Hardening

Table of Contents

Windows 7.5 Device Overview

WP 7.5 -1

WP 7.5 Firmware -2

WP 7.5 Password

WP 7.5 Password Attempts

WP 7.5 Encryption Settings Overview

WP 7.5 Bluetooth

WP 7.5 Wiping

WP 7.5 Remote Wipe

WP7.5 Backups

Notices

Windows 7.5 Device Overview

WP 7.5 phones provide a weaker default security posture compared to the three other operating systems.

• Passcodes are limited to 4 digit numeric; unless the device is connected to an Exchange server.
• Full disk encryption is not available.
• Removable storage media cannot be encrypted.

**175 Okay, .5 then. Unfortunately Windows Phone or Windows-- yes, Windows Phone 7.5 phones provide a weaker default security posture compared to the other three. It's just the way it is right now.

Passcodes are limited to 4-digit numeric. For personal phones I cannot set a password more than four digits; don't even have the option.

I can't full disk encrypt the device; not even available on a consumer level device. Not supported over an enterprise device either, or enterprise connection connected device either.

And removable storage-- it says removable storage cannot be encrypted. Well it doesn't support removable storage; like who cares if it can't be encrypted?

WP 7.5 Firmware -1

WP 7.5 devices will notify the user when a firmware update is available. Major updates to WP 7.5 require connecting the device to a computer running . Update the device to the latest major firmware:

• Connect the device to the computer
• Start (or Windows 7 for Mac)
  — An update to the software may be required.
• In the Zune software click Update Now
• In the Windows Phone 7 Connector for Mac click Install Updates

**176 Firmware. Windows Phone 7.5 phones, devices, will notify the user when a firmware update is available. Major updates-- so this was when it went from 7.0 to 7.5; that was a major version-- require the device- connecting the device to a computer running the Zune software. So right now everything is handled through the Zune Media Player software.

To update to the latest major version: Connect the device to the computer; start the Zune software, or if you're using a Mac the Windows 7 Phone Connector. If you're running an older version of the Zune software or the Windows 7 Phone Connector, you may have to update that software first. In the Zune software click Update Now. In the Windows Phone 7 Connector click Install Updates. If there's a major update, your device will then load it on the device.

WP 7.5 Firmware -2

Minor updates will be provided over-the-air and the device user will simply follow the prompts.

**177 Minor updates however can be provided over-the-air. So you'll get a prompt on your message basically that looks exactly like this. First you have to agree to the Terms of Service; eventually you'll get to the point where you can actually update . This happens over-the-air. So just follow the prompts for these updates.

WP 7.5 Password

To set WP 7.5 Password Options:

• Swipe left
• Select Settings
• Select Lock &
• Change Password to On
  — Set a 4 digit password
• Change Require a password after
  — Set to each time

**178 Windows Phone 7.5 Passwords. On a Windows-- that can be edited out I'm sure-- on a Windows 7.5 phone, or a Windows Phone, instead of having a Settings menu, you can swipe left and right to get to different options.

So to get to the Password option, you have to swipe left; Select Settings; Select Lock & Wallpaper-- which is what this screen- these screens show; Set the- change the password to On, and then you can set a 4-digit password.

Once you've set the password, I can set a Change Require-- or let me rephrase that. Once the password's set, I have another option that I can set. I can set the length of time, once the device locks, how soon do I have to enter a password?

So the device locks. Do I have to enter a password immediately to unlock it, or five minutes from now, or 20 minutes from now to unlock it? That's what this setting does.

So I can require a password after each time, or immediately, or one of 30 seconds, a minute, three minutes, five minutes.

I recommend each time. If you're using a password to protect the device, set it to each time so that when it's locked a password is required to unlock it.

WP 7.5 Password Attempts

By default WP 7.5 does not provide a menu option to enable data wiping after a number of invalid password attempts. An organization can set a policy on a WP 7.5 device which is being managed by a mobile device management tool or by Exchange.

**179 Password Attempts. By default Windows Phone 7.5 does not provide a menu option to enable data wiping after a number of invalid password attempts.

