Windows Mobile 2003 More Secure?
After spending quite a bit of time reviewing the features of Windows Mobile 2003 in my last article, I decided to focus on how Microsoft has changed security in the 2003 release. You might assume that Windows Mobile 2003 is more secure simply because it offers more security features, such as 802.1X and IPsec; however, a number of items are no more secure than they were in Pocket PC 2002. In this article I focus on the security provided out of the box and how it is implemented, so that users and administrators can understand the risks that come with using Pocket PCs.
Power On Password
The power-on password is a good way to protect the data on your Pocket PC from being read or copied by others. The feature is unchanged from Pocket PC 2002: you can use a 4-digit PIN or a much stronger alphanumeric password. New in Windows Mobile 2003 is a password hint, which can be displayed to help users remember their password; keep in mind that the hint is shown to anyone holding the device, so a hint that gives away the password removes most of the protection. One other important aspect that administrators need to know is that there is NO back door into the system. If a user forgets the password, or leaves the company without disclosing it, all you can do is hard reset the device, which wipes the data stored in it.
As you may be aware, Microsoft has allowed users to store both network and Internet passwords on their Pocket PCs since Pocket PC 2000. With 2003, the stored passwords are kept in a protected store intended to prevent unauthorized access. Windows Mobile 2003 still has the same difficulties as prior versions when it comes to managing those stored passwords: Microsoft provides no facility to change them. The only time a stored password can be changed is when the system prompts the user because the existing password no longer works, and the only way to delete a stored username and password from Windows Mobile 2003 is to hard reset the device – OUCH! Other passwords can be stored on a 2003 device as well, such as the Exchange 2003 or Mobile Information Server password, the VPN password, and the POP3/IMAP4/SMTP password. Microsoft does NOT offer a way to prevent users from storing passwords on the device, so this presents a significant security issue if the passwords can be extracted from the device, even in encrypted form.
Pocket PC 2003 expands the security Microsoft supports for website access. You can now easily store your own digital certificates on your Pocket PC: copy the certificate over using File Explorer, tap it on the Pocket PC, and it is installed. The same convenience means that any certificate file copied onto the device is one tap away from being trusted, so check the certificate you are about to install against a fingerprint obtained from the issuer out of band. The area Microsoft has not improved is scripting and ActiveX controls, as well as installation of programs via CAB files. Right now all versions of the Pocket PC allow ActiveX controls to install without prompting the user, allow scripts (such as JScript) to run, and install a .CAB file when the user simply taps a link to it on a website. You can disable script execution, ActiveX installation and application installation using RegKing 2003 or other third-party security applications.
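Since the Pocket PC installs a .cer file as soon as it is tapped, the fingerprint check has to happen beforehand, on the desktop that prepares the file. The following is an added example, not code from the original article or from Microsoft or RegKing: it normalizes a certificate file (PEM or DER) to its DER bytes, computes the fingerprint as the hash of those bytes, and compares it in constant time against the value the issuer published. The sample bytes are constructed stand-ins, not a real certificate, and the `published` value is an assumed input.

```python
"""Fingerprint a certificate file before copying it to a Pocket PC.

A certificate's fingerprint is the hash of its DER encoding. A PEM file
is the same DER wrapped in base64 between BEGIN/END lines, so both forms
are normalised to DER first and then hashed.
"""
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate given either PEM or DER input."""
    m = PEM_RE.search(data)
    if m:
        # Strip the line breaks inside the base64 body, then decode.
        return base64.b64decode(b"".join(m.group(1).split()))
    return data  # no PEM armour: assume the file is already DER


def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Colon-separated, upper-case hex fingerprint (same form most CAs publish)."""
    digest = hashlib.new(algo, to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'abcd' and reduce to bare upper-case hex."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def matches_published(data: bytes, published: str, algo: str = "sha256") -> bool:
    """True only if the file's fingerprint equals the issuer's published one."""
    computed = _normalize(fingerprint(data, algo))
    expected = _normalize(published)
    # Constant-time comparison; a plain == would be fine for a local check,
    # but compare_digest costs nothing and is the habit worth keeping.
    return hmac.compare_digest(computed, expected)


# Constructed sample input: 64 arbitrary bytes standing in for a DER
# certificate, plus the same bytes wrapped as a PEM file. Not a real cert.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Assumed input: the value the issuer published on a trusted channel.
    published = fingerprint(SAMPLE_DER)
    print("SHA-256:", fingerprint(SAMPLE_PEM))
    print("SHA-1:  ", fingerprint(SAMPLE_PEM, "sha1"))
    print("matches published value:", matches_published(SAMPLE_PEM, published))
    print("tampered copy matches:  ", matches_published(SAMPLE_DER + b"\x00", published))
```

Run it against the real .cer you intend to copy to the device and paste the issuer's published fingerprint as `published`; only copy the file across when the result is True. The PEM and DER forms of one certificate always give the same fingerprint, so it does not matter which form you were handed.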
Are there Profiles?
Pocket PC 2002 introduced, and Windows Mobile 2003 expands, support for user profiles on the Pocket PC. The profile functionality is visible in the directory structure of the Pocket PC, where documents and settings are stored. So far, however, the concept of profiles has not grown to allow multiple users to share a Windows Mobile 2003 device with separate authentication, as users can on other Windows operating systems.
Does Windows Mobile 2003 Support Policies?
Microsoft has used policies to let network administrators define default security settings for users when they first log on to a network since Windows 95. So far Microsoft has not added any functionality to centrally manage the security features of Windows Mobile 2003 or any prior Pocket PC release. However, while reviewing the registry I did find an option that lets an administrator control whether applications can be installed on the Pocket PC. The registry setting enables an Administrator icon in the Control Panel, which prompts for a strong password in order to block the installation of applications. I have included this as a hack in RegKing 2003 as an example of how this could work.
Really Want to Be Secure?
Some companies require a security evaluation before implementing new systems, but all network administrators should review the security functionality of their devices in light of the kind of data stored on them. To make sure you are secure, I highly recommend testing each function you are securing so that you understand how it works and what you can do to control it. Administrators also need to know that specialized applications are available to increase the security of the Pocket PC. Some are commercial security products; others, such as RegKing 2003, are free, so it is easy to make your Windows Mobile 2003 more secure than it shipped from Microsoft.
Trustworthy Computing Initiative?
I wonder what happened to the Pocket PC when it comes to Microsoft's Trustworthy Computing initiative, which was designed to make Microsoft's products more secure. I can easily see multiple ways Microsoft could have secured the Pocket PC by default to minimize the risks right out of the box, just as Windows Server 2003 does, and that product shipped three months before Windows Mobile 2003. Clearly Microsoft must do more to make the Pocket PC inherently safe from the moment a user takes it out of the box. I just hope they take Pocket PC security as seriously as they do the security of their server and desktop operating systems.
I hope we see Microsoft put more effort into offering complete control over the usernames and passwords stored on the device. I also think that adding the ability to disable potential security risks such as the ones outlined here would benefit users and administrators who are not familiar with the design and implementation of security on Windows Mobile 2003.