With Kaspersky, now you can. kaspersky.com/business Be Ready for What’s Next
CONTENTS
1. OPEN ALL HOURS
2. MOBILE DEVICE MANAGEMENT – WHAT IS IT?
3. CHOOSING THE RIGHT MDM SOLUTION
4. EFFECTIVE MDM PRACTICES
5. IN CONCLUSION
MOVING TARGETS: MOBILE DEVICE MANAGEMENT AND MOBILE SECURITY.

1. OPEN ALL HOURS

Mobile access to vital business applications and information empowers workers to be more productive, supporting increased business agility and flexibility. But mobility comes at a price: the same features that make smart devices so useful to employees also make them attractive to hackers, data thieves, malware distributors and other criminals. In the past 12 months alone, 51 per cent of organisations globally have experienced data loss due to insecure mobile devices.1

It’s not just about malware; the trend towards ‘Bring Your Own Device’ (BYOD) initiatives in companies of all sizes is contributing to an increasingly complex spread of devices across the business. At the same time, the lines between business and personal use are blurring, creating a challenging management and control environment for IT administrators.

How can you support BYOD initiatives without the headaches? How can you control what the end-user is doing when they’re downloading apps in a hotel room in a different time zone? What happens when they leave their smartphone in the back of a taxi? Can you control all of this easily and from one central point? Mobile Device Management (MDM) can answer most of these questions.

2. MOBILE DEVICE MANAGEMENT – WHAT IS IT?

Mobile Device Management allows IT professionals to extend their ‘wired’ security strategy and policies to all devices, wherever they happen to be. MDM software allows IT managers to cost-effectively automate vital management and control tasks such as device configuration, software updates and backup/restore, all while ensuring the safety of sensitive business information in the event of theft, loss or end-user abuse.

3. CHOOSING THE RIGHT MDM SOLUTION

3.1 Multi-Platform Support

Android, BlackBerry, iOS, Symbian, Windows Phone: anyone supporting BYOD initiatives will be familiar with the demands of securing and maintaining multiple platforms.
An MDM solution that supports multiple platforms is not only cost-effective, it takes the pain out of managing multiple systems. It also brings flexibility, supporting not only the devices you have today, but the brands and products you choose in the future.
1 Source reference: Ponemon: The Cost of a Lost Laptop (2009)
4. EFFECTIVE MDM PRACTICES

4.1 Strong policies

Create mobile-specific policies that clearly define, among other things:
• How the device will be deployed
• What data will be accessible by mobile workers
• Who can do what on company networks
• What procedures will be implemented in the event of device loss or theft

Define and enforce policies in a granular, flexible way – e.g. apply different policies to different users and groups, according to their needs. This level of granularity should extend to the device itself – for example, jailbroken or otherwise compromised devices can be prevented from accessing company data or remotely locked, adding an extra layer of security.

4.2 Containerisation

Eighty-nine per cent of people using their personal device for business purposes say they use it to access critical work information. 41 per cent say they use their personal devices at work without permission.2 Even the most conscientious users can inadvertently put company systems and content at risk by downloading consumer applications or accessing personal content using their device.

This is where containerisation comes in. It’s a simple solution that separates personal and business content on the device, allowing IT complete control over business content and protecting it from any risks introduced by personal usage – without affecting personal data. Using containerisation, IT departments can apply security and data protection policies to a business ‘container’ on a personal or company-owned device – making it particularly useful in BYOD scenarios.

4.3 Encryption

MDM best practice should also include the option to encrypt sensitive data within the container. Encryption reinforces anti-theft strategies; forcibly encrypted data reduces the impact of any time delay in wiping a lost or stolen device.
By ensuring that only encrypted data can leave the business container on a device, organisations can guard against data leakage and support compliance requirements around data protection. Kaspersky Lab’s MDM encryption technology can be automated and made completely transparent to the end user, ensuring that your security policies are adhered to.

4.4 Anti-Theft and Content Security

It’s almost impossible to physically lock down small, ultra-mobile devices, but you can lock down their contents and control what happens when they do go missing. Kaspersky Lab’s MDM solution includes anti-theft and content security features that can be enabled remotely, preventing unauthorised access to sensitive data. Among them:
• SIM control: Lock a lost or stolen phone, even if the SIM card is replaced, and send the new number to the rightful owner.
• Device/location tracking: Use GPS, GSM or WiFi to pinpoint device location.
• Remote/selective wipe: Completely erase all data on any device, or just sensitive company information.
• Remote lock: Prevent unauthorised access to a device; no need to wipe data.
2 Source reference: Juniper Networks, Trusted Mobility Index 2012.
4.5 Mobile Anti-Malware

You need a strategy for dealing with lost or stolen devices. But devices are at risk even when they’re with authorised users. Many organisations are careful to implement anti-malware and anti-spam solutions on their fixed networks – but do little to protect their mobile devices from becoming a source of viruses or other malware.

Kaspersky Lab’s mobile security technologies include a blended anti-malware solution that combines traditional, signature-based detection with proactive, cloud-assisted technologies. This improves detection rates and gives real-time protection from malware. On-demand as well as scheduled scans ensure maximum protection; automatic, over-the-air updates are essential to any MDM strategy.

4.6 Keeping things simple: Centralised controls

Kaspersky Lab’s technologies allow administrators to manage the security of mobile devices from the same ‘single pane of glass’ console they use for their network and endpoint security. This eliminates the complexity associated with separate solutions, and the multiple, often incompatible consoles that come with them. Technology sprawl makes a challenging job more complex than it needs to be. By simplifying and automating the secure configuration of multiple devices, you not only reduce the burden on IT, but support better mobile security practices. Once your policies and ground rules are in place, centralised control can be achieved using a single click – whether you’re managing 10 devices or 1,000.

4.7 Get the balance right

Deploying, managing and securing your mobile IT environment doesn’t have to be complicated or expensive. Kaspersky Lab’s MDM solution makes the secure configuration of mobile devices painless and straightforward; the mobile agent installed on devices will provide all the protection you need against current threats.
IT administrators can be confident that all mobile devices are configured with their required settings and are secure in the event of loss, theft or user abuse. It doesn’t matter what size your business is: if you don’t manage mobile devices properly, they’ll soon become just another drain on resources, not to mention a security and data loss risk. Whether you’re hoping to reduce costs by supporting a BYOD initiative or operating a strict company-owned mobile device program, the risks are ultimately the same: a growing volume of sensitive business data is sitting in employees’ pockets, being left behind in taxis, stolen or lost.

What if you didn’t have to trade security and data protection for mobility, enhanced productivity and simplicity? Kaspersky’s mobile device management and enhanced mobile security technologies mean that you don’t.

5. IN CONCLUSION

Organisations need intelligent security technologies to protect their data – and they also need intuitive and uncomplicated IT efficiency tools. Kaspersky Lab’s 2,500 employees are driven to meet those needs for the 300 million plus systems they protect – and the 50,000 new systems a day that are added to their number.

Kaspersky MDM is a component of Kaspersky Endpoint Security for Business. Combining award-winning anti-malware, IT policy enforcement tools, centralised management and cloud-assisted protection, Kaspersky’s business security products are the right choice for your organisation. Talk to your security reseller about how Kaspersky can bring secure configuration to your mobile endpoint deployment – and more!
Kaspersky Lab ZAO, Moscow, Russia www.kaspersky.com © 2013 Kaspersky Lab ZAO. All rights reserved.
This document provides best practices for the secure planning and deployment of Active Directory Federation Services (AD FS) and Web Application Proxy. It contains information about the default behaviors of these components and recommendations for additional security configurations for an organization with specific use cases and security requirements.
This document applies to AD FS and WAP in Windows Server 2012 R2 and Windows Server 2016 (preview). These recommendations can be used whether the infrastructure is deployed in an on premises network or in a cloud hosted environment such as Microsoft Azure.
Standard deployment topology
For deployment in on-premises environments, we recommend a standard deployment topology consisting of one or more AD FS servers on the internal corporate network, with one or more Web Application Proxy (WAP) servers in a DMZ or extranet network. At each layer, AD FS and WAP, a hardware or software load balancer is placed in front of the server farm and handles traffic routing. Firewalls are placed as required in front of the external IP address of the load balancer in front of each (FS and proxy) farm.
Ports required
The below diagram depicts the firewall ports that must be enabled between and amongst the components of the AD FS and WAP deployment. If the deployment does not include Azure AD / Office 365, the sync requirements can be disregarded.
Note that port 49443 is only required if user certificate authentication is used, which is optional for Azure AD and Office 365.
Azure AD Connect and Federation Servers/WAP
This table describes the ports and protocols that are required for communication between the Azure AD Connect server and Federation/WAP servers.
Protocol | Ports | Description |
---|---|---|
HTTP | 80 (TCP/UDP) | Used to download CRLs (Certificate Revocation Lists) to verify SSL certificates. |
HTTPS | 443(TCP/UDP) | Used to synchronize with Azure AD. |
WinRM | 5985 | WinRM Listener |
WAP and Federation Servers
This table describes the ports and protocols that are required for communication between the Federation servers and WAP servers.
Protocol | Ports | Description |
---|---|---|
HTTPS | 443(TCP/UDP) | Used for authentication. |
WAP and Users
This table describes the ports and protocols that are required for communication between users and the WAP servers.
Protocol | Ports | Description |
---|---|---|
HTTPS | 443(TCP/UDP) | Used for device authentication. |
TCP | 49443 (TCP) | Used for certificate authentication. |
For additional information on required ports and protocols required for hybrid deployments see the document here.
For detailed information about ports and protocols required for an Azure AD and Office 365 deployment, see the document here.
Endpoints enabled
When AD FS and WAP are installed, a default set of AD FS endpoints are enabled on the federation service and on the proxy. These defaults were chosen based on the most commonly required and used scenarios and it is not necessary to change them.
[Optional] Min set of endpoints proxy enabled for Azure AD / Office 365
Organizations deploying AD FS and WAP only for Azure AD and Office 365 scenarios can limit even further the number of AD FS endpoints enabled on the proxy to achieve a more minimal attack surface. Below is the list of endpoints that must be enabled on the proxy in these scenarios:
Endpoint | Purpose |
---|---|
/adfs/ls | Browser based authentication flows and current versions of Microsoft Office use this endpoint for Azure AD and Office 365 authentication |
/adfs/services/trust/2005/usernamemixed | Used for Exchange Online with Office clients older than the Office 2013 May 2015 update. Later clients use the passive /adfs/ls endpoint. |
/adfs/services/trust/13/usernamemixed | Used for Exchange Online with Office clients older than the Office 2013 May 2015 update. Later clients use the passive /adfs/ls endpoint. |
/adfs/oauth2 | Used for any modern apps (on premises or in the cloud) you have configured to authenticate directly to AD FS (i.e. not through Azure AD) |
/adfs/services/trust/mex | Used for Exchange Online with Office clients older than the Office 2013 May 2015 update. Later clients use the passive /adfs/ls endpoint. |
/adfs/ls/federationmetadata/2007-06/federationmetadata.xml | Requirement for any passive flows; and used by Office 365 / Azure AD to check AD FS certificates |
AD FS endpoints can be disabled on the proxy using the following PowerShell cmdlet:
For example:
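The trimming described above, as an added example that is not part of the original document: it compares what is currently published to the proxy against the allow list from the table and turns off the rest. It assumes it is run on the primary federation server with the ADFS module available; the allow-list values are copied from the table, plus the address path under which AD FS itself reports the metadata endpoint.

```powershell
# Added example, not from the original document. Trims the endpoints published to
# the WAP down to the Azure AD / Office 365 set listed in the table above.
# Run on the primary federation server; the proxies pick the change up from there.
Import-Module ADFS

# Allow list copied from the table above. The last entry is the address path under
# which Get-AdfsEndpoint itself lists the federation metadata endpoint.
$proxyAllowList = @(
    '/adfs/ls',
    '/adfs/services/trust/2005/usernamemixed',
    '/adfs/services/trust/13/usernamemixed',
    '/adfs/oauth2',
    '/adfs/services/trust/mex',
    '/adfs/ls/federationmetadata/2007-06/federationmetadata.xml',
    '/FederationMetadata/2007-06/FederationMetadata.xml'
)

function Get-ProxyEndpointsToDisable {
    # Everything currently published to the proxy that is not on the allow list.
    # -notcontains compares case-insensitively; trailing slashes are stripped first.
    Get-AdfsEndpoint | Where-Object {
        $_.Proxy -and ($proxyAllowList -notcontains $_.AddressPath.TrimEnd('/'))
    }
}

function Disable-ExtraProxyEndpoints {
    param([switch]$Apply)   # without -Apply the function only reports
    foreach ($ep in Get-ProxyEndpointsToDisable) {
        if ($Apply) {
            # Keeps the endpoint enabled on the federation service, removes it from the proxy.
            Set-AdfsEndpoint -TargetAddressPath $ep.AddressPath -Proxy $false
        }
        [pscustomobject]@{
            AddressPath = $ep.AddressPath
            Protocol    = $ep.Protocol
            Action      = $(if ($Apply) { 'disabled on proxy' } else { 'would disable on proxy' })
        }
    }
}

# First pass: report only. Review the list, then run again with -Apply.
Disable-ExtraProxyEndpoints | Format-Table -AutoSize

# After applying, confirm what is still exposed through the proxy:
# Get-AdfsEndpoint | Where-Object { $_.Proxy } | Select-Object AddressPath, Protocol
```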
Extended protection for authentication
Extended protection for authentication is a feature that mitigates against man in the middle (MITM) attacks and is enabled by default with AD FS.
To verify the setting, run the following PowerShell cmdlet:

PS:>Get-ADFSProperties

The property is ExtendedProtectionTokenCheck. The default setting is Allow, so that the security benefits can be achieved without the compatibility concerns with browsers that do not support the capability.
Congestion control to protect the federation service
The federation service proxy (part of the WAP) provides congestion control to protect the AD FS service from a flood of requests. The Web Application Proxy will reject external client authentication requests if the federation server is overloaded as detected by the latency between the Web Application Proxy and the federation server. This feature is configured by default with a recommended latency threshold level.
To verify the settings, you can do the following:
- On your Web Application Proxy computer, start an elevated command window.
- Navigate to the ADFS directory, at %WINDIR%\adfs\config.
- Change the congestion control settings from its default values to ‘’.
- Save and close the file.
- Restart the AD FS service by running ‘net stop adfssrv’ and then ‘net start adfssrv’.

For your reference, guidance on this capability can be found here.
Standard HTTP request checks at the proxy
The proxy also performs the following standard checks against all traffic:
- The FS-P itself authenticates to AD FS via a short-lived certificate. In a scenario of suspected compromise of DMZ servers, AD FS can “revoke proxy trust” so that it no longer trusts any incoming requests from potentially compromised proxies. Revoking the proxy trust revokes each proxy’s own certificate so that it cannot successfully authenticate for any purpose to the AD FS server.
- The FS-P terminates all connections and creates a new HTTP connection to the AD FS service on the internal network. This provides a session-level buffer between external devices and the AD FS service. The external device never connects directly to the AD FS service.
- The FS-P performs HTTP request validation that specifically filters out HTTP headers that are not required by AD FS service.
Recommended security configurations
Ensure all AD FS and WAP servers receive the most current updates

The most important security recommendation for your AD FS infrastructure is to ensure you have a means in place to keep your AD FS and WAP servers current with all security updates, as well as those optional updates specified as important for AD FS on this page.
The recommended way for Azure AD customers to monitor and keep current their infrastructure is via Azure AD Connect Health for AD FS, a feature of Azure AD Premium. Azure AD Connect Health includes monitors and alerts that trigger if an AD FS or WAP machine is missing one of the important updates specifically for AD FS and WAP.
Information on installing Azure AD Connect Health for AD FS can be found here.
Additional security configurations
The following additional capabilities can be configured optionally to provide additional protections to those offered in the default deployment.
Extranet “soft” lockout protection for accounts
With the extranet lockout feature in Windows Server 2012 R2, an AD FS administrator can set a maximum allowed number of failed authentication requests (ExtranetLockoutThreshold) and an ‘observation window’ time period (ExtranetObservationWindow). When this maximum number (ExtranetLockoutThreshold) of authentication requests is reached, AD FS stops trying to authenticate the supplied account credentials against AD FS for the set time period (ExtranetObservationWindow). This action protects this account from an AD account lockout; in other words, it protects this account from losing access to corporate resources that rely on AD FS for authentication of the user. These settings apply to all domains that the AD FS service can authenticate.
You can use the following Windows PowerShell command to set the AD FS extranet lockout (example):
For reference, the public documentation of this feature is here.
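An added example, not a command from the original document, of setting the three properties named above. The soft lockout only protects the account if AD FS reaches its threshold before Active Directory reaches its own, so the function reads the domain lockout threshold and keeps ExtranetLockoutThreshold below it. It assumes it runs on the primary federation server with the ADFS and ActiveDirectory modules available; the default values of 15 attempts and 30 minutes are constructed, not taken from the page.

```powershell
# Added example, not from the original document. Enables AD FS extranet lockout with a
# threshold that stays below the AD domain lockout threshold, so that failed sign-ins
# through the proxy trip the AD FS "soft" lockout before they can lock the AD account.
Import-Module ADFS
Import-Module ActiveDirectory

function Set-AdfsExtranetSoftLockout {
    param(
        [int]$Threshold = 15,          # constructed defaults; adjust to local policy
        [int]$ObservationMinutes = 30
    )

    # 0 means account lockout is disabled in the domain policy.
    $adThreshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold

    # The AD FS threshold only protects the account if it is reached first.
    if ($adThreshold -gt 0 -and $Threshold -ge $adThreshold) {
        $Threshold = $adThreshold - 1
        Write-Warning "Lowered ExtranetLockoutThreshold to $Threshold (AD lockout threshold is $adThreshold)"
    }
    if ($Threshold -lt 1) {
        Write-Warning "AD lockout threshold of $adThreshold leaves no room for an AD FS threshold; nothing changed."
        return
    }

    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold $Threshold `
                       -ExtranetObservationWindow (New-TimeSpan -Minutes $ObservationMinutes)

    # Return the effective values so the caller can confirm them.
    Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
}

Set-AdfsExtranetSoftLockout
```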
Differentiate access policies for intranet and extranet access
AD FS has the ability to differentiate access policies for requests that originate in the local, corporate network vs requests that come in from the internet via the proxy. This can be done per application or globally. For high business value applications or applications with sensitive or personally identifiable information, consider requiring multi factor authentication. This can be done via the AD FS management snap-in.
Require Multi factor authentication (MFA)
AD FS can be configured to require strong authentication (such as multi factor authentication) specifically for requests coming in via the proxy, for individual applications, and for conditional access to both Azure AD / Office 365 and on premises resources. Supported methods of MFA include both Microsoft Azure MFA and third party providers. The user is prompted to provide the additional information (such as an SMS text containing a one time code), and AD FS works with the provider specific plug-in to allow access.
Supported external MFA providers include those listed in this page, as well as HDI Global.
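One way to combine the two sections above (differentiated extranet policy plus MFA) for a single application, as an added example rather than anything from the original document: an additional authentication rule on the relying party trust that triggers MFA only when the request did not originate inside the corporate network. It assumes a relying party trust named 'Payroll Portal' (a constructed name), that an MFA provider is already enabled in the global authentication policy, and that the ADFS module is available on the primary federation server.

```powershell
# Added example, not from the original document. AD FS issues the insidecorporatenetwork
# claim as "true" for intranet requests and "false" for requests arriving via the WAP;
# the rule below maps "false" to the multipleauthn authentication method, which makes
# AD FS demand the configured additional (MFA) provider before issuing a token.
Import-Module ADFS

$rpName = 'Payroll Portal'   # constructed relying party name

# Claim rule language: require MFA when the request did not come from the intranet.
$extranetMfaRule = @'
@RuleName = "Require MFA for extranet requests"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Per-application scope: attach the rule to this trust only.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $extranetMfaRule

# Verify that the rule is now stored on the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

The same rule text can be applied globally with Set-AdfsAdditionalAuthenticationRule instead, which is the "globally" option the section above mentions.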
Hardware Security Module (HSM)
In its default configuration, the keys AD FS uses to sign tokens never leave the federation servers on the intranet. They are never present in the DMZ or on the proxy machines. Optionally, to provide additional protection, these keys can be protected in a hardware security module attached to AD FS. Microsoft does not produce an HSM product; however, several products on the market support AD FS. To implement this recommendation, follow the vendor guidance to create the X509 certificates for signing and encryption, then use the AD FS installation PowerShell cmdlets, specifying your custom certificates as follows:

where:

- CertificateThumbprint is your SSL certificate
- SigningCertificateThumbprint is your signing certificate (with HSM-protected key)
- DecryptionCertificateThumbprint is your encryption certificate (with HSM-protected key)
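A check to run after an HSM deployment, added here and not part of the original document: it reports which cryptographic provider holds the private key of the primary token-signing certificate, which after a successful HSM setup should be the vendor's key storage provider rather than a Microsoft software provider. It assumes it is run as an administrator on a federation server with the ADFS module available and with read access to the key.

```powershell
# Added example, not from the original document. Reports the provider that holds the
# private key of the primary AD FS token-signing certificate. With an HSM-backed key
# the provider is the vendor's KSP/CSP; a Microsoft software provider means the key
# material is still on the federation server's disk.
Import-Module ADFS

function Get-AdfsSigningKeyProvider {
    $primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    $cert = Get-Item ("Cert:\LocalMachine\My\" + $primary.Thumbprint)

    $result = [ordered]@{ Thumbprint = $cert.Thumbprint; Provider = $null; SoftwareKey = $null; Note = '' }

    if (-not $cert.HasPrivateKey) {
        # Either no key on this host or the current account cannot read it.
        $result.Note = 'no private key accessible from this account'
        return [pscustomobject]$result
    }

    # GetRSAPrivateKey returns RSACryptoServiceProvider for legacy CSP keys and
    # RSACng for CNG keys; each exposes its provider name differently.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $result.Provider = $rsa.CspKeyContainerInfo.ProviderName
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $result.Provider = $rsa.Key.Provider.Provider
    }

    # Microsoft's built-in providers keep the key in software, except the TPM-backed
    # Platform Crypto Provider, which is hardware but not an external HSM either.
    $result.SoftwareKey = ($result.Provider -like 'Microsoft*') -and
                          ($result.Provider -notlike '*Platform Crypto*')
    [pscustomobject]$result
}

Get-AdfsSigningKeyProvider
```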