Inside Research on Windows Mobile 2003
This article will appear in the March 2004 issue of Pocket PC Magazine.
This article was discussed with Microsoft due to the security concerns expressed herein.
About 3 months ago, I started researching an article for our last issue entitled “Is Windows Mobile 2003 More Secure?” (Pocket PC magazine, Dec/Jan 2004, p. 34). During the research, I was reminded of a quote:
“Facts are stubborn things; and whatever may be our wishes, our inclination, or the dictates of our passions, they cannot alter the state of facts and evidence.” (John Adams, 1770)
It is in this light that I am presenting the issues herein, followed by some suggested solutions to them. It is my hope that people will take precautions to protect the integrity of their shared documents.
Testing network access
I began by setting up the following scenario: A Windows Mobile 2003 device was to access a shared folder on my Acer Tablet PC. The folder I chose to share was C:\Documents and Settings\All Users\Shared Documents with the share name Shared Documents. I used the default Simple Sharing since Microsoft recommended it.
Attempting to access the shared documents
The first time I attempted to access the Shared Documents folder, Windows Mobile 2003 prompted me to enter a username and password. So I went into Control Panel > Administrative Tools > Computer Management on my Tablet PC and set up an additional user named “Remote” with a password of “Remote.” I then attempted again to access the Shared Documents, and the Windows Mobile 2003 device prompted me to enter the username and password for Remote; I entered them and clicked the checkbox to store them. The Windows Mobile 2003 device was then allowed access to the share.
Access survives reboots
When I was done accessing the share, I rebooted the Tablet PC, and then I tried to access the share with the Windows Mobile 2003 device, and was granted access! I then tried a soft reset of the Windows Mobile 2003 device and was still granted access! At this point I was really scratching my head. I couldn’t figure out why Windows Mobile 2003 still had access to the network share even after a reboot of the Tablet PC and a soft reset of the Windows Mobile 2003 device. I also tried renaming the user and changing its password on the Tablet PC, but Windows Mobile 2003 still could access the network share. So then I contacted Microsoft at Secure@microsoft.com, their official e-mail address for reporting security issues, to alert them to this security problem.
Identifying the problem
During my discussions with Microsoft, I was asked to uncheck “Use simple file sharing” on the Tablet PC, which is done in Windows Explorer via the menu item Tools > Folder Options > View; “Use simple file sharing” is at the bottom of the list. When I did so, I noticed that the default sharing for the folder was Everyone. “Everyone,” in Microsoft security-speak, really means that anyone can access the network share without entering a username or password. At this point I concluded that there is a bug in the username/password program for Windows Mobile 2003, which causes it to prompt the user to enter a username and password even when there is no requirement to do so. I confirmed this hypothesis by using Windows Mobile 2003 to access a shared folder on a desktop install of Windows XP Professional, and the same problem occurred.
Focusing on the problem in detail
Once I realized that Microsoft’s recommended security setting for Windows XP was allowing Everyone to access network shares by default, I tried changing the security on the Tablet PC to Authenticated Users. The Windows Mobile 2003 device was still allowed access to the network share as long as the stored username and password were the same as those on the Tablet PC. At this point I tried disabling the user on the Tablet PC. Not only was I then unable to access the network share with the Windows Mobile 2003 device, but I was also not prompted to enter a new username and password. So now I no longer had any access to any network share on the Tablet PC.
Testing with the Web
The situation was better with Web security. I attempted to access a Web site that had username and password security on the directory. Since I had already stored a username and password when I accessed the Windows network, Windows Mobile 2003 automatically filled in that username! I was able to overtype the username and enter in the appropriate one to access the Web, and to save the password. When the password for the Web directory was changed, Windows Mobile 2003 prompted appropriately for a replacement password.
Resolving the security issues outlined
I suggest that Windows XP Professional users disable “Use simple file sharing” and use the built-in group Authenticated Users. That will force anyone trying to gain access to the network share to enter a username and password. For users of Windows XP Home Edition, I do not know of a solution to ensure that their network shares will be secure. A Microsoft spokesperson has assured me that Microsoft is working with its partners to release an update that will allow Windows Mobile 2003 users to change or delete a stored username or password and to update the default username. I am very pleased to see Microsoft’s swift reaction to this problem and I anticipate that an update will be released soon.
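As an added defensive check, not part of the original article: a read-only Windows PowerShell audit script that reports whether simple file sharing is still on (it is stored as the ForceGuest registry value under the Lsa key) and lists every share whose share-level permissions grant access to Everyone, the condition described above. It assumes a Windows host with Windows PowerShell and the Win32_LogicalShareSecuritySetting WMI class; it changes nothing, and the fix remains the Folder Options and Authenticated Users steps given in the text.

```powershell
# Added audit script (not from the article). Read-only: it reports, it does not change anything.
# Assumes Windows PowerShell (Get-WmiObject) on the host whose shares are being checked.

# 1. "Use simple file sharing" corresponds to the ForceGuest value under the Lsa key:
#    1 = simple file sharing on (network logons are treated as Guest), 0 = classic security.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.ForceGuest -eq 1) {
    Write-Warning 'Simple file sharing (ForceGuest=1) is on: share permissions apply to Guest, not to named users.'
} else {
    Write-Output 'Simple file sharing is off (ForceGuest=0 or not set).'
}

# 2. Walk each share's DACL and flag entries that allow access to Everyone.
#    Win32_LogicalShareSecuritySetting exposes share-level permissions, not the NTFS ACL.
#    Everyone is matched by its well-known SID (S-1-1-0) so the check works on localized systems too.
$findings = @()
foreach ($setting in Get-WmiObject -Class Win32_LogicalShareSecuritySetting) {
    $result = $setting.GetSecurityDescriptor()
    if ($result.ReturnValue -ne 0 -or -not $result.Descriptor) {
        Write-Warning "Could not read share permissions for $($setting.Name) (return code $($result.ReturnValue))."
        continue
    }
    foreach ($ace in $result.Descriptor.DACL) {
        # AceType 0 = access allowed, 1 = access denied; only allow entries are a finding.
        if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq 'S-1-1-0') {
            $findings += [pscustomobject]@{
                Share      = $setting.Name
                Trustee    = $ace.Trustee.Name
                AccessMask = ('0x{0:X}' -f $ace.AccessMask)
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No share grants access to Everyone.'
} else {
    Write-Warning 'Shares granting access to Everyone (replace with Authenticated Users, as described above):'
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt, since reading share security descriptors requires administrative rights.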