The Windows Mobile Security Architecture
6/2/2010
The Windows Mobile security architecture helps protect corporate data and communications while utilizing the enterprise's existing infrastructure investment. This architecture is designed to put organizations in control of their own security and data. Unlike some solutions, corporate data is not required to go through a third-party network operations center, which has associated risks of downtime and information compromise. In addition, Windows Mobile powered devices can communicate with enterprise communication services using industry-standard protocols that run on virtually all mobile operator networks, eliminating geographical restrictions on service availability.
The following figure shows a high-level view of the Windows Mobile security architecture, including Windows Mobile powered devices, Exchange Server, and existing corporate network components.
.gif)
The Windows Mobile security architecture offers the following features to help protect devices and the enterprise network against a variety of threats and risks:
| Threat or Risk | Windows Mobile Security Features | WM 5.0 | WM 5.0 with MSFP | WM 6 |
|---|---|---|---|---|
Access to data because of device theft or loss |
Strong device password protection |
X |
X |
X |
Device lock requires a password or PIN to access the device when it is turned on |
X |
X |
X |
|
Local device wipe occurs after a specified number of incorrect login attempts |
X |
X |
||
Remote device wipe erases data and helps to prevent unauthorized use |
X |
X |
||
Exponential back-off if incorrect passwords are entered |
X |
X |
X |
|
Local storage card wipe erases data and helps to prevent unauthorized use |
X |
|||
Remote storage card wipe erases data and helps to prevent unauthorized use |
X |
|||
Storage card encryption helps to prevent unauthorized use |
X |
|||
Custom Local Authentication Subsystem (LAS) and Local Authentication Plug-in (LAP) provide the infrastructure for authentication by sophisticated third-party hardware and software methods. |
X |
X |
X |
|
Password policy enforcement, such as required password for synchronization |
X |
X |
||
Access to data during transmission |
Secure Sockets Layer (SSL) encryption of all data transmitted between the device and the corporate mail server |
X |
X |
X |
Advanced Encryption Standard for SSL channel encryption in 128- and 256-bit cipher strengths. |
X |
|||
Encrypted data passes through a single SSL port on the firewall |
X |
X |
X |
|
Supports Information Rights Management protection of e-mail. |
X |
|||
Cryptographic implementations are certified by US Federal Information Processing Standard (FIPS) 140-2, and are designed to be protected against a variety of potential threats. Supported algorithms include:
|
X |
X |
X |
|
Unauthorized penetration into corporate network |
Flexible client authentication: SSL TLS, Exchange ActiveSync, Certificate-based, RSA SecurID-protected |
X |
X |
X |
Users can add root certificates without being a manager of the device; user root certificates will not compromise the level of security established by the device management security settings. |
X |
|||
Unauthorized penetration into mobile device |
Security policies help to control over-the-air access to device |
X |
X |
X |
Bluetooth discovery mode can be prohibited to help guard device integrity (Supported by Windows Mobile 6 Standard only) |
X |
|||
Device corruption |
Security policies help control acceptance of unsigned attachments, applications, or files
|
X |
X |
X |
Attachments for download can be denied or size-restricted |
X |
|||
Malicious software or viruses on mobile devices |
Office Mobile does not support macros, so viruses cannot leverage them to do damage |
X |
X |
X |
Code execution control allows the device to be locked so that only applications signed with a trusted certificate can run |
X |
X |
X |