8/14/2019 Windows Phone 8 Security Overview
Windows Phone 8 Security Guide
This white paper is part of a series of technical papers designed for IT professionals.
This whitepaper reviews how security is implemented on Windows Phone in apps and
with data and also reviews how Mobile Device Management (MDM) and Exchange
ActiveSync can be used to implement a managed and security-enhanced environment for
Windows Phone.
September 2013
Legal Disclaimer
© 2013 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and
views expressed in this document, including URL and other Internet Web site references, may change
without notice. You bear the risk of using it.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
Published: September 2013
Table of Contents
Windows Phone 8 Security Guide .. 1
  Windows Phone Overview .. 2
  Platform Integrity .. 3
  App Platform Security .. 6
    Chambers and Capabilities .. 6
    The Browser .. 7
    Windows Phone Store .. 7
    Enterprise Line-of-Business (LOB) Apps .. 8
    Windows Phone Updates .. 8
  Data Protection .. 9
    Device Access and Security Policies .. 9
    Device Encryption .. 10
    Removable Storage .. 10
    Information Rights Management .. 10
    Certificates .. 11
  Mobile Device Management .. 13
    Supported Exchange ActiveSync Features by Exchange Server Version .. 14
  Exchange ActiveSync Security .. 16
    Supported Exchange ActiveSync Policy Settings .. 16
    Direct Push and Firewall Settings .. 19
    SSL for Exchange Server Encryption and Authentication .. 21
Windows Phone Overview
As organizations of all sizes expand their support for an
increasingly mobile workforce, privacy and security are essential.
Windows Phone is designed with security in mind for both users
and organizations. The result is a feature-rich and flexible
smartphone that uses a holistic approach to security design.
Smartphones help organizations to be productive and competitive,
but these technologies also require increased security vigilance.
The pervasive threat of malicious software, or malware, and the
need to prevent data leakage are two of the reasons why a
thoughtful, comprehensive security design is essential.
Organizations want smartphones that protect data when it is
stored and when it is communicated. Windows Phone 8 uses a
defense-in-depth, multi-layered approach that addresses
organizational security requirements in numerous ways. Because
Windows Phone 8 uses the same NT Kernel as Windows 8 and
Windows Server 2012, it shares the same driver model, developer
platform, security and networking stack, and graphics and media
platform with the desktop operating systems. The result is a
smartphone that has security features that are unique in today's marketplace.
Platform integrity
Trusted Boot and code signing help to ensure the platform
integrity of Windows Phone 8. These features help to safeguard
the Windows Phone 8 boot process and operating system from
malware attacks, especially rootkits, by allowing only validated
software components to execute. These features help to deliver a
security-enhanced platform for application developers and
corporate customers alike, and help to assure consumers that
steps have been taken to help safeguard the information that they
care about.
Trusted Boot validates firmware images on Windows Phone
devices before they are allowed to load the operating system.
Trusted Boot is built on a root of trust, which is fused into the
device during manufacturing and ensures that all binaries, starting
with the very first boot loader loaded from system storage, must
be signed by a trusted authority.
Windows Phone architecture uses a System-on-a-Chip (SoC)
design provided by SoC vendors. The SoC vendor and device
manufacturers provide the pre-UEFI boot loaders and the UEFI
environment. The UEFI environment implements the UEFI secure
boot standard that is described in section 27 of the UEFI
Specification (http://www.uefi.org/specs). This standard describes a
process by which all UEFI drivers and applications are validated
against keys provisioned into a UEFI runtime variable before they
are executed.
The UEFI and Windows document (http://msdn.microsoft.com/en-us/windows/hardware/gg463149.aspx) on MSDN describes the
advantages of using UEFI and how UEFI is supported by desktop
versions of the Windows operating system. Although the
document focuses on UEFI and Windows, most of the information
in the document also applies to Windows Phone.
Microsoft provides the Windows Phone boot manager in the UEFI
environment. After the pre-UEFI and UEFI components complete
their boot processes, the Windows Phone boot manager takes
over to complete the Windows Phone 8 boot process so that the
user can start using the smartphone. All code in the Windows
Phone operating system is signed by Microsoft, including OEM
drivers and applications. Also, applications that are added after
manufacturing, or installed from the Windows Phone Store or a
private enterprise store, must be properly signed to execute.
Figure: Layered security platform diagram
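As an added illustration (not code from this paper or from Microsoft), the following Python model walks a boot chain in the order described above, anchors the first stage to a digest that stands in for the fused root of trust, and refuses to run anything after the first stage that fails validation. It substitutes hash anchoring for the signature checks that real Trusted Boot performs, and the stage names and images are constructed.

```python
"""Model of the Windows Phone 8 Trusted Boot chain (constructed illustration,
not Microsoft code). Real Trusted Boot verifies a signature from a trusted
authority on every stage; this model substitutes hash anchoring (each stage
carries the digest it expects of its successor) so that it runs with the
standard library alone. The digest of the first loader plays the role of the
root of trust fused into the device during manufacturing."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes                     # the stage image itself
    next_expected: Optional[bytes]  # digest this stage demands of its successor

    def digest(self) -> bytes:
        # A stage is identified by everything it contains, including the
        # expectation it carries forward. Rewriting "what may run next"
        # therefore changes this stage's own digest and is caught one link up.
        h = hashlib.sha256()
        h.update(self.name.encode())
        h.update(self.code)
        h.update(self.next_expected or b"")
        return h.digest()


def build_chain(images: List[Tuple[str, bytes]]) -> List[Stage]:
    """Link stages back to front so that each embeds its successor's digest."""
    chain: List[Stage] = []
    expected: Optional[bytes] = None
    for name, code in reversed(images):
        stage = Stage(name, code, expected)
        chain.insert(0, stage)
        expected = stage.digest()
    return chain


def verify_boot(chain: List[Stage], fused_root: bytes):
    """Walk the chain in boot order, validating each stage before it may run.

    Returns (ok, names_allowed_to_run, name_of_failing_stage_or_None).
    """
    expected = fused_root
    allowed: List[str] = []
    for stage in chain:
        if stage.digest() != expected:
            return False, allowed, stage.name  # stop: nothing later may execute
        allowed.append(stage.name)
        expected = stage.next_expected
    return True, allowed, None


# Constructed sample images, in the boot order the paper describes.
BOOT_IMAGES = [
    ("pre-UEFI boot loader", b"soc vendor loader v1"),
    ("UEFI environment", b"oem uefi firmware v1"),
    ("Windows Phone boot manager", b"bootmgr"),
    ("Windows Phone 8 OS", b"nt kernel and drivers"),
]
GOOD_CHAIN = build_chain(BOOT_IMAGES)
FUSED_ROOT = GOOD_CHAIN[0].digest()  # what manufacturing would burn into fuses


def replace_stage(chain: List[Stage], index: int, new_code: bytes,
                  relink: bool = False) -> List[Stage]:
    """Return a copy of the chain with one stage's code swapped.

    relink=True also rewrites the previous stage's expectation to match, which
    shows that the mismatch only moves one link closer to the fused root.
    """
    stages = list(chain)
    stages[index] = Stage(stages[index].name, new_code, stages[index].next_expected)
    if relink and index > 0:
        prev = stages[index - 1]
        stages[index - 1] = Stage(prev.name, prev.code, stages[index].digest())
    return stages


if __name__ == "__main__":
    print(verify_boot(GOOD_CHAIN, FUSED_ROOT))
    print(verify_boot(replace_stage(GOOD_CHAIN, 2, b"modified bootmgr"), FUSED_ROOT))
    print(verify_boot(replace_stage(GOOD_CHAIN, 2, b"modified bootmgr", relink=True),
                      FUSED_ROOT))
```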
Windows Phone 8 is designed to help mitigate threats or risks with
the following platform security features:
Threat or risk: Access to data because of device theft or loss
Windows Phone security features:
- Strong device password protection
- Device lock requires a password or PIN to access the device when it is turned on
- Local device wipe occurs after a specified number of incorrect login attempts
- Remote device wipe erases data and helps to prevent unauthorized use
- Exponential back-off if incorrect passwords are entered
- Password policy enforcement, such as a required password for sync

Threat or risk: Access to data during transmission
Windows Phone security features:
- Secure Sockets Layer (SSL) encryption of all data transmitted between the device and the corporate mail server
- Advanced Encryption Standard for SSL channel encryption in 128-bit cipher strength
- Encrypted data passes through a single SSL port on the firewall
- Supports Information Rights Management protection of e-mail

Threat or risk: Unauthorized penetration of phone
Windows Phone security features:
- Security policies such as password enforcement, password complexity, and device encryption help to control over-the-air access to the device
- Bluetooth discovery mode is turned on only in Bluetooth settings
- NFC can be turned off to help guard device integrity

Threat or risk: Malicious software or viruses on mobile devices
Windows Phone security features:
- Office for Windows Phone does not support macros, so viruses cannot leverage them to do damage
App platform security
Microsoft takes a multi-pronged approach to help safeguard
Windows Phone 8 devices against malware. One aspect of this
approach is the Trusted Boot process that is described in the
previous section that helps to prevent rootkit installation. Other
methods include items such as a least privileged chamber model,
app signing, and security-enhanced browsing.
Chambers and capabilities
The Windows Phone 8 security model is based on the principle of
least privilege and uses isolation to achieve it. Every app on Windows Phone (including Microsoft apps and non-Microsoft
apps) runs in its own isolated chamber.
A chamber is a configured secured isolation boundary within which
a process can run. Each chamber is defined and implemented
using a security policy. The security policy of a specific chamber
defines the operating system capabilities that can be called by the
processes in that chamber.
A capability is a Windows Phone resource that has user privacy,
security, cost, or business impact. Examples of capabilities include geographical location information, camera, microphone,
networking, and sensors.
A basic set of permissions is granted to all app chambers by
default, including access to isolated storage. However, the set of
permissions for a chamber can be expanded by using capabilities
that are granted during app installation. App permissions cannot
be elevated at run time.
The chamber concept is advantageous for the following reasons:
- Attack surface reduction. Each app receives only the capabilities that it needs to perform all its use cases.
- User consent and control. Application developers are required to disclose app capabilities to the user on the app details page in the Windows Phone Store, and provide an explicit prompt upon app installation for certain capabilities, such as geographic location.
- Isolation. No communication channels exist between apps on the phone. Apps are isolated from each other and cannot access memory used or data stored by other applications, including the keyboard cache.
The browser
Windows Phone 8 includes Internet Explorer 10 for Windows
Phone. Internet Explorer helps to protect the user as it runs in an
isolated chamber and prevents web apps from accessing other
app resources. In addition, Internet Explorer does not support a
plug-in model, so malicious plug-ins cannot be installed.
SmartScreen technology is also available in Internet Explorer for
Windows Phone. This technology warns users of websites that are
known to be malicious.
Windows Phone Store
To help protect users, Microsoft uses a carefully architected store
submission and approval process to help prevent malware from
reaching its marketplace. All Windows Phone apps that are
submitted to the store must be certified before they can be made
available to users for downloading and installation. The
certification process checks Windows Phone apps for
inappropriate content, store policies, and security issues. This
process plays an important role in helping to safeguard Windows
Phones against malware. In addition, Microsoft scans all apps for
known viruses before publication. Although most malware exists
on the Internet, apps that are developed in unmanaged
environments with minimal security precautions could be
unwitting transmitters of malware. Apps must also be signed
during the certification process before they can be installed and
run on Windows Phones.
Screenshot: SmartScreen technology blocking a malicious website
Enterprise line-of-business (LOB) apps
With Windows Phone 8, enterprise customers can register with Microsoft to obtain the tools to privately sign and distribute
custom LOB apps directly to their employees. Enterprise customers
are no longer required to submit business apps to the Windows
Phone Store before deploying them. After registration,
organizations can privately develop, package, sign, and distribute
apps to employees using a validated process.
To provide a way for employees and other users to install
company apps, an enterprise can develop a Company Hub app. A
Company Hub is an app that acts as a portal to company-specific experiences on the phone. At a minimum, a Company Hub enables
users to discover, install, and optionally run LOB apps created by
the enterprise. Company Hubs can also provide other company-
specific experiences or features, such as displaying current
company news, upcoming company events, and alerts from the IT
department.
For more information about LOB app distribution and Company
Hubs for Windows Phone, see the Company app distribution for Windows Phone topic (http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj206943(v=vs.105).aspx) on
MSDN.
Windows Phone updates
Windows Phone updates are delivered to customers using the
Windows Phone update service. Microsoft manages and
distributes feature updates and improvements that are developed
by hardware manufacturers, mobile operators, and the Windows
Phone engineering team.
Also, Windows Phone was designed using the industry-leading
Microsoft Security Development Lifecycle (SDL). SDL is a software
development security assurance process used by all Microsoft
engineering teams that includes extensive threat modeling,
penetration testing, and security development practices, all of which
help to prevent unauthorized access to phone resources.
Screenshot: Example of a custom developed Company Hub
Data protection
The Windows Phone security design addresses the need for data
protection. To accomplish this, every Windows Phone supports the
same set of management and security controls, regardless of
hardware manufacturer, enabling organizations to manage all
Windows Phones in a consistent, predictable way that helps to
mitigate risk.
Device access and security policies
As a first line of defense, a user can set a PIN or password via the
settings panel to lock their phone.
IT departments can use Exchange ActiveSync policies to require
users to set PINs or passwords, and also to configure additional
password policies to manage password length, complexity, and
other parameters. Exchange ActiveSync policies can also be used
to configure additional security functionality.
Exchange ActiveSync is a time-tested and robust communications
protocol that provides Windows Phone users with world-class
mailbox synchronization functionality as well as policy control.
Windows Phone 8 is compatible with version 14.1 of the Exchange
ActiveSync protocol and supports the synchronization of email,
calendar, task, and contact information with Exchange Server 2003
SP2 and all subsequent releases as well as with Microsoft Office
365.
If a Windows Phone is lost or stolen, IT administrators can initiate a
remote wipe of the device by using the Exchange Server
Management Console, and users can initiate a remote wipe of the
device by using Outlook Web App. After registering their phone at
http://www.windowsphone.com, users can map the location of
their phone, make it ring, and wipe its data if necessary.
Device encryption
Windows Phone 8 uses BitLocker technology to support the
encryption of all internal data storage on the phone with AES 128.
Encryption is enabled by either Exchange ActiveSync policy
RequireDeviceEncryption or device management policy. After
BitLocker is enabled, the phone automatically begins encrypting
the internal storage. The encryption key is protected by the Trusted
Platform Module (TPM), which is bound to UEFI Trusted Boot to
ensure that the encryption key will only be released to trusted
boot components.
With both PIN-lock and BitLocker enabled, the combination of
data encryption and device lock would make it extremely difficult
for an attacker to recover sensitive information from a device.
Removable storage
Windows Phone 8 supports removable storage using micro SD
cards, so users can easily extend the memory available for storage
on their phones to store pictures, movies, or music when needed.
The Windows Phone operating system allows users to store only
media files on SD cards.
Although the Windows Phone 8 operating system and user data
partitions are encrypted, files that are stored on SD cards that are
inserted in the phone are not encrypted.
IT professionals can prevent the use of external storage cards on
Windows Phones by configuring an Exchange ActiveSync policy
setting.
Information Rights Management
Windows Phone is currently the only smartphone that offers native
support for IRM, enabling users to fully participate in IRM-
protected email conversations and to access IRM-protected
documents on their phones. Support for IRM in Windows Phone is
based on Windows Rights Management Services. When IRM is
employed, the data in rights-protected documents or email
messages is encrypted, so that it can only be viewed by authorized
users. IRM can also be used to limit other rights to a document or
message, such as by limiting access to read-only, by preventing
content in the document or message from being copied, or by
preventing the document or message from being printed.
IRM relies on Windows Rights Management Services (Windows
RMS), a Windows Server-based technology that IT administrators
can configure to create the issuance license and perform the
encryption of rights-protected documents. In addition, Windows
RMS can be applied to email so that messages can circulate in a
protected environment, but not be forwarded outside the
organization. Windows RMS can also be applied to documents
that are attached to email or stored on Microsoft SharePoint
servers, limiting distribution and editing capabilities and helping to
prevent information from being leaked to unauthorized personnel.
IRM can be configured by using the Exchange ActiveSync policy
Allow IRM over EAS.
For more information about Information Rights Management, see
the Information Rights Management topic
(http://technet.microsoft.com/dd638140.aspx) on TechNet.
Certificates
Windows Phone 8 applications are signed with certificates that are
unique to the application and that establish a license for the
application. Only signed applications are allowed to run on
Windows Phone 8.
The only sources of apps for Windows Phone 8 are the Windows
Phone Store (http://windowsphone.com/store) and company sites
that offer line-of-business apps that are signed with enterprise
certificates. A company can sign and distribute its own apps by
following the procedures outlined in the Company app distribution for Windows Phone topic (http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj206943(v=vs.105).aspx) on
MSDN to acquire an enterprise certificate from Symantec.
Applications and games can be made available in the Windows
Phone Store through the Windows Phone Dev Center
(http://dev.windowsphone.com). All submissions are reviewed for
compliance with app policies. Approved applications and games
are signed with VeriSign certificates.
Certificates in Windows Phone 8 are primarily used to:
- Create a secure channel using Secure Sockets Layer (SSL) between a phone and a web server or service.
- Authenticate a user to a reverse proxy server that is used to enable Microsoft Exchange ActiveSync (EAS) for email.
- Install and license applications (from the Windows Phone Store or a custom company distribution site).
Certificates can be installed on the phone using either of the
following two methods:
- Installing certificates via Internet Explorer: A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the device.
- Installing certificates via email: The certificate installer supports .cer, .p7b, .pem, and .pfx files. To install certificates via email, make sure that your mail filters do not block .cer files. Certificates that are sent via email appear as message attachments. When a certificate is received, a user can tap on the certificate file to review the contents and install the certificate. Typically, when an identity certificate is installed, the user is prompted for the password (or passphrase) that protects it.
Note: Certificates may also be installed via a Mobile Device Management service provider.
Mobile Device Management
Windows Phone 8 has native mobile device management (MDM)
based on the OMA DM device management protocol, which
organizations can use with Windows Intune or third-party MDM
systems such as AirWatch, Mobile Iron, Zenprise, Symantec, and
others to implement a managed environment for Windows Phone.
MDM provides capabilities that include device enrollment and
management, software distribution, configuration management,
and reporting. If organizations also have Microsoft System Center
Configuration Manager 2012 SP1, the Configuration Management
console can be used to set policies, distribute apps, and view reports.
The use of MDM offers several advantages over solely using EAS
policy:
- One-step device enrollment and policy provisioning
- Line-of-business app deployment and automated deployment of company apps
- Ongoing app deployment and automatic app updates
- Remote or local removal of device enrollment, line-of-business apps, and related app data
- Asset and inventory management
- Management of a custom Company Hub
The use of an MDM solution also facilitates comprehensive
reporting functionality including:
- Server configured policy values
- Query installed enterprise apps
- Device name
- Device ID
- OS platform type
- Firmware version
- OS version
- Device local time
- Processor type
- Device model
- Device manufacturer
- Device processor architecture
- Device language
Supported Exchange ActiveSync features by Exchange Server version
Although Windows Phone 8 supports the latest Exchange
ActiveSync EAS features, previous versions of Exchange Server
might not support all EAS features that are supported by Windows
Phone. The following table shows the Exchange ActiveSync
features that are supported in each version of Exchange Server.
Exchange ActiveSync feature          Exchange Server 2007  Exchange Server 2010  Exchange Server 2013
Direct Push                          Yes                   Yes                   Yes
Email sync                           Yes                   Yes                   Yes
Calendar sync                        Yes                   Yes                   Yes
Contacts sync                        Yes                   Yes                   Yes
Remote wipe                          Yes                   Yes                   Yes
Sync multiple folders                Yes                   Yes                   Yes
128-bit SSL encrypted transmission   Yes                   Yes                   Yes
User-initiated remote wipe           Yes                   Yes                   Yes
Link access                          Yes                   Yes                   Yes
HTML mail                            Yes                   Yes                   Yes
GAL lookup                           Yes                   Yes                   Yes
Follow-up flags                      Yes                   Yes                   Yes
Meeting attendee information         Yes                   Yes                   Yes
Autodiscover                         Yes                   Yes                   Yes
Bandwidth reductions                 Yes                   Yes                   Yes
Reply state                          No                    Yes                   Yes
Nickname cache                       No                    Yes                   Yes
Block/Allow/Quarantine list          No                    Yes                   Yes
Allow attachment download            No                    Yes                   Yes
256-bit SSL encrypted transmission   No                    Yes                   Yes
Exchange ActiveSync Security
Supported Exchange ActiveSync policy settings
Similar to Group Policy settings for PC operating systems,
Exchange ActiveSync (EAS) mailbox policies allow an administrator
to apply a common set of policy and security settings to a group
of users.
EAS security-related configuration policy settings that can be
managed by using the Exchange Management Console include
those shown in the following table:
AllowSimpleDevicePassword
  Specifies whether a simple device password is allowed. A simple password is one consisting only of repeated ("2222") or sequential ("abcd") characters. The default is $true.

AlphanumericDevicePasswordRequired
  Specifies whether the password for the mobile phone must be alphanumeric. The default is $false.

DevicePasswordEnabled
  Specifies whether a password is required. When set to $true, DevicePasswordEnabled requires that the user set a password for the mobile phone. The default is $false.

DevicePasswordExpiration
  Specifies the length of time, in days, that a password can be used. After this length of time, a new password must be created. The format of the setting is dd.hh.mm:ss; for example, 24.00:00 = 24 hours.

DevicePasswordHistory
  Specifies the number of previously used passwords to store. When a user creates a new password, the user can't reuse a stored password that was previously used.

IrmEnabled
  Specifies whether IRM is enabled for the mailbox policy.

MaxDevicePasswordFailedAttempts
  Specifies the number of attempts a user can make to enter the correct password for the mobile phone before a device reset to factory settings is initiated. You can specify any number from 4 through 16. The default is 8.

MaxInactivityTimeDeviceLock
  Specifies the length of time that the mobile phone can be inactive before the password is required to reactivate it. You can specify any interval between 30 seconds and 1 hour. The default is 15 minutes. The format of the setting is hh.mm:ss; for example, 15:00 = 15 minutes.

MinDevicePasswordComplexCharacters
  Specifies the number of character groups that are required to be present in the password. The character groups are defined as:
  - Lowercase alphabetical characters
  - Uppercase alphabetical characters
  - Numbers
  - Non-alphanumeric characters
  For example, if the value of MinDevicePasswordComplexCharacters is 2, a password with both uppercase and lowercase alphabetical characters would be sufficient, as would a password with lowercase alphabetical characters and numbers.

MinDevicePasswordLength
  Specifies the minimum number of characters in the device password. You can specify any number from 1 through 16. The maximum length a password can be is 16 characters. The default is 4.

RequireDeviceEncryption
  Specifies whether encryption is required on the device. Once set, device encryption automatically begins on the internal storage of the phone. The default is $false.

RemoteWipe
  Deletes data on the user data partition and resets the phone to default settings.

AllowNonProvisionableDevices
  Specifies whether all mobile phones can synchronize with the server running Exchange. When set to $true, it enables all mobile phones to synchronize with the Exchange server, regardless of whether the phone can enforce all the specific settings established in the Exchange ActiveSync policy. This also includes mobile phones managed by a separate device management system. When set to $false, this setting blocks mobile phones that aren't provisioned from synchronizing with the Exchange server. The default is $false.
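As an added example (not code from this paper or from Exchange), the following Python model shows how a device would enforce several of the settings in the table above against a candidate password and a sequence of unlock attempts. The setting names and their definitions come from the table; the doubling back-off schedule and the reading of "alphanumeric" as "not a purely numeric PIN" are assumptions, and the sample policy and passwords are constructed.

```python
"""Device-side model of the EAS password settings in the table above
(constructed example, not Microsoft code). It implements the paper's
definitions: a simple password is repeated ("2222") or sequential ("abcd")
characters, complexity counts the four character groups, length is capped at
16, and after MaxDevicePasswordFailedAttempts wrong entries the device wipes
itself, with exponential back-off between attempts."""
import string
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class EasPasswordPolicy:
    # Field names and defaults follow the policy table above.
    DevicePasswordEnabled: bool = False
    AllowSimpleDevicePassword: bool = True
    AlphanumericDevicePasswordRequired: bool = False
    MinDevicePasswordLength: int = 4
    MinDevicePasswordComplexCharacters: int = 1
    MaxDevicePasswordFailedAttempts: int = 8
    DevicePasswordHistory: int = 0


def is_simple(pw: str) -> bool:
    """Repeated ("2222") or sequential ("abcd") characters.

    Assumption: a descending run ("dcba") is treated as sequential as well.
    """
    if len(set(pw)) <= 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def complexity_groups(pw: str) -> int:
    """Count the groups present: lowercase, uppercase, numbers, non-alphanumeric."""
    groups = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    present = sum(1 for g in groups if any(c in g for c in pw))
    if any(c not in string.ascii_letters + string.digits for c in pw):
        present += 1
    return present


def check_password(pw: str, policy: EasPasswordPolicy,
                   history: Sequence[str] = ()) -> List[str]:
    """Return the names of the settings that a candidate password violates."""
    problems: List[str] = []
    if not policy.DevicePasswordEnabled:
        return problems  # no password policy is enforced at all
    if len(pw) < policy.MinDevicePasswordLength or len(pw) > 16:
        problems.append("MinDevicePasswordLength")
    # Assumption: "alphanumeric" is read as "not a purely numeric PIN".
    if policy.AlphanumericDevicePasswordRequired and not any(c.isalpha() for c in pw):
        problems.append("AlphanumericDevicePasswordRequired")
    if not policy.AllowSimpleDevicePassword and is_simple(pw):
        problems.append("AllowSimpleDevicePassword")
    if complexity_groups(pw) < policy.MinDevicePasswordComplexCharacters:
        problems.append("MinDevicePasswordComplexCharacters")
    if policy.DevicePasswordHistory and pw in history[-policy.DevicePasswordHistory:]:
        problems.append("DevicePasswordHistory")
    return problems


class LockScreen:
    """Counts wrong unlock attempts: the back-off grows, then a local wipe occurs."""

    def __init__(self, correct: str, policy: EasPasswordPolicy) -> None:
        self.correct = correct
        self.policy = policy
        self.failures = 0
        self.wiped = False

    def attempt(self, entered: str) -> Tuple[str, int]:
        """Return (state, seconds_to_wait); state is unlocked, locked or wiped."""
        if self.wiped:
            return "wiped", 0
        if entered == self.correct:
            self.failures = 0
            return "unlocked", 0
        self.failures += 1
        if self.failures >= self.policy.MaxDevicePasswordFailedAttempts:
            self.wiped = True  # local device wipe after too many attempts
            return "wiped", 0
        # Exponential back-off; the doubling schedule is a constructed choice.
        return "locked", 2 ** (self.failures - 1)


# Constructed sample policy: a hardened configuration of the settings above.
STRICT = EasPasswordPolicy(
    DevicePasswordEnabled=True, AllowSimpleDevicePassword=False,
    AlphanumericDevicePasswordRequired=True, MinDevicePasswordLength=8,
    MinDevicePasswordComplexCharacters=3, MaxDevicePasswordFailedAttempts=4,
    DevicePasswordHistory=3)

if __name__ == "__main__":
    print(check_password("1234", STRICT))
    print(check_password("Correct-Horse9", STRICT))
```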
Direct Push and Firewall Settings
For Direct Push to work through the network firewall, TCP port 443
must be open. This port is required for Secure Sockets Layer (SSL)
and must be opened between the Internet and the Client Access server.
The network idle connection time-out value indicates how long a
connection is permitted to live without traffic after a TCP
connection is fully established.
The firewall session interval must be set to allow the heartbeat
interval and enterprise session interval to communicate effectively.
If the firewall closes the session, mail would be undelivered until
the client reconnects, and the user could be unsynchronized for an
extended period of time. By setting the firewall session timeout to a value that is equal to or greater than the idle timeout value on
the mobile operator's network, the firewall will not close the
session.
Microsoft recommends setting the firewall's idle connection
timeouts as follows:
- Mobile operators should set the idle connection timeout values on outgoing firewalls to 30 minutes.
- Organizations should set timeout values on their incoming firewalls to 30 minutes.
Web servers, network security appliances, and system network stacks have several time-based thresholds that are intended to
insulate them from insufficiently tested or malicious clients. You
should be able to safely increase the idle connection time-out
value setting without compromising the security of the network.
The following table shows examples of attacks and describes how
other settings can be used to mitigate exposure to them:
Denial of service (DoS) threat: A DoS attack is launched by failing to complete the handshake that is implicit in the creation of a TCP connection. The attacker attempts to create a large number of partially open TCP connections.
Mitigation of exposure: The time within which a TCP handshake must be completed is a separate threshold that is governed by the Windows TCP/IP stack.

Denial of service (DoS) threat: A DoS attack is launched against IIS by opening a large number of TCP connections but never issuing an HTTP request over any of them.
Mitigation of exposure: IIS mitigates this threat by requiring that a client submit a fully formed HTTP request within a certain time before dropping the connection. The name of the connection time-out setting in the IIS management console is misleading; TCP connections are closed when the connection time-out value is exceeded (120 seconds by default).

Denial of service (DoS) threat: An attacker establishes a large number of TCP connections, issues HTTP requests over all of them, but never consumes the responses.
Mitigation of exposure: This threat is mitigated by the same time-out as the previous scenario. The connection time-out setting in IIS defines the time within which a client must issue either its first request after a TCP connection is established or a subsequent request in an HTTP keep-alive scenario.
A short time-out value causes the mobile phone to initiate a new
HTTPS request more frequently. This can shorten the battery life of
the mobile phone.
Higher heartbeat intervals result in longer battery life for the
phone.
SSL for Exchange Server encryption and authentication
To help protect outgoing and incoming data, deploy SSL to
encrypt all Exchange Server traffic. You can configure SSL security
features on an Exchange server to help prevent Internet-based
server spoofing attacks and other types of attacks. The Exchange server, just like any web server, requires a valid server certificate to
establish SSL communications.
By default, when the Client Access Server role is installed,
Exchange ActiveSync is configured to use either Basic
authentication or Certificate-Based authentication (CBA) with
Secure Sockets Layer (SSL).
Exchange ActiveSync runs on a computer with Exchange that has
the Client Access server role installed. This server role is installed
with a default self-signed digital certificate. Although the self-
signed certificate is supported for Exchange ActiveSync, it isn't the
most secure method of authentication. For additional security,
consider deploying a trusted certificate from a third-party
commercial certification authority (CA) or a trusted Windows
public key infrastructure (PKI) certification authority.
You can save a digital certificate to a file and install a digital
certificate on a Windows Phone. A digital certificate might need to
be installed on the Windows Phone device if Exchange ActiveSync
is required to use Secure Sockets Layer (SSL) and your organization uses a certificate that isn't from a trusted commercial
certification authority (CA).
For more information about using SSL for server authentication,
see the Configuring SSL and Exchange ActiveSync topic
(http://technet.microsoft.com/en-us/bb430752(v=exchg.141).aspx)
on TechNet.