Pocket PC Security
Lately, I have seen more and more questions regarding Pocket PC Security. This article will outline different areas that network administrators and security officers should consider when deploying Pocket PCs. A list of applications is also provided to allow for research on how to address any concerns over security.
Areas to Secure
I believe that the following areas should be considered when designing appropriate security for the Pocket PC:
1. Power On Password – prevent unauthorized people from seeing your data.
Unlike other Microsoft operating systems, there is no option to require specific settings as part of a System Policy.
Built-in Security
Power On Password
The Pocket PC has some built-in security. Users can select the option to enter a power on password. The power on password can be as simple as a 4-digit number or as complex as an alphanumeric password up to 29 characters long. You can also specify a timeout, from 1 minute to 24 hours, after which an unused Pocket PC requires the password again. These settings can be entered on the Pocket PC by clicking Start – Settings – Password. Users are still able to synchronize their Pocket PCs with their desktop; they will be prompted for the password each time they sync. Also be aware that there is no backdoor to remove the password once it is set. Further, if someone were to try guessing, Microsoft uses a logarithmic algorithm to lengthen the amount of time between guesses.
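To show why a lengthening delay between guesses matters most for a short numeric password, here is an added example; it is not from the original article and is not Microsoft's code. Both delay schedules, the 2-second entry time, the 62-symbol alphabet and the names PowerOnGate and exhaust_seconds are assumptions, since the article does not give the actual formula.

```python
import hmac
import math

def log_delay(failures):
    """Assumed schedule: wait grows with log2 of the failure count (seconds)."""
    return math.log2(failures + 1)

def doubling_delay(failures, cap=3600.0):
    """Assumed schedule: wait doubles per failure, capped at one hour."""
    return min(2.0 ** min(failures, 20), cap)

class PowerOnGate:
    """Password check that refuses guesses until the current delay has passed.
    Simplification: the password is held in memory as-is, not as a hash."""
    def __init__(self, password, delay_fn):
        self._password = password.encode()
        self._delay_fn = delay_fn
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, guess, now):
        if now < self.locked_until:
            return "locked"                      # too early: guess is not evaluated
        if hmac.compare_digest(guess.encode(), self._password):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked_until = now + self._delay_fn(self.failures)
        return "wrong"

def exhaust_seconds(keyspace, delay_fn, entry_time=2.0):
    """Worst-case time to try every value: entry time per guess plus the
    delay imposed after each of the keyspace - 1 misses before the last guess."""
    waits = sum(delay_fn(n) for n in range(1, keyspace))
    return keyspace * entry_time + waits

if __name__ == "__main__":
    pin_space = 10 ** 4                          # 4-digit number
    for name, fn in (("log2", log_delay), ("doubling", doubling_delay)):
        hours = exhaust_seconds(pin_space, fn) / 3600
        print(f"{name:9s} 4-digit worst case: {hours:9.1f} hours")
    # Assumes 62 symbols (a-z, A-Z, 0-9) for the 29-character maximum.
    print(f"29-char alphanumeric keyspace: {62 ** 29:.3e}")
```

With a slowly growing schedule the whole 4-digit space is covered in well under two days, so the delay only buys time; a long alphanumeric password is what makes guessing impractical.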
As part of Microsoft’s focus on security on the desktop, they are using Digital Certificates (also known as Root Certificates). The Digital Certificates are administered by the company and are assigned to specific devices that are allowed access to specific resources. Microsoft’s Mobile Information Server (MIS) is an example of an enterprise application that can take advantage of this functionality. Microsoft has created Knowledge Base articles on installing a Root Certificate for the Pocket PC 2000 - http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q290288& and Pocket PC 2002 - http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322956 .
There are some issues that concern me regarding the default functionality of the Pocket PC. When a user is accessing a network or VPN, the password is stored. There is no option to prompt for the password. In order to delete it, you will have to delete the connection.
The following third-party solutions will help you address the areas of concern I outlined above. Please keep in mind that security is an ever-changing function, so the features and capabilities of these applications will change over time.
Card based Keys
The following vendors offer card based keys: Jgui AccessRights ( http://www.jgui.net/accessrights/ ) and RSA Security ( http://www.rsasecurity.com/company/news/releases/pr.asp?doc_id=1410 ).
Handwriting Recognition based
KeCrypt ( http://www.kecrypt.com/home.htm ) recognizes the user of a specific Pocket PC based on the shape, density and speed of the writing.
You can use the following vendors' encryption programs to protect files on your Pocket PC – PGP Mobile ( http://www.pgp.com/display.php?pageID=24 ), F-Secure ( http://www.f-secure.com/news/2001/news_2002031201.shtml ), PointSec ( http://www.pointsec.com/solutions/solutions_pocketpc.asp ), Sentry 2020 ( http://www.softwinter.com/sentry_ce.html ), Lucifer ( http://guinness.cs.stevens-tech.edu/~fpessaux/files/Lucifer1_2.zip ), Vieka PE Encrypt ( http://vieka.com/products.htm#peencrypt ), Applian Pocket Lock ( http://www.applian.com/pocketpc/pocketlock/index.php?AID=4135294&PID=819064 ) and movianCrypt ( http://www.certicom.com/products/movian/moviancrypt.html ).
Virtual Private Networks (VPN)
Microsoft provides VPN support for their PPTP implementation that works with Windows NT and 2000. In addition, there are multiple third-party solutions such as movianVPN ( http://www.certicom.com/products/movian/movianvpn.html ), Funk Software ( http://www.funk.com/ipsec/enterprise/a1pocketpc_ds.asp ) and SafeNet ( http://www.safenet-inc.com/news/viewstory.asp?ID=209 ). There are also vendor-specific VPN drivers from Check Point VPN-1 ( http://www.checkpoint.com/wince/ ).
The following vendors offer complete security solutions for the Pocket PC – Trust Digital ( http://www.trustdigital.com/prod16e.htm ), PDA Defense ( http://www.pdadefense.com/ ) and SafeBoot ( http://www.controlbreak.co.uk/products/psafeboot.html ).
Security Starts at Enforcement
In order to maintain a secure environment, it’s all up to the company to enforce the controls. So along with considering what security to implement, I suggest that you adopt company policies that management will enforce with users. That way all the users will be notified of what you expect to enforce in your environment.