
May 30th – 31st, 2007, Chateau Laurier, Ottawa. Helping to Secure Data while on the Run. Greg Milligan, Mobility Solutions Manager, Microsoft Canada Co.


1 May 30th – 31st, 2007, Chateau Laurier, Ottawa

2 Helping to Secure Data while on the Run. Greg Milligan, Mobility Solutions Manager, Microsoft Canada Co. Greg.Milligan@microsoft.com

3 Agenda
- Microsoft Mobile Vision
- Threats
- Windows Mobile 5 Security Features
- Device Management
- Security Recommendations
- Windows Mobile 6 Enhancements
- 3rd Party Security Extensions

4 MSFT Enterprise Mobility Vision (diagram): mobile and traditional devices, managed PCs and unmanaged PCs (home PC, kiosk, etc.) reach corporate services through access control and a firewall. Services shown: team workspaces, e-mail, web and video conferencing, documents and files, calendaring, instant messaging, LOB applications, intranet web applications.

5 Mobile Security Threats
- Physical access to the device itself
- Access to the device user interface
- Access to data at rest
- Access to data in motion
- Access to the corporate network
- Viruses/malware/spyware
- Access to mobile applications

6 Mobile device security threats (diagram): a device connected to CorpNet over WLAN, PAN, infrared, LAN, WWAN or a desktop cradle, exposed to viruses, malware, spyware, unsupported apps and loss/theft.

7 A Layered Approach to Delivering Trustworthy Solutions: Policy, Process, Personnel, Products, Partnerships. Lifecycle: Protect, Detect, Respond, Recover.

8 WM5: Platform Security Features
- Support for industry-standard certificates
- Support for Open Mobile Alliance device management standards *
- AES 256 *, PFX/PKCS#12 API support *
- FIPS 140-2 certification *
- Smartcard Resource Manager *
- Support for network authentication standards: NTLM v1 & v2, Kerberos, SSL/TLS client authentication, 802.1X user authentication using PEAP and EAP-TLS, WPA
* New for Windows Mobile 5.0

9 WM5: Local Security Features
- Security configuration management
- Critical updating: Image Update *
- Peer-to-peer connections (IR/Bluetooth): require user interaction to accept data; can be programmatically disabled
- Pluggable, programmable device lock *: exponential back-off mitigates brute-force attacks; can be activated via code at any time; can include biometrics, smartcard, etc.
* New for Windows Mobile 5.0

10 WM5: Development Security Features
- Data Protection APIs: all-purpose encryption APIs, used for LOB application data encryption (databases, application passwords, etc.)
- Credential Manager: built-in encryption of credentials and private keys cached on the local device; reads/writes credentials keyed by user, target server and credential type; can be configured to force user verification before cached credentials are used

11 Remotely manage and enforce select corporate IT policies
Highlights:
- IT policies are separated into "Mandatory" and "Recommended"
- Users can be separated with an exception list; certain users can be exempt
- Using a PolicyKey, the Exchange admin can check whether the client device has the latest policy settings and, if necessary, mandate that the device download the new policy and settings
- If a device does not comply with mandatory IT policies, it can no longer sync
- The Exchange admin can also mandate that the device refresh its policies every X hours
Policy examples:
- Remotely require a device PIN/password on every device
- Set the strength and length of the PIN/password
- Set the device inactivity time before the user must re-enter the PIN/password
- Set the interval at which a device refreshes policy
- Require the device to authenticate to Exchange Server using certificates

12 Remotely manage and enforce select corporate IT policies: Screenshots

13 Help Protect Against Unauthorized Entry to the Device
Local data wipe:
- The device automatically resets local memory to a clean state after X unsuccessful PIN/password entries
- Does not erase external memory such as an SD card
- Local data wipe is an IT policy that can be set from the Exchange Server console
- A "firebreak" mechanism protects against accidental reset: the user must type a special keyword before password entry can continue
Device timeout:
- The device automatically locks itself after X minutes of inactivity; the user has to enter the PIN/password to use the device again
- Device timeout is an IT policy that can be set from the Exchange Server console
- The locked device can still make emergency calls
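The device lock on slide 9 and the local wipe, firebreak and timeout on slide 13 are one small state machine. The following is an added illustration of that machine, not Microsoft code and not taken from the slides: it shows why exponential back-off makes an on-device brute force slow, that the firebreak interrupts the attempt sequence half-way, and that the wipe clears internal memory but not the storage card. The attempt limit of 8, the 15-minute timeout, the doubling back-off schedule, the keyword "confirm" and the sample data are constructed assumptions; real devices use their own policy values and keyword.

```python
"""Model of the Windows Mobile device lock described on slides 9 and 13:
exponential back-off between failed PIN entries, a 'firebreak' keyword at
the half-way point, local wipe of internal memory after the configured
number of failures, and an inactivity timeout. Added illustration, not
Microsoft code. The back-off schedule, the keyword, the limits and the
sample data are constructed assumptions."""

MAX_FAILED = 8              # assumption: policy "X unsuccessful PIN entries"
INACTIVITY_MIN = 15         # assumption: policy "X minutes of inactivity"
FIREBREAK_WORD = "confirm"  # assumption: the keyword the user must type


class DeviceLock:
    def __init__(self, pin, max_failed=MAX_FAILED, inactivity_min=INACTIVITY_MIN,
                 firebreak_word=FIREBREAK_WORD):
        self._pin = pin
        self.max_failed = max_failed
        self.inactivity_min = inactivity_min
        self.firebreak_word = firebreak_word
        self.failed = 0
        self.locked = True
        self.firebreak_pending = False
        self.unlock_allowed_at = 0.0   # attempts before this clock time are refused
        self.last_activity = 0.0
        self.internal = {"mail": ["msg1"], "contacts": ["alice"]}  # constructed
        self.sd_card = {"photos": ["img1"]}                       # never wiped locally
        self.wiped = False

    @staticmethod
    def backoff_seconds(failed):
        """Delay imposed after the n-th failure: none for the first, then doubling."""
        return 0 if failed < 2 else 2 ** (failed - 2)     # 0, 1, 2, 4, 8, ...

    def enter_pin(self, pin, now):
        if self.wiped:
            return "WIPED"
        if not self.locked:
            return "ALREADY_UNLOCKED"
        if now < self.unlock_allowed_at:
            return "BACKOFF"            # UI refuses input until back-off expires
        if self.firebreak_pending:
            return "FIREBREAK"          # keyword required before more PIN entries
        if pin == self._pin:
            self.failed, self.locked, self.last_activity = 0, False, now
            return "UNLOCKED"
        self.failed += 1
        if self.failed >= self.max_failed:
            self.local_wipe()
            return "WIPED"
        if self.failed == self.max_failed // 2:
            self.firebreak_pending = True   # guards against an accidental wipe
        self.unlock_allowed_at = now + self.backoff_seconds(self.failed)
        return "WRONG"

    def enter_firebreak(self, word):
        if self.firebreak_pending and word == self.firebreak_word:
            self.firebreak_pending = False
            return True
        return False

    def check_timeout(self, now):
        """Lock the device after inactivity_min minutes without activity."""
        if not self.locked and now - self.last_activity >= self.inactivity_min * 60:
            self.locked = True
        return self.locked

    def local_wipe(self):
        """Reset internal memory to a clean state; external storage is untouched."""
        self.internal.clear()
        self.wiped = True
        self.locked = True

    @staticmethod
    def emergency_call_allowed():
        return True                     # the lock never blocks emergency calls


def brute_force(lock, guesses):
    """Attacker tries guesses in order, waiting out each back-off and typing the
    firebreak keyword when prompted (worst case: they know it).
    Returns (outcome, seconds of wall-clock time consumed by the back-off)."""
    now = 0.0
    for guess in guesses:
        while True:
            result = lock.enter_pin(guess, now)
            if result == "BACKOFF":
                now = lock.unlock_allowed_at
            elif result == "FIREBREAK":
                lock.enter_firebreak(lock.firebreak_word)
            else:
                break
        if result in ("UNLOCKED", "WIPED"):
            return result, now
    return "EXHAUSTED", now


if __name__ == "__main__":
    print(brute_force(DeviceLock("1234"), ["0000"] * 8))
```

With these constructed values eight wrong guesses cost 63 seconds of enforced waiting before the wipe; the real point is that a four-digit PIN with 10,000 candidates cannot be exhausted on the device itself, which is what pushes an attacker toward the storage card and is why slide 29's storage card encryption matters.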

14 Help Protect Unauthorized Entry to Device: Screenshots

15 Help Protect Device Data if the Device is Lost: Remote Wipe
- The Exchange Server 2003 console can erase all on-device data over the air and reset the device to a clean state
- Remote wipe applies only to data stored in internal memory, not to external storage such as SD cards
- Remote wipe only takes effect once the lost device attempts to sync with the network; a device kept offline never receives the order, which is why the local PIN and local wipe policies still matter:
  1. Admin sends a remote erase order for a specific device
  2. Server sends the erase order the next time the device connects to Exchange
  3. Device acknowledges that the command was received
  4. Device wipes its data upon receiving the command
- Easy to manage: administration through a website; the Exchange admin can delegate access to the helpdesk; a transaction log records history
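The PolicyKey check on slide 11 and the remote-wipe sequence on slide 15 are two halves of one exchange between the server and the device, so one model covers both. The following is an added illustration, not Microsoft code and not the real ActiveSync wire protocol (which carries WBXML over HTTPS and sends the key in an X-MS-PolicyKey header): it keeps server-side state per device, refuses sync to a device whose key is stale or whose PIN cannot satisfy a mandatory policy, honours the exception list, and delivers a queued wipe on the next sync with an acknowledgement written to the transaction log. Status strings, user and device names and the mailbox contents are constructed.

```python
"""Model of the Exchange ActiveSync policy enforcement (slide 11) and remote
wipe (slide 15) flows. Added illustration, not Microsoft code and not the
real wire protocol; status strings, user and device names and the sample
mailbox contents are constructed."""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class Policy:
    version: int
    require_pin: bool = True
    min_pin_length: int = 4
    inactivity_lock_min: int = 15      # minutes before the PIN is asked again
    max_failed_attempts: int = 8       # local wipe threshold pushed to the device


@dataclass
class DeviceRecord:
    user: str
    policy_key: Optional[str] = None   # key the device last acknowledged
    wipe_pending: bool = False
    log: list = field(default_factory=list)   # transaction log for history


class ExchangeServer:
    def __init__(self, policy):
        self.set_policy(policy)
        self.exempt_users = set()      # exception list: users not forced to comply
        self.devices = {}

    def set_policy(self, policy):
        """A policy change issues a fresh PolicyKey, so every device must re-provision."""
        self.policy = policy
        self.current_key = f"v{policy.version}-{secrets.token_hex(4)}"

    def request_wipe(self, device_id, admin):
        rec = self.devices.setdefault(device_id, DeviceRecord(user=""))
        rec.wipe_pending = True
        rec.log.append(f"{admin}: remote wipe requested")

    def sync(self, device_id, user, presented_key):
        rec = self.devices.setdefault(device_id, DeviceRecord(user=user))
        if rec.wipe_pending:           # the erase order takes precedence
            rec.log.append("wipe command sent")
            return "WIPE", None
        if user in self.exempt_users or presented_key == self.current_key:
            return "OK", None
        return "PROVISION_REQUIRED", self.policy   # missing or stale PolicyKey

    def ack_policy(self, device_id, applied):
        rec = self.devices[device_id]
        if not applied:
            rec.log.append("device cannot meet mandatory policy; sync refused")
            return None
        rec.policy_key = self.current_key
        rec.log.append(f"policy v{self.policy.version} acknowledged")
        return self.current_key

    def ack_wipe(self, device_id):
        rec = self.devices[device_id]
        rec.wipe_pending = False
        rec.log.append("device acknowledged wipe")


class MobileDevice:
    def __init__(self, device_id, user, pin_length):
        self.device_id, self.user = device_id, user
        self.pin_length = pin_length   # a real device would prompt the user to set one
        self.policy_key = None
        self.internal = {"inbox": ["mail1", "mail2"], "contacts": ["bob"]}
        self.sd_card = {"docs": ["report.doc"]}   # remote wipe does not reach it

    def can_apply(self, policy):
        return (not policy.require_pin) or self.pin_length >= policy.min_pin_length

    def sync(self, server):
        status, payload = server.sync(self.device_id, self.user, self.policy_key)
        if status == "WIPE":
            server.ack_wipe(self.device_id)   # acknowledge first, then erase
            self.internal.clear()
            return "WIPED"
        if status == "PROVISION_REQUIRED":
            key = server.ack_policy(self.device_id, self.can_apply(payload))
            if key is None:
                return "BLOCKED"          # non-compliant devices no longer sync
            self.policy_key = key
            status, _ = server.sync(self.device_id, self.user, self.policy_key)
        return status
```

Two details are worth noticing when reading the trace: tightening the policy (a longer PIN) silently cuts off every device that cannot meet it until the user fixes the PIN, so the exception list is the only relief valve; and the wipe is acknowledged before the erase, so the transaction log records that the device received the order even if the erase itself is interrupted.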

16 Increase Access Security to Exchange Server Using Certificate-Based Authentication
- Certificate-based authentication has been a big ask from top security-conscious customers
- Users can now access Exchange using PKI software certificates instead of corporate login credentials
- If a user loses the device to an unauthorized party, that party does not obtain the user's corporate credentials and cannot use them to reach the corporate LAN
- The certificate only authenticates the device to Exchange, so it limits what the holder can do on the corporate network compared with a reusable password
- When the certificate expires the user needs to cradle the device again to enrol a new one; the user gets an alert 14 days before expiration

17 Certificate-Based Authentication: Screenshots (using certificate authentication; using basic authentication)

18 SMS 2003 Device Management Feature Pack
- Add-on to SMS 2003
- Features include: discovery/identification; hardware inventory; software inventory and file collection; software distribution; script execution

19 Asset Management: Hardware Inventory
- Information collected: device name, hardware ID, device model, power (battery status), display resolution, file system, memory, network, operating system
- Generate reports on any hardware characteristic
- Can be extended to capture other hardware inventory information

20

21 Asset Management: Software Inventory and File Collection
- Information collected: presence of files, file details, last software scan, product details
- Specify directories and wildcard file extensions to list files or applications in the file system
- Permits collection of log/data files
- Generate reports on any software or file

22 Software Inventory

23 Configuration Management: Device Settings
- SMS provides an integrated experience to configure and deploy settings
- Examples of configurable settings: network (GPRS, PPP, VPN); security (certificates); registry entries; applications; ActiveSync & Exchange e-mail; Internet e-mail; proxy; browser favorites

24 Configuration Management: Password Policy
- Centralized control of device password policy
- Configure a mandatory numeric or strong password
- Force password setting prior to use
- A power-off timeout may be defined
- An administrator-defined "lockout" strong password applies after a certain number of failed device entry attempts
Implementation:
- The password applet is contained in a separate install from the core SMS client
- Password policy is configured and deployed as part of settings

25 Application Deployment
- Deploy applications or execute scripts
- Rich administrator control: target specific groups of devices based on inventory; specify whether an application is mandatory; schedule deployment time and configure recurrence; configure "anytime" / "only when docked" / "only over a fast network"
- Sophisticated deployment: simple download-and-execute command-line model; checkpoint restart for downloads
- Generate reports on deployment status: download started, program execution start and finish

26 Windows Mobile Application Level Security Features (per security level: execution security, then device management security)
- Security OFF: no security checks at all; executables from any source install and run with maximum access to the device. Device management: configuration files from all sources execute with maximum privileges.
- Prompt: the user is prompted when the source is unknown or anonymous and has visibility into install and execution when the source is not known. Device management: the user must OK changes from unknown sources.
- 3rd Party Signed: third-party vendors identified through the Mobile2Market (M2M) program are allowed access; an app must be M2M-signed to run on the device. Device management: M2M-signed app vendors are required not to make configuration changes that impact security.
- Locked: only the OEM and operator, or their licensed vendors, are allowed access; third-party apps cannot run or install. Device management: only the operator can change configuration.

27 Mobile security threats and the Windows Mobile solution
- Physical access to the device itself: policy-enforced password*; remote & local wipe*
- Access to the device user interface: policy-enforced password; remote & local wipe
- Access to data at rest (stored on device): policy-enforced password; remote & local wipe; S/MIME e-mail support*
- Access to data in motion (network): encrypted e-mail sync; Virtual Private Network client; secure WLAN access
- Access to the corporate network: certificate-based sync*; secure WLAN access
- Access to mobile applications: policy-enforced password; remote & local wipe; application installation & execution security model; programmatic device lock access*
- Viruses/malware/spyware: rich platform support for 3rd party antivirus and firewall products
* New for Windows Mobile 5.0 with MSFP (Messaging and Security Feature Pack)

28 Pocket PC Security Recommendations
- Risk assessment is key: evaluate whether the organisation's standards for laptop computers apply
- Passwords: activate the power-on password; where no power-on password is set, prohibit storing the corporate network password on the device
- Anti-virus: consider anti-virus software that runs locally on the mobile device
- Flash-able ROM: consider placing systems management, security and virus protection applications in flash ROM
- Encryption: encrypt sensitive information on the device and on external storage cards; use end-to-end network encryption over a virtual private network (VPN) connection; use 802.1X authentication/encryption over 802.11b WLANs

29 Windows Mobile 6 Security Enhancements
- Storage card security: storage card encryption; storage card wipe (Exchange 2007)
- Generating a personal certificate: new desktop and device certificate enrollment tools; PFX import
- Crypto/certificate services: root certificate add for users; AES 128 and 256 implementation for SSL and DPAPI; wildcard certificate support; S/MIME configuration improvements
- Built-in Rights Management support for messaging and Office documents

30 Windows Mobile Update
- The Windows Update client ships on every Windows Mobile device but is turned off by default; users have the option to enable it
- WMU is used to distribute critical security fixes only
- WMU enables rapid distribution of fixes in response to urgent security issues
- WMU is available on Windows Mobile 6 based devices

31 Microsoft 3rd Party Solution Providers
- Signature authentication: Certicom Corporation; Communication Intelligence Corporation; TSI/Crypto-Sign; VASCO
- Enhanced password protection: Hewlett-Packard
- Pictograph authentication: Pointsec Mobile Technologies
- Fingerprint authentication: Biocentric Solutions Inc.; HP iPAQ 5400
- Card-based authentication: RSA Security; Schlumberger Sema
- Certificate authentication on a storage card: JGUI Software
- Storage encryption: F-Secure; Pointsec Mobile Technologies; Trust Digital LLC
- Encrypt application data: Certicom Corporation; Glück & Kanja Group; Ntrū Cryptosystems, Inc.
- Virtual private networking: Certicom Corporation; Check Point Software Technologies Ltd.; Columbitech; Entrust, Inc.; Epiphan Consulting Inc.
- Disable applications: Trust Digital LLC
- Device wipe: Asynchrony.com
- Public Key Infrastructure (PKI): Certicom Corporation; Diversinet Corp.; Dreamsecurity Co., Ltd.; Glück & Kanja Group
- Thin client technology: Citrix; FinTech Solutions Ltd.

32 References
- Windows Mobile site: http://www.microsoft.com/windowsmobile
- Software Developer's Kit: /mobility/thekit/
- Windows Mobile Enterprise White Papers: business/whitepapers/default.mspx
- Third Party Software Solutions for IT Pros: /providers/mpdsearch.aspx
- Windows CE 5.0 on MSDN: http://msdn.microsoft.com/library/en-us/wceintro5/html/wce50oriWelcomeToWindowsCE.asp


