Top 10 Security Concerns of Windows Mobile (and how to Overcome them)

Slide 2: ITP205 Top 10 Security Concerns of Deploying Windows Mobile© (And How to Overcome Them) Jason Langridge Enterprise Mobility Solution Specialist Microsoft Communications Business Group E-mail: jasonlan@microsoft.com Blog: http://blogs.msdn.com/jasonlan

Slide 3: Microsoft Windows Mobile 5.0 Security Features Device protection Device lock: PIN, strong, exponential delay Authentication protocols: PAP, CHAP, MS-CHAP, NTLM, TLS Data protection 128-bit Cryptographic services: CAPIv2 Application installation and execution Anti-virus API Network protection Secure browsing: HTTP (SSL), WAP (WTLS) Virtual Private Networking (PPTP, L2TP IPSec) Wireless network protection (WEP, 802.1x, WPA) Combined with Microsoft Exchange Server 2003 IT Security Policy Enforcement Remote Device Wipe S/MIME Certificate-based authentication

Slide 4: Windows Mobile 6 Security Enhancements Storage card security Storage card encryption Storage card wipe (Microsoft Exchange Server 2007) Generating a personal certificate New desktop and device certificate enrollment tools PFX import Crypto/certificate services Root certificate add for users AES 128 and 256 implementation for SSL and DPAPI Wildcard certificate support SMIME configuration improvements Built in Rights Management support for messaging and Office documents

Slide 5: Exchange 2007 Policies More granular access control By-device ID: Allows only enterprise-provisioned devices By-user agent: Allows only enterprise-approved devices Per-user policies New incremental policies Storage card encryption enforcement Allow/disallow attachments and maximum size Allow/disallow UNC/SharePoint access New device lock policies Device timeout enhancements Password expiration Password history User PIN/password reset

Slide 6: Top 10 Security Concerns 1. We really don’t want to have incoming ports being opened 2. How can we stop un-trusted devices accessing Exchange? 3. We have to implement two-factor authentication 4. Do we really need to use Microsoft ISA Server? 5. We don’t want to cache passwords on the device 6. There is no way we’ll allow this solution, as you can download attachments 7. We must have on-device encryption 8. What is wiped when you remote-wipe a Windows Mobile device? 9. What about anti-virus support? 10. Couldn’t someone perform a Denial of Service (DoS) attack?

Slide 7: Top 10 Security Concerns 1. We really don’t want to have incoming ports being opened 2. How can we stop un-trusted devices accessing Exchange? 3. We have to implement two-factor authentication 4. Do we really need to use Microsoft ISA Server? 5. We don’t want to cache passwords on the device 6. There is no way we’ll allow this solution, as you can download attachments 7. We must have on-device encryption 8. What is wiped when you remote-wipe a Windows Mobile device? 9. What about anti-virus support? 10. Couldn’t someone perform a Denial of Service (DoS) attack?

Slide 8: We Really Don’t Want to Have Incoming Ports Being Opened Do you use Outlook Web Access already? Most customers already do; so you will already have the necessary infrastructure in place Only one port is required to be opened: port 443 (SSL) Traffic can be pre-authenticated ISA does provide filtering to ensure traffic is ActiveSync traffic Perimeter Network Corporate Network Cellular Network/ Internet Mobile Devices ISA Server ISA Server (HTTPS 2004 or 2006 access)

Slide 9: Top 10 Security Concerns 1. We really don’t want to have incoming ports being opened 2. How can we stop un-trusted devices accessing Exchange? 3. We have to implement two-factor authentication 4. Do we really need to use Microsoft ISA Server? 5. We don’t want to cache passwords on the device 6. There is no way we’ll allow this solution, as you can download attachments 7. We must have on-device encryption 8. What is wiped when you remote-wipe a Windows Mobile device? 9. What about anti-virus support? 10. Couldn’t someone perform a Denial of Service (DoS) attack?

