MOAC 70-687 L20 Mobile Security


  • 8/10/2019 MOAC 70-687 L20 Mobile Security

    Lesson 20: Configuring Security for Mobile Devices
    MOAC 70-687: Configuring Windows 8

    Securing Your Mobile Devices

    Lesson 20: Configuring Security for Mobile Devices

    2013 John Wiley & Sons, Inc.

    Configuring BitLocker

    Although Windows 7 required you to configure BitLocker after the operating system was installed, Windows 8 supports the ability to enable BitLocker before you deploy the operating system.

    It also introduces two new options for encrypting your disk:

    o Encrypt used disk space only
    o Encrypt the entire drive

    Configuring BitLocker (cont.)

    In Windows 8, you must be a member of the Administrators group to configure BitLocker.

    Non-administrative users can change the BitLocker Personal Identification Number (PIN) or password for the operating system and fixed data volumes by default.

    The PIN is any 4 to 20 digit number you choose that is stored on your computer and must be entered each time you start the system.

    BitLocker Startup Key

    The first time you enable BitLocker on a drive, you create a startup key.

    The startup key is used to encrypt/decrypt the drive. It can be stored on a USB drive or on a TPM chip.

    An alternative to the startup key is to use a PIN.

    BitLocker Recovery Key

    You need a recovery key to gain access to the drive if:
    o You lose the startup key.
    o You move the drive to another system.
    o The system is compromised.

    The recovery key is a 48-digit number that can be stored on a USB drive, in a folder on another drive, or be printed out.

    Enabling BitLocker on Operating System Drives

    Selecting the Require additional authentication at startup Group Policy setting

    Configuring BitLocker to run a startup key and a startup PIN

    Turn on BitLocker and Encrypt the Operating System Drive

    Reviewing the BitLocker Drive Encryption control panel

    Confirming Run BitLocker system check is enabled

    Reviewing the status of the encryption process

    Confirming the drive has been encrypted and reviewing additional options

    Configuring BitLocker To Go

    BitLocker To Go is BitLocker Drive Encryption on removable data drives. Once encrypted, you need to use a password or a smart card with PIN to unlock the drive.

    To use BitLocker To Go, insert the removable drive and open the BitLocker Drive Encryption control panel application.

    Reviewing removable data drives

    Controlling BitLocker To Go Behavior

    To control BitLocker To Go behavior for Windows 8 computers in a domain:

    o Use the Group Policy Management console to create a policy.
    o Link it to the appropriate organizational unit (OU) in the Active Directory domain.
    o Edit the Removable Data Drives section of the policy.

    Reviewing the BitLocker removable data drives Group Policy settings

    Controlling BitLocker To Go Behavior (cont.)

    Policy settings:
    o Control use of BitLocker on removable drives
    o Configure use of smart cards on removable data drives
    o Deny write access to removable drives not protected by BitLocker
    o Configure use of hardware-based encryption for removable data drives
    o Enforce drive encryption type on removable data drives
    o Allow access to BitLocker-protected removable data drives from earlier versions of Windows
    o Configure use of passwords for removable data drives
    o Choose how BitLocker-protected removable drives can be recovered
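To check a Windows 8 client against the BitLocker expectations described in this lesson (a PIN or startup key on the operating system drive, a 48-digit recovery password to fall back on, and no removable drives left outside BitLocker To Go), here is an added PowerShell audit that is not part of the MOAC course material. It assumes the BitLocker and Storage modules that ship with Windows 8 and an elevated session; the severity labels are this example's own.

```powershell
# Added example (not from the MOAC slides). Requires the BitLocker and Storage
# PowerShell modules (Windows 8 / Server 2012 and later) and an elevated session.
Import-Module BitLocker

function Test-BitLockerPosture {
    $findings = @()
    # Pre-boot protector types that require more than the TPM alone (PIN or startup key).
    $preBootTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey'

    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeType -ne 'OperatingSystem') { continue }
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $mp = $vol.MountPoint

        if ($vol.ProtectionStatus -ne 'On') {
            $findings += [pscustomobject]@{ Drive = $mp; Severity = 'High'; Issue = 'OS drive is not protected by BitLocker' }
        }
        if (-not ($types | Where-Object { $_ -in $preBootTypes })) {
            $findings += [pscustomobject]@{ Drive = $mp; Severity = 'Medium'; Issue = 'No PIN or startup key protector (TPM-only unlock)' }
        }
        # The 48-digit recovery password is what you fall back on when the startup key is lost.
        if ('RecoveryPassword' -notin $types) {
            $findings += [pscustomobject]@{ Drive = $mp; Severity = 'High'; Issue = 'No 48-digit recovery password protector' }
        }
    }

    # Removable drives: the same condition the "Deny write access to removable drives
    # not protected by BitLocker" policy enforces, reported here instead of blocked.
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    foreach ($v in $removable) {
        $mp = "$($v.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        if (-not $bl -or $bl.ProtectionStatus -ne 'On') {
            $findings += [pscustomobject]@{ Drive = $mp; Severity = 'Medium'; Issue = 'Removable drive is not protected by BitLocker To Go' }
        }
    }
    return $findings
}

$report = Test-BitLockerPosture
if ($report) { $report | Format-Table -AutoSize } else { 'No BitLocker findings.' }
```

A finding of "No 48-digit recovery password protector" can be closed with Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector, after which the recovery password should be stored where the lesson suggests (USB drive, another volume, or printed) rather than only on the protected machine.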

    Using Data Recovery Agents

    Data Recovery Agent (DRA)

    A DRA is a user account that an administrator has authorized to recover BitLocker drives for an entire organization with a digital certificate on a smart card.

    To designate a specific user as a DRA, he or she needs to have a personal encryption certificate.

    You can generate this certificate by using the Certificate Manager (certmgr.msc) console on the Windows 8 client device.

    Active Directory Certificate Services (ADCS)

    To generate a certificate, you first need to have the ADCS role installed on a server in your domain.

    ADCS provides the certificate infrastructure and is used to create certification authorities that issue and manage certificates.

    Configure the Unique Company Identifier

    Providing unique identifiers for your organization

    Configuring Remote Wipe

    Mobile Devices and Remote Wipe

    There are two things you should prepare for when working with mobile devices:

    o The device will contain data that is considered sensitive at some point.
    o The device might eventually be lost or stolen.

    Mobile Devices and Remote Wipe (cont.)

    Windows 8 devices support a feature called remote wipe.

    When you remote wipe a device, you are issuing a remote wipe command from a central location to reset the device back to its factory default settings.

    Exchange Server and Windows Intune both provide remote wipe features.

    Exchange Server 2013

    Exchange Server 2013 provides access to the feature through the Exchange Admin Center (EAC) using Exchange ActiveSync.

    Exchange ActiveSync is a protocol that is designed to not only synchronize email, contacts, calendars, and tasks but also to provide the ability to perform mobile device management.
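The same Exchange ActiveSync device management, seen from the Exchange 2013 Management Shell rather than the EAC, as an added example that is not part of the MOAC deck: it lists a user's ActiveSync partnerships, flags devices that have not synchronized recently (a lost or stolen device usually shows up this way first), and shows where a wipe request is tracked. The mailbox name, the 30-day threshold, and the notification address are assumed values.

```powershell
# Added example (not from the MOAC slides). Run in the Exchange 2013 Management Shell
# with a role that includes the mobile device management cmdlets.
function Get-StaleEasDevice {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [int]$MaxDaysSinceSync = 30   # assumed threshold for "stale"
    )
    $cutoff = (Get-Date).AddDays(-$MaxDaysSinceSync)
    foreach ($dev in Get-MobileDevice -Mailbox $Mailbox) {
        # Statistics carry the last sync time and the wipe request/acknowledgement timestamps.
        $stats = Get-MobileDeviceStatistics -Identity $dev.Identity
        [pscustomobject]@{
            Mailbox         = $Mailbox
            Identity        = $dev.Identity
            Device          = $dev.FriendlyName
            DeviceId        = $dev.DeviceId
            LastSuccessSync = $stats.LastSuccessSync
            Stale           = ($null -eq $stats.LastSuccessSync) -or ($stats.LastSuccessSync -lt $cutoff)
            WipeRequested   = $stats.DeviceWipeRequestTime
            WipeAcked       = $stats.DeviceWipeAckTime
        }
    }
}

# Review stale partnerships for a user (assumed mailbox 'jsmith') before deciding on a wipe.
Get-StaleEasDevice -Mailbox 'jsmith' | Where-Object Stale | Format-Table -AutoSize

# Issue the remote wipe for one device; -WhatIf shows the action without sending it.
# Replace <DeviceIdentity> with an Identity value reported above.
# Clear-MobileDevice -Identity '<DeviceIdentity>' -NotificationEmailAddresses 'helpdesk@example.com' -WhatIf
```

A wipe is only applied when the device next connects, so WipeAcked staying empty after WipeRequested is set means the device has not checked in since the request.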

    Using Windows Intune to Perform Remote Wipes

    Windows Intune, Microsoft's cloud-based management solution, allows you to work through Exchange ActiveSync or directly through Windows Intune to manage your mobile devices and perform a remote wipe.

    This can be accomplished directly through the Windows Intune administrator console or by allowing users to wipe their own device through their Windows Intune company portal.

    Managing Location Settings

    Using Windows Location Provider (WLP)

    The WLP is responsible for generating the geographic data that tells the app the geographic location of your computer/device.

    It accomplishes this by using Wi-Fi triangulation or IP address resolution.

    As an administrator, you can disable access to the location settings for all users through the Control Panel, Local Group Policy (gpedit.msc), or by using the Group Policy Management console (gpmc.msc).

    Using Personally Identifiable Information (PII)

    Personally Identifiable Information (PII):

    o Is information that can be used to uniquely identify, contact, or locate you.
    o Has been a major focus of lawmakers in the U.S. and other countries.

    Provide PII Consent from within a Windows App

    Enabling the Windows Location setting from within the Weather app