; self-service via OWA; SharePoint and file access
- 30 new policies; encryption; hardware control; software control

Page 13

Built-in: no special server or services required

Rich access for the many, not the few

Anywhere Access: Outlook experience from desktop to mobile devices

Page 14

Architecture Overview

Diagram: Devices - Internet - Communication (Direct Push over SSL, port 443) - EAS - Messaging Infrastructure

Page 15

Securing the Servers

- Restricting access
  – Inbound port 443 (SSL) to Client Access Server
  – Works with existing firewalls and Microsoft's ISA Server
- Data inspection
  – All communication can be inspected and filtered
- Complete Exchange Security Hardening Guide available from Microsoft
  – Exchange 2003: http://technet.microsoft.com/en-us/library/aa996732.aspx
  – Exchange 2007: http://technet.microsoft.com/en-us/library/bb691338.aspx

Page 16

Securing the Communication

- Secure Sockets Layer
  – Standard for securing communications over the Internet (e.g. online banking/shopping)
  – Encryption
    • RC4, 3DES, AES*
  – Authentication
    • Password or certificate authentication
    • RSA SecurID support
- ~80% of Exchange customers have this in place today for OWA

* Requires Windows Server 2008

Page 17

Securing the devices

- Policy enforcement
- PIN password
- Local and remote device wipe
- Encryption
- Application control
- Hardware control

Page 18

Policies - General

- Targeting users with policies
  – Exchange 2003 SP2
    • One policy that applies to all users
    • Users can be exempted from policy (no policy applied)
  – Exchange 2007 & SP1
    • Multiple policies supported
    • Targeting based upon user/group membership
    • Exchange 2007 SP1 adds a default policy

Page 19

Policies - General

- Allow/Deny non-provisionable devices
  – Which devices are allowed to connect
- Refresh Interval (hours)
  – How often the policy is refreshed on the device

Page 20

Password Policies

- Require device password
- Minimum password length
- Require alphanumeric password
- Inactivity timeout (in minutes)
- Number of failed attempts allowed

Page 21

Security: Device Data Encryption

- All device and storage encryption utilizes AES encryption
- Require encryption on the storage card
  – Requirements: Exchange 2007 RTM and Windows Mobile 6
  – Ensures that any data written to the storage card is encrypted
- Require encryption on the device
  – Requirements: Exchange 2007 SP1 and Windows Mobile 6.1

Page 22

Sync Settings (Exchange 2007 & 2007 SP1)

- Allow sync when roaming
  • This setting allows administrators to disable DirectPush while the device is roaming. The user must sync manually.
- Allow attachments to be downloaded to device
- Maximum attachment size
- Allow HTML formatted email

Page 23

Sync Settings (Exchange 2007 SP1)

- Include past calendar items
- Include past email items
- Limit email size to
  – Define the maximum size of email sent to the device by default (user can still request a full message)
- Allow HTML formatted email

Page 24

Mobile Policies in SP1 (Exchange 2007 SP1)

- Allow removable storage
- Allow camera
- Allow Wi-Fi
- Allow infrared
- Allow internet sharing
- Allow Remote Desktop
- Allow Desktop Sync
- Allow Bluetooth
  – All or headset profile only

Page 25

Mobile Policies in SP1 (Exchange 2007 SP1)

- Allow browser
- Allow consumer mail
- Allow unsigned apps
- Allow unsigned installation packages
- Allowed applications
- Blocked applications
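The policy slides above list settings by name only. The following is an added example, not code from the presentation or from Microsoft, that creates one Exchange 2007 SP1 ActiveSync mailbox policy covering the general, password, encryption, sync, hardware and software settings from those slides, assigns it to a mailbox and verifies the result, then shows the remote-wipe lookup from the "Securing the devices" slide. It runs in the Exchange Management Shell; the policy name and mailbox are constructed placeholders, and the cmdlet and parameter names are those of the Exchange 2007 SP1 shell as the example assumes them (confirm with Get-Help on the target server).

```powershell
# Added example, not from the presentation: an Exchange 2007 SP1 ActiveSync
# mailbox policy that applies the settings from the policy slides, assigned to
# one mailbox and then verified. Policy name and mailbox are constructed
# placeholders. Run from the Exchange Management Shell.

$policyName = 'Mobile-Secure-Policy'   # placeholder
$mailbox    = 'john@contoso.com'       # placeholder test mailbox

# General settings (slide 19): refuse devices that cannot accept the policy,
# and have devices re-fetch the policy every 24 hours.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -AllowNonProvisionableDevices $false `
    -DevicePolicyRefreshInterval '24:00:00'

# Password policy (slide 20): PIN required, alphanumeric, at least 8 characters,
# lock after 15 minutes idle, local wipe after 8 failed attempts.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -MaxDevicePasswordFailedAttempts 8

# Encryption (slide 21): storage card encryption needs Windows Mobile 6,
# device encryption needs Exchange 2007 SP1 plus Windows Mobile 6.1.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -RequireStorageCardEncryption $true `
    -RequireDeviceEncryption $true

# Sync settings (slides 22 and 23): no DirectPush while roaming, attachments
# capped at 2 MB, only two weeks of calendar and one month of mail on the device.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -RequireManualSyncWhenRoaming $true `
    -AttachmentsEnabled $true `
    -MaxAttachmentSize 2MB `
    -AllowHTMLEmail $true `
    -MaxCalendarAgeFilter TwoWeeks `
    -MaxEmailAgeFilter OneMonth

# Hardware control (slide 24): camera, infrared, internet sharing and Remote
# Desktop off; Bluetooth limited to the headset (hands-free) profile.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -AllowStorageCard $true `
    -AllowCamera $false `
    -AllowWiFi $true `
    -AllowIrDA $false `
    -AllowInternetSharing $false `
    -AllowRemoteDesktop $false `
    -AllowDesktopSync $true `
    -AllowBluetooth HandsfreeOnly

# Software control (slide 25): only signed applications and installation
# packages, no consumer (personal) mail accounts next to the corporate mailbox.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -AllowBrowser $true `
    -AllowConsumerEmail $false `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false

# Assign the policy (Exchange 2007 targets policies per user or group; 2003 SP2
# has only the single global policy).
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Verify what the device will receive at its next sync.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List Device*, Require*, Allow*, Max*, Min*

# Remote wipe (slide 17): list the mailbox's device partnerships first ...
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceID, DeviceType, LastSuccessSync
# ... then wipe the lost device by its identity; the cmdlet prompts for confirmation.
# Clear-ActiveSyncDevice -Identity '<device identity from the list above>'
```

The policy is created with the restrictive general settings first and then tightened in groups, so that a failure in any one Set-ActiveSyncMailboxPolicy call leaves a policy that still refuses non-provisionable devices. The verification step matters because a setting the device's Windows Mobile version cannot honour is silently not applied; comparing the policy object with the device's LastSuccessSync is the quickest way to see whether the device accepted the new policy at all.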

Page 26

Manageability: Self Service

Page 27

End User Experience

Diagram: a user (John) connecting to Litware Inc.'s Exchange Server

Page 28

System Center Mobile Device Manager 2008

Page 29

System Center Mobile Device Manager 2008

MDM helps to…

- Safeguard corporate data from unauthorized access.

- Reduce the cost and complexity of mobile deployments.

- Maintain persistent and enhanced security for connectivity.

- Simplify device management.

Page 30

What IT pains does MDM solve?

How to:

- Manage mobile devices like PCs on the corporate network

- Manage policies and software distribution to multiple groups of users

- Provision mobile devices without physically touching them

- Allow more secure connectivity with single-point network access control

- Allow specific business units individual control over the devices in their business unit

Page 31

MDM enables Windows Mobile 6.1 devices to be deployed and managed like PCs and laptops in the IT infrastructure, providing them network access to corporate data and making them first-class citizens on the corporate network.

Network Access Workload (deployment: in DMZ) - Mobile VPN

• Machine authentication and "double envelope security"
• Session persistence
• Fast reconnect
• Internetwork roaming
• Standards support (IKEv2, IPsec tunnel mode)

Management Workload (deployment: inside firewall) - Device Management

• Single point of management for mobile devices in the enterprise
• Full OTA provisioning and bootstrapping
• OTA software distribution based on WSUS 3.0
• Device data and inventory reporting
• SQL Server 2005-based reporting capabilities
• Role-based administration
• MMC snap-ins and PowerShell cmdlets
• WMU on/off control
• OMA-DM compliance

Management Workload (deployment: inside firewall) - Security Management

• Active Directory Domain Join
• Policy enforcement using Active Directory and Group Policy targeting (>130 policies and settings)
• Communications and camera disablement
• File encryption
• Application allow and deny
• Remote wipe
• OMA-DM compliance

Page 32

Summary

Page 33

Why security? The answers!

1. How do I provision the mobile device? The user can prepare the device for use over the air (OTA) with e-mail address + password / PIN code
2. How can I switch off programs or hardware? Both Exchange 2007 SP1 and SCMDM can be used to turn functions and programs on or off
3. How do I secure the data stored on the device? Policies can make a password and encryption mandatory, and a lost or stolen device can be emptied with remote wipe
4. How do I get software onto the device? With SCMDM, software can be distributed OTA
5. What about viruses? Tiered security on the device, allow only signed applications, educate users and optionally install anti-virus software

Page 34

Summary

Exchange 2003 SP2:
- Direct Push E-mail: E-mail, Contacts, Calendar
- Basic Security: PIN code, device lock, device wipe
- Windows Mobile 5 and newer

Exchange 2007 RTM:
- Enriched PIM experience: HTML E-mail, Out-of-Office
- SharePoint & UNC access to files
- Enhanced Security: Storage Card Encryption, Password Recovery
- Windows Mobile 6 and newer*

Exchange 2007 SP1:
- Direct Push bandwidth optimization: uses up to 1/3 less bandwidth
- S/MIME support
- Enhanced Security: Device Encryption, Hardware Control
- Windows Mobile 6.1 and newer*

SCMDM 2008:
- Security Management: Device Encryption, Hardware Control
- Device Management: Software Distribution, Inventory
- Mobile VPN
- Windows Mobile 6.1 and newer

* Version needed for enhanced functionality, backwards compatible down to Windows Mobile 5

Page 35

Finally

Questions?

Page 36

People make

Page 37

the New Way of Working

Page 38

Appendix

Page 39

Key Deployment Steps

1. Ensure Exchange Server 2003 SP2 or Exchange Server 2007 is in place
2. Ensure TCP port 443 is able to reach the Client Access Server
3. Ensure the customer has implemented SSL security
4. Adjust firewall connection timeout values
5. Enable Exchange ActiveSync and policies on the Exchange Server
6. If needed, deploy certificates to devices

If you are using Outlook Web Access, much of this will already be in place.
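A practitioner working through these steps wants a way to confirm each one before the first device is enrolled. The script below is an added example, not part of the presentation or of Microsoft's guidance, that checks steps 2, 3 and 5 from an Exchange 2007 SP1 Exchange Management Shell (PowerShell 2.0 or later, for try/catch): raw reachability of TCP 443, the SSL handshake and certificate on the Exchange ActiveSync virtual directory, the mailbox-side ActiveSync settings, and finally an end-to-end test sync. The CAS host name and the test mailbox are constructed placeholders, and the Test-ActiveSyncConnectivity parameter names are as this example assumes them; confirm with Get-Help on the target server.

```powershell
# Added example, not from the presentation: pre-flight checks for the
# deployment steps above, run from an Exchange 2007 SP1 Exchange Management
# Shell (PowerShell 2.0 or later). The CAS host name and the test mailbox
# are constructed placeholders.

$casHost = 'mail.contoso.com'      # placeholder: external name of the Client Access Server
$mailbox = 'john@contoso.com'      # placeholder: mailbox used for the end-to-end test
$easUrl  = "https://$casHost/Microsoft-Server-ActiveSync"

# Step 2: is TCP 443 reachable from here at all?
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($casHost, 443)
    "TCP 443 to ${casHost}: open"
} catch {
    "TCP 443 to ${casHost}: blocked ($($_.Exception.Message))"
} finally {
    $tcp.Close()
}

# Step 3: does the SSL handshake succeed, and is the certificate trusted and
# unexpired? An HTTP 401 from the virtual directory is the expected answer:
# it proves the SSL session was established before authentication happened.
$req = [System.Net.HttpWebRequest]::Create($easUrl)
$req.Method = 'OPTIONS'
try {
    $resp = $req.GetResponse()
    $resp.Close()
    "EAS virtual directory answered without authentication; check that anonymous access is off"
} catch {
    # A .NET exception arrives wrapped; the WebException is the inner one.
    $web = $_.Exception.InnerException
    if ($web -is [System.Net.WebException] -and $web.Response) {
        "EAS virtual directory answered HTTP $([int]$web.Response.StatusCode) over SSL"
    } else {
        "SSL handshake or connection failed: $($_.Exception.Message)"
    }
}
$cert = $req.ServicePoint.Certificate
if ($cert) {
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
    "Certificate: $($x509.Subject); expires $($x509.NotAfter); chain trusted: $($x509.Verify())"
}

# Step 4 (firewall idle timeouts) is not observable from the client side;
# it has to be verified on each firewall along the path.

# Step 5: is the EAS virtual directory published, and is ActiveSync enabled
# on the test mailbox with the intended policy?
Get-ActiveSyncVirtualDirectory | Format-List Server, ExternalUrl
Get-CASMailbox -Identity $mailbox | Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy

# End to end: let Exchange itself sync the test mailbox through the CAS.
Test-ActiveSyncConnectivity -URL $easUrl -MailboxCredential (Get-Credential) |
    Format-List Scenario, Result, Latency, Error
```

The certificate check deliberately relies on the default .NET chain validation rather than disabling it: a handshake that only succeeds with validation turned off is exactly the configuration that will make Windows Mobile devices refuse to sync, or will push administrators towards installing the root certificate on every device (step 6).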

Page 40

Adjust Firewall Timeout Settings

Configure all communication points (firewalls) between the Exchange Server and the Windows Mobile device with the same idle session timeout. Microsoft recommends increasing the idle session timeouts to 30 minutes.

Available documentation:
- Firewall Configuration: http://go.microsoft.com/fwlink/?linkid=3052&kbid=905013
- Network Security Impact: http://msexchangeteam.com/archive/2006/08/17/428703.aspx

Diagram: HTTPS (443) path through the Advanced Firewall and the Perimeter Network (Exchange 07 Edge Server) to the Front End / CAS Server and the Mailbox Servers; each hop is annotated "Increase idle session timeout to 30 mins" (the advanced firewall: "Increase advanced firewall idle timeout to 30 mins").