Additional Security Settings

6/2/2010

The main elements of the Windows Mobile security model are security policies, roles, and certificates. There are, however, additional methods of protecting the device, such as registry settings, or settings that the Enterprise administrator applies by using Exchange Server ActiveSync.

Device Wipe

When a mobile device is lost or stolen, the potential security risk can be significant. Mobile devices often contain sensitive business data, including personally identifiable information of employees and customers, sensitive e-mail messages, and other items. Exchange ActiveSync addresses this risk by providing two levels of device wipe capability.

Wiping the device locally or remotely has the effect of performing a factory or “hard” reset; all programs, data, and user-specific settings are removed from the device. The Windows Mobile device wipe implementation wipes all data, settings, and private key material on the device by overwriting the device memory with a fixed bit pattern, greatly increasing the difficulty of recovering data from a wiped device.

Note

Device wipe in Windows Mobile 6 includes wiping the removable storage card.

Local device wipes are triggered on a device with device lock enforced if a user incorrectly enters a PIN more than a specified number of times (the policy default is 8 times, but the administrator can adjust this value). After every two missed attempts, the device displays a confirmation prompt that requires the user to type a confirmation string (usually “A1B2C3”) to continue. This prevents the device from being wiped by accidental key presses. Once the PIN retry limit is reached, the device immediately wipes itself, erasing all local data.

Remote wipes occur when the administrator issues an explicit wipe command through the Exchange ActiveSync management interface. With OWA 2007 and Exchange Server 2007, the device user can also initiate a wipe command if they've lost their device. Remote wipe operations are separate from local wipes, and a device can be wiped remotely even if Exchange ActiveSync security policies are not in force. The wipe command is pushed as an out-of-band command, so that the device receives it on its next synchronization. The device sends an acknowledgement message when it receives the wipe command, alerting the administrator that the wipe has occurred. The device user cannot opt out of the remote wipe.

Local Wipe

Local device wipe is accomplished by using both the Password Required Policy (4131) and the following registry key:

Registry\HKLM\Comm\Security\Policy\LASSD\DeviceWipeThreshold

This setting's value is the number of incorrect password attempts to allow before the device's memory is erased. The value can be 1 through 4294967295 (0xFFFFFFFF).

This registry key does not exist by default. If it does not exist, is set to zero (0), or is set to 4294967295 (0xFFFFFFFF), the local wipe feature is turned off.

The Manager and Enterprise roles can change this setting. This setting corresponds with a setting available on the Device Security Settings dialog box in Exchange Server 2003 SP2.

Note

Microsoft recommends that you also enforce authentication from the device by using one of the following policies:

  • For Windows Mobile 5.0 and Windows Mobile 5.0 with MSFP, use Desktop Unlock Policy (4133)
  • For Windows Mobile 6, use Desktop Quick Connect Authentication Policy (4146)

Remote Wipe

The Exchange administrator can use the Exchange Server Configuration Tools directly to wipe the device even when Password Required or DeviceWipeThreshold is not enforced.

Note

The Hint that appears to remind users of their password is hard-coded to appear after five incorrect password attempts. Exchange Administrators must take this into consideration, and configure Remote Wipe to occur after users see their Hint.
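As an added example that is not part of the original article: a small model of the local-wipe counter described above, so an administrator can check that a DeviceWipeThreshold value still lets users see the Hint before the wipe fires. The counts are the article's (confirmation prompt after every two misses, Hint after five, wipe at the threshold, 0 or 0xFFFFFFFF meaning disabled); the ordering of events within a single attempt is an assumption.

```python
from typing import List, Optional

DISABLED_VALUES = {0, 0xFFFFFFFF}  # absent, 0 or 0xFFFFFFFF turns local wipe off
HINT_AFTER = 5                     # the password Hint is hard-coded to appear here


def local_wipe_enabled(threshold: Optional[int]) -> bool:
    """True only when the DeviceWipeThreshold value actually arms local wipe."""
    if threshold is None or threshold in DISABLED_VALUES:
        return False
    return 1 <= threshold <= 0xFFFFFFFF


def hint_reachable(threshold: Optional[int]) -> bool:
    """Users only ever see the Hint if the wipe fires after the fifth attempt."""
    return not local_wipe_enabled(threshold) or threshold > HINT_AFTER


def simulate_failed_attempts(threshold: Optional[int], attempts: int) -> List[str]:
    """Events for `attempts` consecutive wrong PINs; stops at the wipe.
    The order of events on one attempt is an assumption for illustration."""
    events: List[str] = []
    for n in range(1, attempts + 1):
        tags = [f"attempt {n}"]
        if n % 2 == 0:
            tags.append("confirm A1B2C3")  # prompt after every two missed attempts
        if n == HINT_AFTER:
            tags.append("hint shown")
        if local_wipe_enabled(threshold) and n >= threshold:
            tags.append("WIPE")
            events.append(" / ".join(tags))
            break
        events.append(" / ".join(tags))
    return events


if __name__ == "__main__":
    # The policy default of 8 lets the Hint appear (attempt 5) before the wipe.
    for event in simulate_failed_attempts(8, 10):
        print(event)
    print("hint reachable with threshold 4:", hint_reachable(4))
```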

Lock a Device

Locking a device after inactivity is the interaction of the following features:

  • Password and PIN Expiration
  • Sequences and Patterns in Passwords and PINs
  • Password History
  • Enhanced PIN Strength

These settings are enforced through the Local Authentication Subsystem (LASS) and Local Authentication Plug-ins (LAPs).

The IT administrator configures policies and device requirements in the Exchange System Manager interface (Exchange Server 2003 SP2) or the ActiveSync Mailbox Policy wizard (Exchange Server 2007). They configure the following information:

  • Whether to require the user to automatically lock the device after a period of inactivity.
  • The maximum amount of idle time before requiring the device to lock.
  • The minimum password strength and length required.

This information is saved in a protected portion of the registry.

The user configures their device with settings that meet the minimum requirements set by the IT administrator, including configuring their password or PIN, and setting the length of inactivity time before the device locks.

If the IT administrator places a recovery pass code in Outlook Web Access (OWA), users can create a new device password or PIN if they forget the one that they chose.

Authentication with LASS and LAP

Local Authentication Subsystem (LASS) allows flexible integration of Local Authentication Plug-ins (LAPs).

LASS provides the infrastructure for authentication by sophisticated third-party hardware and software methods, including biometrics, Smartcard use, a hardware button combination, or user signature. LASS can also be used to specify event-based policies to authenticate users. For example, device lock can be triggered programmatically, not just when a device is turned on.

A LAP is an authentication mechanism that plugs into LASS. Windows Mobile 5.0 and later contains a built-in password LAP. OEMs and ISVs can build custom pluggable authentication modules.

The Microsoft LAP provides two types of password enforcement that can be configured with policies on the server: a minimum password length, and either a strong alphanumeric password or simple PIN.

Note

If a third-party solution is added to the Device Unlock behavior, the behavior of the device may change for the end user, and the result may be a less secure solution. If possible, OEMs and Mobile Operators should ask third-party vendors and Enterprise Administrators whether they prefer authentication on the desktop or on the device.

Applies to Windows Mobile 6:

The following list describes the additional LAP functionality in Windows Mobile 6:

  • Enhanced PIN Strength. Enhanced PIN Strength in Windows Mobile 6 prevents users from choosing a PIN that contains a simple pattern or has too few digits.
  • Password/PIN Expiration. Password/PIN expiration permits setting the expiration time of a password or PIN on a device using the Microsoft Default LAP.
  • User PIN Reset. User password/PIN on a device using the Microsoft Default LAP can be reset using an Authentication Reset Component (ARC).
  • Password History. Password History ensures that users choose unique passwords by comparing the new password against a specified number of previous passwords.

Enhanced PIN Strength

The Microsoft Default LAP can be configured to prevent users from choosing a PIN that contains a simple pattern or has too few digits. This feature requires Microsoft Exchange Server 2007.

The feature will:

  • Enable a policy that requires end users to choose a PIN that does not contain a repeating sequence, such as 1111.
  • Enable a policy that requires end users to choose a PIN that does not contain a sequence with a predictable difference between values, such as 1234 or 1357.
  • Provide a mechanism for IT administrators to configure policies via a third-party device-management solution.

When administrators enable this policy, users are prevented from specifying a PIN with a uniform offset between successive digits. For example, when this policy is enabled, users cannot set a PIN to a sequence like '1111', '1234', or '1357'. The policy is controlled by the following registry key:

HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP\lap_pw\AllowSimplePIN

The following list shows the possible values:

  • 0 indicates that the policy defined in the local authentication plug-in is applied.
  • 1 indicates that simple PINs are allowed.

If the device has an existing device lock PIN when this policy is distributed, the user will have to enroll again because it is not possible to determine if an existing PIN value conforms to a policy or not. The PIN value is stored as a hash so there is no way to determine if an existing PIN satisfies the policy.
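Added example, not Microsoft's LAP code: the pattern rule this policy enforces (a repeated digit or a uniform offset between successive digits), written as a PIN acceptance check keyed off the AllowSimplePIN value. The minimum length is an assumed value, and the uniform-offset test also covers decreasing runs such as 4321, which the article does not list but the same rule rejects.

```python
from typing import Optional

MIN_PIN_LENGTH = 4  # assumed minimum; the real value comes from the server policy


def has_uniform_offset(pin: str) -> bool:
    """True when every successive digit differs by the same amount.
    Offset 0 catches repeats (1111), 1 catches 1234, 2 catches 1357;
    decreasing runs such as 4321 (offset -1) are caught as well."""
    digits = [int(c) for c in pin]
    if len(digits) < 2:
        return True
    step = digits[1] - digits[0]
    return all(b - a == step for a, b in zip(digits, digits[1:]))


def pin_rejection_reason(pin: str, allow_simple_pin: int,
                         min_length: int = MIN_PIN_LENGTH) -> Optional[str]:
    """Return None if the PIN is acceptable, otherwise the reason it was rejected.
    allow_simple_pin mirrors the AllowSimplePIN registry value: 1 permits simple
    PINs, 0 applies the plug-in's pattern rule."""
    if not pin.isdigit():
        return "PIN must contain only digits"
    if len(pin) < min_length:
        return f"PIN must have at least {min_length} digits"
    if allow_simple_pin != 1 and has_uniform_offset(pin):
        return "PIN must not be a repeated digit or an evenly spaced sequence"
    return None


def pin_allowed(pin: str, allow_simple_pin: int) -> bool:
    return pin_rejection_reason(pin, allow_simple_pin) is None


if __name__ == "__main__":
    for candidate in ("1111", "1234", "1357", "4321", "2580", "123"):
        print(candidate, pin_rejection_reason(candidate, allow_simple_pin=0))
```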

Password/PIN Expiration

Applies to Windows Mobile 6:

Password/PIN expiration permits setting the expiration time of a password or PIN on a device using the Microsoft Default LAP. This feature requires Microsoft Exchange Server 2007.

The feature will:

  • Provide a policy that requires end users to choose a new password or PIN after a configured time period (in seconds).
  • Provide a mechanism for IT administrators to configure policies via a third-party device-management solution.

The Microsoft default LAP allows administrators to enforce a policy of how often a user must choose a new password. The password expiration feature is dependent on the phone clock. Once the expiration period is reached, the user is prompted to change their password. The new password must meet the other requirements, such as password or PIN strength and password history.

The password or PIN expiration information is stored in a protected area of the registry.

User PIN Reset

Applies to Windows Mobile 6:

User password/PIN on a device using the Microsoft Default LAP can be reset using an Authentication Reset Component (ARC). Unlike the other features, the use of the ARC with a custom LAP is supported. The ARC is a pluggable component and an OEM may create an ARC for use with a custom LAP or the default LAP. This feature requires Microsoft Exchange Server 2007.

The feature will:

  • Provide the ability for the end user to request a reset from their administrator or by using Outlook Web Access.
  • Help ensure that devices lock reliably.
  • Support infrastructures that use certificate authentication or rely on credentials to authenticate a user to the system.
  • Support OEM customization of the LAP.
  • Support OEM replacement of the ARC.

During Authentication reset, the Reset Password option appears on the password screen menu. This functionality is enabled through the following registry key:

HKEY_LOCAL_MACHINE\Comm\Policy\LASSD\AuthReset\AuthenticationReset

A value of 0 indicates that Authentication Reset is disabled; a value of 1 indicates that it is enabled.

The recovery PIN is an important element of the reset process. The recovery PIN is a 16-character alphanumeric value created during setup without user interaction. In fact, the user is not aware that the recovery PIN is created and transmitted to the Exchange Server. When a user runs setup the first time, the recovery PIN is created on the device and transmitted to the Exchange server where it is stored. The recovery PIN is used to encrypt the Master Key.

The following list describes the process for a user PIN reset:

  1. The user creates a new PIN to unlock the device.
    When creating the new PIN, any PIN history and strength policies are applied. The device lock policies are applied to the new password before the user is allowed to continue with the User PIN Reset process.
  2. The user obtains the recovery PIN through Outlook Web Access or by calling a Helpdesk.
  3. The user enters the recovery PIN and then enters the new PIN created in the first step of this process to unlock the device.

The recovery PIN is considered compromised so it is discarded following the User PIN Reset process. A new recovery PIN is created on the device and transmitted to the Exchange Server.

Password History

Applies to Windows Mobile 6:

Password History uses the Microsoft Default LAP to maintain password history and store passwords on the device to prevent reuse of a password. This feature requires Microsoft Exchange Server 2007.

The feature will:

  • Enable a policy that requires end users to choose a new password or PIN that is different from a previous password.
  • Provide data about the number of stored passwords to the end user if the new password matches a previous password.
  • Provide a mechanism for IT administrators to configure policies via a third-party device-management solution.

The number of previous passwords to check is contained in the following registry setting:

HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP\lap_pw\NumberOfPasswords

The value is the number of passwords stored for historical comparison.

Users often reuse passwords when creating a new password, in part because it is difficult to invent a memorable password. Matching is exact so only a password that matches exactly (including case) will be rejected. The implementation will store the number of previous passwords as salted hashes encrypted using DPAPI.

The Exchange Server administrator can set the number of saved passwords in Exchange Server 2007. Passwords are not stored until the device receives a policy and the policy is only activated when a user attempts to change the device lock password.
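As an added example (not the device's own implementation): a password-history store with the semantics described in this section: NumberOfPasswords previous passwords kept as salted hashes, exact case-sensitive matching, and the oldest entry dropped once the limit is reached. PBKDF2 over SHA-256 stands in for the device's hash, and the DPAPI encryption of the stored entries is omitted; both are assumptions for illustration.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Deque, Optional, Tuple


class PasswordHistory:
    """Rejects reuse of the last NumberOfPasswords passwords by exact match."""

    def __init__(self, number_of_passwords: int) -> None:
        # NumberOfPasswords registry value; 0 (or absent) keeps no history at all
        self.entries: Optional[Deque[Tuple[bytes, bytes]]] = (
            deque(maxlen=number_of_passwords) if number_of_passwords > 0 else None
        )

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        # Salted hash; the real store would additionally encrypt this with DPAPI.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)

    def stored_count(self) -> int:
        """Number of previous passwords currently held, for the user-facing message."""
        return 0 if self.entries is None else len(self.entries)

    def was_used(self, password: str) -> bool:
        """Exact match only: 'Secret1' and 'secret1' are different passwords."""
        if not self.entries:
            return False
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self.entries)

    def change_password(self, new_password: str) -> bool:
        """Accept and record the password unless it matches one in history."""
        if self.was_used(new_password):
            return False
        if self.entries is not None:
            salt = os.urandom(16)
            self.entries.append((salt, self._digest(new_password, salt)))
        return True


if __name__ == "__main__":
    history = PasswordHistory(3)
    for pw in ("Secret1", "Secret1", "secret1", "Third", "Fourth", "Secret1"):
        print(pw, "accepted" if history.change_password(pw) else
              f"rejected (matches one of the last {history.stored_count()})")
```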