Chris De Herrera's Windows CE Website

By Chris De Herrera. Copyright 1998-2007. All Rights Reserved.
A member of the Talksites Family of Websites.

Windows and Windows CE are trademarks of Microsoft Corporation and are used under license from owner. CEWindows.NET is not associated with Microsoft Corporation.

All Trademarks are owned by their respective companies.

Inside Research on Windows Mobile 2003 Network Security
By Chris De Herrera, Copyright 2003

Version 1.00, Revised 12/3/2003


This article will appear in the March 2004 issue of Pocket PC Magazine.

This article was discussed with Microsoft due to the security concerns expressed herein.

Bug summary

1. Windows Mobile 2003 users who try to access network shares set up with Everyone access are prompted for a username.

2. On their desktop PCs, Windows Mobile 2003 users need to unselect the default “Use simple file sharing” (which defaults to providing access to Everyone) that Microsoft recommends with Windows XP Professional and select “Authenticated Users” to ensure that their shared folders are secure.

3. Windows Mobile 2003 customers cannot change or delete a stored username or password to access network shares or Internet sites that require a username and password without performing a hard reset.

4. When Windows Mobile 2003 customers access Internet sites that require a username or password, the stored network user name is entered as the default name.

Based on my observations, I believe that the Pocket PC 2000 and Pocket PC 2002 also have the same issues described above. Given the variety of different configurations possible, I highly recommend that users test their specific configurations to ensure they are secure.

Report any additional security bugs at https://s.microsoft.com/technet/security/contact.asp.

About 3 months ago, I started researching an article for our last issue entitled “Is Windows Mobile 2003 More Secure?” (Pocket PC magazine, Dec/Jan 2004, p. 34). During the research, I was reminded of a quote:

“Facts are stubborn things; and whatever may be our wishes, our inclination, or the dictates of our passions, they cannot alter the state of facts and evidence.” (John Adams, 1770)

It is in this light that I am presenting the issues herein, followed by some suggested solutions to them. It is my hope that people will take precautions to protect the integrity of their shared documents.

Testing network access

I began by setting up the following scenario: A Windows Mobile 2003 device was to access a shared folder on my Acer Tablet PC. The folder I chose to share was C:\Documents and Settings\All Users\Shared Documents with the share name Shared Documents. I used the default Simple Sharing since Microsoft recommended it.

Attempting to access the shared documents

The first time I attempted to access the Shared Documents folder, Windows Mobile 2003 prompted me to enter a username and password. So I went into Control Panel > Administrative Tools > Computer Management on my Tablet PC and set up an additional user named “Remote” with a password of “Remote.” I then attempted again to access the Shared Documents folder, and the Windows Mobile 2003 device prompted me to enter the username and password for Remote, and I clicked the checkbox to store them. The Windows Mobile 2003 device was then allowed access to the share.

Access survives reboots

When I was done accessing the share, I rebooted the Tablet PC, and then I tried to access the share with the Windows Mobile 2003 device, and was granted access! I then tried a soft reset of the Windows Mobile 2003 device and was still granted access! At this point I was really scratching my head. I couldn’t figure out why Windows Mobile 2003 still had access to the network share even after a reboot of the Tablet PC and a soft reset of the Windows Mobile 2003 device. I also tried renaming the user and changing its password on the Tablet PC, but Windows Mobile 2003 still could access the network share. So then I contacted Microsoft at Secure@microsoft.com, their official e-mail address for reporting security issues, to alert them to this security problem.

Identifying the problem

During my discussions with Microsoft, I was asked to uncheck “Use simple file sharing” in a file folder in the Tablet PC by clicking on the Windows Explorer menu item Tools > Folder Options > View. “Use simple file sharing” is at the bottom of the list. When I did so, I noticed that the default sharing for the folder was Everyone. “Everyone,” in Microsoft security-speak, really means that anyone can access the network share without entering a username or password. At this point I concluded that there is a bug in the username/password program for Windows Mobile 2003, which causes it to prompt the user to enter a user name and password even when there is no requirement to do so. I confirmed this hypothesis by using Windows Mobile 2003 to access a shared folder on a desktop install of Windows XP Professional and the same problem occurred.

Focusing on the problem in detail

Once I realized that Microsoft’s recommended security setting for Windows XP was allowing Everyone to access network shares by default, I tried changing the security on the Tablet PC to Authenticated Users. The Windows Mobile 2003 device was still allowed access to the network share as long as the stored username and password were the same as those on the Tablet PC. At this point I tried disabling the user on the Tablet PC. Not only was I then unable to access the network share with the Windows Mobile 2003 device, I was not prompted to enter a new username and password.  So now I no longer had any access to any network share on the Tablet PC.

Testing with the Web

The situation was better with Web security. I attempted to access a Web site that had username and password security on the directory. Since I had already stored a username and password when I accessed the Windows network, Windows Mobile 2003 automatically filled in that username! I was able to overtype the username and enter in the appropriate one to access the Web, and to save the password. When the password for the Web directory was changed, Windows Mobile 2003 prompted appropriately for a replacement password.

Resolving the security issues outlined

I suggest that Windows XP Professional users disable “Use simple file sharing” and use the built-in group Authenticated Users. That will force anyone trying to gain access to the network share to enter a username and password. For users of Windows XP Home Edition, I do not know of a solution to ensure that their network shares will be secure. A Microsoft spokesperson has assured me that Microsoft is working with its partners to release an update that will allow Windows Mobile 2003 users to change or delete a stored username or password and to update the default username. I am very pleased to see Microsoft’s swift reaction to this problem and I anticipate that an update will be released soon.
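The check recommended above can be automated. The following is an added example, not part of the original article or any Microsoft tool: it parses a share's security descriptor in SDDL form and reports allow entries for Everyone, Anonymous Logon or Guests, as opposed to Authenticated Users. It assumes the descriptors have already been exported as SDDL strings; the function names and sample descriptors are constructed for illustration, and force_guest stands for the Lsa registry value ForceGuest, which Windows XP sets to 1 while "Use simple file sharing" is enabled.

```python
import re

# SDDL aliases / SID strings for principals that need no distinct account.
OPEN_SIDS = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AN": "Anonymous Logon", "S-1-5-7": "Anonymous Logon",
    "BG": "Guests", "S-1-5-32-546": "Guests",
}
# Matches the DACL only; the match stops before any S: (SACL) section.
DACL_RE = re.compile(r"D:[A-Z_]*((?:\([^()]*\))*)")


def dacl_aces(sddl):
    """Return [(ace_type, rights, sid), ...] from the DACL, or None if absent."""
    m = DACL_RE.search(sddl)
    if m is None:
        return None
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) >= 6:  # type;flags;rights;object;inherit_object;sid
            aces.append((fields[0], fields[2], fields[5]))
    return aces


def audit_share(name, sddl, force_guest=0):
    """Return a list of findings for one share; an empty list means no finding."""
    findings = []
    if force_guest == 1:
        findings.append(f"{name}: ForceGuest=1, network logons are mapped to Guest")
    aces = dacl_aces(sddl)
    if aces is None:
        findings.append(f"{name}: no DACL in descriptor, treat as open")
        return findings
    for ace_type, rights, sid in aces:
        if ace_type == "A" and sid in OPEN_SIDS:  # "A" = access-allowed ACE
            findings.append(f"{name}: allows {OPEN_SIDS[sid]} ({sid}) rights={rights}")
    return findings


# Constructed sample descriptors (not taken from the article's machines).
SAMPLE_SHARES = {
    "Shared Documents": "D:(A;;FA;;;WD)",
    "Projects": "O:BAG:BAD:(A;;0x1200a9;;;AU)(A;;FA;;;BA)",
}

if __name__ == "__main__":
    for share, sddl in SAMPLE_SHARES.items():
        for line in audit_share(share, sddl) or [f"{share}: OK"]:
            print(line)
```

The parser handles plain allow and deny entries only; conditional or object-specific entries would need a fuller SDDL parser.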
