Pocket PC Security
[an error occurred while processing this directive]
So you've purchased a Pocket PC and you want to make sure your data is secure? Or you want to securely access your corporate network? Well this article explains what security features that the Pocket PC 2002 supports.
Right out of the box, the Pocket PC 2002 offers some level of security. Users can set a power on password, use a VPN (Virtual Private Network), access websites that support 128 bit encryption or E-Mail security.
Power on Password
By clicking Start - Settings - Passwords, you can setup either a 4 digit numeric or a stronger alphanumeric password. You can also set the amount of time that the Pocket PC is not used before the password is displayed from 1 minute to 24 hours. There is also an option for 0 minutes which appears to mean only when the unit is turned on. There are a few caveats to using this password mechanism that every user should know. If you mistype the password, you will have to wait a longer and longer time each time you attempt to enter the password in. This is done to discourage a brute force attempt to access your Pocket PC. Also, if you forget your password, there is no workaround to get the data out of your Pocket PC. So if you forget your password, then you can perform a hard reset and resynchronize and install your applications.
VPN - Virtual Private Network
Microsoft included support for connecting your Pocket PC to a VPN. The VPNs that Microsoft had in mind are running on a Windows NT, or Windows 2000 server. The VPN client does not provide support for other servers or routers that offer VPN connectivity. Movian VPN from Certicom ( www.certicom.com ) supports some additional servers and routers. The VPN solution supports automatic connections to internal resources whenever the user is connected to the internet and they attempt to access an internal network resource. This is implemented by looking at the host name. If the host name has a period in it, then the request is sent to the internet otherwise it is sent over the vpn to the internal network. The down side to this implementation is that users will not be able to access the internet through the vpn or access any other server that has a period in the host name. The vpn implementation supports 128 bit encryption and NT challenge for password authentication.
Pocket Internet Explorer supports accessing websites with 128 bit encryption using PCT and SSL protocols. While this sounds like it should work great to access these resources, most web sites check the version of the web browser to see if the web browser version is 4.0 or later. Since Pocket Internet Explorer on the Pocket PC reports that it is Internet Explorer 3.02, this causes most secure websites to not allow users to access them. Well there is a workaround in RegKing 2002 ( www.doctorce.com/regking.htm ), which allows users to change the web browser version to Internet Explorer 5.0 on Windows NT. While this fix is not ideal, it does allow users to access these resources in most cases.
The Pocket PC implements the ability to authenticate the user before allowing the user to send e-mail. The authentication method supported is called Secure Password Authentication (SPA) which MSN and Exchange support. This feature allows remote users to send e-mail through a server without opening that e-mail server up to spammer abuse.
The most secure desktop PC solutions include additional encryption support for connecting via dialup and e-mail, the ability to store passwords in documents, and memory encryption. So if corporations are requiring more advanced security (like the 128 bit high encryption pack) in their environments, the Pocket PC may only have limited access to network resources.
The Pocket PC does not support the ability to encrypt all data sent over a dialup connection. Currently the 128bit high encryption pack provides the ability to encrypt all data sent over a dialup connection for PCs. There is no equivalent for the Pocket PC..
The Pocket PC does not support SSL based encrypted connections for POP3/IMAP4/SMTP to e-mail servers. Some corporations are using SSL in this way to prevent unauthorized access to the information sent to or received from their mail server. Also, the Pocket PC does not support S-MIME, the certificate based MIME encryption protocol that some e-mail systems are now using to ensure the privacy of the information being sent.
The Pocket PC does not support the ability to encrypt individual files. Also, it does not support the standard Word and Excel password protected files to sync. Your best alternative right now is to use an application like PGP (Pretty Good Privacy).
Right now the Pocket PC does not encrypt the data stored in the internal ram known as the object store. Also, the Pocket PC 2002 introduced support for Secure Digital (SD) cards to store data on. Secure Digital cards also support built-in encryption of the files stored on the card. From my discussions with Microsoft, I do not believe that the Pocket PC supports the ability to encrypt or decrypt data stored on SD cards.
Right now the Pocket PC does support WEP with both 40 and 128 bit keys that 802.11b supports. Since WEP keys are very easy to break, they do not represent a good security model. The latest in wireless encryption is called 802.11z. It requires the device to support certificates that are issued by the server and use those to encrypt the data. The Pocket PC does not support the newer 802.11z certificate based encryption standard that some corporations are using for higher security.
Right now the Pocket PC does not support a Certificate Manager like the desktop PC does. So if you have applications that require certificates to be installed, such as e-mail, there is no option to do this. The Pocket PC can use a certificate for a specific website however that certificate is not stored.
So if corporations are requiring more advanced security in their environments, the Pocket PC access will vary from no access to limited access to network resources. I highly recommend that Microsoft keep the Pocket PC's security in lock step with the more advanced security features available on the desktop in order for the Pocket PC to be the best enterprise client.
[an error occurred while processing this directive]