
May 30 th – 31 st, 2006 Sheraton Ottawa. Mobile Security Windows Mobile 5 Rick Claus IT Pro Advisor Microsoft Canada

Presentation transcript:

1 May 30th – 31st, 2006, Sheraton Ottawa

2 Mobile Security: Windows Mobile 5
Rick Claus, IT Pro Advisor, Microsoft Canada
rick.claus@microsoft.com
http://blogs.technet.com/canitpro

3 Agenda
- Define Mobile Environment
- Windows Mobile devices in Canada
- Windows Mobile 5: Productivity, Policy & Security
- Direct Push
- Myths and Objections

4 What is Mobile Data?

5 Mobile Messaging Infrastructure
Mobile access to Exchange “that just works”
Diagram components: Smartphone platform, Outlook 2003, Outlook Web Access, wireless Pocket PC & PE, wireless 3rd party sync, Outlook Mobile Access
- Enable a greater number of customers, out-of-the-box
- User experience optimized for the mobile device scenario

6 Exchange Server 2003 Mobility Scenarios
IW Mobile Office (Outlook Web Access; device: “Kiosk”)
- Rich web access companion for Outlook
- Best companion to Outlook
- Part-time “Home Office”
- Airport kiosk, Internet café
- Factory floor deployment
IW Mobile On-The-Road (Outlook and Exchange; device: laptop)
- RPC over HTTP(S); no VPN
- Low bandwidth, latent connections
- Hotel dial-up
- Hotspots
- WWAN – Mobile Operator
Mobile Reach for IW (Outlook Mobile Access; device: phone)
- Reach device companion for Outlook
- E-mail triage and quick review
- On-line GAL and contacts lookup with one-touch call
- Calendar and task management
Highly Mobile IW (Exchange ActiveSync (EAS); device: Smart/PDA)
- Rich/Smart device companion to Outlook
- Active e-mail/PIM management – preferably up-to-date
- WWAN – Mobile Operators
- Hotspots

7 Mobile Messaging Infrastructure (network diagram)
Corporate network: Exchange front-end server(s) and mailbox server, with an optional ISA Server in front. All client paths terminate at the front end over HTTPS (443).
- Wireless PDA and Smartphone via the mobile operator network
- Wi-Fi PDA, Wi-Fi Smartphone and Wi-Fi laptop via Internet hotspots (802.11x) or the wireless intranet (802.11x)
- Outlook from home (RPC/HTTP)
- OWA from kiosk or from home
Legend: wired line, wireless line

8 Agenda
- Define Mobile Environment
- Windows Mobile devices in Canada
- Windows Mobile 5: Productivity, Policy & Security
- Direct Push
- Myths and Objections

9 6600 Pocket PC Phone Edition
- CDMA/1xRTT
- Windows Mobile 2003 Second Edition
- Landscape support
- 128 Mb ROM, 64 Mb RAM
- SDIO memory slot
- Bluetooth
- 1.1 megapixel camera
- Built-in QWERTY keyboard, with backlighting
Windows Mobile Devices in Canada … Today!

10 SMT 5600 Smartphone
- GSM/GPRS
- Windows Mobile 2003 Second Edition
- 64 Mb ROM, 32 Mb RAM
- MiniSD memory slot
- Bluetooth
- 1.1 megapixel camera
- 850/1800/1900 MHz support
- Mini USB connector
- First Smartphone in Canada!
Windows Mobile Devices in Canada … Today!

11 h6320/6325 Pocket PC Phone Edition
- GSM/GPRS
- Windows Mobile 2003
- 64 Mb ROM, 64 Mb RAM
- SDIO memory slot
- Integrated Bluetooth
- Integrated WiFi
- 850/900/1800/1900 MHz support
- Snap-on keyboard
- 6325 with camera
Windows Mobile Devices in Canada … Today!

12 hw6515 Pocket PC Phone Edition
- GSM/GPRS/EDGE
- Windows Mobile 2003 Second Edition
- 64 Mb ROM, 64 Mb RAM
- SDIO & MiniSD memory slot
- Integrated Bluetooth
- Integrated GPS
- 850/900/1800/1900 MHz support
- Built-in QWERTY keyboard
- 1.3 MP camera, 8x zoom
Windows Mobile Devices in Canada … Today!

13 6700 Pocket PC Phone Edition
- CDMA/1xRTT/EvDO
- Windows Mobile 5.0
- 128 Mb ROM, 64 Mb RAM
- MiniSD memory slot
- Bluetooth, WiFi
- 1.3 megapixel camera
- Built-in sliding QWERTY keyboard
Windows Mobile Devices in Canada … Today!

14 Treo 700w Pocket PC Phone Edition
- CDMA/1xRTT/EvDO
- GSM/GPRS/EDGE/UMTS
- Windows Mobile 5.0
- MiniSD memory slot
- Bluetooth
- 1.3 megapixel camera
- Built-in QWERTY keyboard
Windows Mobile Devices in Canada … Soon!

15 (device name not in the transcript)
- CDMA/1xRTT/EvDO
- Windows Mobile 5.0
- 128 Mb ROM, 64 Mb RAM
- MiniSD memory slot
- Bluetooth
- 1.3 megapixel camera
- Built-in QWERTY keyboard
- Scroll wheel navigation
Windows Mobile Devices in Canada … Soon!

16 Agenda
- Define Mobile Environment
- Windows Mobile devices in Canada
- Windows Mobile 5: Productivity, Policy & Security
- Direct Push
- Myths and Objections

17 Windows Mobile 5.0 Strengths
Works with Exchange Server 2003
- Built-in mobile access – Windows Mobile, Outlook 2003, OMA, OWA
- Great mobile experience with Windows Mobile 5.0 + MSFP
- E-mail and PIM OTA Direct Push sync is built-in – with Outlook Mobile and Exchange ActiveSync
- No client or 3rd party server software to load, which reduces set-up time and cost
- Familiar Outlook experience
Range of powerful Windows Mobile devices
- Great client platform for LOB and other solutions
Scalable solution for enterprises
- E-mail front-end & back-end scalability
- Easy to manage and consolidate servers
- High number of users per server
Scalable cost per user
- Range of devices, form factors, prices and data plans
- No incremental server license costs
- Removes need for separate monitoring and directory

18 What is MSFP?
Windows Mobile 5.0 + Messaging & Security Feature Pack (MSFP) builds on the familiar Outlook Mobile with new features that enhance mobile messaging usability and device management for the enterprise.
- Direct Push Technology – near real-time sync between Exchange Server and the mobile device
- GAL Access – corporate contact database
- Security portfolio:
  - Policy push/Device Wipe – protects the mobile device if it is ever lost or stolen
  - Native SSL, S/MIME and 3DES (w/FIPS 140-2) support
  - Certificate-based authentication
  - SecurID and VPN

19 Device and Server Requirements
Windows Mobile device requirements
- Requires a Windows Mobile 5 device; MSFP will not work on devices with versions prior to Magneto
- MSFP features will not need PC sync, except certificate-based authentication
- Certificate-based authentication will require a one-time connection to ActiveSync for certificate deployment
Exchange Server requirements
- Requires upgrade from Exchange Server 2003 to Exchange Server 2003 SP2; no major changes beyond the SP upgrade
- Need to increase the IIS and firewall HTTPS connection timeout to the ActiveSync virtual directory; recommend 15 min to 30 min for the timeout
- Certificate-based authentication feature will require a Certificate Authority (CA) deployment

20 1. Enhances the Outlook Mobile Experience
- Keep your Outlook Mobile up-to-date with the new Direct Push Technology that delivers Inbox, Calendar, Contacts and Tasks information quickly and directly to your device
- Maintain an up-to-date to-do list with new synchronization of the Outlook Mobile Tasks list with Exchange 2003 SP2
- Access the corporate contact database while on-the-go with over-the-air lookup and browsing of the Global Address List on Exchange 2003 SP2

21 2. Helps Businesses to Better Protect Device Data
- Remotely manage and enforce corporate IT policy over-the-air via the Exchange 03 SP2 console
- Enable automatic reset of data when the password is entered incorrectly X number of times
- Help to better protect device data with remote reset of on-device data via the Exchange 03 SP2 console
- Increase access security to Exchange 03 SP2 using certificate-based authentication to the server
- Help protect email content with native support for S/MIME

22 Usability vs. Security I Just Want To Make a Call!

23 Policy Provisioning – How does this strengthen security?
Exchange Server controls access to the device by pushing the PIN/password policy and lockdown time-out to the device OTA the next time a sync is initiated.

24 Policy Enforcement
IT controls the password strength… …but the end-user sets his/her personal PIN or password according to the policy required.
After lockdown, entering the correct PIN/password is the only way to access data or use the device*.
* Emergency calls can be made during lockdown

25 Remote Device Wipe – IT-initiated Data Protection
- IT initiates the remote wipe via the Mobile Admin Web tool after a device is reported lost or stolen
- Remote wipe command status is relayed via ActiveSync back to the Mobile Admin Web tool for logging

26 Local Device Wipe – Password-based Data Protection
- IT configures the number of allowed attempts via the Exchange Server Console
- Only local memory is erased (hard reset) with either device wipe; external memory (such as an SD card) remains intact
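A model of the provisioning, enforcement and wipe rules from slides 23 to 26, added here as illustration (not the Windows Mobile or Exchange implementation): DevicePolicy and Device are assumed names, the policy values and stored data are constructed, and the emergency-number check stands in for the real dialer's logic.

```python
from dataclasses import dataclass, field

@dataclass
class DevicePolicy:
    """Settings Exchange pushes to the device OTA on the next sync (constructed values)."""
    min_pin_length: int = 6
    inactivity_lock: int = 15       # minutes of idle time before the device locks itself
    max_failed_attempts: int = 8    # wrong PINs before the local wipe (hard reset) fires

@dataclass
class Device:
    policy: DevicePolicy
    pin: str = ""                   # empty until the user sets one
    locked: bool = True
    failed: int = 0
    idle_minutes: int = 0
    wiped: bool = False
    local_memory: dict = field(default_factory=lambda: {"Inbox": 42, "Contacts": 310})
    sd_card: dict = field(default_factory=lambda: {"photos": 87})   # external storage

    def set_pin(self, pin):
        """The user chooses the PIN, but only one that meets the pushed policy."""
        if len(pin) < self.policy.min_pin_length:
            return False
        self.pin = pin
        return True

    def idle(self, minutes):
        """Lockdown time-out: the device locks itself after the policy's idle period."""
        self.idle_minutes += minutes
        if self.idle_minutes >= self.policy.inactivity_lock:
            self.locked = True

    def unlock(self, attempt):
        """Wrong attempts are counted; reaching the limit triggers the local wipe."""
        if self.wiped or not self.pin:
            return False
        if attempt == self.pin:
            self.locked, self.failed, self.idle_minutes = False, 0, 0
            return True
        self.failed += 1
        if self.failed >= self.policy.max_failed_attempts:
            self.wipe()
        return False

    def wipe(self):
        """Local or remote wipe: local memory is erased, the SD card is left intact."""
        self.local_memory.clear()
        self.pin, self.wiped, self.locked = "", True, True
        return "wiped"          # status relayed back for logging in the remote case

    def can_dial(self, number):
        """Emergency calls still go through during lockdown; anything else needs the PIN."""
        return number == "911" or not self.locked
```

The SD card surviving the wipe is the point of the last bullet on slide 26: anything worth protecting on removable media needs storage encryption on top of the wipe.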

27 Native SSL Support – The end-to-end security standard
SSL (Secure Sockets Layer) is a secure channel of communication between a Web server and client (mobile device).
Windows Mobile uses SSL with the RC4 cipher (128-bit) as the default. This is the standard for online banking and other secure transactions on the Internet.
SSL can make use of a variety of encryption ciphers, including 3DES, by enabling FIPS on the front-end server.
SSL can’t be used by 3rd party relay solutions because of the discontinuous store-and-forward model they use. SSL is session-based and requires an uninterrupted point-to-point connection between the data source (server) and the recipient client (mobile device).

28 Security Architecture – Making the most of SSL
MSFP requires that a firewall port (443 recommended) be made available* as the “Web Listener” in order to allow Direct Push to work. To secure that port, 443 is designated as the SSL port. Traffic into and out of the port will then be doubly filtered because it is:
- Encrypted with SSL
- Authenticated
* The maximum duration of the “Web Listening” connection should be greater than the lowest network timeout in the path between the device and the server.

29 Native S/MIME Support – Securing the payload…
S/MIME (Secure Multipurpose Internet Mail Extensions) is a standard protocol that provides protection and verification of messages as they are transferred, using content encryption and digital signature features.
- Signing ensures the integrity of your message and attachments and assures the recipient that they have not been tampered with during transit.
- Encryption ensures data confidentiality by only allowing the intended recipient to decrypt and access the contents of the message.
- Requires an S/MIME certificate on the device or via a peripheral reader.

30 WM Smartcard Solution
- Currently creating for US DoD
- Partners contributing: Saflink (smartcard software), Axcess Technology (reader hardware)
- Commercial availability summer 05

31 Cert-based Authentication – The next step in authentication
- Certificates on the mobile device (or via a cert-reading peripheral) authenticate the user to the server for gaining sync privileges
- Requires Exchange Server 2003
Diagram: Using Basic Authentication vs. Using Certificate Authentication

32 SecurID – RSA’s two-factor authentication
Native basic authentication for Exchange ActiveSync uses NT credentials (userid/password/domain) – one-factor authentication (the NT password) cached by the device.
Many enterprise customers are requiring two-factor security solutions (a human-memorized password AND some other physical object or certificate).
RSA’s SecurID is currently the most popular corporate solution for two-factor authentication – in Europe, it is a de facto standard. This is now supported by Exchange ActiveSync.
Very important for the Finance vertical, where two-factor authentication is often required.

33 SecurID Architecture with ISA

34 Windows Mobile Platform Security Features
- Support industry standard certificates
- Support Open Mobile Alliance device management standards *
- AES 256 *
- PFX/PKCS12 APIs support *
- FIPS 140-2 certification *
- Smartcard Resource Manager *
- Support network authentication standards: NTLM 1 & 2, Kerberos
- SSL/TLS client authentication
- 802.1x user auth using PEAP, EAP/TLS
- WPA
* New for Windows Mobile 5.0

35 Agenda
- Define Mobile Environment
- Windows Mobile devices in Canada
- Windows Mobile 5: Productivity, Policy & Security
- Direct Push
- Myths and Objections

36 Before Direct Push – How did it work?
1. Server trigger over Short Messaging Service (SMS): a binary “blob” including a message digest (hash) and the server ID (pre-configured on the device)
2. Client initiates a session over an IP data connection
3. Server-controlled interchange passes data via ActiveSync

37 Direct Push Technology – How does it work now?
Diagram: Windows Mobile device with MSFP and a server running Exchange 2003 SP2
1. Device sends a PING request to the Exchange 2003 SP2 server after establishing a data/SSL connection
2. Exchange 2003 holds the request pending until the heartbeat interval expires
3. If no server state changes occur before the heartbeat expires, the device sends another PING request
4. If server state changes before the heartbeat interval expires, Exchange 2003 notifies the device that changes have occurred in the mailbox
5. Device immediately issues a SYNC request to pull data. Upon SYNC completion, go to step 1
The device controls the heartbeat interval duration, as shown on the next slide…
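The five-step loop above as a simulation added here (not code from the presentation or from Microsoft): ExchangeSim and run_device are assumed names, the clock is a simulated tick counter, the mail arrival ticks are constructed, and the path_timeout parameter models the slide 28 caveat that the held connection must not outlive the lowest network timeout between device and server.

```python
from dataclasses import dataclass

@dataclass
class ExchangeSim:
    """Stand-in for the Exchange 2003 SP2 side of Direct Push (assumed name)."""
    arrivals: list            # clock ticks at which new Inbox items land (constructed)
    synced_upto: int = -1     # everything up to this tick has been pulled by a SYNC

    def ping(self, now, heartbeat):
        """Step 2: hold the PING. Returns (tick the reply goes out, changed folders)."""
        deadline = now + heartbeat
        for t in sorted(self.arrivals):
            if self.synced_upto < t <= deadline:
                return max(t, now), {"Inbox"}   # step 4: change notification
        return deadline, set()                   # step 3: heartbeat expired, nothing new

    def sync(self, now):
        """Step 5: the device pulls every item that arrived since its last SYNC."""
        fresh = [t for t in self.arrivals if self.synced_upto < t <= now]
        self.synced_upto = now
        return len(fresh)

def run_device(server, heartbeat, path_timeout, until):
    """Device side of steps 1-5 on a simulated clock. Returns [(tick, event), ...]."""
    log, now = [], 0
    while now < until:
        log.append((now, "PING"))                # step 1
        reply_at, changes = server.ping(now, heartbeat)
        if reply_at - now > path_timeout:
            # The held request outlived the lowest idle timeout on the path (firewall
            # or operator NAT): the reply is lost, so the device shortens its
            # heartbeat and pings again. Nothing is lost on the server side because
            # synced_upto only moves on a completed SYNC.
            now += path_timeout
            heartbeat = max(1, heartbeat // 2)
            log.append((now, f"DROPPED, heartbeat now {heartbeat}"))
            continue
        now = reply_at
        if changes:
            log.append((now, f"SYNC {server.sync(now)} new item(s)"))
        else:
            log.append((now, "HEARTBEAT EXPIRED"))
    return log
```

Running it with a heartbeat longer than the path timeout shows why the slide 19 advice to raise the IIS and firewall timeouts matters: every held PING is dropped until the device has halved its heartbeat below the path limit.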

38 Direct Push Technology – Why is this better?
- Less radio & battery overhead: a persistent data connection does not require the data connection to be built up and torn down for each ActiveSync session
- Less data usage required: each MSFP ping (~350 bits of data) uses less data than a Scheduled Sync, even when no data is transferred during the sync
- No need for SMS sync initiation

39 Windows Mobile 5.0: Why Direct is Better
- No 3rd party relay NOCs outside of enterprise IT control
- No 3rd party relay failure or access points
- Utilizes existing investments in Exchange Server – a highly scalable messaging platform
- No additional client or server licenses for devices
- No additional 3rd party relay hardware or software required behind the enterprise firewall
- Leading platform for LOB applications: .NET Framework and Visual Studio porting to WM
- Single source for product support, included with Exchange 2003

40 Agenda
- Define Mobile Environment
- Windows Mobile devices in Canada
- Windows Mobile 5: Productivity, Policy & Security
- Direct Push
- Myths and Objections

41 Security Myths & Objections
Myth: 3DES is “better” than SSL
- Much online banking and e-commerce uses SSL
- 128-bit SSL – never hacked over the Internet
- MS solution – no dependence on a 3rd-party NOC
Objection: Storing corporate credentials on the device
- Credentials are stored in the protected registry
- Can use certificate authentication instead
Objection: Using corporate credentials for authentication
- Can use certificate authentication instead
Myth: Allowing inbound connections from devices to the corporate data center is insecure
- Windows Mobile uses the same data flow, authentication, encryption and architecture as Outlook Web Access

42 Security Myths & Objections
Myth: Sending all data through a NOC is good
- A 3rd party has control of corporate data
Objection: Must encrypt data and pipe
- Traffic is encrypted between device & server; the data doesn’t need to be encrypted
Myth: Windows Mobile is not secure enough
- Received US Govt. Federal Information Processing Standards cryptographic certification (FIPS 140-2)
Myth: Remote wipe by itself is good enough
- Should require PIN lock to protect the device prior to the report of loss
- If the device radio is turned off, remote wipe won’t work – need local wipe as well

43 Resources – Additional Third Party Security
- Signature authentication: Certicom Corporation; Communication Intelligence Corporation; TSI/Crypto-Sign; VASCO
- Enhanced password protection: Hewlett-Packard
- Pictograph authentication: Pointsec Mobile Technologies
- Fingerprint authentication: Biocentric Solutions Inc.; HP iPAQ 5400
- Card-based authentication: RSA Security
- Certificate authentication on a storage card: JGUI Software
- Storage encryption: F-Secure; Pointsec Mobile Technologies; Trust Digital LLC
- 802.1x WPA encryption method: Funk Software
- S/MIME: Certicom
- Encrypt application data: Certicom Corporation; Glück & Kanja Group; Ntrū Cryptosystems, Inc.
- Virtual Private Networking: Certicom Corporation; Check Point Software Technologies Ltd.; Columbitech; Entrust, Inc.; Epiphan Consulting Inc.
- Disable applications: Odyssey Software; Trust Digital LLC
- Device wipe: Asynchrony.com
- Public Key Infrastructure (PKI): Certicom Corporation; Diversinet Corp.; Dreamsecurity Co., Ltd.; Glück & Kanja Group
- Thin client technology: Citrix; FinTech Solutions Ltd.

44 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied,
Rick Claus, IT Pro Advisor, Microsoft Canada
rick.claus@microsoft.com
http://blogs.technet.com/canitpro

