Top 10 Security Concerns of Windows Mobile (and how to Overcome them)

Jason LangridgeEnterprise Mobility Solution SpecialistMicrosoft Communications Business GroupE-mail: [email protected] Blog: http://blogs.msdn.com/jasonlan

ITP205Top 10 Security Concerns of Deploying Windows Mobile©

(And How to Overcome Them)

Microsoft Windows Mobile 5.0 Security Features

Device protectionDevice lock: PIN, strong, exponential delay

Authentication protocols: PAP, CHAP, MS-CHAP, NTLM, TLS

Data protection128-bit Cryptographic services: CAPIv2

Application installation and execution

Anti-virus API

Network protectionSecure browsing: HTTP (SSL), WAP (WTLS)

Virtual Private Networking (PPTP, L2TP IPSec)

Wireless network protection (WEP, 802.1x, WPA)

Combined with Microsoft Exchange Server 2003IT Security Policy Enforcement

Remote Device Wipe

S/MIME

Certificate-based authentication

Windows Mobile 6 Security Enhancements

Storage card securityStorage card encryptionStorage card wipe (Microsoft Exchange Server 2007)

Generating a personal certificateNew desktop and device certificate enrollment toolsPFX import

Crypto/certificate servicesRoot certificate add for usersAES 128 and 256 implementation for SSL and DPAPIWildcard certificate supportSMIME configuration improvements

Built in Rights Management support for messaging and Office documents

Exchange 2007 Policies

More granular access controlBy-device ID: Allows only enterprise-provisioned devicesBy-user agent: Allows only enterprise-approved devices

Per-user policies

New incremental policiesStorage card encryption enforcementAllow/disallow attachments and maximum sizeAllow/disallow UNC/SharePoint access

New device lock policiesDevice timeout enhancementsPassword expirationPassword historyUser PIN/password reset

Top 10 Security Concerns

1. We really don’t want to have incoming ports being opened

2. How can we stop un-trusted devices accessing Exchange?

3. We have to implement two-factor authentication

4. Do we really need to use Microsoft ISA Server?

5. We don’t want to cache passwords on the device

6. There is no way we’ll allow this solution, as you can download attachments

7. We must have on-device encryption

8. What is wiped when you remote-wipe a Windows Mobile device?

9. What about anti-virus support?

10.Couldn’t someone perform a Denial of Service (DoS) attack?












We Really Don’t Want to Have Incoming Ports Being Opened

Do you use Outlook Web Access already?Most customers already do; so you will already have the necessary infrastructure in place

Only one port is required to be opened: port 443 (SSL)

Traffic can be pre-authenticated

ISA does provide filtering to ensure traffic is ActiveSync traffic Perimeter

NetworkCorporate Network

Cellular Network/Internet

ISA Server 2004 or 2006

ISA Server Mobile Devices(HTTPS access)












How Can We Stop Un-trusted Devices Accessing Exchange?

Front-door vs. back-door devices

There are two ways to address this concern1. Exchange Server 2003: Use certificate-based

authentication2. Exchange Server 2007 provides DeviceID blocking

If a user is disabled for sync they can’t sync with any device If a user is enabled for sync:

If the deviceID restriction is null, the user can sync with any device

If the deviceID restriction is populated using the task, the user can only sync with that device

To configure this feature you use the Exchange Management Shell and run the Set-CASMailbox task. See example below: Set-CASMailbox -identity:<user> -ActiveSynAllowedDeviceIDs:"<deviceID_1>", "<deviceID_2>"












We Have to Implement Two-factor Authentication

What is two-factor authentication?

Three methods used to authenticate:1. “Something you know” (such as a password, PIN

or an out of wallet response) 2. “Something you have” (such as a mobile phone,

credit card, or hardware security token) 3. “Something you are” (such as a fingerprint, a

retinal scan, or other biometric)

Two-factor authentication requires any two of the above

We Have to Implement Two-factor Authentication

Please consider user experience

“Something you have” and “Something you know” are most common approaches

Three common ways to solve this:1. Secure ID: secure ID token and device PIN2. Certificate-based authentication: certificate and

device PIN3. Private APN: SIM and device PIN

SecureID

RSA’s SecurID is currently the most popular corporate solution for two-factor authentication. In Europe, it is a de facto standard. This is now supported by Exchange ActiveSync.

RSA Authentication Agent 5.3 for Web for Internet Information Services provides support for Microsoft Exchange Server Activesync 2003

Implementation guide - http://technet.microsoft.com/en-us/library/cfecf499-32a9-4b9a-9d2a-88e393be0bd2.aspx.

Certificate-based Authentication

Certificates on the mobile device (or via cert-reading peripheral) authenticate the user to the server for gaining sync privileges

Requires SSL tunneling to the front-end server

Does not support pre-authentication at ISA or other reverse proxy

Certificate-based authentication also requires one-time cradling (plus, whenever the certificate needs to be re-provisioned)

Using Basic Authenticatio

n

Using Certificate

Authentication

Private APN

Direct Private connection

Network access controlled via proxy

Access to APN controlled via SIM

Private Network

Mobile Operator NetworkFirewall/ISA

Proxy Servers

GGSN

GIP

GGSN

Client Addressing e.g. 192.168.32.1 /24 No NAT

ISPISP

Internet

Direct Private Connection

ExchangeFE

Exch

an

ge

BE












Do We Really Need to Use ISA Server?

