MDM Self Service Portal Security

2/9/2009

Review the following security requirements and best practices before you deploy MDM Self Service Portal.

Security Requirements

To install MDM Self Service Portal, you must be a member of the DefaultServerAdministrators group and you must be a local administrator for the server on which you are installing MDM Self Service Portal.

The following shows the necessary requirements before you install MDM Self Service Portal:

  • An available certification authority: After you meet this requirement, MDM Setup configures Secure Sockets Layer (SSL) when you install MDM Self Service Portal.
  • You have run the Active Directory Configuration Tool (ADConfig): ADConfig installs the DefaultServerAdministrators and DefaultSelfService security groups that MDM Self Service Portal requires. When you run Setup to install the portal, the MDM Self Service Portal server account is added to the DefaultSelfService group. This gives MDM Self Service Portal permission to run specific MDM cmdlets.
  • Port 443 is available: MDM Self Service Portal uses this port by default to take advantage of SSL encryption. You can choose a different port when you install MDM Self Service Portal by using MDM Setup if port 443 is not available.

Security Best Practices

The following describes best practices to help make MDM Self Service Portal more secure.

Configure and Use Appropriate Passwords

MDM Self Service Portal establishes the following password policy:

  • Users access the portal by using their Windows-based operating system domain credentials. These should be strong passwords.
  • As the MDM administrator, you can configure the strength of the enrollment password by using an MDM cmdlet. To learn more about how to configure enrollment passwords, see the MDM Operations Guide. You cannot configure this password through the portal.
  • By default, the enrollment password is 10 characters long. The password should have no fewer than eight characters to be a strong password.
  • MDM Setup configures MDM Self Service Portal so that anonymous logon to the server that is running IIS is not allowed.

Do Not Disable SSL

When you install MDM Self Service Portal by using MDM Setup, Setup turns on Secure Sockets Layer (SSL). SSL is not required for the portal to function correctly. However, encrypting communication between the client and the Web server helps reduce the following threats:

  • User identity spoofing or sniffing
  • Session hijacking
  • Data tampering

Manage Access to MDM Self Service Portal

By default, you must be a member of one of the following groups in a given instance to access MDM Self Service Portal:

  • SCMDMAuthorizedUsers (InstanceName)
  • SCMDMServerAdmins (InstanceName)
  • A domain administrator group

However, when you run Setup to install MDM Self Service Portal, all domain users are added as members of SCMDMAuthorizedUsers (InstanceName), and device enrollment in MDM Self Service Portal is enabled. Therefore, when installation is complete, all domain users have access to the portal and can enroll Windows Mobile devices in the default organizational unit (OU) for MDM Enrollment Server.

To restrict access to the portal, change the membership of SCMDMAuthorizedUsers (InstanceName) before you install MDM Self Service Portal. You can modify user access to the portal by using ASP.NET configuration settings. For more information, see Manage Access to MDM Self Service Portal by Using IIS.
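The following audit script is an added example, not part of the MDM documentation or product. It checks the three post-install defaults described above: that Domain Users has been removed from SCMDMAuthorizedUsers (InstanceName), that the portal site still has only an SSL binding, and that anonymous logon in IIS remains disabled. The instance name "Instance1", the IIS site name "MDM Self Service Portal", and the availability of the ActiveDirectory and WebAdministration modules on the server are assumptions.

```powershell
# Added post-install audit for MDM Self Service Portal (not the product's own code).
# Assumptions: instance "Instance1", IIS site "MDM Self Service Portal", and the
# ActiveDirectory and WebAdministration modules are installed on the portal server.
Import-Module ActiveDirectory
Import-Module WebAdministration

$InstanceName = 'Instance1'                     # assumed MDM instance name
$SiteName     = 'MDM Self Service Portal'       # assumed IIS site name
$Group        = "SCMDMAuthorizedUsers ($InstanceName)"
$Findings     = @()

# 1. Setup adds all domain users to SCMDMAuthorizedUsers; flag it if Domain Users is still a member.
$members = Get-ADGroupMember -Identity $Group -ErrorAction Stop
if ($members | Where-Object { $_.objectClass -eq 'group' -and $_.SamAccountName -eq 'Domain Users' }) {
    $Findings += "'$Group' still contains 'Domain Users': every domain account can reach the portal and enroll devices."
}

# 2. Setup turns on SSL (https on port 443 by default); the site should not also answer on plain http.
$bindings = Get-WebBinding -Name $SiteName
if (-not ($bindings | Where-Object { $_.protocol -eq 'https' })) {
    $Findings += "Site '$SiteName' has no https binding; SSL has been disabled."
}
if ($bindings | Where-Object { $_.protocol -eq 'http' }) {
    $Findings += "Site '$SiteName' also listens on plain http; remove that binding so credentials and session cookies are not sent in clear text."
}

# 3. Setup disables anonymous logon on the IIS site; make sure nobody re-enabled it.
$anon = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter '/system.webServer/security/authentication/anonymousAuthentication' -Name enabled
if ($anon.Value) {
    $Findings += "Anonymous authentication is enabled on '$SiteName'; MDM Setup turns it off."
}

if ($Findings.Count -eq 0) {
    'No deviations from the MDM Self Service Portal security defaults found.'
} else {
    $Findings | ForEach-Object { "WARNING: $_" }
}
```

Run it from an elevated PowerShell session on the portal server after installation and again after any change to group membership or IIS settings.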

Use E-Mail or Web Site Password Delivery

Use e-mail or Web site delivery to give users their enrollment passwords. Users must have passwords to complete the enrollment process. If you disable both e-mail and Web site delivery, you must use another mechanism to let users know their password.

Use the Portal Administration page or the configuration file to configure e-mail or Web site delivery settings.

Avoid Same Server Installations

To help make MDM more secure, you should not install MDM Self Service Portal on the same server as MDM Enrollment Server or MDM Device Management Server.

By default, MDM Self Service Portal runs under the Network Service account. By default, MDM Enrollment Server also runs under the Network Service account. Because the two share that account, any other application on the same server that runs under Network Service, including the portal, has the Enrollment Server's credentials to create or delete accounts in the domain.

Restrict Access to IIS Settings

Give only trusted users access to IIS settings and be cautious when you change these settings. If you change IIS settings on a computer that is running MDM, it could cause the Web sites to function incorrectly.

Modify Only Specific Web Configuration Settings

You should only modify certain settings in the Web configuration (Web.Config) file.

All MDM Web services have a Web.Config file. You should use caution if you modify these files. Any changes that you make can affect MDM performance negatively, or lead to MDM system failures.

Run Setup from a Secure Location

Run Setup (.msi) files and Active Directory configuration files only from a secure location. Do not run MDM Setup from a network share. If you modify files from the original version, such as changing a .dll, MDM Self Service Portal will not install.

Deploy MDM Self Service Portal on a Company Network or Use ISA

We do not recommend that you put MDM Self Service Portal directly on the Internet. If you must make MDM Self Service Portal functionality available to users outside the company network, use a publishing mechanism such as Microsoft Internet Security and Acceleration (ISA) Server.

ISA has additional authentication processes to provide improved security and to meet your company security policies. For more information about how to publish by using ISA, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=105968.