This is my slidedeck from MEDC which discusses the top 10 Security concerns of Windows Mobile and how to overcome them.

2. Jason Langridge Enterprise Mobility Solution Specialist Microsoft Communications Business Group E-mail: [email_address] Blog: http://blogs.msdn.com/jasonlan ITP205 Top 10 Security Concerns of Deploying Windows Mobile© (And How to Overcome Them)

3. Microsoft Windows Mobile 5.0 Security Features Device protection Device lock: PIN, strong, exponential delay Authentication protocols: PAP, CHAP, MS-CHAP, NTLM, TLS Data protection 128-bit Cryptographic services: CAPIv2 Application installation and execution Anti-virus API Network protection Secure browsing: HTTP (SSL), WAP (WTLS) Virtual Private Networking (PPTP, L2TP IPSec) Wireless network protection (WEP, 802.1x, WPA) Combined with Microsoft Exchange Server 2003 IT Security Policy Enforcement Remote Device Wipe S/MIME Certificate-based authentication

4. Windows Mobile 6 Security Enhancements Storage card security Storage card encryption Storage card wipe (Microsoft Exchange Server 2007) Generating a personal certificate New desktop and device certificate enrollment tools PFX import Crypto/certificate services Root certificate add for users AES 128 and 256 implementation for SSL and DPAPI Wildcard certificate support SMIME configuration improvements Built in Rights Management support for messaging and Office documents

5. Exchange 2007 Policies More granular access control By-device ID: Allows only enterprise-provisioned devices By-user agent: Allows only enterprise-approved devices Per-user policies New incremental policies Storage card encryption enforcement Allow/disallow attachments and maximum size Allow/disallow UNC/SharePoint access New device lock policies Device timeout enhancements Password expiration Password history User PIN/password reset

6. Top 10 Security Concerns We really don’t want to have incoming ports being opened How can we stop un-trusted devices accessing Exchange? We have to implement two-factor authentication Do we really need to use Microsoft ISA Server? We don’t want to cache passwords on the device There is no way we’ll allow this solution, as you can download attachments We must have on-device encryption What is wiped when you remote-wipe a Windows Mobile device? What about anti-virus support? Couldn’t someone perform a Denial of Service (DoS) attack?

7. Top 10 Security Concerns We really don’t want to have incoming ports being opened How can we stop un-trusted devices accessing Exchange? We have to implement two-factor authentication Do we really need to use Microsoft ISA Server? We don’t want to cache passwords on the device There is no way we’ll allow this solution, as you can download attachments We must have on-device encryption What is wiped when you remote-wipe a Windows Mobile device? What about anti-virus support? Couldn’t someone perform a Denial of Service (DoS) attack?

8. We Really Don’t Want to Have Incoming Ports Being Opened Do you use Outlook Web Access already? Most customers already do; so you will already have the necessary infrastructure in place Only one port is required to be opened: port 443 (SSL) Traffic can be pre-authenticated ISA does provide filtering to ensure traffic is ActiveSync traffic Perimeter Network Corporate Network Cellular Network/ Internet ISA Server 2004 or 2006 ISA Server Mobile Devices (HTTPS access)

9. Top 10 Security Concerns We really don’t want to have incoming ports being opened How can we stop un-trusted devices accessing Exchange? We have to implement two-factor authentication Do we really need to use Microsoft ISA Server? We don’t want to cache passwords on the device There is no way we’ll allow this solution, as you can download attachments We must have on-device encryption What is wiped when you remote-wipe a Windows Mobile device? What about anti-virus support? Couldn’t someone perform a Denial of Service (DoS) attack?

10. How Can We Stop Un-trusted Devices Accessing Exchange? Front-door vs. back-door devices There are two ways to address this concern Exchange Server 2003: Use certificate-based authentication Exchange Server 2007 provides DeviceID blocking If a user is disabled for sync they can’t sync with any device If a user is enabled for sync: If the deviceID restriction is null, the user can sync with any device If the deviceID restriction is populated using the task, the user can only sync with that device To configure this feature you use the Exchange Management Shell and run the Set-CASMailbox task. See example below: Set-CASMailbox -identity:<user> -ActiveSynAllowedDeviceIDs:&quot;<deviceID_1>&quot;, &quot;<deviceID_2>&quot;

11. Top 10 Security Concerns We really don’t want to have incoming ports being opened How can we stop un-trusted devices accessing Exchange? We have to implement two-factor authentication Do we really need to use Microsoft ISA Server? We don’t want to cache passwords on the device There is no way we’ll allow this solution, as you can download attachments We must have on-device encryption What is wiped when you remote-wipe a Windows Mobile device? What about anti-virus support? Couldn’t someone perform a Denial of Service (DoS) attack?

