by

Understanding the risks of BYOD and Exchange

Bring Your Own Device (BYOD) is the current trend of literally bringing your own devices to work. This may include a smartphone, tablet or laptop.

Often the mere thought of BYOD can make an enterprise security officer nervous. How nervous? Data breach kind of nervous. Before we join the chorus of security officers and auditors crying out for the ubiquitous deployment of forced mobile management conditional network access, and more, let’s have a closer look at BYOD and Exchange.

Mobile device access to Exchange is not new. Exchange mobile protocols are designed to be secure out of the box, yet many of us have lived through the frustration of educating a customer about the self-signed certificates used to bootstrap an Exchange deployment. In fact, Exchange 2007 is known for being the version of Exchange that caused vast slews of ITPro’s to learn about various types of certificates, and the order of the names appearing on them. Point in case, Exchange mobile protocols are secured by design.

Moving on from the protocol stack and onto the physical access method. We’re not going to spend a lot of time on this point, except to point out, that BYOD tend to use wireless access methods of varying degrees of security. If this layer of physical security is breached, then the attacker is still required to break the encrypted protocol tunnel between the device and Exchange. This is no different to monitoring traffic on a physical Ethernet switch, the result is still encrypted garbage.

Our next point of examination is storage. If the BYOD device is a laptop, the data store tends to be the offline cache file created by Outlook, i.e the OST file. This file is encrypted and useless without the user authenticating onto the device using the correct mail profile. Other devices, including tablets and mobile phones implementing the Active Sync protocol implement similar storage mechanisms, secured by the user authenticating onto the device such as a Pin Lock and then the email account in question.

Exchange 2010 Features a number of remote management tools, including the ability to wipe devices remotely, however remote wipe is just the tip of the management iceberg.

Active sync management policies and the built-in management features allow an organization to structure mobile security granularly, such that different users receive different security policies.

Mobile device management tools augment the security which we’ve discussed so far, by adding a layer of auditability, remote management, tracking and wiping amongst other features, which can help mitigate the risk of data loss, if the device is lost or stolen and the users passwords (device and Exchange) are known.

I’d like to argue that BYOD is often no less secure than the average corporate laptop, due to the security features built into Exchange  and the devices themselves. Exchange is designed to be implemented securely, and features mobile management features in the platform. While those features may not be enough to fill every compliance or security requirement under the sun, they are a massive part of ensuring that BYOD security fears, may be overrated.

by

Demazter’s Migration Tip #3 – Preparing for Live Migration

Another in our series of Guest posts by Exchange specialists is Glen Knight, aka Demazter. Glen is tackling a tough topic- preparing your environment for a migration- essential for keeping the migration free from additional Costs, Risks and potential Downtime.

Glen Knight is the founder of Demazter IT Services, a UK based IT consulting company which specialises in installation, support and maintenance of secure environments based on VMWare and Microsoft technologies. He has been working in the industry for the past 14 years providing support, installation and consulting services for all sizes of businesses working with all versions of Windows, Microsoft Exchange and Small Business Server, including large scale Active Directory design and maintenance.

Glen also has a blog: http://demazter.wordpress.com and very active in one of the leading technical community sites - Experts-Exchange.

Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration.

My first tip Migration Tip #1 – Source Server Health can be found here.

My second tip Migration Tip #2 – The Practice Run can be found here.

So, we now have a healthy source server and you have practiced until the match sticks snap, what next?

My third tip is about making sure you are prepared for the task ahead. Any type of migration needs to be taken seriously, it is a business critical operation you are about to embark on. If you are in any doubt about it at all, now is the time to say so, and if necessary call in help.

If you are happy with the process and confident you are able to complete the steps to achieve your goal then the next thing we need to do is plan a time to do it.

Most migrations are not time limited other than SBS to SBS migrations that have a limit of 21 days where both SBS servers can co-exist at the same time.

Make people aware of what you are doing, involve them, explain that you are expecting to have teething problems but would prefer if they collated them and then passed them to you when you ask for them. The last thing you want is to try trouble shooting whilst trying to complete a migration.

Find out if there is anything business critical happening (a big bid/contract etc that needs to be out just when you take the mail system offline) that could be delayed by the work you are carrying out, and if so, delay your migration. Talk to absolutely every member of staff. Manage Expectations.

In reality, if you get it bang on, the end users shouldn’t even notice and I would say 99% of the migrations I have done this has been the case. But there is always the odd one.

Have a recovery plan, know how to back out of what you are doing if it does go pear shaped. If you need to lock and migrate huge amounts of data then make sure you plan this stage of the migration for when people aren’t going to be using the system as heavily.

Document what you are doing, make notes of which stage you have got to and what action you have just taken.  This might seem like a waste of time, but take it from someone who has picked up a few failed migrations from people, it’s not.  Knowing exactly what stage you are at will help a consultant very quickly get to grips with the situation and this means a faster resolution.

And, most importantly of all, make sure you have backups! Take more than one, take one off-site, and do it different ways. I like to have a backup on either removable storage so I can access it quickly but also on tape just to be sure.

Watch out for tip Migration Tip #4 – The Migration

by

Demazter’s Migration Tip #2 – The Practice Run

Next in our series of Guest posts by Exchange specialists is Glen Knight, aka Demazter. Glen is tackling a tough topic- preparing your environment for a migration- essential for keeping the migration free from additional Costs, Risks and potential Downtime.

