What's New in Security for Windows Mobile 6

4/12/2010

The following security features are new in Windows Mobile 6. Additional software requirements are listed with each feature. If there are any additional hardware requirements, those requirements are also listed.


Certificate Enrollment

Enhanced security features that are available in Windows Mobile 6 support application-initiated enrollment and deployments in which the enrollment request must be authenticated by something other than a password, such as a smart card. They also provide a way to renew expiring certificates. Specifically, these features:

  • Provide a way to enroll in an environment that requires domain authentication stronger than a password, such as a smart card. This is done from a desktop computer that has network access to the web-based enrollment site.
  • Provide a flexible, platform-level certificate enrollment solution that OEMs can configure on the device by using XML.
  • Allow an IT administrator to preset an XML configuration file for each user. This permits enrollment to be run without user interaction.
  • Allow applications to call into the certificate enrollment process programmatically to initiate enrollment.
  • Support certificate renewal.

Storage Card Encryption

Windows Mobile 6 devices support the encryption of data that is stored on external removable storage cards. Specifically, they:

  • Encrypt data written from the mobile device to removable media. The data is usable only on the device that encrypted it; the card cannot be read by moving it to another device or to a desktop card reader.
  • Enable over-the-air (OTA) provisioning of encryption through Microsoft Exchange Server or another OTA device management (DM) solution.
  • Allow OEMs and system integrators to provision encryption policy during a cold boot of the device.
  • Make encryption transparent to both applications and the user, apart from its performance impact.
  • Provide desktop access to encrypted data files only through the ActiveSync file explorer.
  • Allow the user to configure encryption on the device.

Device Lock in Windows Mobile 6

Device Lock is the interaction of the following features:

  • Enhanced PIN strength
  • Password/PIN expiration
  • Sequences and patterns in passwords/PINs
  • Password history

User PIN Reset is governed by these same policies: when a user requests a PIN reset, the new PIN must meet the requirements that are defined for unlocking the device.

Enhanced PIN Strength

Enhanced PIN Strength in Windows Mobile 6 prevents users from choosing a PIN that contains a simple pattern or that has too few digits. The Microsoft Default Local Authentication Plug-in (LAP) can be configured to:

  • Enable a policy that requires end users to choose a PIN that does not contain a repeating sequence, such as "1111".
  • Enable a policy that requires end users to choose a PIN that does not contain a sequence whose consecutive values differ by a constant amount, such as "1234" or "1357".
  • Provide a mechanism for IT administrators to configure policies by using a third-party device management solution.

Requires Microsoft Exchange Server 2007.

Password/PIN Expiration

Password/PIN expiration allows an IT administrator to set the expiration time of a password or PIN on a device by using the Microsoft Default LAP. The new feature:

  • Provides a policy that requires end users to choose a new password or PIN after a preconfigured period of time (in seconds).
  • Provides a mechanism for IT administrators to configure policies by using a third-party device management solution.

Requires Exchange Server 2007.

User PIN Reset

User password/PIN on a device that uses the Microsoft Default LAP can be reset by using an Authentication Reset Component (ARC). Unlike the other security features, the ARC can be used with a custom LAP. The ARC is a pluggable component. An OEM can create an ARC for use with a custom LAP or for use with the default LAP. The feature:

  • Provides the ability for the end user to request a password or PIN reset.
  • Ensures that devices lock reliably.
  • Supports infrastructures that use certificate authentication or that rely on credentials to authenticate a user to the system.
  • Supports OEM customization of the LAP.
  • Supports OEM replacement of the ARC.

Requires Exchange Server 2007.

Password History

Password History uses the Microsoft Default LAP to maintain a history of previous passwords, stored securely on the device, so that a password cannot be reused. The feature:

  • Enables the OEM to use a policy that requires end users to choose a new password or PIN that is different from a previous password.
  • Tells the end user how many previous passwords are remembered if the new password matches one of them.
  • Provides a mechanism for IT administrators to configure policies by using a third-party device management solution.

Requires Exchange Server 2007.
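The following Python program is added here as an illustration of how the Enhanced PIN Strength, Password/PIN Expiration and Password History policies described above fit together as one Device Lock check. It is not Microsoft's LAP code (the Windows Mobile 6 LAP is a native device component). The policy field names, the four-character window used to detect repeating and stepped sequences, the salted PBKDF2 storage of the history, and the sample PINs are all assumptions made for this example.

```python
"""Device Lock policy checks in the spirit of the Windows Mobile 6 default LAP.

Added, illustrative implementation, not Microsoft's LAP code. Policy field
names, the 4-character pattern window, the PBKDF2 hashing of stored PINs and
the state layout are assumptions made for this example.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DeviceLockPolicy:
    min_length: int = 4            # reject PINs with too few characters
    pattern_window: int = 4        # length of the runs checked for patterns (assumed)
    forbid_repeating: bool = True  # reject runs such as "1111"
    forbid_stepped: bool = True    # reject runs such as "1234", "1357", "9753"
    expiration_seconds: int = 0    # 0 means the PIN never expires
    history_depth: int = 0         # 0 means previous PINs may be reused


@dataclass
class LockState:
    """PINs are kept only as salted PBKDF2 hashes; history[0] is the current PIN."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)
    set_at: float = 0.0            # epoch seconds at which the current PIN was set


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000)


def _windows(s: str, size: int):
    for i in range(len(s) - size + 1):
        yield s[i:i + size]


def contains_repeating_run(pin: str, run_length: int = 4) -> bool:
    """True if the PIN contains run_length identical consecutive characters ("1111")."""
    return any(len(set(w)) == 1 for w in _windows(pin, run_length))


def contains_stepped_run(pin: str, run_length: int = 4) -> bool:
    """True if the PIN contains run_length consecutive characters whose code-point
    differences are all equal and non-zero ("1234", "1357", "9753")."""
    for w in _windows(pin, run_length):
        steps = {ord(b) - ord(a) for a, b in zip(w, w[1:])}
        if len(steps) == 1 and 0 not in steps:
            return True
    return False


def is_expired(state: LockState, policy: DeviceLockPolicy, now: Optional[float] = None) -> bool:
    """True if the policy sets an expiration and the current PIN is at least that old."""
    if policy.expiration_seconds <= 0 or not state.history:
        return False
    now = time.time() if now is None else now
    return now - state.set_at >= policy.expiration_seconds


def check_new_pin(pin: str, policy: DeviceLockPolicy, state: LockState) -> Tuple[bool, str]:
    """Apply the strength and history rules to a candidate PIN; return (accepted, reason)."""
    if len(pin) < policy.min_length:
        return False, f"PIN must be at least {policy.min_length} characters"
    if policy.forbid_repeating and contains_repeating_run(pin, policy.pattern_window):
        return False, "PIN contains a repeating sequence"
    if policy.forbid_stepped and contains_stepped_run(pin, policy.pattern_window):
        return False, "PIN contains a predictable sequence"
    if policy.history_depth > 0:
        candidate = _hash_pin(pin, state.salt)
        remembered = state.history[:policy.history_depth]
        if any(hmac.compare_digest(candidate, h) for h in remembered):
            # Report how many previous PINs are remembered, as the feature list says.
            return False, f"PIN matches one of the last {len(remembered)} PINs"
    return True, "ok"


def set_pin(pin: str, policy: DeviceLockPolicy, state: LockState, now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate the PIN and, if accepted, make it current and push the old one into history."""
    ok, reason = check_new_pin(pin, policy, state)
    if not ok:
        return ok, reason
    state.history.insert(0, _hash_pin(pin, state.salt))
    del state.history[max(policy.history_depth, 1):]   # keep only what the policy can consult
    state.set_at = time.time() if now is None else now
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample policy and PINs for demonstration.
    policy = DeviceLockPolicy(min_length=6, expiration_seconds=90 * 86400, history_depth=3)
    state = LockState()
    for candidate in ("1234", "111123", "246810", "913572", "824651"):
        print(candidate, check_new_pin(candidate, policy, state))
    set_pin("824651", policy, state, now=0)
    print("reuse:", check_new_pin("824651", policy, state))
    print("expired after 91 days:", is_expired(state, policy, now=91 * 86400))
```

The stepped-sequence check compares code points rather than digit values, so it also catches runs such as "abcd" in an alphanumeric password; the repeating and stepped checks are applied to every four-character window, so "511110" is rejected even though the PIN as a whole is not a pattern.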