WindowsNetworking.com Monthly Newsletter of October 2010 Sponsored by: Symprex
Welcome to the WindowsNetworking.com newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
In August, the analysts at Gartner released a report that says that the business world can expect to experience ten dramatic changes over the next decade. Many of these predicted changes will affect IT workers, whether employed on the premises of individual companies or with cloud providers. You can read a press release that summarizes those changes here.
One of the changes that caught my eye was “hyperconnectedness.” Hyperconnectivity is a term that is credited to a pair of Canadian social scientists, referring to the use of multiple means of communication. Certainly we’ve already seen that, with people in the work world today accustomed to using telephony (including IP telephony and wireless telephony), email, instant messaging, web forums, video conferencing, and other means of communication.
Gartner’s definition of “hyperconnectedness” goes further, referring to “networks of networks, with the organization unable to control any of them.”
This is likely to increase in the future. We’re currently seeing a huge invasion of mobile devices in the workplace, with the corresponding burden on IT staff to integrate these smart phones, tablets, netbooks, laptops and other portable devices into the corporate network. Unlike in the past, not all of these devices are issued or owned by the company, either. The consumerization of IT has resulted in users bringing their own devices to work, or using their own devices - from handhelds to desktop computers - to connect to the company network remotely.
This creates at least two major problems for IT:
The first issue presents a problem because there are such a large number of different devices, running different operating systems and applications on different types of hardware. Allowing employees to purchase their own devices can save companies money, but it creates a diversity that never existed when companies purchased one or possibly a handful of device models to issue to employees. Now you may have users who want to connect with Windows Mobile phones, the new Windows Phone 7 devices, Android phones, Symbian phones, iPhones, iPads, and soon, Android, Windows 7 and WebOS tablets, along with Windows, Mac and Linux laptops and desktops. How can IT departments possibly support so many different devices?
The second issue is even more serious. A security breach can cost a company millions of dollars, not to mention lost productivity and damage to the organization’s reputation. If customer data or other sensitive information is exposed, consequences could even include legal repercussions.
What can companies and their IT departments do to address these issues, while giving employees the hyperconnectivity they need? Policies are imperative - and they must be well-thought-out ones that take into account the needs of today’s young workers, who grew up with technology and are less likely to bow to the control of IT without question, as less tech-savvy workers may have done in the past.
Ultimately, it will take a combination of human and technological solutions to deal with hyperconnected workers and to manage the networks within networks to which they are connected in your organization. It’s time to start planning for that eventuality now. One possible solution to the security dilemma is to move toward an approach based on the public health model, as proposed by Microsoft corporate vice president Scott Charney in a recent whitepaper, which I wrote about in my blog over on WindowSecurity.com.
By Debra Littlejohn Shinder, MVP
3. WindowsNetworking.com Articles of Interest
Disable In-Private Browsing in Internet Explorer 8
The InPrivate Browsing feature, new in Internet Explorer 8, can be helpful in protecting your privacy. However, there are times you might not want users to be able to freely browse. Fortunately, you can disable this feature with the Group Policy settings in the Windows XP, Vista, and 7 professional editions:
For more administrator tips, go to WindowsNetworking.com/WindowsTips
Run 16-bit applications in Windows 7
There still are a bunch of us who need to run old applications on our shiny new Windows 7 computers. You can do this by taking advantage of a virtual machine process that makes these applications think they are running in 386 Enhanced Mode in Windows 3.x. However, this virtual machine process runs as a single virtual machine, which means that all the legacy applications run in the same process. If one of the applications goes haywire, it can take down the rest of them – just like we remember from back in the Win 3.x days.
The good news is that you can help stop a rogue 16-bit or MS-DOS-based application from whacking the others by running that application in a separate memory space. Here’s how:
There you go! Note that this will take a bit more memory, but modern computers come with plenty of memory so this shouldn’t pose a problem for you. Also, using this method, you can run multiple instances of the application – just make sure each instance is configured to use its own memory space.
We would like to allow our remote users to access Exchange Server with Outlook using RPC/HTTPS (Outlook Anywhere). However, we need something more than password authentication. While two factor authentication would be nice, it’s not strictly required. What we need is some way to prove that the computer that the user is connecting from is a corporate computer. Any ideas?
Thank you - Ted E.
You have several options when it comes to enhancing the default authentication mechanism used by the Outlook RPC/HTTPS client. As you know, out of the box, you only have the option to enable Windows Integrated authentication (Kerberos/NTLM) or basic authentication. Since the authentication process takes place after the SSL connection is established, in general you’re best off using basic authentication. This is especially important for non-domain member machines, where you have to use basic authentication.
The Outlook client, for some reason, wasn’t built to support two factor authentication at the application level. That means you have to get creative. You mention that you want to make sure that users are using corporate computers. If these corporate computers are using Windows 7, then your best bet is to use DirectAccess. When you use DirectAccess, your Windows 7 domain computers can always be managed, and they also require that the computer present a computer certificate and that the computer and user accounts can be authenticated and authorized. This is a very secure solution, but it does require that you deploy UAG DirectAccess to get full value out of the solution.
If you aren’t using Windows 7, UAG is still a great solution for you. What you can do is have users log into the portal using a two-factor authentication method of your choice (RSA, RADIUS OTP, etc.) and then, after the user completes the two-factor authentication process, the Outlook client is able to connect to the Exchange server through the portal. This allows both domain member and non-domain member computers to use strong authentication, since they have to successfully authenticate at the UAG SSL VPN portal before they are allowed access to the Exchange Server.
Another method you can use is to require an IPsec connection to the Exchange Server. In most cases, when you publish the CAS, you want to have a strong application layer inspection firewall like the TMG firewall in front of the CAS server (at least when you’re not using UAG as a gateway to the Exchange Server). If you choose to use TMG instead of UAG, you can configure the client systems to require an IPsec tunnel to the external interface of the TMG firewall. The IPsec tunnel will require a computer certificate from the corporate computers running Outlook to establish the IPsec tunnel. After the IPsec tunnel is established using the computer certificate on the client system, the user will be able to establish the Outlook connection to the CAS. In this scenario, you have one-and-a-half factor authentication, since the “half factor” is the computer certificate on the client system.
As you can see, you have several options for enhancing the authentication security for your Outlook Anywhere client. There are other options too, but these are the ones that we’ve used most to provide secure access for our Outlook clients.
Hope this helps! - Deb.
For more information on Windows Server 2008 R2 (and other OS versions) and IPsec, check out this TechNet page.
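As an added illustration of the IPsec option described in the answer above (example commands written for this newsletter, not Deb's own procedure or a Microsoft reference script), the following batch script creates the client-side Windows Firewall connection security rule on a Windows 7 domain member. The TMG external address and the corporate CA name are placeholders, and the matching TMG-side IPsec configuration is assumed to already be in place.

```batch
@echo off
REM Added example: client-side IPsec tunnel rule requiring computer-certificate
REM authentication before any traffic reaches the TMG external interface.
REM Run from an elevated prompt on a Windows 7 domain member. The TMG side
REM must also be configured to accept the tunnel; this covers the client only.

REM Assumed placeholder values - replace with your own.
set TMG_EXTERNAL_IP=203.0.113.10
set CORP_CA_DN=CN=Corp Root CA,O=Example Corp

REM 1. Connection security rule: all traffic from this host to the TMG
REM    external address must travel inside an IPsec tunnel (mode=tunnel),
REM    authenticated with a computer certificate chained to the corporate CA.
REM    action=requireinrequireout refuses the connection if the peer cannot
REM    authenticate, so a machine without a corporate certificate never gets
REM    as far as the RPC/HTTPS handshake.
netsh advfirewall consec add rule ^
    name="Require IPsec to TMG external" ^
    endpoint1=any ^
    endpoint2=%TMG_EXTERNAL_IP% ^
    action=requireinrequireout ^
    mode=tunnel ^
    localtunnelendpoint=any ^
    remotetunnelendpoint=%TMG_EXTERNAL_IP% ^
    auth1=computercert ^
    auth1ca="%CORP_CA_DN%" ^
    enable=yes

REM 2. Verify the rule was stored with the intended action and auth method.
netsh advfirewall consec show rule name="Require IPsec to TMG external"

REM 3. After Outlook attempts a connection, confirm a main mode security
REM    association exists to the TMG address and that its authentication
REM    method is the computer certificate, not Kerberos or a pre-shared key.
netsh advfirewall monitor show mmsa all
```

In a domain, the same rule would normally be delivered through Group Policy (Windows Firewall with Advanced Security, Connection Security Rules) rather than run by hand on each client.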