Windows Phone Highlights

Table of Contents

• Microsoft Windows Phone Update (p. 2)
• Windows Phone – Enterprise -1 (p. 3)
• Windows Phone – Enterprise -2 (p. 4)
• Windows Phone – Trusted Hardware (p. 6)
• Windows Phone – App Security (p. 8)
• Windows Phone – AppContainer (p. 10)
• Windows Phone – ASLR & DEP (p. 11)
• Windows Phone – Storage (p. 14)
• Windows Phone – Assigned Access (p. 16)
• Windows Phone – Authentication (p. 18)
• Windows Phone – VPN (p. 19)
• Windows Phone – Remote Assistant (p. 20)
• Notices (p. 21)

Microsoft Windows Phone Update

Mark Williams: Some of the security features in Windows Phone that are of note and are interesting.

Windows Phone – Enterprise -1

Ubiquitous OS
• Consistent look / feel — whether using a phone, desktop, tablet, or other device

Common security features
• Unified Extensible Firmware Interface (UEFI)
• Trusted Platform Module (TPM)
• Data Execution Prevention (DEP)
• Address Space Layout Randomization (ASLR)
• BitLocker Drive Encryption
• AppContainer Sandbox
• Information Rights Management (IRM)

One is the fact that Windows has done a-- Microsoft has gone a long way to try to make a ubiquitous operating system, one that will work on the desktop system, one that will work on the tablet and even on your phone. And so, that operating system is going-- supposed to give us a seamless communication between all the devices and a seamless user interface. Some of the common security features that we're going to discuss that Windows has-- or Microsoft has provided for us in their Windows Phone is the fact that we have this unified, extensible firmware interface. They incorporate a trusted protection or trusted platform module into the system. We'll look at the concept of data execution prevention, as well as address space layout randomization, and a couple of other neat little features and functionality that Microsoft has added to provide this seamless enterprise experience for the phone.

Windows Phone – Enterprise -2

Mobile Device Management – Organizations can easily enroll WP in an MDM system
• Manage and push security policies to devices

Assigned Access – Organizations can create a “white list” of authorized apps

Enterprise Wi-Fi – Support for enterprise-level wireless access
• Extensible Authentication Protocol – Transport Layer Security (EAP-TLS)
• EAP-Tunneled Transport Layer Security (EAP-TTLS)
• Certificate-based authentication

Some other things that they have done to make it much more of an enterprise-friendly environment is they've given us the ability to tie it in with MDM systems and software, mobile device management, so that the enterprise can control the policies and security features and functionality and what programs and applications are able to run on your phone. We'll talk a little bit about this concept of assigned access, where we can specifically say via a whitelist what's going to be allowed on the system. And if it's not on the whitelist, what's going to be prevented. And also from an enterprise standpoint, it allows us to integrate into the enterprise wireless environment by natively supporting various VPN technologies such as-- and authentication such as TLS and extensible authentication protocol.

Windows Phone – Trusted Hardware

UEFI = BIOS + Security
• Creates a “chain of trust” for the boot process
• Firmware digitally signed by device manufacturer
• Required for “trusted boot”

Trusted Platform Module
• Tamper-resistant security processor
• Stores cryptographic keys
• Stores hashes used to verify firmware and critical files
• Stores BitLocker keys

Trusted Boot
• UEFI & TPM work together to ensure integrity of boot process

So, what are some of the more noteworthy security features that we have? One is the unified extensible firmware interface. Basically, this is a secure form of BIOS. The idea here is Microsoft has created this code that has been signed by Microsoft-- signed by the device manufacturer, actually. And when this code boots up, we know it is trusted code. And that's going to eliminate the ability for malware manufacturers to introduce rootkits and other types of malware at the lower levels of the operating system, before the operating system takes place.

And UEFI works with this trusted platform module. And together, they provide what's referred to as trusted boot. And the idea behind trusted boot is if we think about security on any device, much of the security is provided by the operating system. And so, a simple way of bypassing security is to bypass that operating system in its entirety. So, trusted boot simply says you're not going to be able to do that. You have to be an authorized individual to be able to boot this device, which means that when we first turn it on, we have to provide some sort of credentials to authenticate ourselves. Well, those credentials are not going to be just stored in an insecure location. They are stored in the TPM, the trusted platform module. The TPM is basically a secure chip and a secure set of code for storing all of our authentication credentials and our encryption keys.

Windows Phone – App Security

Windows Phone Store security controls combined with application sandboxing (AppContainer)
• Offers limited protection, especially when sideloading
• Organizations should review sideloaded apps to ensure they meet policy

Manage apps through policy
• Disable access to Windows Phone Store
• Disable sideloading
• Allow / block specific apps

Windows Phone also has what's referred to as an AppContainer. The AppContainer, we're trying to establish trust in all the apps that we run on our phones, whether they be apps provided to us from Microsoft, or whether they be apps that we get from a third party. So, the way Windows Phone provides security of our apps, it's kind of a twofold system. First, the Windows Phone Store adds some security measures. So, they will, in the Windows Phone Store, when apps are supplied there, they will verify that they are free of malware. And then also, on the phone itself, when an app is run, it is sandboxed, which is-- to remind you, it is that containment of the app where we see that app cannot have any access to any resources locally on the machine. It can only have access to resources that were downloaded along with the application.

And Microsoft increases the level of application security by allowing us to create various policies. The policies can say here are the apps that we're going to allow access. Here are the apps that we're going to block access to. We can even say you can only get apps from a certain location. So, maybe you have an enterprise app server. And that's the only place we can get apps from. And users will not be allowed to maybe go out to the Windows Phone Store and download apps directly from that. Or they won't be able to sideload. They can only get apps that you have authorized, that you have trusted through your local enterprise environment. So, application security is what we have.

Windows Phone – AppContainer

Least Privilege
AppContainer policy defines specific capabilities to which the app processes have access
• Location
• Camera
• Microphone
• Networking
• Sensors

That AppContainer that I just mentioned, it's following the concept of least privilege. It basically is allowing us to set specific policies for what the different features and functionality of the phone are going to be allowed to do. So, what apps can utilize the camera? What apps can utilize location-based services? What apps can use the various sensors that are on there? So, an enterprise could set a policy that says this app, because it's a map, it needs to have access to the GPS capabilities. This app over here is a calendar. It doesn't really need access to the GPS, so we're going to limit its abilities in that way. So, AppContainer allows us to implement that concept of least privilege.

Windows Phone – ASLR & DEP

Apps are written by humans, therefore apps will
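Worked example for the App Security and AppContainer sections above (the sideloaded-app review and the map-versus-calendar least-privilege policy). This is added illustration, not code from the lecture or from Microsoft: the manifest layout and the `ID_CAP_*` capability names are assumptions modeled loosely on Windows Phone app manifests, and the policy and manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

# The five capabilities the AppContainer slide lists, keyed by the ID_CAP_*
# names Windows Phone manifests use (assumed names; the manifest layout below
# is a simplified, constructed sample, not a real WMAppManifest.xml).
KNOWN_CAPS = {
    "ID_CAP_LOCATION": "Location", "ID_CAP_ISV_CAMERA": "Camera",
    "ID_CAP_MICROPHONE": "Microphone", "ID_CAP_NETWORKING": "Networking",
    "ID_CAP_SENSORS": "Sensors",
}

# Constructed enterprise policy: the least-privilege set each app may hold.
# Apps absent from the policy get nothing (default deny).
POLICY = {
    "Contoso.Maps": {"ID_CAP_LOCATION", "ID_CAP_NETWORKING"},
    "Contoso.Calendar": {"ID_CAP_NETWORKING"},
}

def review_app(manifest_xml, policy=POLICY):
    """Compare the capabilities an app manifest requests with what policy
    allows for that app. Returns a dict suitable for an enrollment report."""
    root = ET.fromstring(manifest_xml)
    title = root.find(".//App").attrib["Title"]
    requested = {c.attrib["Name"] for c in root.iter("Capability")}
    unknown = requested - set(KNOWN_CAPS)            # not on the slide's list: needs review
    denied = (requested & set(KNOWN_CAPS)) - policy.get(title, set())
    return {
        "app": title,
        "allowed": sorted(requested - denied - unknown),
        "denied": sorted(denied),
        "unknown": sorted(unknown),
        "compliant": not denied and not unknown,
    }

# Constructed sample manifests: a map that needs GPS, and a calendar that
# asks for GPS it does not need (the lecture's own example of over-privilege).
MAPS = """<Deployment><App Title="Contoso.Maps"><Capabilities>
  <Capability Name="ID_CAP_LOCATION"/><Capability Name="ID_CAP_NETWORKING"/>
</Capabilities></App></Deployment>"""
CALENDAR = """<Deployment><App Title="Contoso.Calendar"><Capabilities>
  <Capability Name="ID_CAP_NETWORKING"/><Capability Name="ID_CAP_LOCATION"/>
  <Capability Name="ID_CAP_CONTACTS"/>
</Capabilities></App></Deployment>"""

if __name__ == "__main__":
    for manifest in (MAPS, CALENDAR):
        r = review_app(manifest)
        verdict = "OK" if r["compliant"] else "BLOCK"
        print(f"{verdict:5} {r['app']}: denied={r['denied']} unknown={r['unknown']}")
```

An app that is not listed in the policy at all is denied every capability, which is the default-deny posture the slide's "allow / block specific apps" bullet implies.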
