Security Policies for Windows Mobile 5.0 and Windows Mobile 6

6/2/2010

Security Policy settings on Windows Mobile powered devices are configurable. Security policies provide the flexibility to control access to the device. If a user or application is allowed access, security policies then control the boundaries for actions. For example, policies determine whether a device can be configured over the air (OTA), and whether to accept unsigned messages, applications, or files. These policies are defined globally and enforced locally in their respective components at critical points across the device architecture.

Security roles allow or restrict access to device resources. Roles define who can change each policy. The Manager role allows complete control over the device. For a list of the roles, see Security Roles for Windows Mobile 5.0 and Windows Mobile 6.

By default, only someone with Manager role permissions on the device can change most of the security policies. Using Exchange ActiveSync, network administrators can change a few policies. Additionally, if the OEM has given a mobile operator or network administrator Manager role permissions, they can change all security policies on the device by provisioning it.

You can manage a device by provisioning it. Provisioning is updating the device after manufacture; this may or may not include bootstrapping a device. Provisioning a device involves creating a provisioning XML file that contains configuration information, and then sending the file to the device. Configuration Service Providers then configure the device based on the contents of the XML file.
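A provisioning XML file that tightens three of the policies listed below, as an added example that is not part of the original article. It uses the SecurityPolicy Configuration Service Provider, where each parm name is a policy ID from this page; the numeric values (0 to deny autorun and unsigned applications, 2 to restrict RAPI to the User Authenticated role) are assumptions about the provider's value encoding, not stated on this page, and should be checked against the SecurityPolicy CSP reference before use.

```xml
<!-- Constructed example: locks down a device so that only signed code runs.
     Sent to the device by Manager-role provisioning (OTA, desktop, or ROM). -->
<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <!-- Policy 2: deny applications on an inserted MMC from running automatically
         (assumed encoding: 0 = deny, 1 = allow) -->
    <parm name="2" value="0"/>

    <!-- Policy 4102: deny unsigned applications from running
         (assumed encoding: 0 = deny, 1 = allow) -->
    <parm name="4102" value="0"/>

    <!-- Policy 4097: restrict RAPI/ActiveSync access to SECROLE_USER_AUTH
         instead of leaving it unrestricted, which is equivalent to Manager
         (assumed encoding: 0 = deny, 1 = unrestricted, 2 = user authenticated) -->
    <parm name="4097" value="2"/>
  </characteristic>
</wap-provisioningdoc>
```

Because these policies default to Manager as the only role that can change them, the provisioning source itself must hold the Manager role or the device silently rejects the settings.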

Helping to Protect Devices with Security Policies

The following table, shown here as a list of protection goals with the Windows Mobile security policies that support each one, shows how you can use security policies to protect devices; the policy ID is shown in parentheses. Security roles define who can change each policy; the default setting and the default role are listed under each policy.

Block unauthorized penetration into device

  • Allow or deny permission for applications stored on a Multimedia Card (MMC) to run automatically when inserted into the device (2)
    Default Setting: allow
    Default Role: Manager
  • Allow or deny unsigned .cab files to be installed (4101)
    Default Setting: allow for SECROLE_USER_AUTH
    Default Role: Manager
  • Allow or deny unsigned applications to run (4102)
    Default Setting: allow
    Default Role: Manager
  • Allow or deny unsigned theme files to be installed, or allow only unsigned theme files with a specific role mask (4103)
    Default Setting: allow for SECROLE_USER_UNAUTH
    Default Role: Manager
  • Allow or deny Service Loading (SL) messages as a role mask. An SL message automatically downloads the new service, update, or provisioning file. (4108)
    Default Setting: allow for SECROLE_PPG_TRUSTED
    Default Role: Manager
  • Allow or deny Service Indication (SI) messages. An SI message is sent to the connected device to notify users of new services, service updates, and provisioning services. (4109)
    Default Setting: allow for SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED
    Default Role: Manager
  • Allow or deny unsigned WAP messages processed by a specific role mask. (4110)
    Default Setting: allow for SECROLE_USER_UNAUTH
    Default Role: Manager
  • Specify which over-the-air (OTA) provisioning messages to accept based on roles assigned to the messages. (4111)
    Default Setting: Allow for SECROLE_OPERATOR_TPS | SECROLE_PPG_TRUSTED | SECROLE_PPG_AUTH | SECROLE_TRUSTED_PPG | SECROLE_USER_AUTH | SECROLE_OPERATOR
    Default Role: Manager
  • Allow or deny the routing of Wireless Session Protocol (WSP) notifications from the WAP stack. (4113)
    Default Setting: allow
    Default Role: Manager
  • Specify whether to prompt a user to accept or reject unsigned .cab, theme, .dll, and .exe files. (4122)
    Default Setting: prompt user
    Default Role: Manager
  • Specify whether to prompt the user to confirm changes in device settings when an over-the-air (OTA) OMA Client Provisioning message is signed with only a network personal identification number (PIN). (4132)
    Default Setting: do not prompt user
    Default Role: Manager

Applies to Windows Mobile 5.0 and Windows Mobile 5.0 with MSFP:

  • Specify roles on which to base acceptance of a WAP signed OMA Client Provisioning message. (4107) In Windows Mobile 6, this policy is deprecated; use 4141, 4142, and 4143 instead.
    Default Setting: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS
    Default Role: Manager

Applies to Windows Mobile 5.0 with MSFP only:

  • Specify that the user must always authenticate on the device to unlock it, or allow the user to enter a PIN on the desktop. (4133) In Windows Mobile 6, this policy is deprecated; use 4146 instead.
    Default Setting: allow PIN on desktop
    Default Role: Manager, Enterprise

Applies to Windows Mobile 6:

  • Allow or deny the user permission to change mobile encryption settings for removable storage media. (4134)
    Default Setting: allow
    Default Role: Manager, Enterprise
  • Allow or deny other devices permission to search Bluetooth-enabled devices (4135)
    Default Setting: Bluetooth device can be set to discoverable
    Default Role: Manager
  • Allow or deny Outlook Mobile permission to get documents on a corporate Sharepoint or UNC through ActiveSync (4145)
    Default Setting: deny
    Default Role: Manager
  • Specify whether or not the user must authenticate on the device when connected if device lock is active (4146)
    Default Setting: can authenticate through shared secret on desktop
    Default Role: Manager, Enterprise
  • Allow or deny OMA Client Provisioning network PIN message. (4141)
    Default Setting: allow for SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS
    Default Role: Manager
  • Allow or deny an OMA Client Provisioning user PIN or user MAC signed message. (4142)
    Default Setting: allow for SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS
    Default Role: Manager
  • Allow or deny an OMA Client Provisioning user network PIN signed message. (4143)
    Default Setting: allow for SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS
    Default Role: Manager

Protect against application corruption

  • Allow or deny access of remote applications that are using Remote API (RAPI) to implement ActiveSync operations, or restrict RAPI ActiveSync access to User Authenticated role. (4097)
    Note:
    RAPI being unrestricted means that the user has Manager permissions on the device.
    Default Setting: allow for SECROLE_USER_AUTH
    Default Role: Manager

Protect sensitive data during transmission

Many of the policies that protect data during transmission are used in Secure Multipurpose Internet Mail Extensions (S/MIME), which allows you to encrypt or digitally sign e-mail messages. S/MIME encryption and/or digital signing are available when sending e-mail via Outlook 2003 or Outlook Web Access (OWA).

In Windows Mobile 6, the device has full support for S/MIME. However, for a Windows Mobile 6 device to view and send S/MIME messages in a supported way, the device must be synchronizing against an Exchange 2003 SP2 server.

Applies to Windows Mobile 5.0 with MSFP only:

  • Specify whether the Inbox application will sign all messages and, if so, the algorithm used for signing. This policy is used in S/MIME. (4125) In Windows Mobile 6, this policy is deprecated; use 4137 and 4139 instead.
    Default Setting: do not sign
    Default Role: Manager
  • Specify whether the Inbox application will encrypt all sent messages and, if so, the algorithm to use for encryption. This policy is used in S/MIME. (4126) In Windows Mobile 6, this policy is deprecated; use 4138 and 4140 instead.
    Default Setting: do not encrypt
    Default Role: Manager

Applies to Windows Mobile 5.0 with MSFP and later:

  • Allow or deny software certificates to be used to sign outgoing messages. This policy is used in S/MIME. (4127)
    Default Setting: allow
    Default Role: Manager

Applies to Windows Mobile 6:

  • Allow or deny Inbox application to negotiate the encryption algorithm when the specified encryption algorithm is not supported. (4144)
    Default Setting: do not negotiate
    Default Role: Manager
  • Allow or deny HTML messages. (4136)
    Default Setting: allow
    Default Role: Manager
  • Require encryption of Inbox S/MIME messages. (4138)
    Default Setting: encryption is optional
    Default Role: Manager
  • Make signing of Inbox S/MIME messages required or optional. (4137)
    Default Setting: optional
    Default Role: Manager
  • Specify the algorithm used to sign a message. This policy is used in S/MIME. (4139)
    Default Setting: sign with the default algorithm
    Default Role: Manager
  • Specify the algorithm used to encrypt a message. This policy is used in S/MIME. (4140)
    Default Setting: encrypt with the default algorithm
    Default Role: Manager

Protect sensitive data in case of device theft or loss

  • Specify the maximum number of times the user is allowed to try to authenticate a Wireless Application Protocol (WAP) PIN-signed message. (4105)
    Default Setting: 3
    Default Role: Manager

Applies to Windows Mobile 5.0 with MSFP and later:

  • Specify whether a password must be configured on the device. (4131)
    Default Setting: password required
    Default Role: Manager, Enterprise

Specify security level

  • Grant User Authenticated system administrative privileges to other security roles specified with role mask. (4120)
    Default Setting: SECROLE_USER_AUTH
    Default Role: User Authenticated
  • Specify which DRM rights messages are accepted by the DRM engine based on the role assigned to the message. (4129)
    Default Setting: accept from SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED
    Default Role: Manager
  • Grant Manager system administrative privileges to other security roles. (4119)
    Note:
    Any role added to this policy becomes a Manager of the device. For example, if the User Authenticated role is added, the user becomes a Manager of the device.
    Default Setting: SECROLE_OPERATOR_TPS for Windows Mobile 6 Professional; SECROLE_USER_AUTH for Windows Mobile 6 Classic; OPERATOR_TPS for Windows Mobile 6 Standard
    Default Role: Manager
  • Specify which application access model is implemented on the device (one-tier or two-tier) (4123)
    Default Setting: two-tier access for Windows Mobile 6 Professional; one-tier access for Windows Mobile 6 Standard
    Default Role: Manager
  • Specify whether mobile operators can be assigned the Trusted Provisioning Server (TPS) role. (4104)
    Default Setting: TPS role disabled
    Default Role: Manager
  • Specify the permissions required to create, modify, or delete a trusted proxy. (4121)
    Default Setting: allow for SECROLE_OPERATOR | SECROLE_OPERATOR_TPS | SECROLE_MANAGER
    Default Role: Manager
  • Allow operator to override https to use http or wsps to use wsp. (4124)
    Default Setting: use http or wsp
    Default Role: Manager

See Also

Concepts

Security Model for Windows Mobile 5.0 and Windows Mobile 6