12. We Have to Implement Two-factor Authentication What is two-factor authentication? Three methods used to authenticate: “ Something you know” (such as a password, PIN or an out of wallet response) “ Something you have” (such as a mobile phone, credit card, or hardware security token) “ Something you are” (such as a fingerprint, a retinal scan, or other biometric) Two-factor authentication requires any two of the above

13. We Have to Implement Two-factor Authentication Please consider user experience “ Something you have” and “Something you know” are most common approaches Three common ways to solve this: Secure ID: secure ID token and device PIN Certificate-based authentication: certificate and device PIN Private APN: SIM and device PIN

14. SecureID RSA’s SecurID is currently the most popular corporate solution for two-factor authentication. In Europe, it is a de facto standard. This is now supported by Exchange ActiveSync. RSA Authentication Agent 5.3 for Web for Internet Information Services provides support for Microsoft Exchange Server Activesync 2003 Implementation guide - http://technet.microsoft.com/en-us/library/cfecf499-32a9-4b9a-9d2a-88e393be0bd2.aspx .

15. Certificate-based Authentication Certificates on the mobile device (or via cert-reading peripheral) authenticate the user to the server for gaining sync privileges Requires SSL tunneling to the front-end server Does not support pre-authentication at ISA or other reverse proxy Certificate-based authentication also requires one-time cradling (plus, whenever the certificate needs to be re-provisioned) Using Basic Authentication Using Certificate Authentication

16. Private APN Direct Private connection Network access controlled via proxy Access to APN controlled via SIM Private Network Mobile Operator Network Firewall/ISA Proxy Servers GGSN GIP GGSN Client Addressing e.g. 192.168.32.1 /24 No NAT ISP ISP Internet Direct Private Connection Exchange FE Exchange BE

17. Top 10 Security Concerns We really don’t want to have incoming ports being opened How can we stop un-trusted devices accessing Exchange? We have to implement two-factor authentication Do we really need to use Microsoft ISA Server? We don’t want to cache passwords on the device There is no way we’ll allow this solution, as you can download attachments We must have on-device encryption What is wiped when you remote-wipe a Windows Mobile device? What about anti-virus support? Couldn’t someone perform a Denial of Service (DoS) attack?

18. Do We Really Need to Use ISA Server? ISA Server is “recommended,” not “required” Any firewall that can publish port 443 (SSL) can be used ISA is recommended because it has: The ability to pre-authenticate all traffic before it reaches your Exchange Server The option to inspect Exchange ActiveSync traffic passing through it and validate it is genuine ISA Server 2006 provides Kerberos-constrained delegation to the Exchange server

19. Top 10 Security Concerns We really don’t want to have incoming ports being opened How can we stop un-trusted devices accessing Exchange? We have to implement two-factor authentication Do we really need to use Microsoft ISA Server? We don’t want to cache passwords on the device There is no way we’ll allow this solution, as you can download attachments We must have on-device encryption What is wiped when you remote-wipe a Windows Mobile device? What about anti-virus support? Couldn’t someone perform a Denial of Service (DoS) attack?

20. We Don’t Want to Cache Passwords on The Device Username/domain name/password are stored hashed, double encrypted using 128-bit RC4 encryption If you still aren’t comfortable with that, you can use certificate-based authentication Using basic authentication Using certificate-based authentication

21. Top 10 Security Concerns We really don’t want to have incoming ports being opened How can we stop un-trusted devices accessing Exchange? We have to implement two-factor authentication Do we really need to use Microsoft ISA Server? We don’t want to cache passwords on the device There is no way we’ll allow this solution, as you can download attachments We must have on-device encryption What is wiped when you remote-wipe a Windows Mobile device? What about anti-virus support? Couldn’t someone perform a Denial of Service (DoS) attack?

22. There is No Way We’ll Allow This Solution, as You Can Download Attachments Exchange Server 2003: You can use URL Scan and block the X-MS-ENUMATTS verb to stop attachments from being downloaded. http://blogs.msdn.com/jasonlan/archive/2006/09/07/744780.aspx Exchange Server 2007: You can allow/disallow attachment download through policy

24. Top 10 Security Concerns We really don’t want to have incoming ports being opened How can we stop un-trusted devices accessing Exchange? We have to implement two-factor authentication Do we really need to use Microsoft ISA Server? We don’t want to cache passwords on the device There is no way we’ll allow this solution, as you can download attachments We must have on-device encryption What is wiped when you remote-wipe a Windows Mobile device? What about anti-virus support? Couldn’t someone perform a Denial of Service (DoS) attack?