ISA Server is “recommended,” not “required”

Any firewall that can publish port 443 (SSL) can be used

ISA is recommended because it has:

The ability to pre-authenticate all traffic before it reaches your Exchange ServerThe option to inspect Exchange ActiveSync traffic passing through it and validate it is genuineISA Server 2006 provides Kerberos-constrained delegation to the Exchange server












We Don’t Want to Cache Passwords on The Device

Username/domain name/password are stored hashed, double encrypted using 128-bit RC4 encryption

If you still aren’t comfortable with that, you can use certificate-based authentication

Using basic authentication

Using certificate-

based authentication












There is No Way We’ll Allow This Solution, as You Can Download Attachments

Exchange Server 2003: You can use URL Scan

and block the X-MS-ENUMATTS verb to stop attachments from being downloaded. http://blogs.msdn.com/jasonlan/archive/2006/09/07/744780.aspx

Exchange Server 2007: You can allow/disallow attachment download through policy












We Must Have On-Device Encryption

All data is protected by device PIN and remote wipe

Windows Mobile 6 has storage card encryption but we do not encrypt device

First separate PIM (e-mail/calendar/contact data) from LOB data

If it is an absolute requirementFor LOB solutions, you can use Microsoft SQL Compact Edition native encryption or our Crypto APIIf you require full-device encryption

Credant Mobile GuardianTrust Digital












What is Wiped When You Remote-Wipe a Windows Mobile Device?

When device memory is wiped it is effectively a hard reset

Windows Mobile 6 and Exchange Server 2007Storage card encryption uses AES 128-bit encryptionKey is stored on deviceEncrypted data is stored on cardWipe removes key and formats card

Exchange 2003 and Windows Mobile 5.0 Yes No Exchange 2003 and Windows Mobile 6 Yes No Exchange 2007 and Windows Mobile 5.0 Yes No Exchange 2007 and Windows Mobile 6 Yes Yes

ScenarioDevice Memory

wipedStorage Card

wiped

Device Wipe

Windows Mobile 6 Remote Kill Functionality












What About Anti-virus?

User education is critical

Windows Mobile includes application installation and execution security

Uses code signing to determine the trust level for: An application installation

An application process

Primary defense for enterprises against malicious code

Built-in APIs for anti-virus solutionsComputer Associates

F-Secure

McAfee

SOFTWIN

Airscanner

Trend

Symantec

Copyright 2006 - Trend Micro Inc.

RedBrow

CxoverVlasco

Win CE BRADOR

Infamous Mobile Threats (2004-2006)

29Dec04

1Feb05

Locknut (Gavno)

21Nov04

Skulls20June04

Cabir

17Jul04

5Aug04

Win CE DUTS

= = Symbian OS

= = Windows CE/Mobile

= = Java (J2ME)

8Mar05

Comwar7Mar05

Dampig

12Aug04

Qdial

4Apr05

Mabir

Fontal

6Apr05

Drever

18Mar05

Hobbes15Apr05

Doomed

4Jul05

Boottoon

8Jul05

Skudoo

19Jul05

Cadmesk

21Sep05

Cardtrp

2Oct05

Cardblk

23Nov05

PBSteal

Blanfon

10Aug05

2004 2005 2006

19Jul05

23Jan06

Sndtool

28Feb06

15Mar06

30Mar06

Flexspy

3Apr06

OneJump

18Jun06

Romride

31Aug06

Mobler

Wesber7Sep06

4Sep06

Acallno












Couldn’t Someone Perform a Denial of Service (DoS) Attack?

Spoofing/intercepting these connections is impossible

Potential for DoS attack is mitigated by complexity of performing “well-formed” requests

Major concerns are:Incomplete Handshakes. (Mitigated by TCP Connection timeouts.)Opening lots of connections. (Mitigated by connection timeouts.)Opening connections and issuing lots of HTTP requests. (Mitigated by connection timeouts.)Account lockout . (Eliminated using RADIUS authentication.)

Security is Everywhere!

Top 10 Review

User education is critical Good security = technology and policySo what did I miss?

Resources

Security for Windows Mobile Messaginghttp://blogs.msdn.com/jasonlan/archive/2007/03/13/new-whitepaper-security-for-windows-mobile-messaging-in-the-enterprise.aspx

Security model for Windows Mobile 5.0 and 6http://blogs.msdn.com/jasonlan/archive/2007/03/13/new-whitepaper-security-model-for-windows-mobile-5-0-and-windows-mobile-6.aspx

http://www.microsoft.com/security/default.mspx

Other great sessions:APP215: Windows Mobile© Application Security Model ITP305: Security Analysis for Mobile Deployments

Fill out your session evaluationEnter to win a Windows Mobile® phone or Zune™

Geek out with a huge rack of serversEnterprise Mobility in Action is in the Expo Hall

While You're Here

Meet the geeksThe Expert Cabana is packed with MEDC speakers and MVPs

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date

of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.