Sign in with
Sign up | Sign in
Your question

PPC Secuiryt in the corporate environment

Last response: in Cell Phones & Smartphones
Share
May 25, 2005 3:24:37 PM

Archived from groups: microsoft.public.pocketpc (More info?)

I'd like to get opinions on this:

Microsoft has published an excellent whitepaper on Network Security for the
Windows Mobile Software Platform. However, although the paper stresses the
importance of managing security in the mobile environment and the importance
of tools to accomplish this, Microsoft doesn't provide any tools to allow
proper security best practices to be enforced.



The Windows server environment already has a great network administration
environment with Active Directory. I want to be able extend this to my
mobile devices which will allow me to enforce passwords, policies not
reliant on users, and be 100% sure that if a mobile device gets into the
wrong hands - which the USER might end up being - the company is protected.



Group policies are essential for managing corporate laptops. Pocket PC
devices need the same type of manageability from the top down. Imagine if a
user could take his laptop home and decide to disable password protection
because it's too much of a pain to have to log on all the time. This would
never be tolerated in a properly secured environment. So why are Pocket PC's
at the mercy of the user and not controlled by the administrator?



Given the importance Microsoft is putting on Security today, I am very
surprised that Windows Mobile 5.0 doesn't address security as the number one
priority

--
Gavin
http://sbscanada.blogspot.com
http://pocketpccanada.blogspot.com/
Anonymous
a b 8 Security
May 25, 2005 3:24:38 PM

Archived from groups: microsoft.public.pocketpc (More info?)

In article <OQK0x2TYFHA.2348@TK2MSFTNGP14.phx.gbl>,
Gavin <gavin@INTERPROM.COM.> wrote:
>
>Microsoft has published an excellent whitepaper on Network Security for the
>Windows Mobile Software Platform. However, although the paper stresses the
>importance of managing security in the mobile environment and the importance
>of tools to accomplish this, Microsoft doesn't provide any tools to allow
>proper security best practices to be enforced.

I'll say this before you get any further... As originally designed, the
Pocket PC was intended to be an extension of the desktop, and not an
independent computing device. Obviously, that's not the way that the
platform is always applied. But for now, hang on to that thought...

>The Windows server environment already has a great network administration
>environment with Active Directory. I want to be able extend this to my
>mobile devices which will allow me to enforce passwords, policies not
>reliant on users, and be 100% sure that if a mobile device gets into the
>wrong hands - which the USER might end up being - the company is protected.

I worked in a large, cross-national Windows 2000/2003 environment with all
sorts of bells and whistles (read: Active Directory schema extensions and
non-MS clients) attached. You know how they proposed dealing with security
for Windows CE devices? Run Terminal Services everywhere. Instead of
installing native tools on the Pocket PC, you allow them to connect to the
corporate network remoted (and track them by MAC address for auditing
purposes.) All the authentication is handled by AD, nothing is stored
locally on the Pocket PC. If anything goes slightly screwy with the
portable device, it's immediately replaced and no labor is wasted on
troubleshooting or repair. If a device is lost, you block the NIC from
connecting, and there's no proprietary data stored on the device.

In that kind of environment, you would do all your administrative work in
a Remote Desktop session connected to some other machine. That way, the
host terminal can be secured both physically and electronically, and the
only data that is really being transferred to and from the portable device
is graphics updates. This also plays cleanly into our 'desktop extension'
model as we're not trying to duplicate functions of the normal Windows
client onto a portable unit that has neither the horsepower nor the
security features of a standard corporate workstation.

<snip>
>Given the importance Microsoft is putting on Security today, I am very
>surprised that Windows Mobile 5.0 doesn't address security as the number one
>priority

That happens when the philosophy that drives your operating system takes a
sharp 270 degree turn unexpectedly It used to be that Windows CE was
intended as a widely portable, easily embedded OS. It supported many
processor types, application components could be added or omitted as
needed, and it was efficient and unobtrusive. Windows CE could be found on
handheld computers, in video game systems or on your lawn sprikler control
box. To an engineer or a developer who has to build something from the
ground up, Windows CE had a lot of appealing qualities.

Then the Pocket PC happened and the confusing labels started cropping up.
'Pocket PC' is a UI on top of Windows CE, unless you're talking about
'Pocket PC 2002' which is an integrated shell on top of CE.NET or whatever
it was they called version 4.1. All of a sudden, the majority of devices
run only Intel processors and so 80 percent of the existing Windows CE
library is discarded for no good reason. Now we have this 'Windows Mobile'
label that seems to apply to anything that's smaller than a breadbox.
Given how many times they've reinvented the wheel and given it a new name,
I'm not surprised that security isn't the number one thing on the list of
worries when it comes to Windows CE.