25. We Must Have On-Device Encryption All data is protected by device PIN and remote wipe Windows Mobile 6 has storage card encryption but we do not encrypt device First separate PIM (e-mail/calendar/contact data) from LOB data If it is an absolute requirement For LOB solutions, you can use Microsoft SQL Compact Edition native encryption or our Crypto API If you require full-device encryption Credant Mobile Guardian Trust Digital

26. Top 10 Security Concerns We really don’t want to have incoming ports being opened How can we stop un-trusted devices accessing Exchange? We have to implement two-factor authentication Do we really need to use Microsoft ISA Server? We don’t want to cache passwords on the device There is no way we’ll allow this solution, as you can download attachments We must have on-device encryption What is wiped when you remote-wipe a Windows Mobile device? What about anti-virus support? Couldn’t someone perform a Denial of Service (DoS) attack?

27. What is Wiped When You Remote- Wipe a Windows Mobile Device? When device memory is wiped it is effectively a hard reset Windows Mobile 6 and Exchange Server 2007 Storage card encryption uses AES 128-bit encryption Key is stored on device Encrypted data is stored on card Wipe removes key and formats card Exchange 2003 and Windows Mobile 5.0 Yes No Exchange 2003 and Windows Mobile 6 Yes No Exchange 2007 and Windows Mobile 5.0 Yes No Exchange 2007 and Windows Mobile 6 Yes Yes Scenario Device Memory wiped Storage Card wiped

28. Device Wipe

29. Windows Mobile 6 Remote Kill Functionality

30. Top 10 Security Concerns We really don’t want to have incoming ports being opened How can we stop un-trusted devices accessing Exchange? We have to implement two-factor authentication Do we really need to use Microsoft ISA Server? We don’t want to cache passwords on the device There is no way we’ll allow this solution, as you can download attachments We must have on-device encryption What is wiped when you remote-wipe a Windows Mobile device? What about anti-virus support? Couldn’t someone perform a Denial of Service (DoS) attack?

31. What About Anti-virus? User education is critical Windows Mobile includes application installation and execution security Uses code signing to determine the trust level for: An application installation An application process Primary defense for enterprises against malicious code Built-in APIs for anti-virus solutions Computer Associates F-Secure McAfee SOFTWIN Airscanner Trend Symantec

32. Infamous Mobile Threats (2004-2006) Copyright 2006 - Trend Micro Inc. RedBrow Cxover 29Dec04 1Feb05 21Nov04 20June04 17Jul04 5Aug04 = Symbian OS = Windows CE/Mobile = Java (J2ME) 8Mar05 7Mar05 12Aug04 4Apr05 6Apr05 18Mar05 15Apr05 4Jul05 8Jul05 19Jul05 21Sep05 2Oct05 23Nov05 10Aug05 2004 2005 2006 19Jul05 23Jan06 28Feb06 15Mar06 30Mar06 3Apr06 18Jun06 31Aug06 Wesber 7Sep06 4Sep06 Vlasco Win CE BRADOR Locknut (Gavno) Skulls Cabir Win CE DUTS Comwar Dampig Qdial Mabir Fontal Drever Hobbes Doomed Boottoon Skudoo Cadmesk Cardtrp Cardblk PBSteal Blanfon Sndtool Flexspy OneJump Romride Mobler Acallno

33. Top 10 Security Concerns We really don’t want to have incoming ports being opened How can we stop un-trusted devices accessing Exchange? We have to implement two-factor authentication Do we really need to use Microsoft ISA Server? We don’t want to cache passwords on the device There is no way we’ll allow this solution, as you can download attachments We must have on-device encryption What is wiped when you remote-wipe a Windows Mobile device? What about anti-virus support? Couldn’t someone perform a Denial of Service (DoS) attack?

34. Couldn’t Someone Perform a Denial of Service (DoS) Attack? Spoofing/intercepting these connections is impossible Potential for DoS attack is mitigated by complexity of performing “well-formed” requests Major concerns are: Incomplete Handshakes. (Mitigated by TCP Connection timeouts.) Opening lots of connections. (Mitigated by connection timeouts.) Opening connections and issuing lots of HTTP requests. (Mitigated by connection timeouts.) Account lockout . (Eliminated using RADIUS authentication.)

35. Security is Everywhere!

36. Top 10 Review User education is critical Good security = technology and policy So what did I miss?

37. Resources Security for Windows Mobile Messaging http://blogs.msdn.com/jasonlan/archive/2007/03/13/new-whitepaper-security-for-windows-mobile-messaging-in-the-enterprise.aspx Security model for Windows Mobile 5.0 and 6 http://blogs.msdn.com/jasonlan/archive/2007/03/13/new-whitepaper-security-model-for-windows-mobile-5-0-and-windows-mobile-6.aspx http://www.microsoft.com/security/default.mspx Other great sessions: APP215 : Windows Mobile© Application Security Model ITP305 : Security Analysis for Mobile Deployments

39. While You're Here Fill out your session evaluation Enter to win a Windows Mobile ® phone or Zune™ Geek out with a huge rack of servers Enterprise Mobility in Action is in the Expo Hall Meet the geeks The Expert Cabana is packed with MEDC speakers and MVPs

40. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.