Slide 10: How Can We Stop Un-trusted Devices Accessing Exchange? Front-door vs. back-door devices There are two ways to address this concern Exchange Server 2003: Use certificate-based authentication 1. Exchange Server 2007 provides DeviceID blocking 2. If a user is disabled for sync they can’t sync with any device If a user is enabled for sync: If the deviceID restriction is null, the user can sync with any device If the deviceID restriction is populated using the task, the user can only sync with that device To configure this feature you use the Exchange Management Shell and run the Set-CASMailbox task. See example below: Set-CASMailbox -identity:<user> -ActiveSynAllowedDeviceIDs :\"<deviceID_1>\", \"<deviceID_2>\"

Slide 11: Top 10 Security Concerns 1. We really don’t want to have incoming ports being opened 2. How can we stop un-trusted devices accessing Exchange? 3. We have to implement two-factor authentication 4. Do we really need to use Microsoft ISA Server? 5. We don’t want to cache passwords on the device 6. There is no way we’ll allow this solution, as you can download attachments 7. We must have on-device encryption 8. What is wiped when you remote-wipe a Windows Mobile device? 9. What about anti-virus support? 10. Couldn’t someone perform a Denial of Service (DoS) attack?

Slide 12: We Have to Implement Two-factor Authentication What is two-factor authentication? Three methods used to authenticate: “Something you know” (such as a password, PIN or an 1. out of wallet response) “Something you have” (such as a mobile phone, credit 2. card, or hardware security token) “Something you are” (such as a fingerprint, a retinal 3. scan, or other biometric) Two-factor authentication requires any two of the above

Slide 13: We Have to Implement Two-factor Authentication Please consider user experience “Something you have” and “Something you know” are most common approaches Three common ways to solve this: Secure ID: secure ID token and device PIN 1. Certificate-based authentication: certificate and 2. device PIN Private APN: SIM and device PIN 3.

Slide 14: SecureID RSA’s SecurID is currently the most popular corporate solution for two-factor authentication. In Europe, it is a de facto standard. This is now supported by Exchange ActiveSync. RSA Authentication Agent 5.3 for Web for Internet Information Services provides support for Microsoft Exchange Server Activesync 2003 Implementation guide - http://technet.microsoft.com/en-us/library/cfecf499-32a9-4b9a-9d2a-88e393be0bd2.aspx.

Slide 15: Certificate-based Authentication Certificates on the mobile device (or via cert-reading peripheral) authenticate the user to the server for gaining sync privileges Requires SSL tunneling to the front-end server Does not support pre-authentication at ISA or other reverse proxy Certificate-based authentication also requires one-time cradling (plus, whenever the certificate needs to be re-provisioned) Using Using Basic Certificate Authentication Authentication

Slide 16: Private APN Direct Private connection Network access controlled via proxy Access to APN controlled via SIM Client Addressing Private Network e.g. 192.168.32.1 /24 No NAT Mobile Exchange Operator Internet FE Exchange BE Firewall/ISA Network ISP ISP GIP GGSN GGSN Direct Private Connection Proxy Servers

Slide 17: Top 10 Security Concerns 1. We really don’t want to have incoming ports being opened 2. How can we stop un-trusted devices accessing Exchange? 3. We have to implement two-factor authentication 4. Do we really need to use Microsoft ISA Server? 5. We don’t want to cache passwords on the device 6. There is no way we’ll allow this solution, as you can download attachments 7. We must have on-device encryption 8. What is wiped when you remote-wipe a Windows Mobile device? 9. What about anti-virus support? 10. Couldn’t someone perform a Denial of Service (DoS) attack?

