Windows Mobile Security and Patch Management

If you work in Information Technology or have been using Windows on your desktop, you may be aware that security and patch management are critical tasks that must be addressed, especially on any device where you store information. With Windows Mobile, you cannot afford to ignore security and patch management either. This article provides an overview of the latest in Windows Mobile 5.0 security and patch management. Where appropriate, I have included my recommendations to improve security. As with any recommendation, you must consider what is best for your environment and security requirements.

ActiveSync security

Last summer, Microsoft decided to remove ActiveSync 3.x from their Website. Bloggers later discovered that there were security concerns regarding ActiveSync 3.x. I was surprised that Microsoft did not use its Trustworthy Computing approach to issue a Security Advisory (http://microsoft.com/technet/security/advisory/archive.mspx) for ActiveSync 3.8.

Some security issues with ActiveSync 3.8 were known for about a year before Microsoft pulled ActiveSync 3.x. Airscanner published "Remote Password Compromise of Microsoft Active Sync 3.7.1 & 3.8" (http://airscanner.com/security/activesync371.htm) which explained how a hacker could use the network synchronization option in ActiveSync to attempt to break your password or prevent you from synchronizing. For a comprehensive list of ActiveSync security issues reported by third parties, see http://pocketpcfaq.com/faqs/activesync/securityadvisories.htm.

Recommended ActiveSync security

At this time, I recommend that users upgrade to ActiveSync 4.5 to avoid these security issues. If you insist on using ActiveSync 3.x because you want to sync over your network connection, then I suggest that you assign a static IP address to your Windows Mobile device and configure your desktop PC's firewall to allow only that static address and 192.168.55.101 (subnet mask 255.255.255.0) to reach ActiveSync over the network and USB.

Windows Mobile device security

Power-on password security

With Windows Mobile 5.0 Messaging and Security Feature Pack (MSFP) and Exchange 2003 or 2007, you can require users to set a power-on password. Through Exchange, you can specify the minimum length of the password and have the device wiped after a set number of incorrect password entries. Wiping the device does not erase any data stored on a storage card.

Remote wipe

With Windows Mobile 5.0 and MSFP, users can remotely erase their devices in case they are lost or stolen. However, for the remote erase to work, the device must be connected to the Internet and to the Exchange server. So if a stolen device is never connected to the Internet, or its Exchange server connection is deleted, the device's data is not erased. Further, Remote Wipe does not erase any data stored on flash cards.

I highly recommend that network administrators implement and support only Windows Mobile 5.0 MSFP devices and configure Exchange to offer the level of security that mirrors their corporate standards. If you choose to support Windows Mobile 2003 devices, you will not be able to enforce password security.
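The two caveats above, that a wipe (local or remote) leaves the storage card untouched and that a remote wipe only reaches a device that still syncs with Exchange, are easy to lose sight of when reading a policy screen. The following is an added example, not code from the article or from Microsoft: a small Python model of the Exchange-enforced policy with a minimum password length and a failed-attempt wipe threshold. The policy field names, the threshold values and the sample device contents are assumptions constructed for illustration, not Exchange's real settings.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example (not from the article): a model of the Exchange device policy
# described in the text. Policy field names, numbers and sample data are
# constructed assumptions, not Exchange's actual configuration.


@dataclass
class DevicePolicy:
    """Policy pushed by Exchange (constructed values)."""
    min_password_length: int = 6
    max_failed_attempts: int = 8   # wipe once this many wrong entries occur


@dataclass
class Device:
    """Simulated Windows Mobile 5.0 MSFP device state (constructed)."""
    password: Optional[str] = None
    failed_attempts: int = 0
    internal_storage: dict = field(default_factory=dict)
    storage_card: dict = field(default_factory=dict)
    wiped: bool = False


def set_power_on_password(device: Device, policy: DevicePolicy, new_password: str) -> None:
    """Enforce the Exchange-specified minimum length before accepting a password."""
    if len(new_password) < policy.min_password_length:
        raise ValueError(
            f"password must be at least {policy.min_password_length} characters"
        )
    device.password = new_password
    device.failed_attempts = 0


def wipe_device(device: Device) -> None:
    """Erase internal storage and the password. The storage card is left
    untouched, which is the gap the article warns about."""
    device.internal_storage.clear()
    device.password = None
    device.wiped = True


def unlock(device: Device, policy: DevicePolicy, attempt: str) -> bool:
    """Power-on unlock: count failures and wipe at the policy threshold."""
    if device.wiped or device.password is None:
        return False
    if attempt == device.password:
        device.failed_attempts = 0
        return True
    device.failed_attempts += 1
    if device.failed_attempts >= policy.max_failed_attempts:
        wipe_device(device)
    return False


def sync_with_exchange(device: Device, remote_wipe_pending: bool) -> bool:
    """A remote wipe is only delivered when the device actually connects.
    Returns True if the wipe was applied during this sync."""
    if remote_wipe_pending and not device.wiped:
        wipe_device(device)
        return True
    return False


def demo_failed_attempts(policy: Optional[DevicePolicy] = None) -> Device:
    """Enter wrong passwords until the policy threshold wipes the device."""
    policy = policy or DevicePolicy()
    device = Device(internal_storage={"inbox": "mail"},
                    storage_card={"report.doc": "data"})
    set_power_on_password(device, policy, "correct-horse")
    for i in range(policy.max_failed_attempts):
        unlock(device, policy, f"guess-{i}")
    return device


def demo_remote_wipe(device_ever_syncs: bool) -> Device:
    """An administrator issues a remote wipe; it only takes effect if the
    device syncs again. A device that never reconnects keeps its data."""
    policy = DevicePolicy()
    device = Device(internal_storage={"inbox": "mail"},
                    storage_card={"report.doc": "data"})
    set_power_on_password(device, policy, "correct-horse")
    if device_ever_syncs:
        sync_with_exchange(device, remote_wipe_pending=True)
    return device


if __name__ == "__main__":
    d = demo_failed_attempts()
    print("after threshold:", d.internal_storage, d.storage_card)
    print("never syncs:", demo_remote_wipe(False).internal_storage)
    print("syncs once:", demo_remote_wipe(True).internal_storage)
```

In both demos the storage card dictionary survives every wipe path, which is why the article's advice to treat card contents separately matters; and the remote-wipe demo returns an untouched device whenever the sync never happens.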

Device-stored password security

One of the issues to watch out for on a Windows Mobile 5.0 device is users' ability to store network and website passwords. Although the user can store the password, there is no administrative option to prevent them from doing so. Further, the only way to delete the stored passwords is to perform a hard reset.

Therefore, I do not recommend "recycling" a Windows Mobile device without performing a hard reset on it. This is the only way to guarantee that the user's data and any stored passwords have been deleted.

Installing applications
