Chris De Herrera's Windows CE Website

By Chris De Herrera 
Copyright 1998-2007
 All Rights Reserved
Pocket PC Security
By Chris De Herrera, Copyright 2002
 Version 1.00  Revised 11/14/2002


Lately, I have seen more and more questions regarding Pocket PC Security. This article will outline different areas that network administrators and security officers should consider when deploying Pocket PCs. A list of applications is also provided to allow for research on how to address any concerns over security.

Areas to Secure

I believe that the following areas should be considered when designing appropriate security for the Pocket PC:

1. Power On Password - prevent unauthorized people from seeing your data.
2. File Security - RAM. This is where all your files are stored internally on the Pocket PC.
3. File Security - Flash. This is where your files are stored on CompactFlash or SecureDigital Cards. You should note that the Secure Digital Cards support encryption, however this is NOT implemented in the Pocket PC 2002.
4. Object Store Databases - The internal databases for the calendar, contacts and tasks as well as the registry.
5. Installation of programs - Whether or not users are allowed to install additional programs on the Pocket PC.
6. Changing Settings - What do you allow staff to change in their configuration?
7. Backups - Do you want users to perform backups of their data?
8. Synchronization - Do you want users to synchronize at home and work? Who owns the data on the Pocket PC?

Unlike other Microsoft operating systems, there is no option to require specific settings as part of a System Policy.

Built-in Security - Power On Password

The Pocket PC has some built-in security. Users can select the option to enter a power on password. The power on password can be as simple as a 4 digit number or as complex as an alphanumeric password up to 29 characters long. You can also specify a timeout, from 1 minute to 24 hours, for when the Pocket PC is unused. These settings can be entered on the Pocket PC by clicking Start > Settings > Password. Users are still able to synchronize their Pocket PCs with their desktop. They will be prompted for the password in order to sync each time. Also be aware that there is no backdoor to remove the password once it is set. Further, if someone were to try guessing, Microsoft uses a logarithmic algorithm to lengthen the amount of time between guesses.
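To put the 4 digit versus 29 character choice in numbers, here is an added example (not part of the original article and not Microsoft's code) that estimates how much of the password space a guesser could try in 24 hours. The article does not give the actual delay schedule, so the three schedules, the 62-symbol alphabet and the function names are all assumptions.

```python
import math

PIN_SPACE = 10 ** 4       # every 4-digit power on password
ALNUM_SPACE = 62 ** 29    # 29 characters of a-z, A-Z, 0-9 (assumed alphabet)
DAY = 24 * 60 * 60        # seconds a lost device spends with its finder

# Hypothetical schedules: seconds the device makes the n-th guess wait.
# None of these is documented Pocket PC behaviour.
SCHEDULES = {
    "fixed 1 s": lambda n: 1.0,
    "1 + log2(n) s": lambda n: 1.0 + math.log2(n),
    "doubling": lambda n: float(2 ** min(n - 1, 60)),
}

def guesses_within(budget_s, delay):
    """Count the guesses that fit into budget_s seconds under delay(n)."""
    elapsed, n = 0.0, 0
    while elapsed + delay(n + 1) <= budget_s:
        n += 1
        elapsed += delay(n)
    return n

def coverage(space, budget_s, delay):
    """Fraction of the password space an exhaustive guesser can try in time."""
    return min(guesses_within(budget_s, delay), space) / space

if __name__ == "__main__":
    for name, delay in SCHEDULES.items():
        print(f"{name:14} 4-digit {coverage(PIN_SPACE, DAY, delay):8.2%}  "
              f"29-char {coverage(ALNUM_SPACE, DAY, delay):.1e}")
```

Under these assumptions the 4 digit password only holds up when the delay grows quickly, while the long alphanumeric password is out of reach under every schedule.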

Root Certificates

As part of Microsoft's focus on security on the desktop, they are using Digital Certificates (also known as Root Certificates). The Digital Certificates are administered by the company and are assigned to specific devices that are allowed access to specific resources. Microsoft's Mobile Information Server (MIS) is an example of an enterprise application that can take advantage of this functionality. To install a Root Certificate, Microsoft has created Knowledge Base articles for the Pocket PC 2000 - http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q290288&  and Pocket PC 2002 - http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322956 .

Security Concerns

There are some issues that concern me regarding the default functionality of the Pocket PC. When a user is accessing a network or VPN, the password is stored. There is no option to prompt for the password. In order to delete it you will have to delete the connection.

Third-Party Solutions

The following third-party solutions will help you address the areas of concern I outlined above. Please keep in mind that security is an ever-changing function, so the features and capabilities of these applications will change over time.

Card based Keys

The following vendors offer card-based keys: Jgui AccessRights ( http://www.jgui.net/accessrights/ ) and RSA Security ( http://www.rsasecurity.com/company/news/releases/pr.asp?doc_id=1410 ).

Handwriting Recognition based

KeCrypt ( http://www.kecrypt.com/home.htm ) supports recognition of the user of a specific Pocket PC based on the shape, density and speed of the writing.

File Encryption

You can use the following vendors' encryption programs to protect files on your Pocket PC - PGP Mobile ( http://www.pgp.com/display.php?pageID=24 ), F-Secure ( http://www.f-secure.com/news/2001/news_2002031201.shtml ), PointSec ( http://www.pointsec.com/solutions/solutions_pocketpc.asp ), Sentry 2020 ( http://www.softwinter.com/sentry_ce.html ), Lucifer ( http://guinness.cs.stevens-tech.edu/~fpessaux/files/Lucifer1_2.zip ), Vieka PE Encrypt ( http://vieka.com/products.htm#peencrypt ), Applian Pocket Lock ( http://www.applian.com/pocketpc/pocketlock/index.php?AID=4135294&PID=819064 ) and movianCrypt ( http://www.certicom.com/products/movian/moviancrypt.html ).

Virtual Private Networks (VPN)

Microsoft provides VPN support for their PPTP implementation that works with Windows NT and 2000. In addition there are multiple 3rd party solutions such as movianVPN ( http://www.certicom.com/products/movian/movianvpn.html ), Funk Software ( http://www.funk.com/ipsec/enterprise/a1pocketpc_ds.asp ) and SafeNet ( http://www.safenet-inc.com/news/viewstory.asp?ID=209 ). Also there are vendor specific VPN drivers from Check Point VPN-1 ( http://www.checkpoint.com/wince/ ).

All-in-One Solutions

The following vendors offer complete security solutions for the Pocket PC - Trust Digital ( http://www.trustdigital.com/prod16e.htm ), PDA Defense ( http://www.pdadefense.com/ ) and SafeBoot ( http://www.controlbreak.co.uk/products/psafeboot.html ).

Security Starts at Enforcement

In order to maintain a secure environment, it's all up to the company to enforce the controls. So along with considering what security to implement, I suggest that you adopt company policies that management will enforce with users. That way all the users will be notified of what you expect to enforce in your environment.
