Re: PPC Security in the corporate environment




In article <OQK0x2TYFHA.2348@xxxxxxxxxxxxxxxxxxxx>,
Gavin <gavin@xxxxxxxxxxxxxx> wrote:
>
>Microsoft has published an excellent whitepaper on Network Security for the
>Windows Mobile Software Platform. However, although the paper stresses the
>importance of managing security in the mobile environment and the importance
>of tools to accomplish this, Microsoft doesn't provide any tools to allow
>proper security best practices to be enforced.

I'll say this before you get any further... As originally designed, the
Pocket PC was intended to be an extension of the desktop, and not an
independent computing device. Obviously, that's not the way that the
platform is always applied. But for now, hang on to that thought...

>The Windows server environment already has a great network administration
>environment with Active Directory. I want to be able to extend this to my
>mobile devices which will allow me to enforce passwords, policies not
>reliant on users, and be 100% sure that if a mobile device gets into the
>wrong hands - which the USER might end up being - the company is protected.

I worked in a large, cross-national Windows 2000/2003 environment with all
sorts of bells and whistles (read: Active Directory schema extensions and
non-MS clients) attached. You know how they proposed dealing with security
for Windows CE devices? Run Terminal Services everywhere. Instead of
installing native tools on the Pocket PC, you allow them to connect to the
corporate network remotely (and track them by MAC address for auditing
purposes). All the authentication is handled by AD, nothing is stored
locally on the Pocket PC. If anything goes slightly screwy with the
portable device, it's immediately replaced and no labor is wasted on
troubleshooting or repair. If a device is lost, you block the NIC from
connecting, and there's no proprietary data stored on the device.

In that kind of environment, you would do all your administrative work in
a Remote Desktop session connected to some other machine. That way, the
host terminal can be secured both physically and electronically, and the
only data that is really being transferred to and from the portable device
is graphics updates. This also plays cleanly into our 'desktop extension'
model as we're not trying to duplicate functions of the normal Windows
client onto a portable unit that has neither the horsepower nor the
security features of a standard corporate workstation.

<snip>
>Given the importance Microsoft is putting on Security today, I am very
>surprised that Windows Mobile 5.0 doesn't address security as the number one
>priority

That happens when the philosophy that drives your operating system takes a
sharp 270 degree turn unexpectedly. It used to be that Windows CE was
intended as a widely portable, easily embedded OS. It supported many
processor types, application components could be added or omitted as
needed, and it was efficient and unobtrusive. Windows CE could be found on
handheld computers, in video game systems or on your lawn sprinkler control
box. To an engineer or a developer who has to build something from the
ground up, Windows CE had a lot of appealing qualities.

Then the Pocket PC happened and the confusing labels started cropping up.
'Pocket PC' is a UI on top of Windows CE, unless you're talking about
'Pocket PC 2002' which is an integrated shell on top of CE.NET or whatever
it was they called version 4.1. All of a sudden, the majority of devices
run only Intel processors and so 80 percent of the existing Windows CE
library is discarded for no good reason. Now we have this 'Windows Mobile'
label that seems to apply to anything that's smaller than a breadbox.
Given how many times they've reinvented the wheel and given it a new name,
I'm not surprised that security isn't the number one thing on the list of
worries when it comes to Windows CE.

Sorry, that was way off-topic. My point? A portable device is absolutely
the wrong platform for doing the security operations you're looking to
perform. Unless you're willing to build and maintain your own toolset, the
best option now is to isolate those functions to a server-class device and
remotely control it. And that's only if you have an absolute, drop-dead
requirement to be able to move mailboxes or to disable user accounts from
a Pocket PC.

By the way, my story above has a punchline... It's been four years now and
they still haven't implemented a corporate standard for mobile devices.
That nameless company is still bogged down in a debate over which is the
best platform, Palm or Pocket PC. Given their history, they'll probably
settle on Symbian. :)

-KKC, who wonders when they'll nail down the 802.11 standards...
--
--S.S.B. is the code name for America's daring, highly | kendrick @io .com
trained special mission force. Its purpose: to |
defend human freedom against al-Qaeda, a ruthless | Please don't use
terrorist organization determined to rule the world! | eBay. Ask me why.