Transcript of Vik Thairani Mobility Technical Sales Consultant Mobile Communication Business -Microsoft Corp....
Securely Deploying Windows Mobile in Your Enterprise
Vik Thairani, Mobility Technical Sales Consultant, Mobile Communication Business, Microsoft Corp. (Session WMB308)
Session Objectives and Takeaways
• Overview
• Authenticating against your Corporate Environment
• Secure Intranet Access
• Securing Data in Transport
• Securing Data on the Device
• Securing Devices for Malware and Viruses
• Q&A
Architecture
Exchange 2003 / 2007 Topology
[Diagram: Internet → Firewall → DMZ (ISA Server / Reverse Proxy) → Firewall → Corporate Intranet: Exchange Front-End/CAS Server, Exchange Mailbox Server, MAPI Clients, Active Directory, SharePoint 2003/2007 Server. Labels: 128-bit SSL tunnel from the device to the front-end/CAS; subscription to mailbox; SharePoint request proxied via the Exchange CAS over a 128-bit SSL tunnel.]
SCMDM 08 Deployment Topology (System Center Mobile Device Manager 2008)
[Diagram: Internet → Firewall → DMZ (SCMDM 08 Gateway; optional ISA or Reverse Proxy) → Firewall → Corporate Intranet: SCMDM 08 Management Server, MDM Enrollment Server, Device Certificate Enrollment Service, Active Directory, WSUS Software Management, SQL Server, MMC Console, and the Exchange, SharePoint, Intranet and LOB Servers. Labels: SSL user authentication; 128-bit SSL tunnels; IPSEC MobIKE VPN between device and gateway; IPSEC VPN into the intranet; One Time PIN for Enrollment; initial OTA device enrollment via SSL; machine certificate authentication for Mobile VPN.]
Authenticating Against Your Corporate Network
• SSL Tunneling vs. SSL Bridging
• Wildcard Cert Support
• Elevated Root Cert install support in WM6
• Certificate Authentication: ISA 2006, when Domain Joined, can Cert Auth in the DMZ
• Standard Authentication
• 2 Factor Authentication with RSA: RSA must be installed on the IIS server; RSA Agent must be 5.3 or greater
• DMZ Pre-Authentication via ISA
• Split Tunneling via ISA Listeners
• Radius
• LDAP
• Cert Authentication with Domain Joined ISA 2006
Mobile Device Manager 2008 – 2 Factor Authentication
• Machine authentication and “double envelope security”
• Session persistence
• Fast reconnect
• Inter-network roaming
• Standards-based (IKEv2, MOBIKE, IPSec tunnel mode)
Network Access Workload, Deployment: In DMZ (Mobile VPN)
Secure Intranet Access
Secure Intranet Access (VPN)
• Built-in VPN: L2TP and PPTP
• Mobile VPN included in MDM 2008
• Issues with Traditional VPNs
Mobile Device Manager 2008 VPN
• Machine authentication and “double envelope security”
• Session persistence
• Fast reconnect
• Inter-network roaming
• Standards-based (IKEv2, MOBIKE, IPSec tunnel mode)
Network Access Workload, Deployment: In DMZ (Mobile VPN)
Securing Data in Motion
SSL / MobileIKE
• SSL: RC4, 3DES, AES 128, AES 256*
• MobIKEv2 IPSEC Tunnel
Wireless LAN Security
• WiFi 802.1x user authentication using Protected EAP (PEAP) or EAP/TLS (certificate-based); WPA / TKIP
• Wi-Fi Certificate Enroller provided by OEM
• Built-in Certificate Enroller for Windows Mobile 6 in ActiveSync 4.5
• Windows Mobile 6 includes a built-in PFX, CER, .P7B installer
S/MIME
• Windows Mobile 5.0 requires a Smart-Card reader
• Windows Mobile 6.0 supports Soft-Certificates
• Exchange 2007 SP1 does support S/MIME
Mobile Device Manager 2008 - IPSEC
• Machine authentication and “double envelope security”
• Session persistence
• Fast reconnect
• Inter-network roaming
• Standards-based (IKEv2, MOBIKE, IPSec tunnel mode)
Network Access Workload, Deployment: In DMZ (Mobile VPN)
Management Workload, Deployment: Inside firewall
Securing Data on Device
On Device Encryption
• Encrypted PIM Data (WM 6.1 w/ Exchange 2007, MDM): AES 128
• SD Card (WM 6): AES 128
• LOB Custom Applications (CryptoAPI, MDM 2008): 3DES, AES 128, AES 256
Information Rights Management
Windows Mobile 6 supports IRM with Mail (read only, no creation)
Office for Windows Mobile 6 supports IRM for Office Documents
Device Policies available with Exchange 2003/2007
• Device Lock: new PIN enhancements (PIN recovery, history)
• Device Password: new password requirements
• Exchange 2007 allows for group-based policies; new Exchange 2007 policies
• SD Card encryption
Exchange 2007 Device Control
• Disable desktop ActiveSync
• Disable removable storage
• Disable camera
• Disable SMS and any MMS text messaging
Exchange 2007 Device Control (Network Control)
• Disable Wi-Fi
• Disable Bluetooth
• Disable IrDA
• Allow internet sharing from device
• Allow desktop sharing from device
Application Control
Exchange Functionality

Feature                                       | 2007 | S | E
----------------------------------------------|------|---|---
Password Required                             |  X   | X | X
Allow non-provisionable devices               |  X   | X | X
Allow Simple Device Password                  |  X   | X | X
Alphanumeric Password                         |  X   | X | X
Attachments Enabled                           |  X   | X | X
Inactivity Timeout                            |  X   | X | X
Max Attachment Size                           |  X   | X | X
Max Failed Password Attempts                  |  X   | X | X
Min Password Length                           |  X   | X | X
Password Expiration                           |  X   | X | X
Password History                              |  X   | X | X
Password Recovery Enabled                     |  X   | X | X
Policy Refresh Interval                       |  X   | X | X
Storage Card Encryption                       |  X   | X | X
UNC Access Enabled                            |  X   | X | X
WSS Access Enabled                            |  X   | X | X
Allow HTML Email                              |      | X | X
Allow SMIME Encryption Algorithm Negotiation  |      | X | X
Allow SMIME Soft Certs                        |      | X | X
Max Calendar Age Filter                       |      | X | X
Max Email Age Filter                          |      | X | X
Max Email Body Truncation Size                |      | X | X
Max Email HTML Body Truncation Size           |      | X | X
Min Device Pwd Complex Characters             |      | X | X
Require Device Encryption                     |      | X | X
Require Encrypted SMIME Messages              |      | X | X
Require Encryption SMIME Algorithm            |      | X | X
Require Manual Sync When Roaming              |      | X | X
Require Signed SMIME Algorithm                |      | X | X
Require Signed SMIME Messages                 |      | X | X
Allow Bluetooth                               |      |   | X
Allow Browser                                 |      |   | X
Allow Camera                                  |      |   | X
Allow Consumer Email                          |      |   | X
Allow Desktop Sync                            |      |   | X
Allow Internet Sharing                        |      |   | X
Allow IrDA                                    |      |   | X
Allow POP/IMAP Email                          |      |   | X
Allow Remote Desktop                          |      |   | X
Allow Storage Card                            |      |   | X
Allow Text Messaging                          |      |   | X
Allow Unsigned Applications                   |      |   | X
Allow Unsigned Installation Packages          |      |   | X
Allow Wi-Fi                                   |      |   | X
Approved Application List                     |      |   | X
Unapproved InROM Application List             |      |   | X

2007 = Exchange 2007 | S = Exchange 2007 SP1 Standard CAL | E = Exchange 2007 SP1 Enterprise CAL
Mobile Device Manager 2008 - Security
• Active Directory® Domain Join
• Policy enforcement using Active Directory/group policy targeting (>125 policies)
• Communications and camera disablement*
• File encryption
• Application allow and deny
• Remote wipe
• OMA DM compliant
*Part of LTK requirement
Security Management
Management Workload, Deployment: Inside firewall
Antivirus and Firewalls
• Mitigating attack vectors on Windows Mobile: Office, Internet Explorer, application install
• Entry points into your corporate environment: desktop, Exchange
• APIs available for Windows Mobile
Exchange Advanced Policies
• Allow browser
• Allow consumer mail
• Allow unsigned apps
• Allow unsigned installation packages
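As an added configuration example (not from the deck and not Microsoft's own sample), the following Exchange Management Shell script maps the device-policy table and the "Exchange Advanced Policies" slide above onto Exchange 2007 SP1 ActiveSync mailbox policy cmdlets; the policy name, the mailbox address and the numeric thresholds are assumptions, and the Allow* controls need the Enterprise CAL.

```powershell
# Added example, not from the presentation: builds the Exchange 2007 SP1
# ActiveSync mailbox policy that the device-policy slides and the
# "Exchange Advanced Policies" slide describe. Policy name, mailbox address
# and the numeric thresholds are assumptions; run in the Exchange Management
# Shell on Exchange 2007 SP1 (the Allow* controls need the Enterprise CAL).

$policy = "WM-Hardened-Example"

# Create the policy and refuse devices that cannot enforce it. Leaving
# AllowNonProvisionableDevices at $true is the weak setting: such devices
# sync mail without applying any of the settings below.
New-ActiveSyncMailboxPolicy -Name $policy -AllowNonProvisionableDevices $false

# Device Lock / Device Password slides: require a complex PIN, lock on
# inactivity, wipe after repeated failures, rotate and remember passwords.
Set-ActiveSyncMailboxPolicy -Identity $policy -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 -MinDevicePasswordComplexCharacters 2 `
    -MaxInactivityTimeDeviceLock "00:05:00" -MaxDevicePasswordFailedAttempts 8 `
    -DevicePasswordExpiration "90.00:00:00" -DevicePasswordHistory 5 `
    -PasswordRecoveryEnabled $true

# On Device Encryption slide: encrypt PIM data and the storage card
# (AES 128 on Windows Mobile 6); keep cards usable but only when encrypted.
Set-ActiveSyncMailboxPolicy -Identity $policy -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true -AllowStorageCard $true

# Exchange Advanced Policies slide (Enterprise CAL): close the entry points
# the Antivirus and Firewalls slide lists (browser, consumer mail, unsigned
# code) and restrict Bluetooth to hands-free profiles.
Set-ActiveSyncMailboxPolicy -Identity $policy -AllowBrowser $false `
    -AllowConsumerEmail $false -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false -AllowBluetooth HandsfreeOnly

# Assign the policy to a mailbox (constructed address) and read it back to
# confirm which settings the server will push at the next sync.
Set-CASMailbox -Identity "alice@example.com" -ActiveSyncMailboxPolicy $policy
Get-ActiveSyncMailboxPolicy -Identity $policy |
    Format-List AllowNonProvisionableDevices, *Password*, *Encryption*, Allow*
```

The settings reach a device only at its next ActiveSync policy refresh, so the read-back shows what the server will enforce, not what every enrolled device has already applied.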
Mobile Device Manager 2008 – Software Distribution
• Single point of management for mobile devices in enterprise
• Full over-the-air (OTA) provisioning and bootstrapping
• OTA software distribution based on Windows Software Update Service (WSUS) 3.0
• Inventory
• Microsoft SQL Server™ 2005-based reporting capabilities
• Role-based administration
• MMC snap-ins and Microsoft Windows PowerShell™ cmdlets
• WMU On/Off control
Management Workload, Deployment: Inside firewall
Device Management
Partners
• Management and Security: Credant, Trust Digital, Afaria, Odyssey
• VPN: Bluefire (Cisco), Net Motion (IPSEC Mobile), Checkpoint (SSL)
www.microsoft.com/teched – Sessions On-Demand & Community
http://microsoft.com/technet – Resources for IT Professionals
http://microsoft.com/msdn – Resources for Developers
www.microsoft.com/learning – Microsoft Certification & Training Resources
Resources
Windows Mobile® Resources
TechNet TechCenter – System Center Mobile Device Manager 2008: http://technet.microsoft.com/scmdm
TechNet TechCenter – Windows Mobile: http://technet.microsoft.com/windowsmobile
MSDN Center – Windows Mobile: http://msdn.microsoft.com/windowsmobile
Webcasts and Podcasts for IT – Windows Mobile: http://www.microsoft.com/events/series/msecmobility.aspx
General Information – Windows Mobile: http://www.windowsmobile.com
General Information – System Center Mobile Device Manager 2008: http://www.windowsmobile.com/mobiledevicemanager
Windows Marketplace Developer Portal: http://developer.windowsmobile.com
Windows Mobile® is giving away Blackjack IIs !
Stop by the Windows Mobile Technical Learning Center to learn how to enter
Complete an evaluation on CommNet and enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.