Can I block my employees from adding work computers to their personal "Live Mesh"?

  • Wednesday, April 23, 2008 11:47 PM, joewcox
    Can I block my employees from adding work computers to their personal "Live Mesh"?  I'm concerned about people accessing the corporate network from an insecure environment (i.e. their laptop in a coffee shop).
    ~Joe

All Replies

  • Thursday, April 24, 2008 3:26 AM, Nadia Fortini (MSFT, Moderator)
     Answer

    Microsoft has invested heavily to ensure Live Mesh is safe and secure.  We use Windows LiveID to manage authentication and encrypt any upload/download and syncing of files and folders.  Furthermore, we empower users to manage their own sharing settings and security when they are managing files and folders within Live Mesh.  As with all online services and offerings, users are encouraged to use file password protection and to use their best judgment when uploading and sharing files.

    If you don’t want your employees to run specific software on the company managed systems, you can use hash or path blocking on livemesh.exe and moe.exe.

    More details on Software Restriction Policies here:

    http://technet.microsoft.com/en-us/windowsvista/aa940985.aspx

    Thank you,

    Nadia

  • Thursday, April 24, 2008 4:58 PM, joewcox
    Ok, thanks!
    ~Joe
  • Wednesday, May 14, 2008 2:43 PM, TMangan2
    I understand the security functions involved and for most work environments mesh would be very useful.  But working in a school district, we don't want students installing the mesh client on computer lab workstations and being able to install any software they want (games, movies, etc.).

    Our regular Internet filtering doesn't seem to work.  We'll try the suggestions here and see if that will fix the problem.
  • Wednesday, May 14, 2008 2:52 PM, GuyWithDogs
    TMangan2 said:

    I understand the security functions involved and for most work environments mesh would be very useful.  But working in a school district, we don't want students installing the mesh client on computer lab workstations and being able to install any software they want (games, movies, etc.).

    Our regular Internet filtering doesn't seem to work.  We'll try the suggestions here and see if that will fix the problem.

    My wife works for our local school district and I had the same thought about this (and a few other file and resource sharing technologies). How do you stop students sharing test answers via a Skydrive or similar URL? The understanding that the students have for the interconnectedness of so many of these tools is staggering.

    I have the same concerns about corporate security. I'm sure that there will be problems/issues, and while I agree with Microsoft that it's really up to the user, there's two types of users. The ones that want to circumvent corporate policies aren't what I'm worried about, since they are usually savvy enough to stay moderately safe. My real fear is the user who doesn't quite comprehend how widely they could accidentally share their information (these are the same people who freely share their entire drives on networks, etc.)

    I'll be interested in watching what further comments come out about corporate resource management, not just in this thread, but in others. I just know there will be a lot more info.
  • Wednesday, May 14, 2008 4:26 PM, Ryan Staats
    I'm with TMangan on this.  While I love Mesh, it becomes a significant security hole if I can't turn it off.

    Will blocking the mesh.com site be sufficient enough?
  • Thursday, May 15, 2008 9:28 PM, Markus Jork
    I think this topic is going to be a major headache for Microsoft. My first thought after trying out Live Mesh was that pretty much every IT department in the world would want to disable this. Of course this would significantly reduce the value of the Mesh and is not in the interest of Microsoft or its users.
    Maybe it's not as big a security issue as it appears to be on first sight but I'd be scared of it if I had to run a corporate network...
  • Thursday, May 15, 2008 11:09 PM, Todd Manion [MSFT]
     Answer
    Hi all,

    This is great feedback.  We are working hard on an enterprise story (that is actually one of my jobs) to help ensure Live Mesh is enterprise friendly.  For right now, we have two KB articles on how to manage Live Mesh for your enterprise:

    http://support.microsoft.com/kb/951861/en-us

    http://support.microsoft.com/kb/951862/en-us

    You will start seeing enterprise features coming in a future release, so please keep an eye out for those.  We'd love to get your feedback on them or, if you are an IT administrator, we'd love to get your "feature" ideas on how Live Mesh can be more enterprise friendly.

    Again, keep the feedback coming.  We really appreciate it!

    Thanks,
    Todd Manion [MSFT]

    This posting is provided "as is" and confers no rights or warranties.

  • Friday, May 16, 2008 12:07 AM, WilliamStacey
    Ryan Staats said:

    I'm with TMangan on this.  While I love Mesh, it becomes a significant security hole if I can't turn it off.

    Will blocking the mesh.com site be sufficient enough?



    I am not seeing this as any more of a problem than email or FTP sites of old.  It is just easier.  You can do all this stuff today without Mesh or things like Twitter.  When I was in school, people copied tests (well some of them) and used sneaker-net.  Things like Mesh do not change this IMO.  If kids are taking tests, they should not have access to phones or inet or email.  Machines should be locked down (something like SteadyState comes to mind).
  • Friday, May 16, 2008 8:17 AM, Jamie Thomson (MVP)
    WilliamStacey said:

    I am not seeing this as any more of a problem than email or FTP sites of old.  It is just easier.

    Hi William,
    I'm of a slightly different opinion. It IS a problem. The reason it's a problem? You said it yourself: it is just easier.

    Yeah, in theory FTP is a threat to enterprises. In reality it isn't THAT much of a problem because the majority of people in an enterprise wouldn't have a clue how to use FTP. Mesh puts another layer of abstraction in there that brings it into the realm of "the long tail" of users, i.e. those that could use it to do something you don't want them to and don't even know that they are doing something wrong. Moreover, that level of abstraction is that everything now works over http and I don't know of any enterprise that is going to close port 80 (http traffic) in the same way that you can shut off port 21 (FTP).

    I subscribed to this thread when i first saw it without actually posting anything because I think Mesh in the enterprise is a fascinating subject. Todd, I'm interested by your reply and am pleased that someone is tasked with looking at this scenario. Do you have a blog or anything like that where you are going to share your thoughts in this area?

    cheers
    Jamie

    UPDATE: I've just read one of Todd's linked-to articles above and seen that, actually, blocking access to Mesh over http isn't going to be much of a problem. I still maintain though that Mesh makes this more of a problem due to its ease of use. Take those small 4 or 5 person "enterprises" - are they going to be au fait with blocking http ports/sites? I think not. There's going to be 2 necessary ways to prevent problems here. One is technical (as Todd linked to above), the other is user education.


     

    http://jamiethomson.spaces.live.com/ | http://blogs.conchango.com/jamiethomson

  • Sunday, May 18, 2008 7:43 AM, WilliamStacey

    Hi William,
    I'm of a slightly different opinion. It IS a problem. The reason it's a problem? You said it yourself: it is just easier.

    Yeah, in theory FTP is a threat to enterprises. In reality it isn't THAT much of a problem because the majority of people in an enterprise wouldn't have a clue how to use FTP. Mesh puts another layer of abstraction in there that brings it into the realm of "the long tail" of users, i.e. those that could use it to do something you don't want them to and don't even know that they are doing something wrong. Moreover, that level of abstraction is that everything now works over http and I don't know of any enterprise that is going to close port 80 (http traffic) in the same way that you can shut off port 21 (FTP).

    Hi Jamie.  As a prior enterprise admin and network admin and dev, I agree that being able to manage access and apps is very important and needed.  I am just saying the biggest threat on port 80 via the users is the *browser and is probably the easiest app used daily.  The browser has been, and will be, the biggest threat by far. Compared to the browser, how is a mesh app really more dangerous?  Also, saying people won't use ftp or other apps to download content because it is harder is a fallacy. Security via obscurity is zero security.  If you want to block an app, that is fine and Todd showed methods.  However, folks should not think that blocking one app will make things safer when they have a gaping hole called the browser.  A wall a mile high is worthless if it is only 5 feet wide.
  • Sunday, May 18, 2008 8:35 AM, Jamie Thomson (MVP)
    WilliamStacey said:

    A wall a mile high is worthless if it is only 5 feet wide. 


    Nice analogy. I'm gonna remember that one :)

    http://jamiethomson.spaces.live.com/ | http://blogs.conchango.com/jamiethomson
  • Monday, May 19, 2008 4:18 AM, swattz101
    Also, saying people won't use ftp or other apps to download content because it is harder is a fallacy. Security via obscurity is zero security.  If you want to block an app, that is fine and Todd showed methods.  However, folks should not think that blocking one app will make things safer when they have a gaping hole called the browser.  A wall a mile high is worthless if it is only 5 feet wide.


    I don't know about others, but working IT at a bank, I worry more about employees taking sensitive information out rather than in. Not that I can or even would block everything. Sneaker net is alive and well with USB flash drives, and what is to stop some of our loan people from taking a file home to do some more work on it. My biggest reason for blocking USB devices is the threat of someone coming in with podslurp on an ipod and plugging it into the back of one of our pcs while our employee goes to a printer to get some documents or something.
    Live mesh is just another way for one of my users to share a folder with their home computer, then share that folder with someone else, forgetting the personal data of some of our customers in it. I don't see them doing it on purpose, but, still see it happening, especially with some of our users.

    Anyway, this is why I would like to be able to host an Enterprise Mesh, and give access for users to log into the "live mesh desktop" to manipulate files that I have given them access to on the live desktop or work pc desktop, without being able to download them to their home desktop. Hey, there is a new one to add to my list on the wish list. ;-)
    Steve
  • Monday, May 19, 2008 12:48 PM, Bleak Morn
    swattz101 said:
    I don't know about others, but working IT at a bank, I worry more about employees taking sensitive information out rather than in. Not that I can or even would block everything. Sneaker net is alive and well with USB flash drives, and what is to stop some of our loan people from taking a file home to do some more work on it. My biggest reason for blocking USB devices is the threat of someone coming in with podslurp on an ipod and plugging it into the back of one of our pcs while our employee goes to a printer to get some documents or something.
    Live mesh is just another way for one of my users to share a folder with their home computer, then share that folder with someone else, forgetting the personal data of some of our customers in it. I don't see them doing it on purpose, but, still see it happening, especially with some of our users.

    So how is this a problem if you're using decent Information Rights Management (IRM) technology?

    Information Rights Management (IRM) allows individuals and administrators to specify access permissions to documents, workbooks, and presentations. This helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. After permission for a file has been restricted by using IRM, the access and usage restrictions are enforced no matter where the information is, because the permission to a file is stored in the document file itself.

    IRM helps individuals enforce their personal preferences concerning the transmission of personal or private information. IRM also helps organizations enforce corporate policy governing the control and dissemination of confidential or proprietary information.
    SOURCE: http://office.microsoft.com/en-us/help/HA101029181033.aspx


    As one poster mentioned earlier, there are all sorts of ways confidential customer information can escape your control (besides Mesh) if you're not using appropriate precautions.

    Messing with permissions on particular apps is a popular administrative technique because it's a lot easier than doing something that would really be effective.  Just look at Phishing.  It's a problem that'd be easily solved by S/MIME signing all outbound email.  So why isn't anyone doing it?  It costs money and it's a lot easier to just send emails to users telling them not to fall for Phishing scams.
  • Monday, May 19, 2008 12:57 PM, Bleak Morn
    TMangan2 said:
    I understand the security functions involved and for most work environments mesh would be very useful.  But working in a school district, we don't want students installing the mesh client on computer lab workstations and being able to install any software they want (games, movies, etc.).

    So why do your students have install permissions again?

    Way back when I was in High School I nearly got suspended after I discovered that you could bypass the Novell login screen by attempting to access a floppy, then breaking out of the batch (with <Ctrl> + <C> I believe).  This dropped us out to a DOS prompt.  From there we were able to create a fake teacher (the IT guy monitored the size of students folders, but he trusted teachers).  Some friends used the account to store DOOM on the network and we socially engineered our way into the computer labs (thanks janitors!) to play on the LAN after hours.

    In college the machines were much more secure, so I became friends with the head of the student computing labs and was able to ensure that the software selection suited my preferences.

    What sort of movies are your students "installing"? They can probably watch movies or TV shows streaming from a variety of websites without installing anything.
    • Edited by Bleak Morn, Monday, May 19, 2008 1:01 PM: Added quote.
  • Monday, May 19, 2008 1:06 PM, Bleak Morn
    joewcox said:
    Can I block my employees from adding work computers to their personal "Live Mesh"?  I'm concerned about people accessing the corporate network from an insecure environment (i.e. their laptop in a coffee shop).


    Does anyone else see the irony of this question coming from a person whose emoticon shows a guy with a laptop and cell phone on a beach? ;)
  • Wednesday, May 21, 2008 3:00 AM, Mike Therien
    I don't know about others, but working IT at a bank, I worry more about employees taking sensitive information out rather than in. Not that I can or even would block everything. Sneaker net is alive and well with USB flash drives, and what is to stop some of our loan people from taking a file home to do some more work on it.

    I have to agree with this.  In a prior position I was an I.T. Administrator that worried about sensitive client information from leaving the network.  I am now in the development side of I.T. and see the benefits of Mesh.

    I think Mesh is great for sharing content with your home computer.  For example, I share my photos at work so I can have my kids pictures appear on my computer's screen saver.  But I also use Mesh for personal files that I would like to sync between home and work, such as Word documents.

    Maybe an option would be for network administrators to be able to block the sharing of files on company computers but allow files to be synced from other devices.  You can't create a share of corporate data.

    I can see our network admins also get concerned about bandwidth.  If all this meshing was going on in a network, how much bandwidth is it going to take up?

    Provide network admins with control over what employees can do with Live Mesh instead of blocking it all together.  And most importantly, make it easy for the admins to do it.  So many admins will take the easy way out of blocking it all together because controlling it is difficult.  Wizards that set up a group policy for Live Mesh would be my vote.
  • Wednesday, May 21, 2008 2:26 PM, Quilnux
    Most corps will have more control over security of Domain Computers. Plus they have more capabilities to block applications and such. Schools however, are usually staffed with IT resources that don't fully understand how these things can be blocked. Something that can be looked into when we have URLs that we are unable to block (due to access or technology limitation) is to use the HOSTS file to redirect the system to a different location. For example, as the admin user I can redirect users from going to myspace by adding www.myspace.com, myspace.com, login.myspace.com and profile.myspace.com, common URLs for myspace, and redirect them to my local web server. Edit the HOSTS file from notepad; the file is located in
    %WINDIR%\system32\drivers\etc (Vista users will need to run notepad as admin or you won't be able to save the file) and add these lines (from my example) [replace IPs with a web server ip address]

    192.168.0.10    www.myspace.com

    192.168.0.10    myspace.com
    192.168.0.10    login.myspace.com
    192.168.0.10    profile.myspace.com

    Once saved, restart the computer (or restart the DNS Client Service) and that will redirect users to the web server on 192.168.0.10 when they access these resources. These will need to be added to each computer (you can use the same HOSTS file so just copy it to a USB drive) but will work great in small environments. The students who are not admins will not be able to edit the HOSTS file and since the DNS Client gets URL resolutions from the HOSTS file first it will counter any proxy or DNS server redirect. Works great for us and we haven't seen any bypass from this yet.
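A scripted form of the HOSTS-file approach described in the post above, added here as an example; it was not posted by anyone in the thread. It assumes an elevated PowerShell session, uses the post's 192.168.0.10 as the address of a local web server that serves a "blocked" page, and uses a constructed list of names under the reserved .example domain rather than any real service. It also adds the check a practitioner wants after editing HOSTS: resolve each name and confirm it actually lands on the sinkhole.

```powershell
# Added example (not posted in the thread): idempotent HOSTS-file sinkhole for lab PCs.
# Assumptions: elevated PowerShell; $SinkholeIp is a local web server that serves an
# "access blocked" page (192.168.0.10 as in the post above); the host names are a
# constructed sample list under the reserved .example domain, not a real service.

$HostsPath  = Join-Path $env:WINDIR 'System32\drivers\etc\hosts'
$SinkholeIp = '192.168.0.10'
$BlockNames = @('www.sync.example', 'sync.example', 'login.sync.example')

function Add-HostsSinkhole {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string]   $Ip,
        [Parameter(Mandatory)] [string[]] $Names
    )
    # Read the file once; a missing HOSTS file is an error worth seeing, not something to create quietly
    $existing = Get-Content -Path $Path -ErrorAction Stop
    $added = @()
    foreach ($name in $Names) {
        # An active mapping is "<address> <name>" on an uncommented line; skip names already mapped
        $pattern = '^\s*[0-9A-Fa-f.:]+\s+' + [regex]::Escape($name) + '(\s|$)'
        if (-not ($existing | Where-Object { $_ -match $pattern })) {
            $added += ('{0}    {1}    # sinkholed by lab policy' -f $Ip, $name)
        }
    }
    if ($added.Count -gt 0) {
        Copy-Item -Path $Path -Destination ($Path + '.bak') -Force   # rollback copy
        Add-Content -Path $Path -Value $added -Encoding Ascii
        ipconfig.exe /flushdns | Out-Null   # drop cached answers; the resolver rereads HOSTS by itself
    }
    return $added
}

function Test-HostsSinkhole {
    param([Parameter(Mandatory)] [string] $Ip, [Parameter(Mandatory)] [string[]] $Names)
    # The Windows resolver consults HOSTS before DNS, so this reflects the mapping just written
    foreach ($name in $Names) {
        $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        [pscustomobject]@{ Name = $name; Resolved = ($addrs -join ', '); Sinkholed = ($addrs -contains $Ip) }
    }
}

Add-HostsSinkhole -Path $HostsPath -Ip $SinkholeIp -Names $BlockNames
Test-HostsSinkhole -Ip $SinkholeIp -Names $BlockNames | Format-Table -AutoSize
```

The `Sinkholed` column in the output should read `True` for every name; a `False` means the entry was not written (check the `.bak` copy and the file's ACL) or the name is spelled differently from what the client actually resolves. The limits of the technique are the ones the post implies: only the names listed are affected, so a client that reaches the service through a different host name, a hard-coded address, or a non-Windows device is not covered, and anyone with local admin rights can edit the file back.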
  • Wednesday, May 21, 2008 5:36 PM, LarryS56
    The bigger challenge is to not just turn off Live Mesh but to allow Live Mesh without compromising the security and integrity of corporate assets. As I see it Live Mesh is just a 2.0 extension of tools that we already expect users to take advantage of from any geographic location or context (cell phone, notebook computer, PDA, etc). Execs and mobile users want to use these tools because they are convenient. Management wants you to use these tools because they don't want to wait for you to show back up in the office to take care of business. I see Live Mesh as an extremely powerful and convenient mechanism to allow access to documents and desktops from any location or context for both sophisticated and less sophisticated users. The challenge is preventing leaking documents in a context that compromises the business. My first pass thought on this is that you either need DRM internal to the organization or a DRM mechanism built into Live Mesh that disables documents if that user no longer has rights to those documents in Live Mesh.
  • Tuesday, July 29, 2008 9:36 AM, McAkins
    This is indeed a very interesting topic, Mesh is a two edged sword, it is a blessing and a curse at the same time, depending on whose side you are. In my opinion, this is just a natural evolution of our digital lifestyle, no SysAdmin can block this progress.

    I am a mobile IT worker, working mostly from home. I have almost twenty years of IT experience behind me, so I definitely know how to use Mesh without sacrificing the security of my company. Indeed this cannot be said of everyone. Mesh has been a boon to my productivity without a doubt; it will be a pain to see it blocked from my corporate environment.

    To return to my original thought, Mesh is a natural progression of things. I remember several technologies that were also seen as a threat in the past, but are now accepted in the corporate environment. Think about the origin of the VPN, and Office Web Access. There is inherent danger in every technology. If admins block Mesh, it will never prevent a savvy employee bent on Enterprise Espionage. You really can't prevent a focused attack on the enterprise unless you use DRM/IRM to protect sensitive documents and mails, as people already mentioned in this thread.

    Mesh is a welcomed life-saver for mobile workers, it will be anti-productive to see it blocked by nervous admins. This is the 21st century people, my employer has taken control of my private life by asking me to work from home. For me I don't have working hours, my private life and working life flow into each other. I don't see the reason why I should not have access to tools that help bridge this divide in the digital world, it is already bridged in the physical world.

    McAkins
  • Thursday, July 02, 2009 12:20 AM, HiltonT
    If you look carefully, *both* Live Mesh and Microsoft Vine are able to be installed by the end user without invoking any UAC prompts, even when UAC is in its default (enabled) configuration, because they install to "%USERPROFILE%\AppData\Local\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" and "%USERPROFILE%\AppData\Local\Microsoft\Microsoft Vine\Vine.exe" which - if you notice carefully - isn't in %ProgramFiles% nor %ProgramFiles(x86)% nor %ProgramW6432%.

    So you don't need to allow students/staff/contractors to have install rights for them to be able to install Live Mesh nor Microsoft Vine.

    I see this as a *major* issue when it comes to security.  Sure, you can use Software Restriction Policies to block the files/hashes, but a simple program upgrade will make that useless.  The ability for a user to install an application is the issue here - it should NEVER be allowed in an enterprise/secure environment.

    Now, add to that the issue of being able to copy corporate data into a Live Mesh folder and replicate it to an unsecured location, and say goodbye to network security.  IRM will certainly help - for some document types, but not for everything.

    I wonder, sometimes, why Microsoft increases security with things like UAC and then makes that all redundant by allowing applications such as this to be installed and used on corporate networks at the user's whim.

    - Hilton Travis
    Quark IT
    http://blog.hiltontravis.com/
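Nadia's reply earlier in the thread points at Software Restriction Policies, and this post explains why a path rule on the per-user install folder holds up where a hash rule breaks on the next upgrade. The PowerShell below is an added example for both points; it is not code from Microsoft or from anyone in the thread. It assumes an elevated session on a stand-alone machine and assumes that the registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers is the local store that secpol.msc writes SRP rules into. It first inventories executables running from user-profile folders (the pattern described above: installed with no UAC prompt, outside %ProgramFiles%), then writes a Disallowed path rule for the Live Mesh folder named in the post.

```powershell
# Added example (not from the thread): list executables running from user profiles, then add
# a "Disallowed" Software Restriction Policy path rule for a per-user install folder.
# Assumptions: elevated PowerShell on a stand-alone machine; the registry layout below is
# the local SRP store as written by secpol.msc (this is an assumption, not taken from the thread).

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-UserProfileProcess {
    # Anything executing from under the profiles root (e.g. C:\Users) got there without admin
    # rights, which is exactly what a path rule on that location is meant to stop.
    $profileRoot = Split-Path -Parent $env:USERPROFILE
    Get-Process | Where-Object { $_.Path -and $_.Path.StartsWith($profileRoot, 'OrdinalIgnoreCase') } |
        Select-Object Id, ProcessName, Path
}

function Initialize-SrpPolicy {
    # Create the policy root with an "Unrestricted" default level so only explicit rules block.
    if (-not (Test-Path $SaferRoot)) { New-Item -Path $SaferRoot -Force | Out-Null }
    Set-ItemProperty -Path $SaferRoot -Name 'DefaultLevel'        -Value 262144 -Type DWord   # Unrestricted
    Set-ItemProperty -Path $SaferRoot -Name 'TransparentEnabled'  -Value 1      -Type DWord   # all software except DLLs
    Set-ItemProperty -Path $SaferRoot -Name 'PolicyScope'         -Value 0      -Type DWord   # all users
    Set-ItemProperty -Path $SaferRoot -Name 'AuthenticodeEnabled' -Value 0      -Type DWord
    if (-not (Get-ItemProperty -Path $SaferRoot -Name 'ExecutableTypes' -ErrorAction SilentlyContinue)) {
        # Extensions SRP treats as executable; this is the list secpol.msc seeds by default (assumption)
        $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
                 'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
        Set-ItemProperty -Path $SaferRoot -Name 'ExecutableTypes' -Value $types -Type MultiString
    }
}

function Add-SrpDisallowedPath {
    param([Parameter(Mandatory)] [string] $PathPattern, [string] $Description = '')
    # Subkey "0" holds Disallowed rules (262144 would be Unrestricted); each rule is its own GUID key.
    $ruleKey = Join-Path $SaferRoot ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'    -Value $PathPattern -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'  -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name 'Description' -Value $Description -Type String
    return $ruleKey
}

Get-UserProfileProcess | Format-Table -AutoSize
Initialize-SrpPolicy
# A folder rule covers everything beneath it, so the versioned "Servicing\0.9.xxxx" subfolder
# named in the post changing on upgrade does not matter, unlike a hash rule.
Add-SrpDisallowedPath -PathPattern '%USERPROFILE%\AppData\Local\Microsoft\Live Mesh' `
                      -Description 'Block per-user Live Mesh install'
```

After running it, the rule is visible under Security Settings > Software Restriction Policies > Additional Rules in secpol.msc, and it applies to processes started after a policy refresh (`gpupdate /force` or a log-off). To confirm it works without the real client, copy a harmless signed binary such as notepad.exe into that folder and launch it from a non-admin account; the launch should be refused and the Application log should record an event from source "Software Restriction Policies" (ID 866 for a path-rule block). On a domain, publish the same rules through a GPO rather than writing the registry on each machine; the point of the example is the rule shape, not the delivery mechanism.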
  • Thursday, July 02, 2009 12:39 AM, Stephen Boots (MVP, Moderator)
    Thanks for your comments, Hilton. Administrators can block the use of Live Mesh as desired through simple methods.
    http://support.microsoft.com/kb/951862

    http://support.microsoft.com/kb/951861

    -steve
    Microsoft MVP Windows Live / Windows Live OneCare, Live Mesh, & MS Security Essentials Forums Moderator