Security Policies for Windows Mobile 5.0 and Windows Mobile 6
Article
6/2/2010
Security Policy settings on Windows Mobile powered devices are configurable. Security policies provide the flexibility to control access to the device. If a user or application is allowed access, security policies then control the boundaries for its actions. For example, policies determine whether a device can be configured over the air (OTA), and whether to accept unsigned messages, applications, or files. These policies are defined globally and enforced locally by their respective components at critical points across the device architecture.
Security roles allow or restrict access to device resources. Roles define who can change each policy. The Manager role allows complete control over the device. For a list of the roles, see Security Roles for Windows Mobile 5.0 and Windows Mobile 6.
By default, only someone with Manager role permissions on the device can change most of the security policies. Using Exchange ActiveSync, network administrators can change a few policies. Additionally, if the OEM has given a mobile operator or network administrator Manager role permissions, they can change all security policies on the device by provisioning it.
You can manage a device by provisioning it. Provisioning is the process of updating the device after manufacture; it may or may not include bootstrapping the device. Provisioning a device involves creating a provisioning XML file that contains configuration information, and then sending the file to the device. Configuration Service Providers then configure the device based on the contents of the XML file.
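To make the provisioning step concrete, here is an added example (not code from the original article) that builds such a provisioning XML file for the SecurityPolicy Configuration Service Provider with Python's standard library. The XML layout (wap-provisioningdoc, a characteristic of type SecurityPolicy, one parm per policy ID) and the integer value encodings in the comments are assumptions, because the page does not state them; confirm both against the CSP reference for the target device before pushing a document. The policy IDs themselves come from the table below.

```python
"""Build an OMA Client Provisioning document that sets Windows Mobile security
policies through the SecurityPolicy Configuration Service Provider.

Added example, not code from the original article. Assumed, because the page
does not state them: the XML layout (wap-provisioningdoc / characteristic
type="SecurityPolicy" / parm name=<policy id>) and the integer value encodings
in the comments below. Check both against the CSP reference for the target
device before pushing a document.
"""
import xml.etree.ElementTree as ET

# Policy IDs are taken from the article's table; value encodings are assumptions.
MMC_AUTORUN = 2                # assumed: 0 = deny autorun from a storage card, 1 = allow
RAPI_POLICY = 4097             # assumed: 0 = deny RAPI, 1 = unrestricted, 2 = SECROLE_USER_AUTH only
UNSIGNED_APPLICATIONS = 4102   # assumed: 0 = deny unsigned applications, 1 = allow
UNSIGNED_PROMPT = 4122         # assumed: 0 = prompt the user, 1 = never prompt


def hardened_policies() -> dict[int, int]:
    """A tightened profile for the article's 'block unauthorized penetration' goal.

    Each entry either moves a policy away from the permissive default listed on
    the page or pins a safe default so a later document cannot silently relax it.
    """
    return {
        MMC_AUTORUN: 0,            # page default: allow
        RAPI_POLICY: 2,            # page default: allow for SECROLE_USER_AUTH (pinned)
        UNSIGNED_APPLICATIONS: 0,  # page default: allow
        UNSIGNED_PROMPT: 0,        # page default: prompt user (pinned)
    }


def build_provisioning_doc(policies: dict[int, int]) -> str:
    """Serialise a policy map as a wap-provisioningdoc for the SecurityPolicy CSP."""
    root = ET.Element("wap-provisioningdoc")
    csp = ET.SubElement(root, "characteristic", {"type": "SecurityPolicy"})
    for policy_id, value in sorted(policies.items()):
        ET.SubElement(csp, "parm", {"name": str(policy_id), "value": str(value)})
    return ET.tostring(root, encoding="unicode")


def parse_policies(doc: str) -> dict[int, int]:
    """Read the SecurityPolicy parms back out of a provisioning document."""
    root = ET.fromstring(doc)
    parms = root.iterfind("./characteristic[@type='SecurityPolicy']/parm")
    return {int(p.get("name")): int(p.get("value")) for p in parms}


if __name__ == "__main__":
    doc = build_provisioning_doc(hardened_policies())
    print(doc)
    # Round-trip check: what we serialised is what a device-side parser reads back.
    assert parse_policies(doc) == hardened_policies()
```

Because only a Manager role can change most of these policies, the document still has to reach the device through a channel that carries that role (for example a provisioning file signed for a trusted provisioning server); the script only produces the content, not the delivery.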
Helping to Protect Devices with Security Policies
The following list shows how you can use security policies to protect devices, grouped by protection goal; the policy ID is shown in parentheses after each policy. Security roles define who can change each policy; the default setting and the default role are listed under each policy.
Block unauthorized penetration into device
Allow or deny permission for applications stored on a Multimedia Card (MMC) to run automatically when inserted into the device (2)
Default Setting: allow
Default Role: Manager
Allow or deny unsigned .cab files to be installed (4101)
Default Setting: allow for SECROLE_USER_AUTH
Default Role: Manager
Allow or deny unsigned applications to run (4102)
Default Setting: allow
Default Role: Manager
Allow or deny unsigned theme files to be installed, or allow only unsigned theme files with a specific role mask (4103)
Default Setting: allow for SECROLE_USER_UNAUTH
Default Role: Manager
Allow or deny Service Loading (SL) messages as a role mask. An SL message automatically downloads the new service, update, or provisioning file. (4108)
Default Setting: allow for SECROLE_PPG_TRUSTED
Default Role: Manager
Allow or deny Service Indication (SI) messages. An SI message is sent to the connected device to notify users of new services, service updates, and provisioning services. (4109)
Default Setting: allow for SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED
Default Role: Manager
Allow or deny unsigned WAP messages processed by a specific role mask. (4110)
Default Setting: allow for SECROLE_USER_UNAUTH
Default Role: Manager
Specify which over-the-air (OTA) provisioning messages to accept based on roles assigned to the messages. (4111)
Default Setting: Allow for SECROLE_OPERATOR_TPS | SECROLE_PPG_TRUSTED | SECROLE_PPG_AUTH | SECROLE_TRUSTED_PPG | SECROLE_USER_AUTH | SECROLE_OPERATOR
Default Role: Manager
Allow or deny the routing of Wireless Session Protocol (WSP) notifications from the WAP stack. (4113)
Default Setting: allow
Default Role: Manager
Specify whether to prompt a user to accept or reject unsigned .cab, theme, .dll, and .exe files. (4122)
Default Setting: prompt user
Default Role: Manager
Specify whether to prompt the user to confirm changes in device settings when an over-the-air (OTA) OMA Client Provisioning message is signed with only a network personal identification number (PIN). (4132)
Default Setting: do not prompt user
Default Role: Manager
Applies to Windows Mobile 5.0 and Windows Mobile 5.0 with MSFP:
Specify roles on which to base acceptance of a WAP signed OMA Client Provisioning message. (4107) In Windows Mobile 6, this policy is deprecated; use 4141, 4142, and 4143 instead.
Default Setting: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS
Default Role: Manager
Applies to Windows Mobile 5.0 with MSFP only
Specify that the user must always authenticate on the device to unlock it, or allow the user to enter a PIN on the desktop. (4133) In Windows Mobile 6, this policy is deprecated; use 4146 instead.
Default Setting: allow PIN on desktop
Default Role: Manager, Enterprise
Applies to Windows Mobile 6:
Allow or deny the user permission to change mobile encryption settings for removable storage media. (4134)
Default Setting: allow
Default Role: Manager, Enterprise
Allow or deny other devices permission to search Bluetooth-enabled devices (4135)
Default Setting: Bluetooth device can be set to discoverable
Default Role: Manager
Allow or deny Outlook Mobile permission to get documents on a corporate SharePoint site or UNC path through ActiveSync (4145)
Default Setting: deny
Default Role: Manager
Specify whether or not the user must authenticate on the device when connected if device lock is active (4146)
Default Setting: can authenticate through shared secret on desktop
Default Role: Manager, Enterprise
Allow or deny OMA Client Provisioning network PIN message. (4141)
Default Setting: allow for SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS
Default Role: Manager
Allow or deny an OMA Client Provisioning user PIN or user MAC signed message. (4142)
Default Setting: allow for SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS
Default Role: Manager
Allow or deny an OMA Client Provisioning user network PIN signed message. (4143)
Default Setting: allow for SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS
Default Role: Manager
Protect against application corruption
Allow or deny access of remote applications that are using Remote API (RAPI) to implement ActiveSync operations, or restrict RAPI ActiveSync access to User Authenticated role. (4097)
Note: RAPI being unrestricted means that the user has Manager permissions on the device.
Default Setting: allow for SECROLE_USER_AUTH
Default Role: Manager
Protect sensitive data during transmission
Many of the policies that protect data during transmission are used in Secure Multipurpose Internet Mail Extensions (S/MIME), which allows you to encrypt or digitally sign e-mail messages. S/MIME encryption and/or digital signing are available when sending e-mail via Outlook 2003 or Outlook Web Access (OWA).
In Windows Mobile 6, the device has full support for S/MIME. However, for a Windows Mobile 6 device to view and send S/MIME messages in a supported way, the device must be synchronizing against an Exchange 2003 SP2 server.
Applies to Windows Mobile 5.0 with MSFP only
Specify whether the Inbox application will sign all messages and, if so, the algorithm used for signing. This policy is used in S/MIME. (4125) In Windows Mobile 6, this policy is deprecated; use 4137 and 4139 instead.
Default Setting: do not sign
Default Role: Manager
Specify whether the Inbox application will encrypt all sent messages and, if so, the algorithm to use for encryption. This policy is used in S/MIME. (4126) In Windows Mobile 6, this policy is deprecated; use 4138 and 4140 instead.
Default Setting: do not encrypt
Default Role: Manager
Applies to Windows Mobile 5.0 with MSFP and later
Allow or deny software certificates to be used to sign outgoing messages. This policy is used in S/MIME. (4127)
Default Setting: allow
Default Role: Manager
Applies to Windows Mobile 6:
Allow or deny Inbox application to negotiate the encryption algorithm when the specified encryption algorithm is not supported. (4144)
Default Setting: do not negotiate
Default Role: Manager
Allow or deny HTML messages. (4136)
Default Setting: allow
Default Role: Manager
Require encryption of Inbox S/MIME messages. (4138)
Default Setting: encryption is optional
Default Role: Manager
Make signing of Inbox S/MIME messages required or optional. (4137)
Default Setting: optional
Default Role: Manager
Specify the algorithm used to sign a message. This policy is used in S/MIME. (4139)
Default Setting: sign with the default algorithm
Default Role: Manager
Specify the algorithm used to encrypt a message. This policy is used in S/MIME. (4140)
Default Setting: encrypt with the default algorithm
Default Role: Manager
Protect sensitive data in case of device theft or loss
Specify the maximum number of times the user is allowed to try to authenticate a Wireless Application Protocol (WAP) PIN-signed message. (4105)
Default Setting: 3
Default Role: Manager
Applies to Windows Mobile 5.0 with MSFP and later
Specify whether a password must be configured on the device. (4131)
Default Setting: password required
Default Role: Manager, Enterprise
Specify security level
Grant User Authenticated system administrative privileges to other security roles specified with role mask. (4120)
Default Setting: SECROLE_USER_AUTH
Default Role: User Authenticated
Specify which DRM rights messages are accepted by the DRM engine based on the role assigned to the message. (4129)
Default Setting: accept from SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED
Default Role: Manager
Grant Manager system administrative privileges to other security roles. (4119)
Note: Any role added to this policy becomes a Manager of the device. For example, if the User Authenticated role is added, the user becomes a Manager of the device.
Default Setting: SECROLE_OPERATOR_TPS for Windows Mobile 6 Professional; SECROLE_USER_AUTH for Windows Mobile 6 Classic; OPERATOR_TPS for Windows Mobile 6 Standard
Default Role: Manager
Specify which application access model is implemented on the device (one-tier or two-tier). (4123)
Default Setting: two-tier access for Windows Mobile 6 Professional; one-tier for Windows Mobile Standard
Default Role: Manager
Specify whether mobile operators can be assigned the Trusted Provisioning Server (TPS) role. (4104)
Default Setting: TPS role disabled
Default Role: Manager
Specify the permissions required to create, modify, or delete a trusted proxy. (4121)
Default Setting: allow for SECROLE_OPERATOR | SECROLE_OPERATOR_TPS | SECROLE_MANAGER
Default Role: Manager
Allow operator to override https to use http or wsps to use wsp. (4124)
Default Setting: use http or wsp
Default Role: Manager
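Because a single provisioning document can relax several of the policies above at once, it is worth checking incoming documents before they are applied. The following Python script is an added example, not code from the original article: it reads a provisioning document and flags the settings that most loosen the device's trust model, namely a 4119 role mask that promotes the user (the note on that policy says any added role becomes a Manager), unsigned applications allowed (4102), the unsigned-file prompt disabled (4122), and unrestricted RAPI (4097, which the note above equates with Manager permissions). The XML layout, the integer encodings for those policies, and the ROLE_BITS table are assumptions; ROLE_BITS in particular is a constructed placeholder that must be replaced with the values from the Security Roles reference for the target platform.

```python
"""Flag policy settings in a provisioning document that loosen the device's
trust model, using the policy IDs from the table above.

Added example, not code from the original article. Assumed here: the
SecurityPolicy CSP XML layout, the integer encodings for policies 4097, 4102
and 4122, and ROLE_BITS, a constructed placeholder bit assignment for the role
names on this page. Replace ROLE_BITS with the values from the Security Roles
reference for the target platform before auditing real documents.
"""
import xml.etree.ElementTree as ET

# Constructed placeholder bits; real role values come from the Security Roles page.
ROLE_BITS = {
    "SECROLE_MANAGER": 1 << 0,
    "SECROLE_USER_AUTH": 1 << 1,
    "SECROLE_USER_UNAUTH": 1 << 2,
    "SECROLE_OPERATOR": 1 << 3,
    "SECROLE_OPERATOR_TPS": 1 << 4,
    "SECROLE_PPG_AUTH": 1 << 5,
    "SECROLE_PPG_TRUSTED": 1 << 6,
}

GRANT_MANAGER = 4119          # role mask: every role in it becomes a Manager (page note)
RAPI_POLICY = 4097            # assumed: 1 = unrestricted RAPI, 2 = SECROLE_USER_AUTH only
UNSIGNED_APPLICATIONS = 4102  # assumed: 1 = unsigned applications may run
UNSIGNED_PROMPT = 4122        # assumed: 1 = install unsigned files without prompting

# Roles that should never be promoted to Manager by 4119: the page notes that
# adding User Authenticated makes the device user a Manager.
NEVER_MANAGER = ("SECROLE_USER_AUTH", "SECROLE_USER_UNAUTH", "SECROLE_PPG_AUTH")


def read_policies(doc: str) -> dict[int, int]:
    """Extract SecurityPolicy parms from a wap-provisioningdoc as {id: value}."""
    root = ET.fromstring(doc)
    parms = root.iterfind("./characteristic[@type='SecurityPolicy']/parm")
    return {int(p.get("name")): int(p.get("value")) for p in parms}


def roles_in_mask(mask: int) -> list[str]:
    """Expand a role mask into the role names whose bits are set."""
    return [name for name, bit in ROLE_BITS.items() if mask & bit]


def audit(policies: dict[int, int]) -> list[str]:
    """Return one finding per setting that weakens the page's protection goals."""
    findings = []
    if GRANT_MANAGER in policies:
        for role in roles_in_mask(policies[GRANT_MANAGER]):
            if role in NEVER_MANAGER:
                findings.append(f"4119 grants Manager to {role}; that role can now change every policy")
    if policies.get(UNSIGNED_APPLICATIONS) == 1:
        findings.append("4102 allows unsigned applications to run")
    if policies.get(UNSIGNED_PROMPT) == 1:
        findings.append("4122 removes the prompt for unsigned .cab, theme, .dll and .exe files")
    if policies.get(RAPI_POLICY) == 1:
        findings.append("4097 leaves RAPI unrestricted, which the page equates with Manager permissions")
    return findings


# Constructed sample: a document that promotes the user and relaxes signing checks.
SAMPLE_DOC = """<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <parm name="4119" value="{mask}"/>
    <parm name="4102" value="1"/>
    <parm name="4122" value="1"/>
    <parm name="4097" value="2"/>
  </characteristic>
</wap-provisioningdoc>""".format(mask=ROLE_BITS["SECROLE_OPERATOR_TPS"] | ROLE_BITS["SECROLE_USER_AUTH"])


if __name__ == "__main__":
    for finding in audit(read_policies(SAMPLE_DOC)):
        print("WARN:", finding)
```

The sample document keeps 4097 at its restricted value, so the audit reports three findings: the 4119 promotion of SECROLE_USER_AUTH, unsigned applications allowed, and the unsigned-file prompt removed. Extending the check to the other role-mask policies in the table (4101, 4108, 4109, 4110, 4111, 4129) follows the same pattern once the real role values are in ROLE_BITS.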