Sorry, that was way off-topic. My point? A portable device is absolutely
the wrong platform for doing the security operations you're looking to
perform. Unless you're willing to build and maintain your own toolset, the
best option now is to isolate those functions to a server-class device and
remotely control it. And that's only if you have an absolute, drop-dead
requirement to be able to move mailboxes or to disable user accounts from
a Pocket PC.

By the way, my story above has a punchline... It's been four years now and
they still haven't implemented a corporate standard for mobile devices.
That nameless company is still bogged down in a debate over which is the
best platform, Palm or Pocket PC. Given their history, they'll probably
settle on Symbian. :) 

-KKC, who wonders when they'll nail down the 802.11 standards...
--
--S.S.B. is the code name for America's daring, highly | kendrick @io .com
trained special mission force. Its purpose: to |
defend human freedom against al-Qaeda, a ruthless | Please don't use
terrorist organization determined to rule the world! | eBay. Ask me why.
Anonymous
a b 8 Security
May 25, 2005 3:46:03 PM

Archived from groups: microsoft.public.pocketpc (More info?)

"Gavin" <gavin@INTERPROM.COM.> wrote in message
news:o QK0x2TYFHA.2348@TK2MSFTNGP14.phx.gbl...
>
> Group policies are essential for managing corporate laptops. Pocket PC
> devices need the same type of manageability from the top down. Imagine if
> a user could take his laptop home and decide to disable password
> protection because it's too much of a pain to have to log on all the time.
> This would never be tolerated in a properly secured environment. So why
> are Pocket PC's at the mercy of the user and not controlled by the
> administrator?
>
>


You want a personal device to share the password model of a laptop - And we
all know how secure a laptop with a password is to a laptop's actual
contents...

I think you might be living in a false sense of protection. Don't be
insulted, I see this all the time when the words "corporate" and
"administrator" are used together.

A PDA with a password is actually more secure than a laptop, minus storage
cards. Now, about that storage card - password protection on a PDA will
leave the storage card wide open for use in another device. Yet the
coporate mentaility is, "Why can the user turn off the password on the
PDA?". You miss the concept of "properly secured environment" here by a
mile.

Forgive me for being blunt, but don't be confined by the current paradigm of
protection you are now employing - it WILL leave your security with holes,
more than those that already exist. A false sense of security breeds
complacency, which is actually worse than no hard security with an active
guard up.


..02, FWIW
Related resources
Can't find your answer ? Ask !
May 25, 2005 6:25:19 PM

Archived from groups: microsoft.public.pocketpc (More info?)

I agree - ultimately we are only as secure as either our users
"honesty/intelligence", or the chains we put on our filling cabinets.

However, Microsoft is selling PPC's the "enterprise" as mobile workforce
devices. Should the fact that USB Keys or SD Cards are available stop them
from making top down administration possible?

I can think of many reasons why active directory integration would or could
be beneficial. Ultimately you are correct - there is no 100% secure
environment. But that doesn't mean I don't want to try.

BTW - I really do appreciate your perspective and comments. I may use them
in an article after gaining your permission.
--
Gavin
http://sbscanada.blogspot.com
http://pocketpccanada.blogspot.com/


"xTenn" <xTennREmoveThisPart@tds.net> wrote in message
news:o BinZDUYFHA.1240@TK2MSFTNGP14.phx.gbl...
>
> "Gavin" <gavin@INTERPROM.COM.> wrote in message
> news:o QK0x2TYFHA.2348@TK2MSFTNGP14.phx.gbl...
>>
>> Group policies are essential for managing corporate laptops. Pocket PC
>> devices need the same type of manageability from the top down. Imagine if
>> a user could take his laptop home and decide to disable password
>> protection because it's too much of a pain to have to log on all the
>> time. This would never be tolerated in a properly secured environment. So
>> why are Pocket PC's at the mercy of the user and not controlled by the
>> administrator?
>>
>>
>
>
> You want a personal device to share the password model of a laptop - And
> we all know how secure a laptop with a password is to a laptop's actual
> contents...
>
> I think you might be living in a false sense of protection. Don't be
> insulted, I see this all the time when the words "corporate" and
> "administrator" are used together.
>
> A PDA with a password is actually more secure than a laptop, minus storage
> cards. Now, about that storage card - password protection on a PDA will
> leave the storage card wide open for use in another device. Yet the
> coporate mentaility is, "Why can the user turn off the password on the
> PDA?". You miss the concept of "properly secured environment" here by a
> mile.
>
> Forgive me for being blunt, but don't be confined by the current paradigm
> of protection you are now employing - it WILL leave your security with
> holes, more than those that already exist. A false sense of security
> breeds complacency, which is actually worse than no hard security with an
> active guard up.
>
>
> .02, FWIW
>
>
Anonymous
a b 8 Security
May 25, 2005 6:52:38 PM

