
Mobile device security concerns

I'm sitting in Jason's session at TechEd today. He's talking about Windows Mobile 6 and the top 10 security concerns about going mobile (and how to overcome them). An interesting session if you're trying to convince your company to use Windows Mobile and are being pushed back by management. Here are some of the topics he covered:

"We don't want to open incoming ports": you only need port 443 opened, and that's already open if you use OWA. ISA can filter traffic.

Stopping untrusted devices from accessing Exchange: use certificate-based authentication (Exchange 2003) or Device ID blocking (Exchange 2007).

Implementing 2-factor authentication: there are several ways to do this, including certificate and device PIN.

Using ISA Server: it's recommended, not required. It can, however, pre-authenticate traffic before it reaches your Exchange server.

Caching passwords on the device: use certificate-based authentication.

Blocking attachments to mobile devices

On-device encryption: your data is protected by PIN and remote wipe. Storage cards are encrypted (not the device). If you do need device encryption, use a 3rd party solution.

What is wiped when you remote wipe a Windows Mobile device (it's a hard reset, by the way). If you're using Exchange 2007 there is storage card encryption (AES 128 bit). The key is stored on the device, so the wipe removes the key and formats the device.

Antivirus support: it's all about user education. There is application installation and execution security, there's also a 2 tier model to prevent any installations of malicious code and Trojans with code signing, and there's also built-in support for antivirus solutions.

Denial of service attacks (connection timeouts stop these). Account lockouts may be an issue, but RADIUS can deal with these...

 

Useful tips for you to convince the bosses that Windows Mobile is OK...

Published Tuesday, June 05, 2007 9:03 PM by Eileen_Brown

Comments

Tuesday, June 05, 2007 10:05 PM by Mary Shimkaveg

# re: Mobile device security concerns

Great summary.  I was also in the same session and liked it too.  

I will be at the Women in Technology Luncheon and look forward to seeing you.

Tuesday, June 05, 2007 11:22 PM by WM User

# re: Mobile device security concerns

Very good points, but with all these protections in place, you might as well go Blackberry...

In other words, the point of WM is to give users a chance to actually use their devices. If I wanted a 'no download', 'no third party',  'no freedom' application device, I would go with Blackberry Enterprise. WM devices allow us to create custom applications and give our users full internet access when on the road.

Plus, you failed to mention the fact that a hard reset (remote or otherwise) will result in a complete loss of content for the media card. A software glitch or misinformed user could hard reset their device and lose everything.

The point is that if you are willing to jump through a bunch of undocumented (and probably unsupported) configurations...then you might be able to prevent an attack. Unless of course, your program is vulnerable to a buffer overflow attack..........and I only know of a few people who are even publicly looking for this.

WM is not all Jason (a MS employee?) is publicized to be...

Wednesday, June 06, 2007 9:18 AM by Eric

# re: Mobile device security concerns

Talking about Blackberry and Security in the same comment is quite funny.

Every BES communication comes into RIM buildings.

With BES encryption known by RIM.

In Europe, it comes to the UK RIM Datacentre.

And according to UK law, every communication can be cracked if there is an economic interest for the UK.

So, again, if you're requesting Security for your company: forget BES, or ask RIM to change the way they can spy on your communication.

Wednesday, June 06, 2007 9:55 AM by Jason

# re: Mobile device security concerns

WM User -

As you rightly point out, flexibility is a key benefit of Windows Mobile. The reason for my session and topics is to break down some of the competitive misinformation that is being distributed and also to give guidance.

Of course as Eric points out there are a number of concerns I hear repeatedly from customers around BES:

1) Having all your data flow through a single point of failure (NOC)

2) An inability to inspect traffic (what happens if a trojan app on a BB gets into your network)

3) The fact that BES requires a superuser account to talk to Exchange

Wednesday, June 06, 2007 9:58 PM by WM User

# re: Mobile device security concerns

To Eric and Jason:

(1) You can protect all your RIM data with a VPN. With this in place, it is solid protection...who cares what router, proxy, or relay it goes through. For that matter, WM users can use a VPN as well. The issue with what network it passes through will be a problem regardless of whether it is RIM's, Comcast's, or ATT's. As long as someone else owns the network, I would always assume someone is capturing the data (e.g. RSA).

(2) I don't know of any Trojan BB apps. However, I do know of MANY WM apps...and have several undocumented ones at my disposal. If you want to play WM vs BB trojan apps, then you might want to do some research. WM is a FAR FAR FAR FAR easier platform to develop rogue software for than BB...though, I personally favor WM because it is also a FAR FAR FAR FAR easier platform for people to code games, apps, and custom code for as well.

If you are truly concerned about the WM users infecting your network...then perhaps you ought to consider the ways that a vulnerable PC can infect a synced WM device. I personally have never seen a BB owned by an owned PC...but have seen WM devices fall victim to infected PCs.

(3) Well, this one I can't provide a solid smackdown to :) However, the other two points are enough IMHO to point to BB as the more secure out of the box.

All this said.......

WM can be made as secure (if not more so) than BB. It just requires a serious policy and ownership that requires the enterprise to lock down the devices. Unfortunately, this turns the WM device into an unfriendly user device that might as well be a BB.

Still...I prefer having the option to install my own software choices...and the numerous devices out there provide a wide range of shopping options. At least until the iPhone comes out!

Thursday, June 07, 2007 10:51 AM by Jason

# re: Mobile device security concerns

WMUser - the point I was making around everything going through a single point is the potential impact that can have if it goes down (as happened in the US for 11hrs). Similarly, many governments have concerns about their data entering a different country, and one they might not trust politically.

As far as Trojan Apps - Windows Mobile has (particularly on Smartphone) a 2 tier security model that can protect the installation or execution of applications using code signing.  This avoids the majority of issues in this area.
