Top 10 Security Concerns of Windows Mobile (and how to Overcome them)

This is my slide deck from MEDC, which discusses the top 10 security concerns of Windows Mobile and how to overcome them.

Published in: Business, Technology
  • 05/26/09 16:49 © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

    2. ITP205: Top 10 Security Concerns of Deploying Windows Mobile© (And How to Overcome Them)
        Jason Langridge, Enterprise Mobility Solution Specialist, Microsoft Communications Business Group
        E-mail: [email_address]
        Blog: http://blogs.msdn.com/jasonlan
    3. Microsoft Windows Mobile 5.0 Security Features
        • Device protection
            • Device lock: PIN, strong, exponential delay
            • Authentication protocols: PAP, CHAP, MS-CHAP, NTLM, TLS
        • Data protection
            • 128-bit Cryptographic services: CAPIv2
            • Application installation and execution
            • Anti-virus API
        • Network protection
            • Secure browsing: HTTP (SSL), WAP (WTLS)
            • Virtual Private Networking (PPTP, L2TP IPSec)
            • Wireless network protection (WEP, 802.1x, WPA)
        • Combined with Microsoft Exchange Server 2003
            • IT Security Policy Enforcement
            • Remote Device Wipe
            • S/MIME
            • Certificate-based authentication
    4. Windows Mobile 6 Security Enhancements
        • Storage card security
            • Storage card encryption
            • Storage card wipe (Microsoft Exchange Server 2007)
        • Generating a personal certificate
            • New desktop and device certificate enrollment tools
            • PFX import
        • Crypto/certificate services
            • Root certificate add for users
            • AES 128 and 256 implementation for SSL and DPAPI
            • Wildcard certificate support
            • S/MIME configuration improvements
        • Built-in Rights Management support for messaging and Office documents
    5. Exchange 2007 Policies
        • More granular access control
            • By-device ID: Allows only enterprise-provisioned devices
            • By-user agent: Allows only enterprise-approved devices
        • Per-user policies
        • New incremental policies
            • Storage card encryption enforcement
            • Allow/disallow attachments and maximum size
            • Allow/disallow UNC/SharePoint access
        • New device lock policies
            • Device timeout enhancements
            • Password expiration
            • Password history
            • User PIN/password reset
    6. Top 10 Security Concerns
        • We really don’t want to have incoming ports being opened
        • How can we stop un-trusted devices accessing Exchange?
        • We have to implement two-factor authentication
        • Do we really need to use Microsoft ISA Server?
        • We don’t want to cache passwords on the device
        • There is no way we’ll allow this solution, as you can download attachments
        • We must have on-device encryption
        • What is wiped when you remote-wipe a Windows Mobile device?
        • What about anti-virus support?
        • Couldn’t someone perform a Denial of Service (DoS) attack?
    8. We Really Don’t Want to Have Incoming Ports Being Opened
        • Do you use Outlook Web Access already?
            • Most customers already do; so you will already have the necessary infrastructure in place
        • Only one port is required to be opened: port 443 (SSL)
        • Traffic can be pre-authenticated
        • ISA does provide filtering to ensure traffic is ActiveSync traffic
        [Diagram labels: Mobile Devices (HTTPS access); Cellular Network/Internet; Perimeter Network; ISA Server 2004 or 2006; ISA Server; Corporate Network]
    10. How Can We Stop Un-trusted Devices Accessing Exchange?
        • Front-door vs. back-door devices
        • There are two ways to address this concern
            • Exchange Server 2003: Use certificate-based authentication
            • Exchange Server 2007 provides DeviceID blocking
                • If a user is disabled for sync they can’t sync with any device
                • If a user is enabled for sync:
                    • If the deviceID restriction is null, the user can sync with any device
                    • If the deviceID restriction is populated using the task, the user can only sync with that device
                • To configure this feature you use the Exchange Management Shell and run the Set-CASMailbox task. See example below:
                • Set-CASMailbox -identity:<user> -ActiveSyncAllowedDeviceIDs:"<deviceID_1>", "<deviceID_2>"
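The DeviceID rules on this slide can be checked offline before any restriction is changed. The following is an added example, not part of the original deck: it models the three rules and audits which sync-enabled users are still unrestricted. The property names follow Get-CASMailbox output; the function names, users and device IDs are hypothetical, constructed sample data.

```powershell
# Added example on constructed data. Property names follow Get-CASMailbox
# output; function names, users and device IDs are made up for illustration.

function Test-SyncAllowed {
    param($Mailbox, [string]$DeviceId)
    # A user disabled for sync cannot sync with any device.
    if (-not $Mailbox.ActiveSyncEnabled) { return $false }
    # Null/empty restriction: the user can sync with any device.
    $allowed = @($Mailbox.ActiveSyncAllowedDeviceIDs | Where-Object { $_ })
    if ($allowed.Count -eq 0) { return $true }
    # Populated restriction: only the listed device IDs can sync.
    return ($allowed -contains $DeviceId)
}

function Get-DeviceRestrictionAudit {
    param($Mailboxes, $Partnerships)
    foreach ($mbx in $Mailboxes) {
        if (-not $mbx.ActiveSyncEnabled) { continue }
        $allowed = @($mbx.ActiveSyncAllowedDeviceIDs | Where-Object { $_ })
        $seen = @($Partnerships | Where-Object { $_.User -eq $mbx.Name } |
                  ForEach-Object { $_.DeviceId })
        if ($allowed.Count -eq 0) {
            # Sync-enabled with no restriction: any device is accepted.
            [pscustomobject]@{
                User    = $mbx.Name
                Finding = 'Unrestricted'
                Devices = $seen -join ','
            }
            continue
        }
        # Partnerships that the current restriction does not permit.
        $extra = @($seen | Where-Object { $allowed -notcontains $_ })
        if ($extra.Count -gt 0) {
            [pscustomobject]@{
                User    = $mbx.Name
                Finding = 'NotOnAllowList'
                Devices = $extra -join ','
            }
        }
    }
}

# Constructed sample records (not from a real Exchange organisation).
$mailboxes = @(
    [pscustomobject]@{ Name = 'alice'; ActiveSyncEnabled = $true;  ActiveSyncAllowedDeviceIDs = @('DEV-A1') }
    [pscustomobject]@{ Name = 'bob';   ActiveSyncEnabled = $true;  ActiveSyncAllowedDeviceIDs = @() }
    [pscustomobject]@{ Name = 'carol'; ActiveSyncEnabled = $false; ActiveSyncAllowedDeviceIDs = @('DEV-C1') }
)
$partnerships = @(
    [pscustomobject]@{ User = 'alice'; DeviceId = 'DEV-A1' }
    [pscustomobject]@{ User = 'alice'; DeviceId = 'DEV-A9' }
    [pscustomobject]@{ User = 'bob';   DeviceId = 'DEV-B1' }
)

Test-SyncAllowed $mailboxes[0] 'DEV-A9'   # restricted user, unlisted device
Test-SyncAllowed $mailboxes[1] 'DEV-B1'   # unrestricted user
Test-SyncAllowed $mailboxes[2] 'DEV-C1'   # sync disabled
Get-DeviceRestrictionAudit $mailboxes $partnerships | Format-Table -AutoSize
```

On an Exchange Server 2007 system the mailbox records would come from Get-CASMailbox and the per-user device IDs from Get-ActiveSyncDeviceStatistics; the sample arrays stand in for that output.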
    12. We Have to Implement Two-factor Authentication
        • What is two-factor authentication?
        • Three methods used to authenticate:
            • “Something you know” (such as a password, PIN or an out of wallet response)
            • “Something you have” (such as a mobile phone, credit card, or hardware security token)
            • “Something you are” (such as a fingerprint, a retinal scan, or other biometric)
        • Two-factor authentication requires any two of the above
    13. We Have to Implement Two-factor Authentication
        • Please consider user experience
        • “Something you have” and “Something you know” are the most common approaches
        • Three common ways to solve this:
            • SecurID: SecurID token and device PIN
            • Certificate-based authentication: certificate and device PIN
            • Private APN: SIM and device PIN
    14. SecurID
        • RSA’s SecurID is currently the most popular corporate solution for two-factor authentication. In Europe, it is a de facto standard. This is now supported by Exchange ActiveSync.
        • RSA Authentication Agent 5.3 for Web for Internet Information Services provides support for Microsoft Exchange Server ActiveSync 2003
        • Implementation guide: http://technet.microsoft.com/en-us/library/cfecf499-32a9-4b9a-9d2a-88e393be0bd2.aspx
    15. Certificate-based Authentication
        • Certificates on the mobile device (or via cert-reading peripheral) authenticate the user to the server for gaining sync privileges
        • Requires SSL tunneling to the front-end server
        • Does not support pre-authentication at ISA or other reverse proxy
        • Certificate-based authentication also requires one-time cradling (plus, whenever the certificate needs to be re-provisioned)
        [Screenshots: Using Basic Authentication; Using Certificate Authentication]
    16. Private APN
        • Direct Private connection
        • Network access controlled via proxy
        • Access to APN controlled via SIM
        [Diagram labels: Private Network; Mobile Operator Network; Firewall/ISA; Proxy Servers; GGSN; GIP; Client Addressing e.g. 192.168.32.1/24, No NAT; ISP; Internet; Direct Private Connection; Exchange FE; Exchange BE]
    18. Do We Really Need to Use ISA Server?
        • ISA Server is “recommended,” not “required”
        • Any firewall that can publish port 443 (SSL) can be used
        • ISA is recommended because it has:
            • The ability to pre-authenticate all traffic before it reaches your Exchange Server
            • The option to inspect Exchange ActiveSync traffic passing through it and validate it is genuine
            • ISA Server 2006 provides Kerberos-constrained delegation to the Exchange server
    20. We Don’t Want to Cache Passwords on The Device
        • Username/domain name/password are stored hashed, double encrypted using 128-bit RC4 encryption
        • If you still aren’t comfortable with that, you can use certificate-based authentication
        [Screenshots: Using basic authentication; Using certificate-based authentication]
    22. There is No Way We’ll Allow This Solution, as You Can Download Attachments
        • Exchange Server 2003: You can use URL Scan and block the X-MS-ENUMATTS verb to stop attachments from being downloaded. http://blogs.msdn.com/jasonlan/archive/2006/09/07/744780.aspx
        • Exchange Server 2007: You can allow/disallow attachment download through policy
    25. We Must Have On-Device Encryption
        • All data is protected by device PIN and remote wipe
        • Windows Mobile 6 has storage card encryption but we do not encrypt device
        • First separate PIM (e-mail/calendar/contact data) from LOB data
        • If it is an absolute requirement
            • For LOB solutions, you can use Microsoft SQL Compact Edition native encryption or our Crypto API
            • If you require full-device encryption
                • Credant Mobile Guardian
                • Trust Digital
    27. What is Wiped When You Remote-Wipe a Windows Mobile Device?
        • When device memory is wiped it is effectively a hard reset
        • Windows Mobile 6 and Exchange Server 2007
            • Storage card encryption uses AES 128-bit encryption
            • Key is stored on device
            • Encrypted data is stored on card
            • Wipe removes key and formats card

        Scenario                              | Device memory wiped | Storage card wiped
        Exchange 2003 and Windows Mobile 5.0  | Yes                 | No
        Exchange 2003 and Windows Mobile 6    | Yes                 | No
        Exchange 2007 and Windows Mobile 5.0  | Yes                 | No
        Exchange 2007 and Windows Mobile 6    | Yes                 | Yes
    28. Device Wipe
    29. Windows Mobile 6 Remote Kill Functionality
    31. What About Anti-virus?
        • User education is critical
        • Windows Mobile includes application installation and execution security
        • Uses code signing to determine the trust level for:
            • An application installation
            • An application process
        • Primary defense for enterprises against malicious code
        • Built-in APIs for anti-virus solutions
            • Computer Associates
            • F-Secure
            • McAfee
            • SOFTWIN
            • Airscanner
            • Trend
            • Symantec
    32. Infamous Mobile Threats (2004-2006)
        Copyright 2006 - Trend Micro Inc.
        [Timeline figure, 2004 to 2006, colour-coded by platform: Symbian OS, Windows CE/Mobile, Java (J2ME). Threats named on the timeline: RedBrow, Cxover, Wesber, Vlasco, Win CE BRADOR, Locknut (Gavno), Skulls, Cabir, Win CE DUTS, Comwar, Dampig, Qdial, Mabir, Fontal, Drever, Hobbes, Doomed, Boottoon, Skudoo, Cadmesk, Cardtrp, Cardblk, PBSteal, Blanfon, Sndtool, Flexspy, OneJump, Romride, Mobler, Acallno]
    34. Couldn’t Someone Perform a Denial of Service (DoS) Attack?
        • Spoofing/intercepting these connections is impossible
        • Potential for DoS attack is mitigated by complexity of performing “well-formed” requests
        • Major concerns are:
            • Incomplete handshakes. (Mitigated by TCP connection timeouts.)
            • Opening lots of connections. (Mitigated by connection timeouts.)
            • Opening connections and issuing lots of HTTP requests. (Mitigated by connection timeouts.)
            • Account lockout. (Eliminated using RADIUS authentication.)
    35. Security is Everywhere!
    36. Top 10 Review
        • User education is critical
        • Good security = technology and policy
        • So what did I miss?
    37. Resources
        • Security for Windows Mobile Messaging
            • http://blogs.msdn.com/jasonlan/archive/2007/03/13/new-whitepaper-security-for-windows-mobile-messaging-in-the-enterprise.aspx
        • Security model for Windows Mobile 5.0 and 6
            • http://blogs.msdn.com/jasonlan/archive/2007/03/13/new-whitepaper-security-model-for-windows-mobile-5-0-and-windows-mobile-6.aspx
        • http://www.microsoft.com/security/default.mspx
        • Other great sessions:
            • APP215: Windows Mobile© Application Security Model
            • ITP305: Security Analysis for Mobile Deployments
    39. While You're Here
        • Fill out your session evaluation: enter to win a Windows Mobile® phone or Zune™
        • Geek out with a huge rack of servers: Enterprise Mobility in Action is in the Expo Hall
        • Meet the geeks: the Expert Cabana is packed with MEDC speakers and MVPs