So for a personal device, there's no setting for wiping after five bad passwords. It won't wipe the data after 20 bad passwords.

Now, just like with Apple, as you're entering invalid passwords, there's a wait period before you can enter the next password.

With an Exchange or with a Windows Phone 7.5 device though that's attached to an Exchange Server, the Exchange policy can set a password attempt number. So if it's attached to an Exchange, I can say: "After the user does five invalid passwords, the data is wiped." But that's only for devices that are attached to an Exchange environment; which are mostly going to be work devices.

Most often it won't be a personal device. I don't know many with an Exchange Server in their house.

WP 7.5 Encryption Settings Overview

WP 7.5 does not contain full disk encryption. If a device is stolen it should be immediately wiped if it contains sensitive information.

**180 Encryption. Doesn't contain full disk encryption. If a device is stolen, your only course of action is to wipe it; do a remote wipe on it, that's your only course of action for them. There's no backend encryption that's going to protect the data on the Physical layer.

WP 7.5 Bluetooth

Turn off Bluetooth when it is not being used:

• Settings
• Bluetooth
• Click Bar

Turn off Wireless when it is not being used:

• Settings
• Wi-Fi
• Click Bar

**181 Bluetooth. Turn it off when not in use. Settings; Bluetooth; and then click on the Bluetooth name. And that will turn it off.

Same with Wireless; turn it off when it's not in use: Settings; Wi-Fi; click on the bar. It'll turn off Wi-Fi.

WP 7.5 Wiping

Before selling/returning/repairing a device all user data should be overwritten on the device. Overwriting the user data ensures that the next owner will not be able to access any sensitive user data that was stored on the device.

• Settings
• About
• Tap reset your phone
• Tap Yes

**182 Wiping. Before selling it, again-- before getting rid of it-- wipe the data on it. To wipe the data for a device you have physical control of, go to Settings; go to About; tap Reset your phone; and then tap Yes. And the wipe process will start.

WP 7.5 Remote Wipe

To remotely wipe a WP 7.5 device:

• Open a browser and go to www.windowsphone.com
• Sign in using ID
  — Created/Used when initially configuring the phone for use
• Click
• Click Find My Phone
• Click Erase

**183 To Remote Wipe. Open a browser and go to www.windowsphone.com. And you have to sign in using your Windows Live ID.

So when you first buy a Windows Phone, just like with an Android phone, you have to provide the phone with your Windows Live ID. With an Android phone it's your Google ID.

The password, or the username and password you set when you first set up your phone is the same username and password you use to access this website.

So again, make it a good password. Otherwise people could wipe your phone or locate you, using your phone.

Click My Phone; and then either click Find My Phone; and then click Erase. And that will remote wipe the device. And it will also, you can see, give you a location for where it thinks that device is located.

I tested it on my brother's phone-- one second-- I tested it on my brother's phone. It actually showed him in his-- it showed his house with a dot over his house; and that's exactly where he was at the time I clicked the button. So it can be fairly accurate. Yes sir?

Student: Does this work if Wi-Fi's disabled on the phone?

Shawn Fleury: As long as cellular is available, no. It does have to have a connection; so either a cellular or Wi-Fi connection in order to do it. One or the other is fine.

WP7.5 Backups

The default WP 7.5 installation does not contain the ability for the user to create local backups. The only time a backup is made is when the device is being upgraded from an older version. The backup is used by the Zune software in the event the upgrade process fails.

**184 Backups. By default you cannot create a local backup. You just don't have the ability to create local backups.

The only time a backup is made is during a major firmware update. So 7.0/7.5, a backup was created in case something went wrong during the update process. However, once it finished successfully, that backup was removed. But as a user you can't be- you can't-- it's not like iPhone or BlackBerry where I can create my own backups if I want to. You just don't have the option.

Notices

Copyright 2013 Carnegie Mellon University

This material has been approved for public release and unlimited distribution except as restricted below. This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide. Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding. NO WARRANTY. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT). CERT® is a registered mark of Carnegie Mellon University. .
