May 30th – 31st, 2007, Chateau Laurier, Ottawa. Helping to Secure Data while on the Run. Greg Milligan, Mobility Solutions Manager, Microsoft Canada Co.

Presentation transcript:


Agenda
- Microsoft Mobile Vision
- Threats
- Windows Mobile 5 Security Features
- Device Management
- Security Recommendations
- Windows Mobile 6 Enhancements
- 3rd Party Security Extensions

MSFT Enterprise Mobility Vision (diagram): an access control layer and firewall sit between the clients (unmanaged PC such as a home PC or kiosk, managed PC, mobile and traditional devices) and the corporate services (team workspaces, web and video conferencing, documents and files, calendaring, instant messaging, LOB applications, intranet web applications).

Mobile Security Threats
- Physical access to the device itself
- Access to the device user interface
- Access to data at rest
- Access to data in motion
- Access to the corporate network
- Viruses/malware/spyware
- Access to mobile applications

Mobile device security threats (diagram): a device reaches CorpNet over WLAN, PAN, Infrared, LAN, WWAN or a desktop; the threats shown are virus, malware, spyware, unsupported apps and loss/theft.

A Layered Approach to Delivering Trustworthy Solutions: Policy, Process, Personnel, Products, Partnerships. Lifecycle: Protect, Detect, Respond, Recover.

WM5: Platform Security Features
- Support for industry standard certificates
- Support for Open Mobile Alliance device management standards *
- AES 256 *
- PFX/PKCS12 API support *
- FIPS certification *
- Smartcard Resource Manager *
- Support for network authentication standards: NTLM 1 & 2, Kerberos, SSL, TLS client authentication, 802.1x user authentication using PEAP or EAP/TLS, WPA
* New for Windows Mobile 5.0

WM5: Local Security Features
- Security configuration management
- Critical updating: Image Update *
- Peer-to-peer connections (IR/Bluetooth): require user interaction to accept data; can be programmatically disabled
- Pluggable, programmable device lock *: exponential backoff mitigates brute-force attacks; can be activated via code at any time; can include biometrics, smartcard, etc.
* New for Windows Mobile 5.0

WM5: Development Security Features
- Data Protection APIs: all-purpose encryption APIs, used for LOB application data encryption (databases, application passwords, etc.)
- Credential Manager: hard-coded encryption of credentials and private keys that are cached on the local device; reads/writes credentials based on the user, target server and credential type; can be configured to force user verification before credentials are used

Remotely manage and enforce select corporate IT policies
Highlights:
- Separate IT policies into "Mandatory" versus "Recommended"
- Separate users with an exception list: certain users can be exempt
- Using a PolicyKey, the Exchange admin can check whether the client device has the latest policy settings and, if necessary, mandate the device to download the new policy and settings
- If the device does not comply with mandatory IT policies, it will no longer be able to sync
- The Exchange admin can also mandate the device to refresh its policies every X hours
Policy examples:
- Remotely require a device PIN password for every device
- Set the strength and length of the PIN password
- Set the device inactivity time before the user needs to enter the PIN password again
- Set the time interval at which a device refreshes its policy
- Require the device to authenticate to Exchange Server using certificates
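As an added example (not code from the presentation or from Exchange), the sync-time decision the slide describes, modelled in Python: a PolicyKey derived from the settings, mandatory settings that block sync when unmet, recommended settings that only warn, an exception list, and a refresh interval. The class names, setting names and the comparison rules are assumptions.

```python
"""Added example (not from the presentation): a minimal model of the
Exchange ActiveSync policy check the slide describes.  Names are assumptions."""
import hashlib
import json
import operator
from dataclasses import dataclass, field

# How a device value is compared with the policy value (default: equality).
_COMPARE = {"pin_min_length": operator.ge,      # device length >= policy
            "inactivity_minutes": operator.le}  # device timeout <= policy

@dataclass(frozen=True)
class ExchangePolicy:
    mandatory: dict          # unmet -> device may no longer sync
    recommended: dict        # unmet -> reported, sync still allowed
    exempt_users: frozenset  # exception list
    refresh_hours: int       # device must refresh its policy every X hours

    def policy_key(self) -> str:
        # Any change to the settings yields a new key, so comparing the
        # device's key with the server's shows whether it is up to date.
        blob = json.dumps([self.mandatory, self.recommended,
                           self.refresh_hours], sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()[:16]

@dataclass
class SyncDecision:
    allow_sync: bool
    refresh_policy: bool
    violations: list = field(default_factory=list)  # mandatory, unmet
    warnings: list = field(default_factory=list)    # recommended, unmet

def _unmet(required: dict, device_settings: dict) -> list:
    unmet = []
    for name, wanted in required.items():
        have = device_settings.get(name)
        if have is None or not _COMPARE.get(name, operator.eq)(have, wanted):
            unmet.append(name)
    return unmet

def check_sync(policy: ExchangePolicy, user: str, device_key: str,
               device_settings: dict, hours_since_refresh: int) -> SyncDecision:
    """Server-side decision taken each time a device attempts to sync."""
    if user in policy.exempt_users:        # exempt users are never blocked
        return SyncDecision(allow_sync=True, refresh_policy=False)
    # A stale PolicyKey or an elapsed refresh interval mandates a download.
    stale = (device_key != policy.policy_key()
             or hours_since_refresh >= policy.refresh_hours)
    violations = _unmet(policy.mandatory, device_settings)
    # Non-compliance with any mandatory setting blocks sync until fixed.
    return SyncDecision(allow_sync=not violations, refresh_policy=stale,
                        violations=violations,
                        warnings=_unmet(policy.recommended, device_settings))

POLICY = ExchangePolicy(  # constructed sample policy following the slide's examples
    mandatory={"pin_required": True, "pin_min_length": 6, "inactivity_minutes": 15},
    recommended={"cert_auth": True}, exempt_users=frozenset({"ceo"}), refresh_hours=24)
```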

Remotely manage and enforce select corporate IT policies: Screenshots

Help Protect Against Unauthorized Entry to the Device
Local Data Wipe:
- The device automatically resets local memory to a clean state after X unsuccessful PIN/password entries
- Does not erase external memory such as an SD card
- Local data reset is an IT policy that can be set from the Exchange Server console
- Protects against accidental reset with a "firebreak" mechanism that requires the user to enter a special keyword before proceeding with password entry
Device Timeout:
- The device automatically locks itself after X minutes of inactivity; the user has to enter the PIN password in order to use the device
- Device timeout is an IT policy that can be set from the Exchange Server console
- However, the device can still make emergency calls
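As an added example (not code from the presentation or from Windows Mobile), a simulation of the device-lock behaviour described on this slide and the earlier "pluggable device lock" slide: exponential backoff between failed attempts, the firebreak keyword before the final attempts, a local wipe that clears internal memory but not the SD card, the inactivity timeout, and emergency calls while locked. The class, its method names, the keyword and the emergency numbers are assumptions.

```python
"""Added example, not from the presentation: a simulation of the device lock
the slides describe (exponential backoff, firebreak keyword, local wipe that
spares the SD card, inactivity timeout, emergency calls).  Names are assumptions."""
from dataclasses import dataclass, field

EMERGENCY_NUMBERS = {"911", "112"}   # constructed sample list

@dataclass
class DeviceLock:
    pin: str
    wipe_after: int             # IT policy: failed attempts before local wipe
    inactivity_minutes: int     # IT policy: lock after X idle minutes
    firebreak_word: str = "a1b2c3"   # keyword demanded before the last attempts
    failures: int = 0
    locked: bool = True
    wiped: bool = False
    internal_memory: dict = field(default_factory=dict)
    sd_card: dict = field(default_factory=dict)

    def backoff_seconds(self) -> int:
        """Delay enforced before the next attempt; doubles with each failure."""
        return 0 if self.failures == 0 else 2 ** (self.failures - 1)

    def firebreak_required(self) -> bool:
        """With two attempts left, the keyword must be typed first so that
        random key presses cannot trigger the wipe by accident."""
        return self.wipe_after - self.failures <= 2

    def unlock(self, pin: str, firebreak: str = "") -> str:
        if self.wiped:
            return "wiped"
        if self.firebreak_required() and firebreak != self.firebreak_word:
            return "firebreak"           # attempt is not counted
        if pin == self.pin:
            self.failures, self.locked = 0, False
            return "unlocked"
        self.failures += 1
        if self.failures >= self.wipe_after:
            self._local_wipe()
            return "wiped"
        return "denied, retry in %ds" % self.backoff_seconds()

    def _local_wipe(self) -> None:
        """Reset internal memory to a clean state; external storage is untouched."""
        self.internal_memory.clear()
        self.wiped, self.locked = True, True

    def idle(self, minutes: int) -> None:
        """Inactivity timer: lock the device after the policy's X minutes."""
        if minutes >= self.inactivity_minutes:
            self.locked = True

    def can_call(self, number: str) -> bool:
        """Emergency calls are always allowed, even while locked."""
        return number in EMERGENCY_NUMBERS or not self.locked
```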

Help Protect Against Unauthorized Entry to the Device: Screenshots

Help Protect Device Data if the Device is Lost with Remote Wipe
- The Exchange Server 2003 console can erase all on-device data over the air and reset the device back to a clean state
- Remote wipe only applies to data stored in internal memory, not to external storage such as SD cards
- Remote wipe will only work once the lost device attempts to sync with the network: the admin sends the remote erase order for a specific device; the server sends the erase order the next time the device connects to Exchange; the device acknowledges that the command was received; the device wipes its data upon receiving the command
Easy to manage:
- Administration through a website
- The Exchange admin can "delegate" access to the helpdesk
- Provides a transaction log for history recording

Increase Access Security to Exchange Server Using Certificate-Based Authentication
- Certificate-based authentication (CA) has been a big ask from top security-conscious customers
- Users can now access Exchange using PKI software certificates instead of corporate login credentials
- If a user loses the device to an unauthorized party, that party cannot gain access to the user's corporate LAN
- Certificates limit what a user can do on a corporate network
- Upon certificate expiration, the user needs to cradle the device again; the user gets an alert 14 days before expiration

Certificate-Based Authentication: Screenshots (using certificate authentication; using basic authentication)

SMS 2003 Device Management Feature Pack
- Add-on to SMS 2003
- Features include: discovery/identification; hardware inventory; software inventory and file collection; software distribution; script execution

Asset Management: Hardware Inventory
- Information collected: device name, hardware ID, device model, power (battery status), display resolution, file system, memory, network, operating system
- Generate reports on any hardware characteristic
- Can be extended to capture other hardware inventory information

Asset Management: Software Inventory and File Collection
- Information collected: presence of files, file details, last software scan, product details
- Specify directories and wildcard file extensions
- List of files or applications in the file system
- Permits collection of log/data files
- Generate reports on any software or file

Software Inventory

Configuration Management: Device Settings
- SMS provides an integrated experience to configure and deploy settings
- Examples of configurable settings: network (GPRS, PPP, VPN), security, certificates, registry entries, applications, ActiveSync & Exchange, Internet proxy, browser favorites

Configuration Management: Password Policy
- Centralized control of device password policy
- Configure a mandatory numeric or strong password
- Force password setting prior to use
- A power-off timeout may be defined
- An administrator-defined 'lockout' strong password applies after a certain number of failed device entry attempts
Implementation:
- The password applet is contained in a separate install from the core SMS client
- The password policy is configured and deployed as part of settings

Application Deployment
- Deploy applications or execute scripts
- Provides rich administrator control: target specific groups of devices based on inventory; specify whether an application is mandatory; schedule the deployment time and configure recurrence; configure "anytime" / "only when docked" / "only over a fast network"
- Sophisticated deployment: simple download-and-execute command-line model; checkpoint restart for downloads
- Generate reports on deployment status: download started, program execution start and finish

Windows Mobile Application Level Security Features

| Security Level | Execution Security | Device Mgmt Security |
|---|---|---|
| Security OFF | No security checks at all. All executables from any source can install and run with maximum access to the device. | All configuration files from all sources will execute with maximum privileges. |
| Prompt | The user is prompted when the source is unknown or anonymous. User visibility into install and execution when the source is not known. | The user must OK changes from unknown sources. |
| 3rd Party Signed | 3rd party vendors identified through the Mobile-to-Market program are allowed access. An app must be M2M signed in order to run on the device. | M2M signed app vendors are required not to make configuration changes that impact security. |
| Locked | Only the OEM & Operator, or their licensed vendors, are allowed access. Third party apps are not allowed to run or install. | Only the Operator can change configuration. |

| Mobile Security Threat | Windows Mobile Solution |
|---|---|
| Physical access to the device itself | Policy-enforced password*; remote & local wipe* |
| Access to the device user interface | Policy-enforced password; remote & local wipe |
| Access to data at rest (stored on device) | Policy-enforced password; remote & local wipe; S/MIME support* |
| Access to data in motion (network) | Encrypted sync; Virtual Private Network client; secure WLAN access |
| Access to the corporate network | Certificate-based sync*; secure WLAN access |
| Access to mobile applications | Policy-enforced password; remote & local wipe; application installation & execution security model; programmatic device lock access* |
| Viruses/malware/spyware | Rich platform support for 3rd party antivirus and firewall products |
* New for Windows Mobile 5.0, MSFP

Pocket PC Security Recommendations
- Risk assessment is key: evaluate the applicability of the organisation's standards for laptop computers
- Passwords: activate the power-on password; where there is no power-on password, prohibit storing the corporate network password
- Anti-virus: consider anti-virus software that runs locally on the mobile device
- Flash-able ROM: consider placing systems management, security, and virus protection applications in flash ROM
- Encryption: encrypt sensitive information on the devices and on external storage cards; use end-to-end network encryption when using a virtual private network (VPN) connection; use 802.1x authentication/encryption over 802.11b WLANs

Windows Mobile 6 Security Enhancements
- Storage card security: storage card encryption; storage card wipe (Exchange 2007)
- Generating a personal certificate: new desktop and device certificate enrollment tools; PFX import
- Crypto/certificate services: root certificate add for users; AES 128 and 256 implementation for SSL and DPAPI; wildcard certificate support; S/MIME configuration improvements
- Built-in Rights Management support for messaging and Office documents

Windows Mobile Update
- The "Windows Update" client is turned off by default but will ship on every Windows Mobile device; users have an option to enable the client
- WMU will be used to distribute critical security fixes only
- WMU enables rapid distribution of fixes to respond to urgent security issues
- WMU will be available with Windows Mobile 6 based devices

Microsoft 3rd Party Solution Providers
- Signature authentication: Certicom Corporation; Communication Intelligence Corporation; TSI/Crypto-Sign; VASCO
- Enhanced password protection: Hewlett-Packard
- Pictograph authentication: Pointsec Mobile Technologies
- Fingerprint authentication: Biocentric Solutions Inc.; HP iPAQ 5400
- Card-based authentication: RSA Security; Schlumberger Sema
- Certificate authentication on a storage card: JGUI Software
- Storage encryption: F-Secure; Pointsec Mobile Technologies; Trust Digital LLC
- Encrypt application data: Certicom Corporation; Glück & Kanja Group; Ntrū Cryptosystems, Inc.
- Virtual private networking: Certicom Corporation; Check Point Software Technologies Ltd.; Columbitech; Entrust, Inc.; Epiphan Consulting Inc.
- Disable applications: Trust Digital LLC
- Device wipe: Asynchrony.com
- Public Key Infrastructure (PKI): Certicom Corporation; Diversinet Corp.; Dreamsecurity Co., Ltd.; Glück & Kanja Group
- Thin client technology: Citrix; FinTech Solutions Ltd.

References (pages on the Windows Mobile site)
- Software Developer's Kit: /mobility/thekit/
- Windows Mobile Enterprise White Papers: business/whitepapers/default.mspx
- Third Party Software Solutions for IT Pros: /providers/mpdsearch.aspx
- Windows CE 5.0 on MSDN: /html/wce50oriWelcomeToWindowsCE.asp