Glen Knight is the founder of Demazter IT Services, a UK based IT consulting company which specialises in installation, support and maintenance of secure environments based on VMWare and Microsoft technologies. He has been working in the industry for the past 14 years providing support, installation and consulting services for all sizes of businesses working with all versions of Windows, Microsoft Exchange and Small Business Server, including large scale Active Directory design and maintenance.

Glen also has a blog: http://demazter.wordpress.com and very active in one of the leading technical community sites - Experts-Exchange.

Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration.

My first tip Migration Tip #1 – Source Server Health can be found here.

My second tip is about making sure you are familiar with the technology you are migrating to.

For many people, migrating to a new technology will be the first and only time they perform this task. So, it’s always a good idea to familiarise yourself with the setup process before you do it for real.  With the use of virtualisation technologies we can install and test new products without the need for new hardware and without the possible impact on our live environment.

There are a number of virtualisation products that will allow you to do this on your desktop/laptop computer. You need to consider that most new products (if not all) will be based on x64 bit architecture. This does limit the virtualisation technologies that you can use on the desktop. Some of my favourites are listed below.

  • VMWare Workstation, this is a paid product but worth its weight in gold
  • VMWare Server, this is free for use and technically should only be used on a Server Operating System, but it does work on Desktop OS for testing purposes.
  • Virtual Box

Whichever technology you use, virtualisation will allow you to install the new software in a test environment, and keep installing it until you are happy with the process. Run through it 2, 3 even 4 times. Make sure you are familiar with the screens and what answers you are going to provide to the wizards. Take notes, even write a step-by-step of what you encountered and when you encountered it. Remember, the more you do now when you are in a safe “sandbox” environment, the easier and less pressurised the real thing will be. Don’t pay too much attention to the actual data you are entering as some of this will change when you do a migration as opposed to a new installation.

For the actual Migration Pick a migration guide for your technologies, it’s always best to use one that’s recommended by others and they have had good success with.  You will find my migration guides here. I use my guides in my own migrations and update them with any changes as often as possible.  Read the guide thoroughly before you start the migration.   It’s easier to get answers when you are not under pressure to fix things.

If you have the time and the inclination I would also suggest that you convert your physical source server to a virtual one. This will allow you to do a test migration with your actual source server. There are many tools for performing the capture and they depend on the virtualisation technology you are using and whether you want a free or paid product. Some examples of methods that can be used to convert physical machines to virtual ones can be found here.

Doing a virtual migration with a virtual copy of your actual source server is a great way to identify any problems you may encounter during the real live migration. You then have the opportunity to rectify these issues and then try the migration again. Once you are happy the migration has worked you are then in a position to do the live backup. I would be doing 3 to 4 virtual migrations just to be absolutely sure.

Watch out for tip Migration Tip #3 – Preparing for Live Migration in the next day or two.

by

Demazter’s Migration Tip #1 – Source Server Health

Fifth in our series of Guest posts by Exchange specialists is Glen Knight, aka Demazter. Glen is tackling a tough topic- preparing your environment for a migration- essential for keeping the migration free from additional Costs, Risks and potential Downtime.

Glen Knight is the founder of Demazter IT Services, a UK based IT consulting company which specialises in installation, support and maintenance of secure environments based on VMWare and Microsoft technologies. He has been working in the industry for the past 14 years providing support, installation and consulting services for all sizes of businesses working with all versions of Windows, Microsoft Exchange and Small Business Server, including large scale Active Directory design and maintenance.

Glen also has a blog: http://demazter.wordpress.com and very active in one of the leading technical community sites - Experts-Exchange.

Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration.

My first tip is around source server preparation.

No migration is an easy migration, there is always potential for something to go wrong. All we can do is try to minimize this risk.

The biggest risk comes from the system we already have in place, the integrity of this system is paramount in ensuring a successful migration.

Making sure your source system is healthy and configured correctly will go a long way to ensuring you have a smooth migration.

Use analyzers and health check tools that are available from the vendor. Microsoft, for example, have a number of best practice analyzer tools. These can be used to identify any problems the system may have and provide advice on how to resolve them. Some of the ones I use regularly are listed below:

In a Microsoft migration I will use tools like DCDIAG, NETDIAG, REPLMON and REPADMIN to check for errors, even if it’s a single server. You would be surprised how easy it is to misconfigure a single server. Further details on the usage of these tools can be found here:

Make sure the source system is up-to-date. All updates, service packs etc need to be applied. This may seem like a waste of time on a system that you are soon to be migrating out of your network but really it isn’t. New products from the same vendor normally rely on the source system being up-to-date. I have been known to spend hours installing service packs and updates on a source server.

It’s worth spending the time getting this part of the migration perfect. There are no timescales in play here you can take your time, once you start migrating there are pressures at play that will make the slightest hiccup seem like your whole world is imploding. I would consider this part of the migration process the most important, and therefore if you are not comfortable with this process, hire someone who is. Buying in consulting services to make sure the server is healthy can save you a lot of money.

Watch out for tip Migration Tip #2 – The Practice Run in the next day or two.