Slide 18: Do We Really Need to Use ISA Server? ISA Server is “recommended,” not “required” Any firewall that can publish port 443 (SSL) can be used ISA is recommended because it has: The ability to pre-authenticate all traffic before it reaches your Exchange Server The option to inspect Exchange ActiveSync traffic passing through it and validate it is genuine ISA Server 2006 provides Kerberos- constrained delegation to the Exchange server

Slide 19: Top 10 Security Concerns 1. We really don’t want to have incoming ports being opened 2. How can we stop un-trusted devices accessing Exchange? 3. We have to implement two-factor authentication 4. Do we really need to use Microsoft ISA Server? 5. We don’t want to cache passwords on the device 6. There is no way we’ll allow this solution, as you can download attachments 7. We must have on-device encryption 8. What is wiped when you remote-wipe a Windows Mobile device? 9. What about anti-virus support? 10. Couldn’t someone perform a Denial of Service (DoS) attack?

Slide 20: We Don’t Want to Cache Passwords on The Device Username/domain name/password are stored hashed, double encrypted using 128-bit RC4 encryption If you still aren’t comfortable with that, you can use certificate-based authentication Using Using basic certificate-based authentication authentication

Slide 21: Top 10 Security Concerns 1. We really don’t want to have incoming ports being opened 2. How can we stop un-trusted devices accessing Exchange? 3. We have to implement two-factor authentication 4. Do we really need to use Microsoft ISA Server? 5. We don’t want to cache passwords on the device 6. There is no way we’ll allow this solution, as you can download attachments 7. We must have on-device encryption 8. What is wiped when you remote-wipe a Windows Mobile device? 9. What about anti-virus support? 10. Couldn’t someone perform a Denial of Service (DoS) attack?

Slide 22: There is No Way We’ll Allow This Solution, as You Can Download Attachments Exchange Server 2003: You can use URL Scan and block the X-MS-ENUMATTS verb to stop attachments from being downloaded. http://blogs.msdn.com/jasonlan/archive/2006/09/07/744780.aspx Exchange Server 2007: You can allow/disallow attachment download through policy

Slide 24: Top 10 Security Concerns 1. We really don’t want to have incoming ports being opened 2. How can we stop un-trusted devices accessing Exchange? 3. We have to implement two-factor authentication 4. Do we really need to use Microsoft ISA Server? 5. We don’t want to cache passwords on the device 6. There is no way we’ll allow this solution, as you can download attachments 7. We must have on-device encryption 8. What is wiped when you remote-wipe a Windows Mobile device? 9. What about anti-virus support? 10. Couldn’t someone perform a Denial of Service (DoS) attack?

Slide 25: We Must Have On-Device Encryption All data is protected by device PIN and remote wipe Windows Mobile 6 has storage card encryption but we do not encrypt device First separate PIM (e-mail/calendar/contact data) from LOB data If it is an absolute requirement For LOB solutions, you can use Microsoft SQL Compact Edition native encryption or our Crypto API If you require full-device encryption Credant Mobile Guardian Trust Digital

Slide 26: Top 10 Security Concerns 1. We really don’t want to have incoming ports being opened 2. How can we stop un-trusted devices accessing Exchange? 3. We have to implement two-factor authentication 4. Do we really need to use Microsoft ISA Server? 5. We don’t want to cache passwords on the device 6. There is no way we’ll allow this solution, as you can download attachments 7. We must have on-device encryption 8. What is wiped when you remote-wipe a Windows Mobile device? 9. What about anti-virus support? 10. Couldn’t someone perform a Denial of Service (DoS) attack?

Slide 27: What is Wiped When You Remote- Wipe a Windows Mobile Device? When device memory is wiped it is effectively a hard reset Windows Mobile 6 and Exchange Server 2007 Storage card encryption uses AES 128-bit encryption Key is stored on device Encrypted data is stored on card Wipe removes key and formats card Scenario Storage Card wiped Device Memory wiped Exchange 2003 and Windows Mobile 5.0 Yes No Exchange 2003 and Windows Mobile 6 Yes No Exchange 2007 and Windows Mobile 5.0 Yes No Exchange 2007 and Windows Mobile 6 Yes Yes

