Jason Langridge
Enterprise Mobility Solution Specialist
Microsoft Communications Business Group
E-mail: [email protected]
Blog: http://blogs.msdn.com/jasonlan
ITP205: Top 10 Security Concerns of Deploying Windows Mobile®
(And How to Overcome Them)
Microsoft Windows Mobile 5.0 Security Features
Device protection
  Device lock: PIN or strong password, with an exponential delay between failed unlock attempts
  Authentication protocols: PAP, CHAP, MS-CHAP, NTLM, TLS
Data protection
  128-bit cryptographic services: CAPIv2
  Application installation and execution security
  Anti-virus API
Network protection
  Secure browsing: HTTP (SSL), WAP (WTLS)
  Virtual Private Networking (PPTP, L2TP/IPSec)
  Wireless network protection (WEP, 802.1x, WPA)
Combined with Microsoft Exchange Server 2003
  IT security policy enforcement
  Remote device wipe
  S/MIME
  Certificate-based authentication
Windows Mobile 6 Security Enhancements
Storage card security
  Storage card encryption
  Storage card wipe (with Microsoft Exchange Server 2007)
Generating a personal certificate
  New desktop and device certificate enrollment tools
  PFX import
Crypto/certificate services
  Root certificate add for users
  AES 128 and 256 implementation for SSL and DPAPI
  Wildcard certificate support
  S/MIME configuration improvements
Built-in Rights Management support for messaging and Office documents
Exchange 2007 Policies
More granular access control
  By device ID: allows only enterprise-provisioned devices
  By user agent: allows only enterprise-approved device types
Per-user policies
New incremental policies
  Storage card encryption enforcement
  Allow/disallow attachments and maximum attachment size
  Allow/disallow UNC/SharePoint access
New device lock policies
  Device timeout enhancements
  Password expiration
  Password history
  User PIN/password reset
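As an added example (not part of the original deck), here is how the policy settings listed above are expressed in the Exchange Server 2007 Management Shell: one ActiveSync mailbox policy carrying the device-lock, storage-card and attachment settings, assigned per user and then verified. The policy name “Corp-Mobile”, the mailbox “alice” and the specific values are assumptions; the cmdlets and parameter names are Exchange 2007’s.

```powershell
# Added example, not part of the original deck. Exchange Server 2007 Management Shell.
# Policy name "Corp-Mobile", mailbox "alice" and the numeric values are assumptions.
$policyName = "Corp-Mobile"

# One policy that carries the device-lock, storage-card and attachment settings.
# AllowNonProvisionableDevices $false makes the policy fail closed: a client that
# cannot enforce the policy (older or non-Microsoft device) is refused, not waved through.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDevice "00:15:00" `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -PasswordRecoveryEnabled $true `
    -RequireStorageCardEncryption $true `
    -AttachmentsEnabled $true `
    -MaxAttachmentSize 512KB `
    -UNCAccessEnabled $false `
    -WSSAccessEnabled $false

# Policies are per user: attach it to the mailbox (or pipe a filtered Get-Mailbox in).
Set-CASMailbox -Identity "alice" -ActiveSyncMailboxPolicy $policyName

# Verify what the server will push to the device on its next sync.
Get-CASMailbox -Identity "alice" | Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy
Get-ActiveSyncMailboxPolicy -Identity $policyName | Format-List

# Audit: ActiveSync-enabled mailboxes with no policy assigned are unmanaged devices.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy -AutoSize
```

The final audit query is the check worth scheduling: a policy only protects the mailboxes it is assigned to, and a mailbox enabled for ActiveSync with no policy gets none of the settings above.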
Top 10 Security Concerns
1. We really don’t want to have incoming ports being opened
2. How can we stop un-trusted devices accessing Exchange?
3. We have to implement two-factor authentication
4. Do we really need to use Microsoft ISA Server?
5. We don’t want to cache passwords on the device
6. There is no way we’ll allow this solution, as you can download attachments
7. We must have on-device encryption
8. What is wiped when you remote-wipe a Windows Mobile device?
9. What about anti-virus support?
10. Couldn’t someone perform a Denial of Service (DoS) attack?
We Really Don’t Want to Have Incoming Ports Being Opened
Do you use Outlook Web Access already? Most customers do, so the necessary infrastructure is already in place
Only one inbound port is required: TCP 443 (SSL)
Traffic can be pre-authenticated at the perimeter before it reaches Exchange
ISA Server provides filtering to ensure the traffic really is Exchange ActiveSync traffic
[Diagram: mobile devices on the cellular network/Internet reach ISA Server 2004 or 2006 in the perimeter network over HTTPS only; ISA forwards the traffic to Exchange on the corporate network]
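An added check, not from the deck, that a published endpoint behaves as the slide describes: only 443 accepts connections, and an anonymous ActiveSync request is answered at the perimeter without ever reaching Exchange. The hostname is an assumption; the script uses .NET classes from PowerShell 2.0 or later and is run from outside the perimeter, not on the Exchange server.

```powershell
# Added example, not part of the original deck. Run from outside the perimeter
# (PowerShell 2.0+). The hostname is an assumption.
$server = "mail.example.com"
$url    = "https://$server/Microsoft-Server-ActiveSync"

# Only the published port should accept a TCP connection at all.
function Test-Port($server, $port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($server, $port); $true } catch { $false } finally { $client.Close() }
}

# Send an ActiveSync OPTIONS request. Exchange answers OPTIONS with the
# MS-ASProtocolVersions / MS-ASProtocolCommands headers; a pre-authenticating
# ISA listener answers an anonymous request itself, so those headers stay absent.
function Test-EasEndpoint($url, $credential) {
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method    = "OPTIONS"
    $req.UserAgent = "MSFT-PPC/5.2.1000"       # look like a Windows Mobile client
    if ($credential) {
        $req.Credentials     = $credential.GetNetworkCredential()
        $req.PreAuthenticate = $true
    }
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        $resp = $_.Exception.Response            # 401/403 still carry a response
        if (-not $resp) { throw }                # no response at all (e.g. untrusted cert): do not mask it
    }
    $result = New-Object PSObject -Property @{
        Status   = [int]$resp.StatusCode
        Versions = $resp.Headers["MS-ASProtocolVersions"]
        Commands = $resp.Headers["MS-ASProtocolCommands"]
    }
    $resp.Close()
    $result
}

if (Test-Port $server 80)         { Write-Warning "Port 80 is reachable; only 443 should be published" }
if (-not (Test-Port $server 443)) { throw "Port 443 is not reachable; nothing to test" }

# Anonymous: must be refused before it reaches Exchange, so no EAS headers in the reply.
$anon = Test-EasEndpoint $url $null
if ($anon.Versions) { Write-Warning "Endpoint answered ActiveSync OPTIONS without authentication" }
"Anonymous request: HTTP $($anon.Status)"

# Authenticated: expect 200 and the protocol versions Exchange supports.
$auth = Test-EasEndpoint $url (Get-Credential)
$auth | Format-List Status, Versions, Commands
```

The test keys on the MS-ASProtocolVersions header rather than on the status code because a pre-authenticating listener may answer an anonymous request with 401, a redirect or a logon form depending on how it is configured; in every one of those cases the header is absent, and if it is present the request reached Exchange unauthenticated.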
How Can We Stop Un-trusted Devices Accessing Exchange?
Front-door vs. back-door devices
There are two ways to address this concern:
1. Exchange Server 2003: use certificate-based authentication
2. Exchange Server 2007: use device ID blocking
If a user is disabled for sync, they can’t sync with any device
If a user is enabled for sync:
  If the device ID restriction is null, the user can sync with any device
  If the device ID restriction is populated, the user can only sync with the listed device(s)
To configure this feature, use the Exchange Management Shell and run the Set-CASMailbox task (the parameter is -ActiveSyncAllowedDeviceIDs). Example:
Set-CASMailbox -Identity:<user> -ActiveSyncAllowedDeviceIDs:"<deviceID_1>","<deviceID_2>"
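The complete procedure for option 2, as an added example that is not the deck’s own code: list the devices that have already partnered with the mailbox, lock the mailbox to the ones you provisioned, and verify. The mailbox name is an assumption; the cmdlets are Exchange 2007’s, and the DeviceType filter is only illustrative (in practice you match DeviceID against your asset register).

```powershell
# Added example, not part of the original deck. Exchange Server 2007 Management Shell.
# Mailbox "alice" is an assumption.
$user = "alice"

# 1. A device ID is only known to Exchange after the device has synced at least once,
#    so list the existing partnerships first. DeviceID is the value the client itself
#    sends in the ActiveSync URL (DeviceId=...), DeviceType distinguishes PocketPC /
#    SmartPhone, DeviceUserAgent is what a user-agent rule would match on.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $user
$devices | Format-Table DeviceID, DeviceType, DeviceUserAgent, LastSuccessSync -AutoSize

# 2. Keep only the device(s) you actually provisioned. The filter below is illustrative;
#    in practice compare DeviceID against the IDs you recorded when you provisioned them.
$allowed = @($devices | Where-Object { $_.DeviceType -eq "PocketPC" } |
                        ForEach-Object { $_.DeviceID })

# 3. Guard the edge case: an empty list is the "null" restriction on the slide, which
#    would silently re-open the mailbox to every device instead of locking it down.
if ($allowed.Count -eq 0) { throw "No provisioned device found for $user; refusing to write an empty restriction" }

# 4. Populate the restriction: from now on only these IDs may sync to this mailbox.
Set-CASMailbox -Identity $user -ActiveSyncAllowedDeviceIDs $allowed

# 5. Verify.
Get-CASMailbox -Identity $user | Format-List ActiveSyncEnabled, ActiveSyncAllowedDeviceIDs

# To lift the restriction again, clear the list:
# Set-CASMailbox -Identity $user -ActiveSyncAllowedDeviceIDs $null
```

Caveat for the design review: the device ID is asserted by the client (it travels in the query string of every ActiveSync request), so this is a provisioning control rather than an authenticator. Anyone holding a user’s password and an allowed device ID can still sync; certificate-based authentication (option 1) is the stronger control, and the two can be combined.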
We Have to Implement Two-factor Authentication
What is two-factor authentication?
Three methods are used to authenticate:
1. “Something you know” (such as a password, PIN or an out-of-wallet response)
2. “Something you have” (such as a mobile phone, credit card, or hardware security token)
3. “Something you are” (such as a fingerprint, a retinal scan, or other biometric)
Two-factor authentication requires any two of the above
We Have to Implement Two-factor Authentication
Please consider the user experience
“Something you have” and “Something you know” are the most common approaches
Three common ways to solve this:
1. RSA SecurID: SecurID token and device PIN
2. Certificate-based authentication: certificate and device PIN
3. Private APN: SIM and device PIN
SecurID
RSA’s SecurID is currently the most popular corporate solution for two-factor authentication; in Europe it is a de facto standard. It is now supported by Exchange ActiveSync.
RSA Authentication Agent 5.3 for Web for Internet Information Services provides support for Exchange Server 2003 ActiveSync
Implementation guide: http://technet.microsoft.com/en-us/library/cfecf499-32a9-4b9a-9d2a-88e393be0bd2.aspx
Certificate-based Authentication
Certificates on the mobile device (or via a certificate-reading peripheral) authenticate the user to the server for gaining sync privileges
Requires SSL tunneling through to the front-end server: the client certificate is validated by whichever server terminates SSL, so the perimeter device must pass the session through rather than terminate it
Does not support pre-authentication at ISA or another reverse proxy
Also requires one-time cradling to provision the certificate (plus whenever the certificate needs to be re-provisioned)
[Diagram: request flow using basic authentication vs. request flow using certificate authentication]
Private APN
Direct private connection from the mobile operator network into the corporate network
Network access controlled via proxy
Access to the APN controlled via SIM
[Diagram: the mobile operator network (GGSN) connects over a direct private connection, with no NAT (client addressing e.g. 192.168.32.1/24), through the firewall/ISA and proxy servers to the Exchange front-end and back-end servers; the public Internet path via the ISP is bypassed]
Do We Really Need to Use ISA Server?
ISA Server is “recommended,” not “required”
Any firewall that can publish port 443 (SSL) can be used
ISA is recommended because it has:
  The ability to pre-authenticate all traffic before it reaches your Exchange Server
  The option to inspect Exchange ActiveSync traffic passing through it and validate that it is genuine
  ISA Server 2006 provides Kerberos-constrained delegation to the Exchange server
We Don’t Want to Cache Passwords on The Device
Username, domain name and password are stored hashed and double-encrypted using 128-bit RC4 encryption
If you still aren’t comfortable with that, you can use certificate-based authentication, in which case no domain password is stored on the device for sync
[Diagram: using basic authentication vs. using certificate-based authentication]
There is No Way We’ll Allow This Solution, as You Can Download Attachments
Exchange Server 2003: you can use URLScan and block the X-MS-ENUMATTS verb to stop attachments from being downloaded. http://blogs.msdn.com/jasonlan/archive/2006/09/07/744780.aspx
Exchange Server 2007: you can allow/disallow attachment download (and cap the attachment size) through ActiveSync mailbox policy
We Must Have On-Device Encryption
All data is protected by the device PIN and remote wipe
Windows Mobile 6 has storage card encryption, but device memory itself is not encrypted
First separate PIM data (e-mail/calendar/contacts) from LOB data
If it is an absolute requirement:
  For LOB solutions, you can use Microsoft SQL Server Compact Edition native encryption or the Crypto API
  If you require full-device encryption, third-party products are available: Credant Mobile Guardian, Trust Digital
What is Wiped When You Remote-Wipe a Windows Mobile Device?
When device memory is wiped it is effectively a hard reset
Windows Mobile 6 and Exchange Server 2007:
  Storage card encryption uses AES 128-bit encryption
  The key is stored on the device; the encrypted data is stored on the card
  A wipe removes the key and formats the card

Scenario                               Device memory wiped   Storage card wiped
Exchange 2003 and Windows Mobile 5.0   Yes                   No
Exchange 2003 and Windows Mobile 6     Yes                   No
Exchange 2007 and Windows Mobile 5.0   Yes                   No
Exchange 2007 and Windows Mobile 6     Yes                   Yes

[Diagram: Device Wipe, Windows Mobile 6 remote kill functionality]
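An added example, not the deck’s own code, of issuing and tracking a remote wipe from the Exchange Server 2007 Management Shell, including the detail the table above implies but does not state: the wipe command is only delivered when the device next syncs. The mailbox name and notification address are assumptions; the cmdlets and the DeviceWipe* properties are Exchange 2007’s.

```powershell
# Added example, not part of the original deck. Exchange Server 2007 Management Shell.
# Mailbox "alice" and the notification address are assumptions.
$user = "alice"

# 1. Every partnership with its wipe state. Identity is what Clear-ActiveSyncDevice takes.
Get-ActiveSyncDeviceStatistics -Mailbox $user |
    Format-List Identity, DeviceID, DeviceType, LastSuccessSync,
                DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# 2. Pick the lost device (illustrative filter: the first PocketPC; match on DeviceID
#    in practice so you do not wipe the user's other, still-trusted device).
$device = Get-ActiveSyncDeviceStatistics -Mailbox $user |
    Where-Object { $_.DeviceType -eq "PocketPC" } | Select-Object -First 1
if (-not $device) { throw "No matching device partnership for $user" }

# 3. Queue the wipe. It is delivered on the device's next sync, so until the device
#    reconnects only the device lock protects the data; a device that never comes
#    back online is never wiped, which is why the PIN policy matters as much as this.
Clear-ActiveSyncDevice -Identity $device.Identity `
    -NotificationEmailAddresses "mobile-security@example.com" -Confirm:$false

# 4. Track it: RequestTime = an admin issued it, SentTime = the device fetched it,
#    AckTime = the device reported the wipe (hard reset; card key destroyed on WM6) done.
Get-ActiveSyncDeviceStatistics -Mailbox $user |
    Where-Object { $_.Identity -eq $device.Identity } |
    Format-List DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# 5. After the acknowledgement, drop the partnership so the same device ID cannot
#    quietly re-sync if it turns up again; it must be re-provisioned first.
# Remove-ActiveSyncDevice -Identity $device.Identity -Confirm:$false
```

For incident handling, the three timestamps are the evidence trail: a wipe with a RequestTime but no SentTime means the device has not contacted the server since the order was issued, so the data on it should still be treated as exposed.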
What About Anti-virus?
User education is critical
Windows Mobile includes application installation and execution security
Uses code signing to determine the trust level for:
  An application installation
  An application process
This is the primary defense for enterprises against malicious code
Built-in APIs for anti-virus solutions from:
  Computer Associates
  F-Secure
  McAfee
  SOFTWIN
  Airscanner
  Trend Micro
  Symantec
[Figure, copyright 2006 Trend Micro Inc.: “Infamous Mobile Threats (2004-2006)”, a dated timeline colour-coded by platform (Symbian OS, Windows CE/Mobile, Java/J2ME). Threats shown: Cabir, Win CE DUTS, Win CE BRADOR, Qdial, Skulls, Locknut (Gavno), Dampig, Comwar, Drever, Mabir, Fontal, Hobbes, Doomed, Boottoon, Skudoo, Cadmesk, Cardtrp, Cardblk, PBSteal, Blanfon, Sndtool, Flexspy, OneJump, Romride, Mobler, Wesber, Acallno, RedBrow, Cxover, Vlasco]
Couldn’t Someone Perform a Denial of Service (DoS) Attack?
Spoofing or intercepting these connections is impractical once SSL is in place: an attacker would have to defeat the device’s validation of the server certificate, not merely sit on the network path
The potential for a DoS attack is mitigated by the complexity of producing “well-formed” requests
Major concerns are:
  Incomplete handshakes (mitigated by TCP connection timeouts)
  Opening lots of connections (mitigated by connection timeouts)
  Opening connections and issuing lots of HTTP requests (mitigated by connection timeouts)
  Account lockout (eliminated by using RADIUS authentication)
Security is Everywhere!
Top 10 Review
User education is critical
Good security = technology and policy
So what did I miss?
Resources
Security for Windows Mobile Messaging: http://blogs.msdn.com/jasonlan/archive/2007/03/13/new-whitepaper-security-for-windows-mobile-messaging-in-the-enterprise.aspx
Security model for Windows Mobile 5.0 and 6: http://blogs.msdn.com/jasonlan/archive/2007/03/13/new-whitepaper-security-model-for-windows-mobile-5-0-and-windows-mobile-6.aspx
http://www.microsoft.com/security/default.mspx
Other great sessions:
  APP215: Windows Mobile® Application Security Model
  ITP305: Security Analysis for Mobile Deployments
While You’re Here
Fill out your session evaluation: enter to win a Windows Mobile® phone or Zune™
Geek out with a huge rack of servers: Enterprise Mobility in Action is in the Expo Hall
Meet the geeks: the Expert Cabana is packed with MEDC speakers and MVPs
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.