Archived from groups: microsoft.public.pocketpc (More info?)

"Gavin" <gavin@INTERPROM.COM.> wrote in message
news:%23zfYdcVYFHA.3584@TK2MSFTNGP12.phx.gbl...
>I agree - ultimately we are only as secure as either our users
>"honesty/intelligence", or the chains we put on our filling cabinets.
>
> However, Microsoft is selling PPC's the "enterprise" as mobile workforce
> devices. Should the fact that USB Keys or SD Cards are available stop them
> from making top down administration possible?
>
> I can think of many reasons why active directory integration would or
> could be beneficial. Ultimately you are correct - there is no 100% secure
> environment. But that doesn't mean I don't want to try.
>
> BTW - I really do appreciate your perspective and comments. I may use them
> in an article after gaining your permission.


SD cards are used more integrally in a typical PPC than a usb key in a
laptop. In a *lot* of cases a PPC will not function as set up or needed
without a storage card (due to memory, etc. users often keep programs
and/or data on the sd card as an active portion of work being done), whereas
a USB key on a laptop is basically backup or file exchange. I think this
should be of major concern from a security standpoint, and but one of the
reason why the shift in a typical security paradigm must occur when
encompassing these devices on a corporate level. Having a locked device as
designed will not solve the issue of unencrypted data on said card, possibly
current as of the last use (nor would it in a laptop if disassembly was
allowed, but that is probably another conversation).

Microsoft's marketing notwithstanding, of course.


Consider permission given. :) 
Anonymous
a b 8 Security
May 26, 2005 5:38:14 AM

Archived from groups: microsoft.public.pocketpc (More info?)

"xTenn" <xTennREmoveThisPart@tds.net> wrote in message
news:e%23IdtrVYFHA.2288@TK2MSFTNGP14.phx.gbl...
>

> Having a locked device as designed will not solve the issue of
> unencrypted data on said card,

This program is like having a pgp encrypted disk on the PPC:

http://www.softwinter.com/sentry_ce.html
Anonymous
a b 8 Security
May 26, 2005 2:47:18 PM

Archived from groups: microsoft.public.pocketpc (More info?)

"Chance Hopkins" <chance_hopkins@hotmail.com> wrote in message
news:uuJanTbYFHA.1204@TK2MSFTNGP10.phx.gbl...
>
> "xTenn" <xTennREmoveThisPart@tds.net> wrote in message
> news:e%23IdtrVYFHA.2288@TK2MSFTNGP14.phx.gbl...
>>
>
>> Having a locked device as designed will not solve the issue of
>> unencrypted data on said card,
>
> This program is like having a pgp encrypted disk on the PPC:
>
> http://www.softwinter.com/sentry_ce.html

Nice setup, and something like this should be used on PPC AND Laptops - a
device entry password is not sufficient at any time, and a secure area on
any storage medium should be accepted as the norm.

The bad news is that it is not an automatic process - it requires diligence
on the part of the user to make use of these kinds of programs, and the
corporate mentality too often sees an optional action as a non-enforceable
one, making it undesirable in the enterprise solution. It is too bad as
well, since the trust of that person (who interprets, extrapolates and
alters said data ) is paramount to the corporate survival to begin with.
Again showing that a false sense of security (this time in the system
itself, not the people) gives way to a sense of complacency that could be
damaging.

Is that an issue? Well, the topic at hand is "Should personal devices be
password encrypted and not be modifiable by the user/owner of said personal
device", which to me shows a flawed corporate solution, both in short term
( passwords do not protect storage cards) and long term (the person who sees
the data is the biggest threat ).

The paradigm shift in Corporate Security as personal devices get more
robust is not as simple as making sure the data is encrypted, since each
person will have at their disposal more data than ever before. If anything,
an excessive attempt could only be a hindrance to the job at hand without
affording real protection.

Something to think about, anyways.
!