The advanced security features in MSFP can be used to meet more stringent security requirements.
If SSL basic authentication does not meet your security requirements and you have an existing Public Key Infrastructure (PKI) using Microsoft Certificate Server, you may wish to use the certificate-based authentication feature in Exchange ActiveSync. If you use this feature in conjunction with the other features described in this document, such as local device wipe and the enforced use of a power-on password, you can transform the mobile device itself into a smartcard. The private key and certificate for client authentication are stored in memory on the device. However, if an unauthorized user attempts to brute-force the power-on password for the device, all user data is purged, including the certificate and private key.
For more information, see Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.
Microsoft has created a tool for deploying Exchange ActiveSync certificate-based authentication. Download the tool and documentation from the Microsoft Download center Web site.
Support for S/MIME Encrypted Messaging
The Messaging and Security Feature Pack for Windows Mobile 5.0 provides native support for digitally signed, encrypted messaging. When encryption with Secure/Multipurpose Internet Mail Extensions (S/MIME) is deployed, users can view and send S/MIME-encrypted messages from their mobile device.
The S/MIME control:
Is a standard for security-enhanced e-mail messages that uses a Public Key Infrastructure (PKI) to share keys
Offers sender authentication by using digital signatures
Ensures that only the intended recipient can read the message
Encrypts e-mail data at rest on the device to protect privacy
Works well with any standard-compliant e-mail client
For guidance on how to implement the S/MIME control with Microsoft® Exchange Server 2003 SP2, see the Exchange Server Message Security Guide.
Administering the Messaging and Security Feature Pack
Safeguards like password policies and remote wipe capabilities provide you with the security features to help you protect your organization’s data. With the combination of the management capabilities built into Exchange Server 2003 SP2 and the security and configuration protocols included in the Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack, your control over mobile devices has been streamlined. You will see that most of the administration of the security features for the mobile device happens on the Exchange Server or in the Exchange ActiveSync Mobile Administration Web tool.
The following table summarizes the features and the settings required on the Exchange Server or on the mobile device.
Protect configuration with firewall or ISA Server
Extend session timeout on all firewalls and network appliances
No preliminary device setup required. The device automatically switches from SMS to direct push technology when it synchronizes with ActiveSync. The user steps through the ActiveSync wizard when logging on to the Exchange server.
Enabled by default with Exchange Server 2003 SP2
Set parameters by using Exchange System Manager’s Mobile Services Properties