Perimeter Security
4/8/2010
Perimeter security is a set of physical security and programmatic security policies that provide levels of protection against remote malicious activity. Perimeter security is enforced in the following areas:
- Physical Access Control. The security devices and policies that are enforced for physical access control prevent the spread of viruses through portable storage devices and help protect data on the phone and the Subscriber Identity Module (SIM) card.
- .cab Signing. .cab file signing provides a more secure method of packaging and delivering applications in Windows Mobile Standard. By signing the .cab files for downloads, Windows Mobile Standard can verify the source and integrity of the file.
- Device Management. The security policies that are enforced for device management help to protect the device from threats that may originate from over-the-air (OTA) downloads or push messages.
- Microsoft® ActiveSync®. The RAPI policy that is enforced for ActiveSync operations helps to protect against application-level threats.
Removable Storage Card Security
Removable storage card security provides enhanced protection from viruses and malicious applications or code that can be spread through portable storage units, such as disks and MultiMedia Cards (MMCs). For example, if this policy is turned on and an MMC is inserted into the device, files can be copied from the MMC to the device. However, executable files that exist on the MMC, and files that may contain viruses, will not run on the device. The AutoRun security policy enforces this protection. For more information, see Security Policy Settings.
The AutoRun security policy setting determines whether applications stored on an MMC are allowed to run automatically when inserted into the device.
Note
Using files on an MMC is not a valid method for provisioning Windows Mobile Professional or Windows Mobile Classic.
Device Lock
In case of device theft, Windows Mobile provides enhanced protection for data by locking the device and requiring user authentication through a password. Locking the device helps prevent disclosure of sensitive information, such as user credentials, and helps prevent malicious system modifications that require physical access to the device, such as uploading a virus, modifying system binaries, or tampering with user data.
The device lock activates an ActiveSync lock. The ActiveSync lock enforces an exponential delay after every failed unlock attempt following the first three attempts. The device lock also helps prevent an automated brute-force attack on the ActiveSync lock.
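The following sketch is an added example, not Windows Mobile or ActiveSync code. It models a lock that allows three failed attempts and then enforces an exponentially growing delay, and it totals the waiting time that delay imposes on someone working through a 4-digit keyspace. The one-second base delay, the doubling factor, the one-hour ceiling, and all names are assumptions; only the three-attempt threshold comes from the text above.

```python
import hmac
from dataclasses import dataclass

FREE_ATTEMPTS = 3    # from the page: no delay for the first three failed attempts
BASE_DELAY_S = 1     # assumption: first enforced delay, in seconds
MAX_DELAY_S = 3600   # assumption: ceiling on a single delay


def delay_after_failure(failures: int) -> int:
    """Seconds the lock stays closed after the Nth consecutive failure."""
    if failures <= FREE_ATTEMPTS:
        return 0
    doublings = min(failures - FREE_ATTEMPTS - 1, 32)  # bound the shift
    return min(BASE_DELAY_S << doublings, MAX_DELAY_S)


@dataclass
class UnlockThrottle:
    """Hypothetical lock state; the caller supplies the clock value `now`."""
    secret: str
    failures: int = 0
    locked_until: float = 0.0

    def try_unlock(self, guess: str, now: float) -> str:
        if now < self.locked_until:
            return "throttled"  # rejected unread, so guessing faster gains nothing
        if hmac.compare_digest(guess.encode(), self.secret.encode()):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        self.locked_until = now + delay_after_failure(self.failures)
        return "denied"


def seconds_to_exhaust(keyspace: int) -> int:
    """Total enforced waiting when the correct value is the last one tried."""
    return sum(delay_after_failure(n) for n in range(1, keyspace))


if __name__ == "__main__":
    lock = UnlockThrottle(secret="4821")  # constructed sample PIN
    for t, guess in [(0, "0000"), (0, "0001"), (0, "0002"), (0, "0003"),
                     (0.5, "4821"), (1.0, "4821")]:
        print(t, guess, lock.try_unlock(guess, t))
    days = seconds_to_exhaust(10_000) / 86_400
    print(f"4-digit keyspace, worst case: {days:.0f} days of enforced delay")
```

Under these assumed values the ceiling dominates the total: almost every attempt after the fifteenth failure costs the full hour.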
SIM Lock
The SIM lock programmatically locks the SIM card after more than three failed unlock attempts. To prevent Denial of Service attacks or brute-force attacks against the SIM lock, normal applications are prevented from accessing the SIM APIs. In addition, rogue applications cannot destroy the SIM by exceeding the maximum number of failed logon attempts.