Inside Research on Windows Mobile 2003 Network Security

About 3 months ago, I started researching an article for our last issue entitled “Is Windows Mobile 2003 More Secure?” (Pocket PC magazine, Dec/Jan 2004, p. 34). During the research, I was reminded of a quote:

“Facts are stubborn things; and whatever may be our wishes, our inclination, or the dictates of our passions, they cannot alter the state of facts and evidence.” (John Adams, 1770)

It is in this light that I am presenting these issues, followed by suggested solutions to them. It is my hope that people will take precautions to protect their networks.

Testing network access

I set up the following scenario: A Windows Mobile 2003 (WM2003) device was to access a shared folder on my Acer Tablet PC. The folder I shared was C:\Documents and Settings\All Users\Shared Documents with the share name Shared Documents. I used the default Simple Sharing which Microsoft recommends.

Attempting to access the shared documents

The first time I attempted to access the Shared Documents folder, WM2003 prompted me to enter a username and password. So I went into Control Panel > Administrative Tools > Computer Management on my Tablet PC and set up an additional user named “Remote” with a password of “Remote.” I then attempted again to access the Shared Documents. WM2003 prompted me to enter the password for Remote, and I clicked the checkbox to store it. The WM2003 device was then allowed access to the share.

Access survives reboots

When I was done accessing the share, I rebooted the Tablet PC; then I tried to access the share with the WM2003, and was granted access! I then tried a soft reset of WM2003 and was still granted access! At this point I was really scratching my head. I couldn’t figure out why WM2003 still had access to the network share even after a reboot of the Tablet PC and a soft reset of WM2003. I also tried renaming the user and changing its password on the Tablet PC, but WM2003 still could access the network share. So then I contacted Microsoft at Secure@microsoft.com to alert them to this security problem.

Identifying the problem

During my discussions with Microsoft, I was asked to uncheck “Use simple file sharing” in a file folder in the Tablet PC by clicking on the Windows Explorer menu item Tools > Folder Options > View. “Use simple file sharing” is at the bottom of the list. When I did so, I noticed that the default sharing for the folder was Everyone. “Everyone,” in Microsoft security-speak, really means that anyone can access the network share without entering a username. At this point I concluded that there is a bug in the username/password program for WM2003, which causes it to prompt for a username even when there is no requirement to do so. I confirmed this hypothesis by using WM2003 to access a shared folder on a desktop install of Windows XP Professional and the same problem occurred.

Focusing on the problem in detail

Once I realized that Microsoft’s settings for Windows XP were allowing Everyone to access network shares by default, I tried changing the security on the Tablet PC to Authenticated Users. The WM2003 device was still allowed access to the network share as long as the stored username and password were the same as those on the Tablet PC. At this point I tried disabling the user on the Tablet PC. I was then unable to access the network share with the WM2003 device and I was not prompted to enter a new username and password. Now I no longer had any access to any network share on the Tablet PC.
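
The two settings examined above, simple file sharing and a share permission of Everyone, can be audited on a host with a short script. This is an added example, not part of the original article: it assumes a current Windows release with the SmbShare cmdlets (Windows XP itself does not have them) and an elevated PowerShell session, and it relies on the ForceGuest registry value being the setting behind "Use simple file sharing".

```powershell
# Added example (not from the article): flag shares open to broad principals.
# Assumption: Windows 8 / Server 2012 or later, run from an elevated session.

# 1. Simple file sharing is stored as ForceGuest = 1 under the Lsa key.
#    When set, network logons with local accounts are mapped to Guest.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$forceGuest = ([int]$lsa.forceguest) -eq 1    # a missing value counts as 0

# 2. Well-known SIDs that admit callers without a named account.
#    Matching on SIDs keeps the check independent of the display language.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'ANONYMOUS LOGON'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

function Resolve-Sid([string]$AccountName) {
    try {
        $acct = New-Object System.Security.Principal.NTAccount($AccountName)
        $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $AccountName    # unresolved entries are left as listed
    }
}

# 3. Walk every non-administrative share and collect Allow entries
#    granted to one of the broad principals above.
$findings = foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
        $sid = Resolve-Sid $ace.AccountName
        if ($ace.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $broadSids[$sid]
                Right     = $ace.AccessRight
            }
        }
    }
}

"Simple file sharing (ForceGuest) enabled: $forceGuest"
$findings | Format-Table -AutoSize
```

An empty table together with ForceGuest disabled means no share admits Everyone, anonymous or Guest callers at the share-permission level; NTFS permissions on the folder are a separate layer and are not examined here.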

Testing with the Web

The situation was better with Web security. I attempted to access a Web site that had password security on the directory. Since I had already stored a username and password when I accessed the Windows network, WM2003 automatically filled in that username! I was able to overtype the username and enter in the appropriate one to access the Web, and to save the password. When the password for the Web directory was changed, WM2003 prompted appropriately for a replacement password.

Resolving the security issues outlined