Mobile Admin Security

Upload: donhu

Post on 21-Aug-2018


Page 1: Mobile Admin Security - cdn.swcdn.netcdn.swcdn.net/.../v3.8.1/pdf/Whitepapers/mobile-admin-security.pdf · Mobile Admin Security • IBM Lotus Domino • Novell eDirectory/NDS •

Mobile Admin Security


www.roveit.com

Introduction

Mobile Admin is an enterprise-ready IT Management solution that generates significant cost savings by dramatically increasing the responsiveness of IT organizations facing outages and other issues. By enabling system administrators to access over 500 functions across dozens of different types of servers, platforms and devices through a convenient smartphone client, Mobile Admin provides a cost-effective means of increasing the availability of mission-critical business applications. The product enhances the efficiency of the IT team, which in turn has a direct positive impact on the productivity of the entire user population.

Security is a fundamental concern of all IT Management solutions, and it is of particular importance when mobile devices are used to access corporate information across the firewall. Mobile Admin’s client-server architecture features a fully-integrated security model that provides both data encryption and user authentication.


Mobile control of your network

Mobile Admin is a client-server application. The Mobile Admin Server software is installed behind your corporate firewall on any one computer that has access to all other servers in your network that you want to manage. The Mobile Admin Client software is installed on your wireless device.

You can use Mobile Admin to manage a wide range of computers, servers, and systems in your network:
• Microsoft Windows computers and networks
• Microsoft Active Directory
• Microsoft Exchange 2000/2003
• Microsoft Exchange 2007
• Microsoft SQL Server
• Microsoft IIS
• Microsoft DHCP
• Microsoft DNS
• Microsoft Cluster Servers
• Microsoft SCOM
• Microsoft SCMDM
• SolarWinds Orion
• Amazon Elastic Compute Cloud (EC2)
• IBM Lotus Domino
• Novell eDirectory/NDS
• BlackBerry Enterprise Server
• BlackBerry Enterprise Server 5
• Oracle
• Citrix
• RSA Authentication Manager
• HP Integrated Lights Out (iLO)
• Backup Exec
• VMware
• VMware Virtual Infrastructure
• Nagios

Mobile Admin allows you to use your wireless device to perform a full range of administrative tasks on these servers, including:
• managing users and groups, event logs, services, and print jobs
• rebooting servers
• resetting passwords
• editing server documents
• deleting mailbox messages.


Supported devices

Mobile Admin can be used with any of the following wireless handheld devices:
• BlackBerry smartphones
• Apple iOS devices
• Android devices

Mobile Admin can also be used on any computer with an Internet connection using the Mobile Admin Web Interface (Mozilla Firefox and Internet Explorer are the supported browsers).


Encryption

The types of data encryption available to you with Mobile Admin depend on the type of wireless handheld devices you use:
• BlackBerry smartphones, with or without a BlackBerry Enterprise Server
• Apple iOS devices, with or without a VPN
• Android devices, with or without a VPN

Encryption options for Mobile Admin on BlackBerry smartphones

You can choose to use Mobile Admin on BlackBerry smartphones with or without a BlackBerry Enterprise Server.

Mobile Admin with BlackBerry smartphones and a BlackBerry Enterprise Server

When you use Mobile Admin with a BlackBerry Enterprise Server, you are able to leverage the industry-leading security infrastructure of the BlackBerry network.

If you use a BlackBerry Enterprise Server, all your Mobile Admin data is sent over the Mobile Data Service (MDS), and is, by default, automatically encrypted using Triple Data Encryption Standard (TDES or 3DES). While TDES provides the highest industry standard encryption, you can also choose additional layers of encryption.

All versions of the BlackBerry Enterprise Server use TDES as the default encryption for all data. The BlackBerry Enterprise Server 4.1, however, allows you to choose between using TDES and Advanced Encryption Standard (AES), or both.

While TDES and AES are generally recognized as the most robust encryption methods available today, the US Government has also certified TDES and AES as compliant with Federal Information Processing Standards (FIPS).


The Mobile Admin Server is configured, by default, to add a layer of encryption with Hypertext Transfer Protocol – Secured (HTTPS). HTTPS is HTTP encrypted with Transport Layer Security (TLS). When Mobile Admin uses HTTPS, all Mobile Admin data transmitted between the Mobile Admin Server and the wireless handheld is encrypted.

Architecture overview — BlackBerry smartphones with a BlackBerry Enterprise Server

Figure 1-1 shows how Mobile Admin connects your wireless device to your network if you are using a BlackBerry Enterprise Server. The Mobile Admin Server is connected to the servers and computers that you want to manage with Mobile Admin. Information about these servers and computers is sent through the Mobile Admin Server to the BlackBerry Enterprise Server. The BlackBerry Enterprise Server encrypts the data with Triple Data Encryption Standard (TDES) or Advanced Encryption Standard (AES) and sends it over the Internet and the wireless network to the BlackBerry smartphone. The BlackBerry smartphone decrypts the data so that it can be viewed using the Mobile Admin Client.

Similarly, Mobile Admin Client commands from the BlackBerry smartphone are encrypted then sent over the wireless network and the Internet to the BlackBerry Enterprise Server. The BlackBerry Enterprise Server decrypts the commands and sends them to the Mobile Admin Server, which then further decrypts the commands if required, and then performs the requested actions.

When Mobile Admin uses HTTPS, data is encrypted with TLS before it is transmitted between the Mobile Admin Servers and the BlackBerry smartphones.

Note: Figure 1-1 shows the Mobile Admin Server and the BlackBerry Enterprise Server installed on separate computers. However, the Mobile Admin Server can be installed on the same computer as the BlackBerry Enterprise Server.


Figure 1-1 Mobile Admin architecture with BlackBerry smartphones and a BlackBerry Enterprise Server

Protecting your network when a handheld device is lost

BlackBerry Enterprise Server 4.0 and above offers the ability to “kill” a lost BlackBerry device. The “kill” command disables the device, and deletes all of its stored information, including everything related to the Mobile Admin application. The “kill” command is one of the hundreds supported by Mobile Admin, enabling a system administrator to use one BlackBerry device to kill another one.

Mobile Admin with BlackBerry smartphones without a BlackBerry Enterprise Server

When you do not use a BlackBerry Enterprise Server, data sent between the Mobile Admin Server and BlackBerry smartphones can be encrypted using HTTPS. If you do not use a BlackBerry Enterprise Server with your BlackBerry smartphones, it is strongly recommended that Mobile Admin be configured to make HTTPS connections.


Architecture overview — BlackBerry smartphones without a BlackBerry Enterprise Server

Figure 1-2 shows how Mobile Admin connects your wireless device to your network if you are not using a BlackBerry Enterprise Server. The Mobile Admin Server is connected to the servers and computers that you want to manage with Mobile Admin. The Mobile Admin Server encrypts the data with HTTPS and sends it over the Internet and the wireless network to the BlackBerry smartphone. The BlackBerry smartphone decrypts the data so that it can be viewed using the Mobile Admin Client.

Similarly, Mobile Admin Client commands from the BlackBerry smartphone are encrypted using HTTPS, and then sent over the wireless network and the Internet. The Mobile Admin Server decrypts the commands if required, and then performs the requested actions.

Figure 1-2 Mobile Admin architecture with BlackBerry smartphones


Other considerations

If you do not have a BlackBerry Enterprise Server, you can choose to either rent a BlackBerry Enterprise Server from a hosting company for a monthly fee, or to use Mobile Admin without one.

To use Mobile Admin without a BlackBerry Enterprise Server, you must:
• use a BlackBerry smartphone meeting Mobile Admin’s minimum system requirements
• connect from the Mobile Admin Client handheld to the Mobile Admin Server using Internet TCP/IP
• make sure that your carrier has the Internet Access Point Name (APN) enabled for your device

Encryption options for Mobile Admin on Apple iOS and Android devices

You can choose to use Mobile Admin on Apple iOS and Android devices with or without a Virtual Private Network (VPN). If you use a VPN, all your Mobile Admin data is sent over the VPN, and is, by default, automatically encrypted.

By default, the Mobile Admin Server is configured to add a layer of encryption with Hypertext Transfer Protocol – Secured (HTTPS). HTTPS is HTTP encrypted with Transport Layer Security (TLS). When Mobile Admin uses HTTPS, all data transmitted between the Mobile Admin Server and the wireless handheld is encrypted.

If you are using Apple iOS devices or Android devices with Mobile Admin, it is strongly recommended that you connect to your network through a VPN. If you cannot use a VPN, it is strongly recommended that Mobile Admin be configured to make HTTPS connections.


Architecture overview - Apple iOS and Android devices

Figure 1-3 shows how Mobile Admin connects your wireless handheld device to your network using a VPN and/or HTTPS. The Mobile Admin Server is connected to the servers and computers that you want to manage with Mobile Admin through a Virtual Private Network (VPN), which encrypts network data. The Mobile Admin Server encrypts the data with HTTPS and sends it over the Internet and the wireless network to the wireless handheld device. The Mobile Admin Client decrypts the data on the wireless handheld device so that it can be viewed.

Similarly, Mobile Admin Client commands from the wireless handheld are encrypted with HTTPS, and can be encrypted with a VPN, then sent over the wireless network and the Internet. The Mobile Admin Server decrypts the commands if required, and then performs the requested actions.

Figure 1-3


Mobile Admin proxy

The Mobile Admin proxy is a service that runs on the same computer as Mobile Admin and proxies SSH/Telnet and RDP/VNC traffic. The Mobile Admin clients authenticate transparently to the proxy if the appropriate rights and permissions have been configured.

The Mobile Admin proxy enables access to SSH/Telnet and RDP/VNC servers through a central port, rather than having to configure access to each individual server.

If the Mobile Admin proxy is not used, then all SSH/Telnet and RDP/VNC servers must have the appropriate firewall configuration.

Other considerations

A VPN client is provided by default on all Apple iOS and Android devices.

Port and firewall configurations

Mobile Admin can use ports 4054 (the HTTP port), 4055 (the HTTPS port) or 4056 (the proxy port for SSH/Telnet and RDP/VNC connections) to communicate between the BlackBerry Enterprise Server and the Mobile Admin Server. If you use a BlackBerry Enterprise Server hosting company or use Mobile Admin without a BlackBerry Enterprise Server, you will have to make sure that the gateway you use is able to contact your Mobile Admin Server through these ports, which may require firewall configuration. You can also choose to configure the ports that Mobile Admin uses; if you change these ports used by Mobile Admin, you must make sure that your gateway is still able to contact your Mobile Admin Server.
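As an added example (not part of the whitepaper and not vendor code), the following Python sketch audits a list of inbound allow rules against the three default ports above: it flags the unencrypted HTTP port when it is open to non-internal sources, flags HTTPS or proxy rules that admit more than the gateway, and reports when the gateway cannot reach the HTTPS port. The `Rule` shape, the gateway address and the sample rule set are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Default ports named in the whitepaper; change these if you reconfigured them.
HTTP_PORT, HTTPS_PORT, PROXY_PORT = 4054, 4055, 4056
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule (hypothetical shape, not a vendor export format)."""
    source: str  # CIDR the rule admits
    port: int    # destination TCP port on the Mobile Admin Server


def _inside(net, allowed):
    """True if `net` lies entirely within one of the `allowed` networks."""
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def audit(rules, gateway_cidrs, internal_cidrs=RFC1918):
    """Return sorted (severity, port, message) findings for Mobile Admin ports."""
    gateways = [ipaddress.ip_network(c) for c in gateway_cidrs]
    internal = [ipaddress.ip_network(c) for c in internal_cidrs]
    findings, reachable = [], set()
    for rule in rules:
        if rule.port not in (HTTP_PORT, HTTPS_PORT, PROXY_PORT):
            continue  # not a Mobile Admin port
        src = ipaddress.ip_network(rule.source)
        if any(_inside(g, [src]) for g in gateways):
            reachable.add(rule.port)  # the gateway can get in on this port
        if _inside(src, internal):
            continue  # admits internal sources only
        if rule.port == HTTP_PORT:
            findings.append(("high", rule.port,
                             f"unencrypted HTTP admitted from {src}"))
        elif not _inside(src, gateways):
            findings.append(("medium", rule.port,
                             f"source {src} is not limited to the gateway"))
    if HTTPS_PORT not in reachable:
        findings.append(("info", HTTPS_PORT,
                         "no rule lets the gateway reach the HTTPS port"))
    return sorted(findings)


# Constructed sample rule set using documentation address ranges.
GATEWAY = ["203.0.113.10/32"]
SAMPLE_RULES = [
    Rule("0.0.0.0/0", 4054),        # HTTP open to any source
    Rule("203.0.113.10/32", 4055),  # HTTPS from the gateway only
    Rule("198.51.100.0/24", 4056),  # proxy port from an unrelated range
    Rule("10.20.0.0/16", 4054),     # HTTP from an internal subnet
    Rule("0.0.0.0/0", 443),         # unrelated service, ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, GATEWAY):
        print(*finding, sep="  ")
```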


Authentication

As well as data encryption, Mobile Admin supports three different levels of authentication:
• primary login authentication (required), from a choice of:
  - Windows username and password
  - Mobile Admin-specific username and password
• device-level password (optional)
• RSA SecurID/RADIUS (optional)

Primary login authentication

Mobile Admin requires that you choose a primary form of authentication that each user must enter to log in to the Mobile Admin application, no matter what other forms of authentication (such as device-level, or RSA SecurID) that you may have configured for the user.

You can also configure how frequently the user is required to enter the primary login authentication. For example, you can configure Mobile Admin to require the primary login after time-out intervals that you specify.

Windows user name and password authentication

Administrative access to servers with Mobile Admin can be configured to use the Windows user settings for your network. With this option, users must always provide their Windows network username and password to log in to Mobile Admin.

If you choose to use the Windows network settings, you can configure Mobile Admin users to have access to either:
• exactly the same servers and services in Mobile Admin as they do in your network; or
• a subset of the servers and services they have permissions to manage in your network.


Mobile Admin user name and password authentication

Administrative access to servers with Mobile Admin can be configured to be specific to Mobile Admin, if you would rather not use Windows login data for Mobile Admin.

Because Mobile Admin is fully integrated with Windows security, you must specify at least one Windows account for the Mobile Admin Server to use to authenticate Mobile Admin users when they log in with their Mobile Admin-specific username and password.

If you specify one Windows account, Mobile Admin will use that as the default Windows authentication for all Mobile Admin users when they enter their Mobile Admin-specific username and password. However, for each user, you can choose to:
• use the default Windows account, or use any other Windows account
• further configure or limit access to specific network servers, as long as these servers are a subset of the servers that the associated Windows account has permission to manage

Because of the many available choices, there are several ways to configure user access to your network if you choose to use Mobile Admin-specific passwords. The following three examples are provided to illustrate some of the possibilities.

Sample configuration #1:
• In Mobile Admin, set up one existing Windows account as the default account for Mobile Admin with a wide range of permissions, such as a domain administrator or administrator account.
• In Mobile Admin, add users, and set up Mobile Admin-specific passwords for each user.
• In Mobile Admin, configure access for each user to an appropriate subset of network servers.


Sample configuration #2:
• In Windows, create a specific Windows account that has the permissions that you want all Mobile Admin users to have.
• In Mobile Admin, set up the new Windows account as the default account for Mobile Admin.
• In Mobile Admin, add users, and set up Mobile Admin-specific passwords for each.

Sample configuration #3:
• In Windows, create a specific Windows account that has the permissions that you want most Mobile Admin users to have.
• In Mobile Admin, set up the new account as the default account for Mobile Admin.
• In Mobile Admin, add users and set up Mobile Admin-specific passwords for each.
• For the small number of users who you want to have different permissions than the default Windows account, configure them to use different appropriate Windows accounts to authenticate with Mobile Admin.

Device-level password authentication

Most wireless handheld devices and phones provide optional device-level authentication. When the device password feature is enabled, you must enter a password before you can use the device and Mobile Admin.


Device-level passwords for BlackBerry smartphones

The BlackBerry smartphone password provides device-level authentication on BlackBerry smartphones. After ten failed attempts to enter the handheld password, all information on the handheld is erased for security purposes.

By default, the handheld password feature is not enabled. The handheld password can be enabled at the device level by each user. Alternatively, your BlackBerry Enterprise Server administrator can edit the IT Policy for the BlackBerry Enterprise Server to require a handheld password for some or all users.

Security time-out settings define how long a handheld device must be inactive before a user is required to enter the handheld password. These settings can also be configured at the device level by individual users, or by modifying the IT Policy on the BlackBerry Enterprise Server for some or all users.

For extra security, it is recommended that you enable the BlackBerry smartphone password for all Mobile Admin users.

For more information about how to enable the handheld password and to configure the security time-out, please refer to the user documentation for your BlackBerry smartphone.

Device-level passwords for Apple iOS and Android devices

By default, device-level passwords are not usually enabled, and must be enabled at the device level by each user.

For extra security, it is recommended that all Mobile Admin users enable the device-level password.

For more information about how to enable the device-level password for your device, please refer to the user documentation that was provided with your device.


RSA SecurID and RADIUS authentication

Mobile Admin also supports the option of using RSA SecurID authentication, and has been officially approved as an RSA-Certified application. RSA SecurID provides “two factor” authentication, which requires a user to enter a combination of a secret, personal identification number (PIN) and a code from a SecurID token. The token generates a new, unpredictable code every 60 seconds. These PIN and code combinations are synchronized with the RSA Authentication Manager, which is installed on your network and controls access to RSA-protected applications and devices.

If you choose to use RSA SecurID authentication with Mobile Admin, users will have to enter their PIN and token code before they can log in to Mobile Admin.

For more information about using RSA SecurID authentication, please see www.rsasecurity.com.

Mobile Admin also supports RADIUS authentication, which means that Mobile Admin can act as a RADIUS client or RADIUS device for whatever type of RADIUS server and authentication system you are using, such as SafeWord.


Credential and Information Logging in Mobile Admin

Client (Mobile User)

If a login to the network is required, the user is prompted for authentication information. This authentication information takes the form of:
• (optionally) RADIUS or RSA SecurID 2-factor authentication
• (optionally) device-level authentication
• (required) Windows credentials

If the authentication is successful, the server passes back a token to the client that is required in subsequent transactions between the client and server. This token is not stored on the mobile device between sessions.

The sessions can be configured from the server – the server can be configured to ensure that the token expires after a period of time. The default token length is 10 minutes.
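The token behaviour described above, sketched in Python as an added example; this is not Mobile Admin's code, and the class name, the in-memory store and the fixed (non-sliding) lifetime are assumptions. It shows the server-side half that matters to a defender: the server keeps only a hash of each token, decides expiry on its own clock, and can revoke a token when a device is reported lost.

```python
import hashlib
import secrets
import time

DEFAULT_LIFETIME_S = 10 * 60  # the whitepaper's stated default of 10 minutes


class SessionTokens:
    """Server-side token store held in memory only (assumed design)."""

    def __init__(self, lifetime_s=DEFAULT_LIFETIME_S, clock=time.monotonic):
        self._lifetime = lifetime_s
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # sha256(token) -> (user, expiry time)

    @staticmethod
    def _digest(token):
        # Store a hash so a memory or log disclosure does not yield usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user):
        """Call only after primary login succeeded; returns the client's token."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expiry = self._clock() + self._lifetime
        self._sessions[self._digest(token)] = (user, expiry)
        return token

    def validate(self, token):
        """Return the user for a live token, else None. Expiry is server-decided."""
        key = self._digest(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, expiry = entry
        if self._clock() >= expiry:
            del self._sessions[key]  # forget expired tokens immediately
            return None
        return user

    def revoke(self, token):
        """Invalidate a token early, e.g. on logout or a lost-device report."""
        return self._sessions.pop(self._digest(token), None) is not None


if __name__ == "__main__":
    store = SessionTokens()
    t = store.issue("alice")  # constructed user name
    print(store.validate(t), store.revoke(t), store.validate(t))
```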

When overriding credentials are used for individual managed servers, this information is sent directly to the Mobile Admin server (within your data center) and stored securely on it. This information is not used in a token, nor is it stored on the mobile device in any way.

As well, on all mobile platforms, any state information stored by the Mobile Admin client is stored in common persistent storage areas – if a device for any reason becomes compromised, wiping the devices will remove all of this state information. The only state information stored persistently is configuration and preference information – not credentials.


Server

During the authentication process, once the server securely receives the credentials, they are passed onto the relevant subsystems for validation.

The server stores two types of data:
• Configuration data (user and server preferences, Mobile Admin policy information, etc)
• Server characteristics (port settings, etc)

Any sensitive data related to credentials (usernames and passwords) are encrypted using Triple-DES encryption before being placed in a SQLite back-end that is embedded in the Mobile Admin server. Strong key management is handled by the OS and .NET APIs, not Mobile Admin. Users on the Mobile Admin server that have file access rights to the Mobile Admin installation folder can access the back-end data. This data is extremely well protected, as long as routine and prudent measures are taken to secure the Mobile Admin server from unauthorized entry (as with any other server host).

Audit and Debug Logging

There are two categories of information stored by the Mobile Admin server:
• Audit Logs
• Debug Logs

Audit log information is maintained inside the database, but this information does not contain any identifying data other than the user login name that performed the action. This information is kept indefinitely to satisfy compliance and regulation-related requirements of our users. It can be browsed and searched from within the administration interface of the Mobile Admin server.


Debugging and diagnostic information is stored on the server in a text file in the Mobile Admin directory – by default, the server only logs for debugging purposes information related to server activity and events. This information can be configured to be more detailed, but this is usually only done to diagnose a support issue. Great care and testing have taken place to ensure no sensitive information enters debug logs. These logs are not rotated or deleted unless the user removes them manually.