Vik Thairani, Mobility Technical Sales Consultant, Mobile Communication Business, Microsoft Corp.
Session WMB308

Session Objectives and Takeaways
• Overview
• Authenticating against your Corporate Environment
• Secure Intranet Access
• Securing Data in Transport
• Securing Data on the Device
• Securing Devices against Malware and Viruses
• Q&A

Exchange 2003 / 2007 Topology
Diagram: Internet | firewall | DMZ (ISA Server / reverse proxy) | firewall | corporate intranet (Exchange Front-End/CAS server, Exchange Mailbox Server, Active Directory, MAPI clients, SharePoint 2003/2007 server).
• Device to ISA Server / reverse proxy: 128-bit SSL tunnel
• ISA Server to Exchange Front-End/CAS server: 128-bit SSL tunnel
• The Front-End/CAS holds the subscription to the mailbox on the Exchange Mailbox Server and proxies SharePoint requests

SCMDM 08 Deployment Topology (System Center Mobile Device Manager 2008)
Diagram: Internet | firewall | DMZ (SCMDM 08 Gateway; MDM Enrollment Server, optionally behind ISA or a reverse proxy) | firewall | corporate intranet (SCMDM 08 Management Server, SQL Server, WSUS software management, MMC console, Device Certificate Enrollment Service, Active Directory, plus Exchange, SharePoint, intranet and LOB servers).
• Initial OTA device enrollment via SSL, using a one-time PIN for enrollment; SSL user authentication backed by standard Active Directory authentication
• Device to Gateway: IPsec MOBIKE VPN, with machine-certificate authentication for the Mobile VPN
• Gateway and Management Server to the intranet servers: 128-bit SSL tunnels and IPsec VPN

Authenticating against your Corporate Environment
SSL Tunneling vs. SSL Bridging
• Wildcard certificate support
• Elevated root certificate install support in WM6
Certificate Authentication
• ISA 2006, when domain joined, can perform certificate authentication in the DMZ
2-Factor Authentication with RSA
• RSA must be installed on the IIS server
• RSA Agent must be 5.3 or greater
DMZ Pre-Authentication via ISA
• Split tunneling via ISA listeners
• RADIUS, LDAP
• Certificate authentication with a domain-joined ISA 2006

Mobile Device Manager 2008: 2-Factor Authentication
Mobile VPN
• Machine authentication and "double envelope security"
• Session persistence
• Fast reconnect
• Inter-network roaming
• Standards-based (IKEv2, MOBIKE, IPsec tunnel mode)
Network Access Workload Deployment: in DMZ

Secure Intranet Access (VPN)
• Built-in VPN: L2TP and PPTP
• Mobile VPN included in MDM 2008
• Issues with traditional VPNs (the Mobile VPN properties listed above are the response to these)

Securing Data in Transport
SSL / MOBIKE
• SSL: RC4, 3DES, AES 128, AES 256*
• IKEv2 with MOBIKE, IPsec tunnel mode

Wireless LAN Security
• Wi-Fi 802.1X user authentication using Protected EAP (PEAP) or EAP-TLS (certificate-based)
• WPA / TKIP
• Wi-Fi certificate enroller provided by the OEM
• Built-in certificate enroller for Windows Mobile 6 in ActiveSync 4.5
• Windows Mobile 6 includes a built-in PFX, CER and P7B installer

S/MIME
• Windows Mobile 5.0 requires a smart-card reader
• Windows Mobile 6.0 supports soft certificates
• Exchange 2007 SP1 supports S/MIME

Mobile Device Manager 2008: IPsec Mobile VPN (properties as listed under Mobile VPN above)
• Management Workload Deployment: inside firewall
• Network Access Workload Deployment: in DMZ

Securing Data on the Device
On-Device Encryption
• Encrypted PIM data (WM 6.1 with Exchange 2007, MDM): AES 128
• SD card (WM 6): AES 128
• LOB custom applications (CryptoAPI, MDM 2008): 3DES, AES 128, AES 256

Information Rights Management
• Windows Mobile 6 supports IRM with mail: read only, no creation
• Office for Windows Mobile 6 supports IRM for Office documents

Device Policies available with Exchange 2003/2007
• Device lock
• New PIN enhancements (PIN recovery, history)
• Device password
• New password requirements
• Exchange 2007 allows for group-based policies

New Exchange 2007 Policies
• SD card encryption
Exchange 2007 Device Control
• Disable desktop ActiveSync
• Disable removable storage
• Disable camera
• Disable SMS and any MMS text messaging
Exchange 2007 Network Control
• Disable Wi-Fi
• Disable Bluetooth
• Disable IrDA
• Allow internet sharing from device
• Allow desktop sharing from device
Application Control: see the feature table below

Exchange ActiveSync Policy Features (columns: 2007 | S | E)
Features in slide order; the per-column availability marks did not survive extraction:
Min Device Pwd Complex Characters, Require Device Encryption, Require Encrypted SMIME Messages, Require Encryption SMIME Algorithm, Require Manual Sync When Roaming, Require Signed SMIME Algorithm, Require Signed SMIME Messages, Allow Bluetooth, Allow Browser, Allow Camera, Allow Consumer Email, Allow Desktop Sync, Allow Internet Sharing, Allow IrDA, Allow POP/IMAP Email, Allow Remote Desktop, Allow Storage Card, Allow SMIME Encryption Algorithm Negotiation, Allow Text Messaging, Allow SMIME Soft Certs, Max Calendar Age Filter, Max Email Age Filter, Max Email Body Truncation Size, Max Email HTML Body Truncation Size, Allow Unsigned Applications, Allow Unsigned Installation Packages, Allow Wi-Fi, Approved Application List, Unapproved InROM Application List, Password Required, Allow Non-Provisionable Devices, Allow Simple Device Password, Alphanumeric Password, Attachments Enabled, Inactivity Timeout, Max Attachment Size, Max Failed Password Attempts, Min Password Length, Password Expiration, Password History, Password Recovery Enabled, Policy Refresh Interval
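The device, password, encryption and application-control policies listed above are created and enforced from the Exchange Management Shell. The following is an added example and not part of the deck: it builds one restrictive Exchange 2007 SP1 ActiveSync mailbox policy, assigns it, checks which devices actually applied it, and shows the remote-wipe call. The policy name "Corp-Secure", the mailbox jsmith@contoso.example, the notification address, the device ID and every numeric threshold are illustrative assumptions; which parameters are available depends on the Exchange 2007 service pack and CAL, as the feature table notes.

```powershell
# Added example, not taken from the deck. Run in the Exchange 2007 SP1
# Management Shell. Policy name, mailbox, addresses, device ID and the
# numeric values below are illustrative assumptions.

# --- 1. Create a policy that covers the rows of the feature table above ---
# Password rows: alphanumeric PIN of 8+ characters with 3 complex
#   characters, no simple PINs, lock after 15 minutes idle, 90-day expiry,
#   5-entry history, recovery PIN escrowed in Exchange, local wipe after
#   10 failed attempts.
# Encryption rows: device (PIM store, WM 6.1) and storage-card (WM 6)
#   encryption required.
# Control rows: camera, Wi-Fi, Bluetooth, IrDA, storage card, desktop
#   sync, internet sharing, remote desktop, unsigned code, consumer and
#   POP/IMAP mail all disabled.
# Devices that cannot enforce the policy (non-provisionable) are refused.
New-ActiveSyncMailboxPolicy -Name "Corp-Secure" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 3 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -DevicePasswordExpiration 90.00:00:00 `
    -DevicePasswordHistory 5 `
    -PasswordRecoveryEnabled $true `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false `
    -AllowCamera $false `
    -AllowWiFi $false `
    -AllowBluetooth Disable `
    -AllowIrDA $false `
    -AllowStorageCard $false `
    -AllowDesktopSync $false `
    -AllowInternetSharing $false `
    -AllowRemoteDesktop $false `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false `
    -AllowConsumerEmail $false `
    -AllowPOPIMAPEmail $false `
    -MaxEmailAgeFilter OneWeek `
    -MaxCalendarAgeFilter OneMonth `
    -DevicePolicyRefreshInterval 12:00:00

# --- 2. Assign the policy to a mailbox (or make it the org-wide default) ---
Set-CASMailbox -Identity "jsmith@contoso.example" -ActiveSyncMailboxPolicy "Corp-Secure"
# Set-ActiveSyncMailboxPolicy -Identity "Corp-Secure" -IsDefaultPolicy $true

# --- 3. Verify enforcement per device ---
# A policy only protects data once the device has acknowledged it. Devices
# that never applied it, or applied only part of it, are the ones to chase
# (or the reason to keep AllowNonProvisionableDevices at $false).
Get-ActiveSyncDeviceStatistics -Mailbox "jsmith@contoso.example" |
    Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" } |
    Format-Table DeviceType, DeviceID, LastSuccessSync, DevicePolicyApplied, DevicePolicyApplicationStatus

# --- 4. Remote wipe of a lost device (the "Remote wipe" capability) ---
# The device identity comes from the statistics object; the wipe is issued
# at the device's next sync, and DeviceWipeRequestTime / DeviceWipeSentTime
# on the same object track its progress.
$lostDeviceId = "0123456789ABCDEF"   # illustrative device ID from step 3
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jsmith@contoso.example" |
    Where-Object { $_.DeviceID -eq $lostDeviceId }
if ($lost) {
    Clear-ActiveSyncDevice -Identity $lost.Identity `
        -NotificationEmailAddresses "secops@contoso.example" -Confirm:$false
}
```

Two design points worth noting. Password recovery (PasswordRecoveryEnabled) means the recovery PIN is stored server-side, so access to that mailbox attribute is itself a sensitive privilege; and because the wipe in step 4 is delivered over the next sync, a device that is kept off the network is not wiped, which is why the local-wipe threshold (MaxDevicePasswordFailedAttempts) and device encryption are set as well.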
Exchange ActiveSync Policy Features (continued): Storage Card Encryption, UNC Access Enabled, WSS Access Enabled, Allow HTML Email
Legend: 2007 = Exchange 2007 | S = Exchange 2007 SP1 Standard CAL | E = Exchange 2007 SP1 Enterprise CAL

Mobile Device Manager 2008: Security
Security Management
• Active Directory domain join
• Policy enforcement using Active Directory / group policy targeting (>125 policies)
• Communications and camera disablement*
• File encryption
• Application allow and deny
• Remote wipe
• OMA DM compliant
*Part of LTK requirement
Management Workload Deployment: inside firewall

Securing Devices against Malware and Viruses
Antivirus and Firewalls
Mitigating Attack Vectors on Windows Mobile
• Entry points on the device: Office, Internet Explorer, application install
• Entry points on your corporate environment: desktop, Exchange
• APIs available for Windows Mobile
Exchange Advanced Policies
• Allow browser
• Allow consumer mail
• Allow unsigned apps
• Allow unsigned installation packages

Mobile Device Manager 2008: Software Distribution
Device Management
• Single point of management for mobile devices in the enterprise
• Full over-the-air (OTA) provisioning and bootstrapping
• OTA software distribution based on Windows Server Update Services (WSUS) 3.0
• Inventory
• Microsoft SQL Server 2005-based reporting capabilities
• Role-based administration
• MMC snap-ins and Microsoft Windows PowerShell cmdlets
• WMU On/Off control
Management Workload Deployment: inside firewall

Partners
• Management and Security: Credant, Trust Digital, Afaria, Odyssey
• VPN: Bluefire (Cisco), NetMotion (IPsec Mobile), Check Point (SSL)

Resources
• Sessions On-Demand & Community: www.microsoft.com/teched
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn

Windows Mobile Resources
• TechNet TechCenter, System Center Mobile Device Manager 2008: http://technet.microsoft.com/scmdm
• TechNet TechCenter, Windows Mobile: http://technet.microsoft.com/windowsmobile
• MSDN Center, Windows Mobile: http://msdn.microsoft.com/windowsmobile
• Webcasts and Podcasts for IT, Windows Mobile: http://www.microsoft.com/events/series/msecmobility.aspx
• General Information, Windows Mobile: http://www.windowsmobile.com
• General Information, System Center Mobile Device Manager 2008: http://www.windowsmobile.com/mobiledevicemanager
• Windows Marketplace Developer Portal: http://developer.windowsmobile.com

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.