Can I have my Windows Mobile device wipe its memory after failed logons?
on August 28, 2008 at 12:00 am
Did you know you can wipe a lost or stolen Windows Mobile device if you configure it beforehand? As an administrator using Microsoft Exchange Server 2003 (SP2), you now have tools with which to set and enforce your mobile device security policies. You can also control some of the features on the mobile devices by using provisioning tools. Check this out:
Excessive failed logon attempts may signal that a wireless device has been lost or stolen — a serious security risk. Find out how to configure your Windows Mobile 5 and 6 devices for local wiping, so they automatically destroy their data after a specified number of failed logons.
Most security policies for Windows Mobile devices are what I call “scorched-earth” policies. Essentially, an Exchange administrator remote wipes a mobile device to mitigate a specific security risk, such as a lost or stolen device. All Exchange Server data is completely erased when a wireless device is “wiped clean.”
You can trigger a remote wipe of a mobile device through Exchange Server 2007 and Outlook Web Access (OWA) 2007, but that presumes the wireless device will contact the Exchange server at some point.

It makes sense to allow mobile devices to wipe themselves when certain prerequisite conditions are met, such as a specified number of failed personal identification number (PIN) entries or incorrect password attempts. This mobile security feature is called a local wipe.
Windows Mobile 5 and 6 devices have provisions for performing local wipes. However, this setting is not enabled by default, and for good reason. Discovering that your Windows Mobile device has committed digital suicide after you messed up your fifth attempt to punch in your PIN can be aggravating — especially if you didn’t know such a policy was in place to begin with.
But if your organization wants to implement this additional layer of security around Windows Mobile devices, it can be done — with a little work.
* First, the Password Required Policy (security policy ID 4131), a Windows Mobile security policy setting, must be enabled for the device in question.
* Next, a registry entry has to be set on the mobile device to enable this feature. Under HKLM\Comm\Security\Policy\LASSD, create the decimal value DeviceWipeThreshold and set it to any positive number. This number is the number of incorrect password logon attempts allowed before the device’s memory is wiped. This setting is also available in the Device Security Settings dialog box in the Exchange Management Console.
NOTE: In Windows Mobile 4, this function did not erase any external memory on the device, such as an SD card or other plug-in memory device. However, Windows Mobile 6 devices will erase external memory cards as well.

About the author: Serdar Yegulalp is editor of Windows Insight, a newsletter devoted to hints, tips, tricks, news and goodies for all flavors of Windows users.
[Via TechTarget]


Discussion (18)
Wow I can imagine a pissed off sales rep who forgot his password one time too many!
The post was just linked to by Lifehacker – and the commenters over there are recommending a program called Sprite Terminator from [www.spritesoftware.com] It is $20…
Any other suggestions on how to secure your data on a mobile device once it is stolen?
Is there any way to have remote wipe functionality without requiring a password?
Like a remote kill switch? That is what this Sprite Terminator does.
Thanks. Do you know of anything that works on non-WM devices? I’ve got a few iPhone users and it would be great to be able to remotely wipe them, but I know users would balk at being required to use a password every time.
I don’t really see why the two are related. Not using a password may not be as safe as using one, but why should the lack of a password prevent me from wiping the device?
This actually works on anything that connects up to your Exchange server. This is right from Apple’s web site:
IT administrators can securely manage any iPhone that contains confidential company information using remote wipe and enforced security and password policies. These device configuration and remote management capabilities allow IT departments to quickly and seamlessly deploy iPhone throughout their companies.
I will take a look around and see if I can locate a third party product that doesn’t use a PW.
Can anyone please post how to modify the Windows Mobile security policy setting?
http://msdn.microsoft.com/en-us/library/aa458984.aspx
You can modify the default security policy document provided with Windows Mobile-based devices by replacing it with a custom security policy document. This XML provisioning document contains the current values for all of the security policies implemented on the device. The manager role is required for modifying this document.
Note: An XML provisioning document may not install on a Windows Mobile device if the .cab file containing the document is not signed. You use the Microsoft Authenticode tools to sign .cab files. For information about Microsoft Authenticode tools, see the Authenticode documentation under “Security” in the MSDN library. For information about .cab files, see Application Security.
You can base the custom security policy document on one of the following security templates provided by Microsoft:
* High level security template — Incorporate the restricted application security configuration.
* Medium level security template — Incorporate the standard application security configuration.
* Low level security template — Incorporate the unrestricted application security configuration.
For information about application security configurations, see Application Security.
To modify the security policy provisioning document
1. Open Notepad to create a custom security policy document.
2. Add provisioning XML to specify the security policies and policy values for the Windows Mobile-based device, as shown in the following example. The name and value attributes specify the policy ID and value, respectively. For certain security policies, the value is a security role that you reference using a decimal value.
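Pulling together the article's two prerequisites (policy 4131 plus the LASSD\DeviceWipeThreshold value) and the provisioning-document format the MSDN excerpt above describes, here is an added Python check, not code from the article, the MSDN page or any commenter, that validates a provisioning document before it is packed into a signed .cab. The embedded document is a constructed sample in the wap-provisioningdoc format, and reading policy value 0 as "password required" is an assumption to confirm against the MSDN policy table.

```python
# Added example: verify that a Windows Mobile provisioning document really
# establishes both local-wipe prerequisites before it is signed and deployed.
import xml.etree.ElementTree as ET

PASSWORD_REQUIRED_POLICY = "4131"          # security policy ID from the article
LASSD_KEY = r"HKLM\Comm\Security\Policy\LASSD"

# Constructed sample document (not from the page). Assumption: a value of 0
# for policy 4131 means "password required".
SAMPLE_DOC = """<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <parm name="4131" value="0"/>
  </characteristic>
  <characteristic type="Registry">
    <characteristic type="HKLM\\Comm\\Security\\Policy\\LASSD">
      <parm name="DeviceWipeThreshold" value="8" datatype="integer"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""


def policy_value(root, policy_id):
    """Value attribute of the SecurityPolicy parm with this policy ID, or None."""
    for parm in root.iterfind("./characteristic[@type='SecurityPolicy']/parm"):
        if parm.get("name") == policy_id:
            return parm.get("value")
    return None


def registry_value(root, key_path, name):
    """Value attribute of the named parm under the given Registry key, or None."""
    for key in root.iterfind("./characteristic[@type='Registry']/characteristic"):
        if (key.get("type") or "").lower() == key_path.lower():
            for parm in key.iterfind("parm"):
                if parm.get("name") == name:
                    return parm.get("value")
    return None


def local_wipe_problems(xml_text):
    """Reasons the document does not enable local wipe; an empty list means OK."""
    root = ET.fromstring(xml_text)
    problems = []
    pw = policy_value(root, PASSWORD_REQUIRED_POLICY)
    if pw != "0":  # assumption: 0 = password required
        problems.append("policy 4131 does not require a password (value=%r)" % pw)
    thr = registry_value(root, LASSD_KEY, "DeviceWipeThreshold")
    try:
        if thr is None or int(thr) <= 0:
            problems.append("DeviceWipeThreshold missing or not positive (value=%r)" % thr)
    except ValueError:
        problems.append("DeviceWipeThreshold is not an integer (value=%r)" % thr)
    return problems
```

Run the check over a document that relaxes the password policy or leaves the threshold out and it reports each missing prerequisite, which is the case the article warns will otherwise only surface on a user's device.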
I have a Samsung Omnia and am running Lotus Notes on my laptop. I believe I can change the security setting on my WM6 device to allow ActiveSync to let EasySync drop email and PIM data to my device. Does anyone know what value in security/policy/policies/0000101b – it is currently 1 but I believe this is three-level security that I want to reduce to one level – what value do I set 0000101b to?