Slide 28: Device Wipe

Slide 29: Windows Mobile 6 Remote Kill Functionality

Slide 30: Top 10 Security Concerns 1. We really don’t want to have incoming ports being opened 2. How can we stop un-trusted devices accessing Exchange? 3. We have to implement two-factor authentication 4. Do we really need to use Microsoft ISA Server? 5. We don’t want to cache passwords on the device 6. There is no way we’ll allow this solution, as you can download attachments 7. We must have on-device encryption 8. What is wiped when you remote-wipe a Windows Mobile device? 9. What about anti-virus support? 10. Couldn’t someone perform a Denial of Service (DoS) attack?

Slide 31: What About Anti-virus? User education is critical Windows Mobile includes application installation and execution security Uses code signing to determine the trust level for: An application installation An application process Primary defense for enterprises against malicious code Built-in APIs for anti-virus solutions Computer Associates F-Secure McAfee SOFTWIN Airscanner Trend Symantec

Slide 32: Infamous Mobile Threats (2004- 2006) = Symbian OS = Windows CE/Mobile = Java (J2ME) 21Nov04 20June04 8Mar05 15Apr05 Skulls Cabir Dampig Hobbes 19Jul05 1Feb05 30Mar06 23Nov05 4Apr05 4Sep06 Cadmesk Flexspy PBSteal Locknut 5Aug04 Mabir Acallno 8Jul05 (Gavno) 18Jun06 Win CE 28Feb06 21Sep05 Boottoon BRADOR Romride RedBrow Cardtrp Doomed Comwar Qdial Sndtool OneJump Wesber 4Jul05 Blanfon 7Mar05 3Apr06 12Aug04 23Jan06 7Sep06 Fontal 10Aug05 Vlasco Cxover Win CE 6Apr05 Skudoo Mobler 15Mar06 Cardblk 29Dec04 DUTS Drever 31Aug06 2Oct05 19Jul05 17Jul04 18Mar05 2004 2006 2005 Copyright 2006 - Trend Micro Inc.

Slide 33: Top 10 Security Concerns 1. We really don’t want to have incoming ports being opened 2. How can we stop un-trusted devices accessing Exchange? 3. We have to implement two-factor authentication 4. Do we really need to use Microsoft ISA Server? 5. We don’t want to cache passwords on the device 6. There is no way we’ll allow this solution, as you can download attachments 7. We must have on-device encryption 8. What is wiped when you remote-wipe a Windows Mobile device? 9. What about anti-virus support? 10. Couldn’t someone perform a Denial of Service (DoS) attack?

Slide 34: Couldn’t Someone Perform a Denial of Service (DoS) Attack? Spoofing/intercepting these connections is impossible Potential for DoS attack is mitigated by complexity of performing “well-formed” requests Major concerns are: Incomplete Handshakes. (Mitigated by TCP Connection timeouts.) Opening lots of connections. (Mitigated by connection timeouts.) Opening connections and issuing lots of HTTP requests. (Mitigated by connection timeouts.) Account lockout . (Eliminated using RADIUS authentication.)

Slide 35: Security is Everywhere!

Slide 36: Top 10 Review User education is critical Good security = technology and policy So what did I miss?

Slide 37: Resources Security for Windows Mobile Messaging http://blogs.msdn.com/jasonlan/archive/2007/03/13/new-whitepaper-security Security model for Windows Mobile 5.0 and 6 http://blogs.msdn.com/jasonlan/archive/2007/03/13/new-whitepaper-security http://www.microsoft.com/security/default.mspx Other great sessions: APP215: Windows Mobile© Application Security Model ITP305: Security Analysis for Mobile Deployments

Slide 39: While You're Here Fill out your session evaluation Enter to win a Windows Mobile® phone or Zune™ Geek out with a huge rack of servers Enterprise Mobility in Action is in the Expo Hall Meet the geeks The Expert Cabana is packed with MEDC speakers and MVPs

Slide 40: © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.