11/11/2008

The following describes some security best practices for your System Center Mobile Device Manager (MDM) infrastructure.

Require strong enrollment passwords

The enrollment process uses an enrollment password to grant access to managed devices and establish their identity on the company network. An attacker who guesses that password can impersonate a device, join it to the domain, and from there reach company data. A strong enrollment password makes such a guess far more difficult and helps keep the company network more secure.

Note:
To help keep the company environment more secure, we recommend that you require strong passwords even if users can only reach the server from the internal network. For example, require a strong password even when authorized IT personnel perform the enrollment on the user's behalf and then hand the fully enrolled device to the user.

The longer the enrollment validity period, the longer the password should be, because an attacker has correspondingly more time in which to guess it. We recommend a minimum of 10 characters for a 24-hour enrollment period. If the enrollment period is longer than 24 hours, increase the password length so that the effective strength stays the same.

Use the default alphanumeric character set unless there is a compelling business reason to use numeric-only enrollment passwords: digits alone give only 10 possible values per character, so a numeric password of a given length is far easier to guess than an alphanumeric one of the same length.
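The following example is added here and is not part of MDM or its documentation. It turns the rule above into a calculation: starting from the documented baseline of 10 characters for a 24-hour window, it computes the minimum length that keeps the ratio of keyspace to guessing window at least as large for a longer window, compares the alphanumeric and numeric-only character sets, and generates a password of that length from the operating system's CSPRNG. The alphabet sizes are assumptions: alphanumeric is treated as 36 symbols (case-insensitive), which is the conservative choice, since a case-sensitive server only makes the real keyspace larger.

```python
import secrets
import string

# Baseline from the MDM guidance: 10 characters for a 24-hour enrollment window.
BASELINE_LENGTH = 10
BASELINE_HOURS = 24

# Assumed alphabets (not specified by the documentation).
ALPHANUMERIC = string.digits + string.ascii_uppercase  # 36 symbols, case-insensitive assumed
NUMERIC_ONLY = string.digits                            # 10 symbols
BASELINE_ALPHABET = len(ALPHANUMERIC)


def min_length(validity_hours, alphabet_size, baseline_length=BASELINE_LENGTH,
               baseline_hours=BASELINE_HOURS, baseline_alphabet=BASELINE_ALPHABET):
    """Smallest password length whose keyspace, divided by the validity window,
    is at least the baseline's keyspace divided by the baseline window.

    An attacker with a fixed guess rate gets validity_hours / baseline_hours
    times more guesses, so the keyspace must grow by at least that factor.
    Integer arithmetic is used so the boundary cases are exact.
    """
    if validity_hours <= 0 or alphabet_size < 2:
        raise ValueError("validity_hours must be positive and alphabet_size >= 2")
    target = baseline_alphabet ** baseline_length * validity_hours
    length = 1
    while alphabet_size ** length * baseline_hours < target:
        length += 1
    return length


def generate_enrollment_password(validity_hours, alphabet=ALPHANUMERIC):
    """Generate a random enrollment password long enough for validity_hours.

    secrets.choice draws from the OS CSPRNG; random.choice would be
    predictable and must not be used for enrollment secrets.
    """
    length = min_length(validity_hours, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for hours in (24, 7 * 24, 30 * 24, 90 * 24):
        print(f"{hours:5d} h window: alphanumeric >= {min_length(hours, 36)} chars, "
              f"numeric-only >= {min_length(hours, 10)} chars")
    print("sample 7-day alphanumeric password:", generate_enrollment_password(7 * 24))
```

With these assumptions an 11-character alphanumeric password covers windows of up to 36 days, while a numeric-only password already needs 16 digits to match the 24-hour baseline, which is the quantitative reason for keeping the default character set.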

Prevent untrusted or unknown code from executing

To help protect the device against spoofing and privilege elevation, prevent untrusted or unknown code from executing on Windows Mobile 6.1. To do this, restrict application execution by configuring the Application Disable policies, or other security policies, so that only applications signed by trusted authorities can run.

The following shows the Application Disable policies that you can use:

  • Allow specified unsigned applications to run as privileged

  • Allow specified unsigned applications to run as normal

The following shows Security Policies that you can use:

  • Block unsigned .cab file installation

  • Block unsigned theme installation

  • Block unsigned applications from running on a device

  • Turn off user prompts on unsigned files

Allow only trusted users to access IIS settings

The security of MDM depends on the correct configuration of Internet Information Services (IIS). Restrict access to the IIS configuration to trusted administrators, and after you install MDM do not edit the IIS metabase or change IIS settings that are related to MDM.

We strongly recommend that you do not manually adjust IIS settings for MDM unless you are specifically instructed to do so. In particular, do not change the IIS configuration for the following Web sites:

MDM Enrollment Server

  • EnrollmentAdmin

  • Enrollment

MDM Device Management Server

  • MobileDeviceManagerAdmin

  • MobileDeviceManager

MDM Gateway Server

  • Gateway Management Web site

Do not modify Web configuration files

Every MDM Web service has a Web.config file. Do not modify these Web configuration files: changes may degrade MDM performance or cause failures within the system.

Run Setup files from a protected location

Run Setup (.msi) files and the Active Directory configuration files only from a protected local location, never from a network share: anyone who can write to the share could replace the files before you run them with elevated privileges.

Implement firewall rules for MDM Gateway Server and MDM Device Management Server

Communication between the two servers always initiates from MDM Device Management Server to MDM Gateway Server, never in the other direction. Set up your firewall accordingly: allow connections from MDM Device Management Server to MDM Gateway Server, and do not allow connections initiated from MDM Gateway Server to MDM Device Management Server.

Do not block applications that interfere with basic device functionality

Be careful not to block in-ROM applications that are needed for basic device functionality, such as the ability to make a telephone call or an emergency telephone call. For example, do not block cdial.exe or cprog.exe.

Do not block the file extensions used by MDM

MDM servers and services depend on files that have .asmx and .ashx extensions for basic functionality. Do not block the following file extensions (for example, in a URL or request filtering tool) on the respective servers:

  • Enrollment Server – The enrollment service and the enrollment administration service use .asmx files.

  • Device Management Server – The device management service uses .ashx files, while the device management administration service uses .asmx files.

  • Gateway Server – The Alerter agent and VPN agent use .ashx files.
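The following check is an added example and is not part of MDM or its documentation. It assumes that request filtering on the IIS server is done with URLScan, whose urlscan.ini has an [Options] UseAllowExtensions switch, an [AllowExtensions] list and a [DenyExtensions] list (the page itself names no filtering product). Given a server role, it reports which of the extensions listed above would be blocked by a given configuration; the sample urlscan.ini is constructed for the example and shows the common mistake of switching to allow-list mode without listing .ashx.

```python
import configparser

# Extensions each MDM server role needs, taken from the list above.
REQUIRED_EXTENSIONS = {
    "enrollment": {".asmx"},                  # enrollment and enrollment admin services
    "device-management": {".ashx", ".asmx"},  # DM service (.ashx), DM admin service (.asmx)
    "gateway": {".ashx"},                     # Alerter agent and VPN agent
}

# Constructed sample urlscan.ini (assumption: URLScan is the filter in use).
# The administrator enabled allow-list mode but only listed .asmx.
SAMPLE_URLSCAN_INI = """\
[Options]
UseAllowExtensions=1
[AllowExtensions]
.asp
.aspx
.asmx
[DenyExtensions]
.exe
.bat
"""


def parse_urlscan(ini_text):
    """Return (use_allow_list, allowed_extensions, denied_extensions).

    URLScan lists extensions as bare lines with no value, so the parser is
    created with allow_no_value=True. Option names are lower-cased because
    extensions are case-insensitive on Windows.
    """
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string(ini_text)
    use_allow = cp.get("Options", "useallowextensions", fallback="0").strip() == "1"
    allow = set(cp.options("AllowExtensions")) if cp.has_section("AllowExtensions") else set()
    deny = set(cp.options("DenyExtensions")) if cp.has_section("DenyExtensions") else set()
    return use_allow, allow, deny


def is_blocked(ext, use_allow, allow, deny):
    """In allow-list mode anything not listed is blocked; otherwise only the
    deny list is consulted."""
    ext = ext.lower()
    return ext not in allow if use_allow else ext in deny


def blocked_mdm_extensions(ini_text, role):
    """Extensions required by the given MDM role that this configuration blocks."""
    use_allow, allow, deny = parse_urlscan(ini_text)
    return sorted(e for e in REQUIRED_EXTENSIONS[role]
                  if is_blocked(e, use_allow, allow, deny))


if __name__ == "__main__":
    for role in REQUIRED_EXTENSIONS:
        print(f"{role}: blocked = {blocked_mdm_extensions(SAMPLE_URLSCAN_INI, role)}")
```

Run the check against the filter configuration of each MDM server before and after any change to request filtering; an empty list for the server's role means the MDM services remain reachable.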

Set the root certification authority expiration time so that renewal is not needed

Windows Mobile provides no way to renew the root certification authority certificate on a device. Choose a root CA validity period long enough to cover the expected lifetime of the devices and of every certificate that chains to the root.

We recommend that you follow the best practices for PKI as outlined in the PKI documentation.

Write trace log files to a protected area

Trace log files may contain Group Policy object (GPO) information. Write the log files to a protected area on disk, that is, a directory whose access control lists restrict read access to trusted administrators.
