MOAC 70-687 L20 Mobile Security
8/10/2019 MOAC 70-687 L20 Mobile Security
Lesson 20: Configuring Security for Mobile Devices
MOAC 70-687: Configuring Windows 8

Securing Your Mobile Devices
Lesson 20: Configuring Security for Mobile Devices
2013 John Wiley & Sons, Inc.

Configuring BitLocker
Although Windows 7 required you to configure BitLocker after the operating system was installed, Windows 8 supports the ability to enable BitLocker before you deploy the operating system.
It also introduces two new options for encrypting your disk:
o Encrypt used disk space only
o Encrypt the entire drive

Configuring BitLocker
In Windows 8, you must be a member of the Administrators group to configure BitLocker.
Non-administrative users can change the BitLocker Personal Identification Number (PIN) or password for the operating system and fixed data volumes by default.
The PIN is any 4-20 digit number you choose that is stored on your computer and must be entered each time you start the system.

BitLocker Startup Key
The first time you enable BitLocker on a drive, you create a startup key.
The startup key is used to encrypt/decrypt the drive. It can be stored on a USB drive or on a TPM chip.
An alternative to the startup key is to use a PIN.

BitLocker Recovery Key
If you lose the startup key:
o Move the drive to another system.
o If the system is compromised, use a recovery key to gain access to the drive.
The recovery key is a 48-digit number that can be stored on a USB drive, a folder on another drive, or be printed out.

Enabling BitLocker on Operating System Drives
Selecting the Require additional authentication at startup Group Policy setting

Enabling BitLocker on Operating System Drives
Configuring BitLocker to use a startup key and a startup PIN

Turn on BitLocker and Encrypt the Operating System Drive
Reviewing the BitLocker Drive Encryption control panel

Turn on BitLocker and Encrypt the Operating System Drive
Confirming Run BitLocker system check is enabled

Turn on BitLocker and Encrypt the Operating System Drive
Reviewing the status of the encryption process

Turn on BitLocker and Encrypt the Operating System Drive
Confirming the drive has been encrypted and reviewing additional options
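The operating system drive procedure from the preceding slides (encrypt used disk space only, TPM with a 4-20 digit startup PIN, a 48-digit recovery password, then reviewing the encryption status), scripted with the Windows BitLocker PowerShell module. This is an added example and not code from the MOAC lesson; it assumes an elevated session on Windows 8 or later with a ready TPM, that the Require additional authentication at startup Group Policy setting permits a TPM PIN, and the drive letter and PIN in the usage lines are assumed values.

```powershell
# Added example, not from the MOAC lesson. Assumes: elevated session, Windows 8 or later with the
# BitLocker module, a ready TPM, and Group Policy allowing "TPM + PIN" at startup. The drive letter
# and PIN in the usage lines are assumed values.
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

function Test-BitLockerPin {
    # The lesson states the startup PIN is a 4-20 digit number; check that before calling BitLocker.
    param([Parameter(Mandatory)][string]$Pin)
    return ($Pin -match '^\d{4,20}$')
}

function Enable-OsDriveBitLocker {
    param(
        [string]$MountPoint = 'C:',                 # assumed operating system drive
        [Parameter(Mandatory)][string]$Pin,
        [switch]$BackupToAD                         # needs the "Store BitLocker recovery information in AD DS" policy
    )
    if (-not (Test-BitLockerPin $Pin)) { throw 'The startup PIN must be 4 to 20 digits.' }

    # TPM + PIN protection needs an initialised TPM; fail early and clearly if it is missing.
    $tpm = Get-Tpm
    if (-not $tpm.TpmReady) { throw 'The TPM is not ready; initialise it before enabling BitLocker.' }

    $securePin = ConvertTo-SecureString -String $Pin -AsPlainText -Force

    # "Encrypt used disk space only" is the -UsedSpaceOnly option; omit it to encrypt the entire drive.
    # Without -SkipHardwareTest, BitLocker runs the system check and starts encrypting after a restart.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -UsedSpaceOnly `
        -TpmAndPinProtector -Pin $securePin | Out-Null

    # Add the 48-digit recovery password so a lost PIN or startup key does not mean a lost drive.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1

    if ($BackupToAD) {
        # Escrow the recovery password on the computer object in Active Directory.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    }
    # Return the recovery password; print it or save it to a USB drive/file and store it securely.
    return $rp.RecoveryPassword
}

function Get-OsDriveBitLockerStatus {
    # Mirrors the control panel step of reviewing the status of the encryption process.
    param([string]$MountPoint = 'C:')
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    return [pscustomobject]@{
        Drive            = $v.MountPoint
        VolumeStatus     = $v.VolumeStatus          # EncryptionInProgress, FullyEncrypted, ...
        ProtectionStatus = $v.ProtectionStatus      # On only once encryption finishes and protectors are active
        PercentEncrypted = $v.EncryptionPercentage
        Protectors       = ($v.KeyProtector.KeyProtectorType -join ', ')
    }
}

# Usage with assumed values; keep the returned recovery password off the encrypted machine.
# $recoveryPassword = Enable-OsDriveBitLocker -MountPoint 'C:' -Pin '20130807' -BackupToAD
# Get-OsDriveBitLockerStatus -MountPoint 'C:'
```

The recovery password is returned rather than written to the local disk on purpose: the lesson's recovery options (USB drive, a folder on another drive, a printout, or the AD escrow enabled with -BackupToAD) all keep it away from the volume it unlocks.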

Configuring BitLocker To Go
BitLocker To Go is BitLocker Drive Encryption on removable data drives. Once encrypted, you need to use a password or a smart card with PIN to unlock the drive.
To use BitLocker To Go, insert the removable drive and open the BitLocker Drive Encryption control panel application.

Configuring BitLocker To Go
Reviewing removable data drives

Controlling BitLocker To Go Behavior
To control BitLocker To Go behavior for Windows 8 computers in a domain:
o Use the Group Policy Management console to create a policy.
o Link it to the appropriate organizational unit (OU) in the Active Directory domain.
o Edit the Removable Data Drives section of the policy.

Controlling BitLocker To Go Behavior
Reviewing the BitLocker removable data drives Group Policy settings

Controlling BitLocker To Go Behavior
Policy settings:
o Control use of BitLocker on removable drives
o Configure use of smart cards on removable data drives
o Deny write access to removable drives not protected by BitLocker
o Configure use of hardware-based encryption for removable data drives
o Enforce drive encryption type on removable data drives
o Allow access to BitLocker-protected removable data drives from earlier versions of Windows
o Configure use of passwords for removable data drives
o Choose how BitLocker-protected removable drives can be recovered
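The BitLocker To Go configuration from the Configuring BitLocker To Go slides and the removable-drive policy list above, as an added example that is not part of the MOAC lesson: it password-protects a removable drive, adds a recovery password, and audits every removable volume against the Deny write access to removable drives not protected by BitLocker policy. It assumes an elevated session on Windows 8 or later with the BitLocker and Storage modules; the registry path and value name are the ones that policy writes, and the drive letter in the usage lines is an assumed value.

```powershell
# Added example, not from the MOAC lesson. Assumes an elevated session on Windows 8 or later with the
# BitLocker and Storage modules; the drive letter in the usage lines is assumed. The registry path and
# value name are those the "Deny write access to removable drives not protected by BitLocker" policy
# writes when it is enabled.
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Enable-BitLockerToGo {
    # Encrypt a removable data drive with a password protector and add a recovery password.
    param(
        [Parameter(Mandatory)][string]$MountPoint,           # e.g. 'E:' (assumed)
        [Parameter(Mandatory)][securestring]$Password
    )
    $letter = $MountPoint.TrimEnd(':')
    $drive  = Get-Volume -DriveLetter $letter
    if ($drive.DriveType -ne 'Removable') { throw "$MountPoint is not a removable drive." }

    # Password unlock is the BitLocker To Go default; -UsedSpaceOnly finishes quickly on a fresh drive.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -UsedSpaceOnly `
        -PasswordProtector -Password $Password | Out-Null

    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    return $rp.RecoveryPassword     # record it through the recovery method your policy chooses
}

function Test-RemovableWriteDenied {
    # True when policy blocks writes to removable drives that BitLocker does not protect.
    $p = Get-ItemProperty -Path $FvePolicyKey -Name 'RDVDenyWriteAccess' -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.RDVDenyWriteAccess -eq 1)
}

function Get-RemovableDriveAudit {
    # One row per lettered removable volume: its BitLocker state and whether policy would block writes.
    $denyWrite = Test-RemovableWriteDenied
    foreach ($v in Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }) {
        $mp = "$($v.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        $protected  = ($null -ne $bl -and $bl.ProtectionStatus -eq 'On')
        $protectors = if ($null -ne $bl) { $bl.KeyProtector.KeyProtectorType -join ', ' } else { '' }
        [pscustomobject]@{
            Drive         = $mp
            FileSystem    = $v.FileSystem
            Protected     = $protected
            Protectors    = $protectors
            WritesBlocked = ($denyWrite -and -not $protected)
        }
    }
}

# Usage with an assumed drive letter:
# $pw = Read-Host -Prompt 'BitLocker To Go password' -AsSecureString
# Enable-BitLockerToGo -MountPoint 'E:' -Password $pw
# Get-RemovableDriveAudit | Format-Table -AutoSize
```

The audit row's WritesBlocked column is what a user on a policy-managed computer will experience with an unprotected USB drive: read-only access until the drive is encrypted, which is the policy's intent.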

Using Data Recovery Agents
Lesson 20: Configuring Security for Mobile Devices

Data Recovery Agent (DRA)
A DRA is a user account that an administrator has authorized to recover BitLocker drives for an entire organization with a digital certificate on a smart card.
To designate a specific user as a DRA, he or she needs to have a personal encryption certificate.
You can generate this certificate by using the Certificate Manager (certmgr.msc) console on the Windows 8 client device.

Active Directory Certificate Services (ADCS)
To generate a certificate, you first need to have the ADCS role installed on a server in your domain.
ADCS provides the certificate infrastructure and is used to create certification authorities that issue and manage certificates.

Configure the Unique Company Identifier
Providing unique identifiers for your organization

Configuring Remote Wipe
Lesson 20: Configuring Security for Mobile Devices

Mobile Devices and Remote Wipe
There are two things you should prepare for when working with mobile devices:
o The device will contain data that is considered sensitive at some point.
o The device might eventually be lost or stolen.

Mobile Devices and Remote Wipe (cont.)
Windows 8 devices support a feature called remote wipe.
When you remote wipe a device, you are issuing a remote wipe command from a central location to reset the device back to its factory default settings.
Exchange Server and Windows Intune both provide remote wipe features.

Exchange Server 2013
Exchange Server 2013 provides access to the feature through the Exchange Admin Center (EAC) using Exchange ActiveSync.
Exchange ActiveSync is a protocol that is designed to not only synchronize email, contacts, calendars, and tasks but also to provide the ability to perform mobile device management.

Using Windows Intune to Perform Remote Wipes
Windows Intune, Microsoft's cloud-based management solution, allows you to work through Exchange ActiveSync or directly through Windows Intune to manage your mobile devices and perform a remote wipe.
This can be accomplished directly through the Windows Intune administrator console or by allowing users to wipe their own device through their Windows Intune company portal.
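The Exchange ActiveSync remote wipe described on the Exchange Server 2013 slide, driven from the Exchange Management Shell instead of the EAC, as an added example that is not part of the MOAC lesson. It lists a user's device partnerships, queues a wipe for one device identity with a confirmation prompt, reports whether the device has acknowledged it yet, and cancels a wipe that has not been delivered (the lost-device case where the device turns up). It assumes an Exchange Server 2013 Management Shell session with a role that may run the mobile device cmdlets; the mailbox, device identity and notification address in the usage lines are assumed values.

```powershell
# Added example, not from the MOAC lesson. Assumes an Exchange Server 2013 Management Shell session
# with permission to run the mobile device cmdlets; mailbox, device identity and notification
# address in the usage lines are assumed values.

function Get-MobileDeviceWipeState {
    # Request/sent/ack timestamps say whether a wipe is still pending, delivered, or completed.
    param([Parameter(Mandatory)][string]$DeviceIdentity)
    $s = Get-MobileDeviceStatistics -Identity $DeviceIdentity
    $state = if ($s.DeviceWipeAckTime) { 'Acknowledged by device' } elseif ($s.DeviceWipeSentTime) { 'Sent, awaiting acknowledgement' } elseif ($s.DeviceWipeRequestTime) { 'Pending (device has not synced yet)' } else { 'No wipe requested' }
    return [pscustomobject]@{
        Identity  = $DeviceIdentity
        Requested = $s.DeviceWipeRequestTime
        Sent      = $s.DeviceWipeSentTime
        Acked     = $s.DeviceWipeAckTime
        State     = $state
    }
}

function Get-UserMobileDevice {
    # Every ActiveSync partnership for a mailbox, with its last sync attempt and any recorded wipe state.
    param([Parameter(Mandatory)][string]$Mailbox)
    foreach ($d in Get-MobileDevice -Mailbox $Mailbox) {
        $s = Get-MobileDeviceStatistics -Identity $d.Identity
        [pscustomobject]@{
            Identity         = $d.Identity
            DeviceType       = $d.DeviceType
            DeviceModel      = $d.DeviceModel
            LastSyncAttempt  = $s.LastSyncAttemptTime
            WipeRequested    = $s.DeviceWipeRequestTime
            WipeAcknowledged = $s.DeviceWipeAckTime
        }
    }
}

function Invoke-MobileDeviceWipe {
    # Queue a factory-reset wipe for one device; it is delivered the next time the device syncs.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$DeviceIdentity,   # from Get-UserMobileDevice
        [string]$NotifyAddress                           # mailbox that receives the wipe confirmation
    )
    if (-not $PSCmdlet.ShouldProcess($DeviceIdentity, 'Remote wipe to factory default settings')) { return }
    $splat = @{ Identity = $DeviceIdentity; Confirm = $false }
    if ($NotifyAddress) { $splat['NotificationEmailAddresses'] = $NotifyAddress }
    Clear-MobileDevice @splat
    return Get-MobileDeviceWipeState -DeviceIdentity $DeviceIdentity
}

function Stop-MobileDeviceWipe {
    # A wipe the device has not yet acknowledged can be cancelled, e.g. when a lost device is found.
    param([Parameter(Mandatory)][string]$DeviceIdentity)
    Clear-MobileDevice -Identity $DeviceIdentity -Cancel -Confirm:$false
    return Get-MobileDeviceWipeState -DeviceIdentity $DeviceIdentity
}

# Usage with assumed values:
# Get-UserMobileDevice -Mailbox 'jsmith' | Format-Table -AutoSize
# Invoke-MobileDeviceWipe -DeviceIdentity 'jsmith\ExchangeActiveSyncDevices\WindowsPhone§ASSUMEDID' -NotifyAddress 'helpdesk@example.com'
# Get-MobileDeviceWipeState -DeviceIdentity 'jsmith\ExchangeActiveSyncDevices\WindowsPhone§ASSUMEDID'
```

Because the command only takes effect on the device's next sync, a device that is powered off or offline keeps its data until it reconnects; the State column distinguishes that pending case from a delivered and acknowledged wipe, which is the point to record in the incident ticket.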

Managing Location Settings
Lesson 20: Configuring Security for Mobile Devices

Using Windows Location Provider (WLP)
The WLP is responsible for generating the geographic data that tells the app the geographic location of your computer/device.
It accomplishes this by using Wi-Fi triangulation or IP address resolution.
As an administrator, you can disable access to the location settings for all users through the Control Panel, Local Group Policy (gpedit.msc), or by using the Group Policy Management console (gpmc.msc).
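The administrator option described above, disabling location access for all users through Local Group Policy or the Group Policy Management console, as an added example that is not part of the MOAC lesson. It applies the Turn off location policy (Computer Configuration, Administrative Templates, Windows Components, Location and Sensors), whose registry path and value name are used here, either locally or in a domain GPO, and includes a check function for verifying the result on a client. It assumes an elevated session for the local variant, the GroupPolicy module from RSAT for the domain variant, and an existing GPO whose name is an assumed value.

```powershell
# Added example, not from the MOAC lesson. Applies the "Turn off location" policy (Computer
# Configuration > Administrative Templates > Windows Components > Location and Sensors), which
# disables the Windows Location Provider for all users. The registry path/value are those the policy
# writes. Local use needs an elevated session; the GPO variant needs the GroupPolicy module (RSAT) and
# an existing GPO, whose name in the usage lines is an assumed value.

$LocationPolicyPath = 'SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
$LocationValueName  = 'DisableLocation'

function Get-LocationPolicyState {
    # Reports whether the policy value is present and set to 1 on this computer.
    $p = Get-ItemProperty -Path "HKLM:\$LocationPolicyPath" -Name $LocationValueName -ErrorAction SilentlyContinue
    if ($null -ne $p -and $p.$LocationValueName -eq 1) { return 'Location disabled by policy' }
    return 'Location policy not configured'
}

function Disable-LocationLocalPolicy {
    # Same effect as enabling "Turn off location" in Local Group Policy (gpedit.msc).
    $key = "HKLM:\$LocationPolicyPath"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $LocationValueName -PropertyType DWord -Value 1 -Force | Out-Null
    return Get-LocationPolicyState
}

function Disable-LocationDomainPolicy {
    # Same setting in a domain GPO through the Group Policy cmdlets (the gpmc.msc route in the lesson).
    param([Parameter(Mandatory)][string]$GpoName)      # assumed: an existing GPO linked to the target OU
    Import-Module GroupPolicy -ErrorAction Stop
    Set-GPRegistryValue -Name $GpoName -Key "HKLM\$LocationPolicyPath" -ValueName $LocationValueName `
        -Type DWord -Value 1 | Out-Null
    # Read the value back from the GPO so the caller can see exactly what will be delivered to clients.
    return Get-GPRegistryValue -Name $GpoName -Key "HKLM\$LocationPolicyPath" -ValueName $LocationValueName
}

# Usage (domain clients pick the setting up at the next policy refresh; gpupdate /force applies it now):
# Disable-LocationLocalPolicy
# Disable-LocationDomainPolicy -GpoName 'Mobile Device Security'   # assumed GPO name
# Get-LocationPolicyState
```

Get-LocationPolicyState is the client-side check: run it after a policy refresh on a domain-joined Windows 8 machine to confirm the GPO reached it, since the Control Panel location switch alone can be changed back by the user while the policy cannot.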

Using Personally Identifiable Information (PII)
Personally Identifiable Information (PII):
o Is information that can be used to uniquely identify, contact, or locate you.
o Has been a major focus of lawmakers in the U.S. and other countries.

Provide PII Consent from within a Windows App
Enabling the Windows Location setting from within the Weather app