Device Protection with MSFP


Windows Mobile 5.0-based devices with the Messaging and Security Feature Pack (MSFP) support new security policies that enable the Exchange server to protect devices that synchronize directly with the server.

The following list shows how MSFP provides increased device protection:

  • Allows system administrators to remotely manage and enforce selected corporate IT policies over-the-air
  • Enables automatic reset of device data when the password is entered incorrectly a set number of times, and helps protect against unauthorized entry to the device by using local data wipe and device timeout
  • Helps administrators better protect device data with remote reset of on-device data by using the Mobile Administration Web tool
  • Increases access security to Exchange Server 2003 SP2 by using certificate-based authentication to the server
  • Helps protect e-mail content with native support for S/MIME

Remotely Enforce Device Security Policies

MSFP helps system administrators configure and manage a corporate IT policy over-the-air that requires all users to protect their mobile device with a password in order to access the Exchange server. The following list shows how the system administrator can specify the length and complexity of the password by using the Exchange System Manager:

  • Enforce password on device
  • Set minimum password length
  • Set password complexity, requiring the usage of characters or symbols
  • Require the device to authenticate to the Exchange server by using certificates. This is recommended; the recommended deployment uses SSL encryption, Basic authentication, and an ISA Server firewall guarding the servers.

The length and complexity of a password is enforced by using the MinimumPasswordLength and PasswordComplexity registry settings.

Additionally, system administrators can perform the following tasks by using the Exchange System Manager:

  • Identify users who are exempt from the setting enforcement. The administrator can set exceptions to the security policies for individual users or groups of users.
  • Ensure the device is current with corporate security settings by periodically refreshing device settings.

System administrators can use the Mobile Administration Web tool to obtain a list of users and the devices that they use to log on to the Exchange server. This allows the administrator to specifically target a lost device for wiping.

Protect Against Unauthorized Entry with Automatic Local Wipe

To help protect against unauthorized entry to the device, the Mobile Operator or system administrator can use local data wipe and device timeout to automatically reset data when the password is entered incorrectly a set number of times.

The following sections describe these features.

Local Data Wipe

The local wipe automatically resets the local memory to a clean slate after a specified number of unsuccessful PIN or password entries. The wipe erases all data and certificates on the device. It does not erase external memory, such as a Secure Digital (SD) card. System administrators can set this policy from the Exchange System Manager.

For the Mobile Operator, a local wipe is accomplished by using the following security policy and registry key:

  • The Password Required policy (4131)
  • The DeviceWipeThreshold registry key, which identifies the number of authentication attempts before a wipe occurs.

Before the device is wiped, a dialog box alerts the user of the possible local wipe.

To prevent random key presses from triggering a local data wipe, a code word can be displayed on the device for the user to enter. After entering the code word, the user can continue to enter more password attempts. The number of authentication attempts before prompting the user with a code word is set in the CodeWordFrequency registry setting.

For more information about the Password Required policy, see Security Policy Settings.
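As an added example (not part of the original documentation), the following Python model simulates the local wipe behaviour described above: the failed-attempt counter, the warning dialog, the wipe at DeviceWipeThreshold, and the code-word prompt every CodeWordFrequency attempts. Class and field names are assumptions, and the policy values are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Policy values are constructed for the example; on a real device they come from the
# Password Required policy (4131) and the DeviceWipeThreshold/CodeWordFrequency settings.
@dataclass
class LocalWipePolicy:
    password_required: bool = True   # Password Required policy (4131) enforced
    device_wipe_threshold: int = 8   # failed attempts that trigger the local wipe
    code_word_frequency: int = 3     # failed attempts between code-word prompts

@dataclass
class Device:
    policy: LocalWipePolicy
    password: str
    failed_attempts: int = 0
    wiped: bool = False
    pending_code_word: Optional[str] = None   # code word shown on screen, if any
    events: List[str] = field(default_factory=list)

    def enter_password(self, entry: str) -> str:
        """One unlock attempt; returns the device state after the attempt."""
        if self.wiped:
            return "wiped"
        if self.pending_code_word is not None:
            return "code_word_required"   # further attempts blocked until code word typed
        if entry == self.password:
            self.failed_attempts = 0
            return "unlocked"
        self.failed_attempts += 1
        p = self.policy
        if p.password_required and self.failed_attempts >= p.device_wipe_threshold:
            self.wiped = True             # internal memory and certificates are erased
            self.events.append("local_wipe")
            return "wiped"
        if p.password_required and self.failed_attempts == p.device_wipe_threshold - 1:
            self.events.append("wipe_warning_dialog")   # user is alerted before the wipe
        if p.code_word_frequency and self.failed_attempts % p.code_word_frequency == 0:
            self.pending_code_word = secrets.token_hex(2)   # e.g. "a3f9", displayed on screen
            return "code_word_required"
        return "locked"

    def enter_code_word(self, entry: str) -> bool:
        """Typing the displayed code word shows a person is present; attempts may resume."""
        if self.pending_code_word is None or entry != self.pending_code_word:
            return False
        self.pending_code_word = None
        return True
```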

Device Timeout

The device can be set to lock itself after a specified time of inactivity. To use the device, the user must enter a PIN or password.

Note   Even if a device is locked due to timeout, it can still receive incoming calls and make emergency calls.

The system administrator can set this policy from the Exchange System Manager.

For the Mobile Operator, the device timeout is set by using the following registry keys:

  • The AEFrequencyType registry key, which identifies whether or not the device will lock itself after a set time.
  • The AEFrequencyValue registry key, which identifies the number of minutes of inactivity before a device locks.

Protect Data with Remote Device Wipe

System administrators can use remote wipe to remotely erase lost, stolen, or otherwise compromised mobile devices. Administrators can use the Mobile Administration Web tool to erase device data over-the-air and reset the device back to a clean state. A remote wipe affects data stored in internal memory only and does not wipe external storage, such as SD cards.

The system administrator can use the Mobile Administration Web tool to perform the following actions:

  • View a list of all devices that are being used by any user.
  • Select or de-select devices to be remotely erased.
  • View the status of pending remote erase requests for each device.
  • View a transaction log that indicates which administrators have issued remote erase commands, in addition to the devices those commands pertained to.
  • Wipe the device even when the Password Required policy or the DeviceWipeThreshold registry key is not enforced.
  • Delegate remote wipe access to the help desk.

The following list describes how the remote device wipe works:

  1. The administrator sends the remote erase order to a specific device.
  2. The next time the device connects to Exchange, the server sends the erase order.
  3. The device acknowledges that the command was received.
  4. When the device receives the next command, the device wipes its data.

If the device was connected using Direct Push technology, the wipe process will be initiated immediately and should take place in seconds.

If the Password Required policy (4131) and the DeviceWipeThreshold registry key are set, the device is protected by a password and local wipe, so the device will not be able to perform any operation other than to receive the remote wipe notification and report that it has been wiped.
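As an added example (not part of the original documentation), the following Python model walks through the four-step remote wipe sequence above with both sides' messages, including the transaction log and the pending-status view an administrator would consult. ExchangeServer, MobileDevice and their methods are assumptions for illustration, not the real Exchange or Mobile Administration Web tool API.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed model of the remote-wipe sequence; class and method names are assumptions.
@dataclass
class MobileDevice:
    device_id: str
    data: List[str]              # internal memory only; an SD card is not modelled
    acked_wipe: bool = False

    def receive(self, command: str) -> str:
        if command == "RemoteWipe":
            self.acked_wipe = True           # step 3: acknowledge the erase order
            return "ack RemoteWipe"
        if self.acked_wipe:
            self.data.clear()                # step 4: wipe on the next command received
            return "wiped"
        return "ok"

@dataclass
class ExchangeServer:
    pending_wipes: Dict[str, str] = field(default_factory=dict)   # device_id -> admin
    wiped: Set[str] = field(default_factory=set)
    transaction_log: List[str] = field(default_factory=list)

    def issue_wipe(self, admin: str, device_id: str) -> None:
        """Step 1: the administrator queues the erase order; the log records who did it."""
        self.pending_wipes[device_id] = admin
        self.transaction_log.append(f"{admin} issued remote wipe for {device_id}")

    def sync(self, device: MobileDevice) -> str:
        """Step 2: a pending order is sent when the device next connects. With Direct
        Push the device is already connected, so this would run immediately."""
        if device.device_id in self.pending_wipes and device.device_id not in self.wiped:
            command = "RemoteWipe" if not device.acked_wipe else "Ping"
        else:
            command = "Ping"
        reply = device.receive(command)
        if reply == "wiped":
            self.wiped.add(device.device_id)
            self.transaction_log.append(f"{device.device_id} reported wipe complete")
        return reply

    def status(self, device_id: str) -> str:
        """What the Mobile Administration Web tool would show for this device."""
        if device_id in self.wiped:
            return "wiped"
        return "pending" if device_id in self.pending_wipes else "none"
```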

Use Certificate-Based Authentication

With MSFP, the user can access the Exchange server using Public Key Infrastructure (PKI) software certificates instead of corporate login credentials.

Note   Typically, certificate-based authentication is used to support stringent security requirements in very large companies. Microsoft created the Exchange ActiveSync Certificate-based Authentication tool to help enterprise companies properly set up this environment. The Exchange ActiveSync Certificate-based Authentication tool can be downloaded from this Microsoft Web site.

If certificate-based authentication is used in conjunction with other MSFP features, such as local device wipe and the enforced use of a power-on password, the mobile device acts as a smartcard. The private key and certificate for client authentication are stored in memory on the device. However, certificates limit what a user can do on a corporate network. If an unauthorized user attempts a brute-force attack against the power-on password for the device, all user data is purged, including the certificate and private key.

With certificate-based authentication, a user receives an alert 14 days before certificate expiration. If the certificate expires, the user must cradle the device to obtain access.

The certificate-based authentication feature requires a Certificate Authority (CA) deployment. The recommended configuration for the CA deployment is Windows Protocol Transition.

Requirements for Certificate-Based Authentication

  • Direct synchronization with the Exchange server. PC synchronization is needed only for certificate-based authentication, which requires a one-time connection to ActiveSync for certificate deployment and a periodic connection at certificate renewal time.
  • Network configuration requirements include implementing Kerberos constrained delegation and protocol transitioning, using Server Publishing, and configuring the mobile devices with XML through desktop ActiveSync 4.1.

Protect E-Mail with S/MIME Encrypted Messaging

The MSFP provides native support for digitally signed, encrypted messaging. When encryption with Secure/Multipurpose Internet Mail Extensions (S/MIME) is deployed, users can view and send S/MIME-encrypted messages from their mobile device.

To encrypt or sign a message, the user presses the Menu button while composing an e-mail message, and then selects Message Options. A dialog box allows the user to encrypt or sign the message, or both.

The S/MIME control:

  • Is a standard for security-enhanced e-mail messages that use a Public Key Infrastructure (PKI) to share keys
  • Offers sender authentication by using digital signatures
  • Supports message encryption to protect privacy
  • Works well with any standards-compliant e-mail client

All data transmitted between the Exchange Server and a Windows Mobile-based device is sent using an encrypted HTTPS connection to help prevent interception by a third party. This enhances message security during transport.

Optionally, MSFP supports client certificate-based authentication to corporate messaging systems, managed through Internet Information Services version 6.0, in addition to native support for S/MIME (Secure/Multipurpose Internet Mail Extensions).

For guidance on how to implement the S/MIME control with Microsoft® Exchange Server 2003 SP2, see the Exchange Server Message Security Guide at this Microsoft Web site.

See Also

Messaging and Security Feature Pack Overview | Administering the Messaging and Security Feature Pack


© 2006 Microsoft Corporation. All rights reserved.