Security Considerations for Windows Mobile Messaging in the Enterprise

6/2/2010

One of the most difficult tasks facing enterprise network administrators is finding methods and technologies that can help prevent malicious attacks on their systems from sources located both inside and outside the corporate firewall.

Overview

Securing servers, client computers, and mobile devices becomes even more vital as workers and contractors connect from multiple wired and wireless networks that may employ varying levels of security features. Employees can inadvertently put their businesses at risk by connecting to mission-critical systems over mobile networks and applications and unintentionally transmitting viruses or corrupt data. In addition, passing critical corporate data through an outside network operations center may increase the risk of compromise or unavailability.

With the right technologies and network architecture in place, however, network administrators can help dramatically improve the security and management of mobile device connections. The key to a successful deployment is carefully planning how to handle permissions and security rights for these mobile workers.

Microsoft products offer a broad set of security-related technologies to help you construct a sound defense against information security threats. This paper describes the technologies available to help protect Internet e-mail and wireless communications for devices running on Windows Mobile 6, as well as on Windows Mobile 5.0 with the Messaging and Security Feature Pack (MSFP).

Windows phones function within existing Windows networks and conform to existing network security policies by using many of the same Microsoft security features found in Windows desktop and laptop computers. The technologies described in this paper apply generally to devices running Windows Mobile 5.0 with MSFP and later software. Understand, however, that actual on-device support for these security technologies may vary, depending on the mobile device in use and how it has been configured by the original equipment manufacturer (OEM) and mobile operator.

Readers should be familiar with Windows networking technology for enterprise deployments, with Microsoft certificate technology, and with mobile devices in general.

Naming Conventions

This document supports both Windows Mobile 6 and Windows Mobile 5.0.

With the introduction of Windows Mobile 6, Microsoft changed its naming conventions to better align the brand and products with the realities of today’s mobile device marketplace. The historical form-factor based distinction between Windows Mobile powered Smartphone and Windows Mobile powered Pocket PC Phone is blurring dramatically, and the terminology has been changed to better reflect the evolution of the industry. The following table summarizes the changes.

Windows Mobile 5.0 and earlier                 Windows Mobile 6
Windows Mobile for Pocket PC                   Windows Mobile 6 Classic
Windows Mobile for Pocket PC Phone Edition     Windows Mobile 6 Professional
Windows Mobile for Smartphone                  Windows Mobile 6 Standard

In This Document

This paper covers the three main components of the Windows Mobile security architecture:

  • Security Considerations on the Device, describing the code and features resident on a Windows Mobile powered device
  • Security Considerations on the Exchange Server, providing details about the Exchange ActiveSync protocol and the security policies that can be managed from Exchange Server
  • Security Considerations on the Network, outlining the features of a security-enhanced mobile messaging network, including ISA Server, Internet Information Services (IIS), and the protocols used for data encryption and device authentication

This document supports the IT Professional in a large enterprise corporation who has the resources and the mission to deploy a strong, controlled mobile messaging solution in his or her existing corporate network configuration.

In this scenario, the IT Professional deals with both front door and back door devices. Front door devices are new devices, typically purchased in large quantities directly from an OEM or Mobile Operator. Here the IT Professional is in a position to request specific features and to work with the device provider on a device configuration that meets corporate requirements. Back door devices are brought into the corporate environment by individuals or groups who have procured them from a retailer, or who have additional requirements that prevent them from using the front door devices. The challenge for the IT Professional is to control both front door and back door devices within the same protected solution.

This document provides the IT Professional with the technical information needed to understand the Windows Mobile security model from both the device and the server perspectives. With this information, he or she will know which security levels and features are available on front door and back door Windows Mobile powered devices, and how Exchange ActiveSync interacts with each of them. Large corporations typically choose to direct the ongoing configuration of devices, called provisioning, which can alter the security level and other features of a device that is already in service.

The companion white paper, Security Model for Windows Mobile 5.0 and Windows Mobile 6, provides deeper technical information to use as a resource for provisioning and managing Windows Mobile powered devices.

IT Professionals can enhance security and improve device management by combining devices running Windows Mobile 5.0 with MSFP or later software with the Exchange ActiveSync management features in Exchange Server 2003 SP2 or Exchange Server 2007; these features can be deployed without special configuration.
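To make the Exchange-side policy control concrete, the following is an added example (not from the original paper) showing how an Exchange Server 2007 administrator would create and assign a mailbox policy that every device, front door or back door, must accept before it is allowed to synchronize. It assumes the Exchange Server 2007 Management Shell; Exchange Server 2003 SP2 exposes the same kind of settings through the Exchange System Manager console instead. The policy name and mailbox alias are hypothetical.

```powershell
# Added example: enforce a device password on every Windows Mobile device
# that synchronizes via Exchange ActiveSync, and refuse devices that cannot
# accept (are not "provisionable" by) the policy. Exchange Server 2007 cmdlets.

# Hypothetical policy name; the parameter names are Exchange 2007 ActiveSync
# mailbox policy settings.
$policyName = "Corp-Mobile-Baseline"

New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `                 # device must have a PIN/password
    -AlphanumericDevicePasswordRequired $true `    # not digits only
    -AllowSimpleDevicePassword $false `            # reject 1234, 1111, etc.
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 8 `           # local wipe after 8 bad attempts
    -MaxInactivityTimeDeviceLock "00:15:00" `      # auto-lock after 15 minutes idle
    -DevicePasswordExpiration "90.00:00:00" `      # rotate every 90 days
    -DevicePasswordHistory 5 `
    -PasswordRecoveryEnabled $true `               # recovery password escrowed to Exchange
    -AllowNonProvisionableDevices $false           # key control: devices that cannot
                                                   # enforce the policy are not allowed to sync

# Assign the policy to a mailbox (hypothetical alias). Devices that do not
# already run this policy are re-provisioned at their next sync.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy $policyName

# Check: confirm the assignment, then list which devices have synchronized
# for this mailbox so back door devices become visible to the administrator.
Get-CASMailbox -Identity "jdoe" | Format-List Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" | Format-List DeviceType, DeviceID, LastSuccessSync
```

Setting AllowNonProvisionableDevices to $false is what turns the policy from a recommendation into a gate: a device that cannot enforce the password rules (for example one whose OEM or mobile operator configuration has stripped that support, as the Overview warns can happen) is denied synchronization rather than silently synchronizing unprotected. Test the policy against the actual front door device configuration before applying it company-wide.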

Other Resources

Security Model for Windows Mobile 5.0 and Windows Mobile 6