Windows Embedded 8 Handheld Network and Security Guide
Application Lockdown Recommendations

Settings Application        Default   Administrator   Associate
Microsoft About             Allow     Allow           Allow
Microsoft Accessories       Allow     Allow           Disallow
Microsoft AdvertisingId     Allow     Allow           Disallow
Microsoft AirplaneMode      Allow     Allow           Allow
Microsoft AppCorner         Allow     Allow           Disallow
Microsoft CloudStorageCPL   Allow     Allow           Disallow
Microsoft BatterySaver      Allow     Allow           Disallow
Microsoft Bluetooth         Allow     Allow           Disallow
Microsoft Brightness        Allow     Allow           Disallow
Microsoft CellularConn      Allow     Allow           Disallow
Microsoft DataSmart         Allow     Allow           Disallow
Microsoft DateTime          Allow     Allow           Allow (WLAN-only devices); Disallow otherwise
Microsoft DrivingMode       Allow     Allow           Disallow
Microsoft Accessibility     Allow     Allow           Disallow
Microsoft Accounts          Allow     Allow           Disallow
Microsoft Feedback          Allow     Allow           Disallow
Microsoft FindMyPhone       Allow     Allow           Disallow
Microsoft Games             Allow     Disallow        Disallow
Microsoft RoamingCpl        Allow     Allow           Disallow
Microsoft TouchKeyboard     Allow     Allow           Disallow
Microsoft KidZone           Allow     Disallow        Disallow
Microsoft Language          Allow     Allow           Disallow
Microsoft Location          Allow     Allow           Disallow
Microsoft PhoneLock         Allow     Allow           Allow
Microsoft FlashAppSetting   Allow     Allow           Disallow
Microsoft MusicVideo        Allow     Disallow        Disallow
Microsoft Proximity         Allow     Allow           Disallow
Microsoft NOcenterSettings  Allow     Allow           Disallow
Microsoft Updates           Allow     Allow           Disallow
Microsoft MirrorUS          Allow     Allow           Disallow
Microsoft DoNotDisturb      Allow     Allow           Disallow
Microsoft Regional          Allow     Allow           Disallow
- Use a VPN when the system requires data to traverse an untrusted network. (More information: Mobile Device Management (MDM) software)
- Use Transport Layer Security (TLS) 1.0 or greater for communication between native applications and specialty servers. (More information: http://blogs.windows.com/buildingapps/2014/10/13/winsock-and-more-open-source-for-your-windows-store-apps)
- Use intrusion detection on wireless local area networks (WLANs). (More information: see Intrusion Detection, page 8-1, or http://www.sans.org/security-resources/idfaq)

Unauthorized Internal Access
This threat encompasses unauthorized access from people or systems with direct access to a WE8H device. This threat is the most difficult to counter, since attackers may have legitimate access to part of the system and are simply trying to exceed their permitted access. Unauthorized internal access can result in loss of system availability, the capture, modification, or deletion of data, and the theft or damage of system contents.

Mitigation Steps
- Do not allow the use of unauthorized removable media such as microSD or microSDHC cards on WE8H devices. (More information: http://msdn.microsoft.com/en-us/magazine/cc982153.aspx)
- Implement password protection on WE8H devices. (More information: Mobile Device Management (MDM) software)
- Monitor system access.
- Add other mitigations for disabling radios such as 802.11, near field communication (NFC), location se
It is critical to keep the latest patches and software versions on your Windows Embedded 8 Handheld (WE8H) devices. This is especially true for software that has reported Common Vulnerabilities and Exposures (CVE). The MITRE Corporation and the National Institute of Standards and Technology (NIST) track CVEs and rate their criticality. For example, when a critical vulnerability was found in the popular OpenSSL cryptographic software in April 2014, the TLS heartbeat read overrun (CVE-2014-0160) was tracked and rated by both organizations. A CVE such as CVE-2014-0160 must be addressed as soon as possible.

Microsoft provides system updates for both security and feature-related purposes. If third-party software has been installed, Honeywell recommends testing the update on a non-production system to ensure the WE8H software continues to operate correctly.

Attention: Before installing any critical updates or making any system changes, ALWAYS back up the system. This provides a safe and efficient recovery path if the update fails.

Additional Resources

Security Resources
- The MITRE Corporation: http://www.mitre.org, http://cve.mitre.org
- National Institute of Standards and Technology (NIST): http://www.nist.gov
- Open Web Application Security Project (OWASP): http://www.owasp.org
- U.S. National Vulnerability Database (NVD): http://nvd.nist.gov

Software updates and service packs tested and approved by Honeywell may be foun
prevent

Policy                                                   Default        Recommended
Connectivity/AllowBluetooth                              1 (allow)      0 (prevent)
Connectivity/AllowVPNRoamingOverCellular                 1 (allow)      1 (allow)
Connectivity/AllowVPNOverCellular                        1 (allow)      1 (allow)
Connectivity/AllowUSBConnection                          1 (allow ActiveSync)   0 (prevent)
Connectivity/AllowCellularDataRoaming                    1 (allow)      1 (allow)
System/AllowStorageCard                                  1 (allow)      0 (prevent)
System/AllowTelemetry                                    2 (allow)      0 (prevent)
System/AllowLocation                                     1 (allow)      0 (prevent)
Accounts/AllowMicrosoftAccountConnection                 1 (allow)      0 (prevent)
Accounts/AllowAddingNonMicrosoftAccountsManually         1 (allow)      0 (prevent)
Security/AllowManualRootCertificateInstallation          1 (allow)      0 (prevent)
Security/RequireDeviceEncryption                         1 (allow)      1 (allow)
ApplicationManagement/AllowStore                         1 (allow)      0 (prevent)
ApplicationManagement/ApplicationRestrictions            Variable data, depending on customer app needs
ApplicationManagement/AllowDeveloperUnlock               1 (allow)      0 (prevent)
Browser/AllowBrowser                                     1 (allow)      0 (prevent)
Camera/AllowCamera                                       1 (allow)      0 (prevent)
Update/DeviceUpdateMode                                  4 (allow)      0 (prevent)
Search/AllowSearchToUseLocation                          1 (allow)      0 (prevent)
Search/SafeSearchPermissions                             1 (allow)      0 (prevent)
Search/AllowStoringImagesFromVisionSearch                1 (allow)      0 (prevent)
AboveLock/AllowActionCenterNotifications                 1 (allow)      0 (prevent)
Experience/AllowCopyPaste                                1 (allow)      0 (prevent)
Experience/AllowScreenCapture                            1 (allow)      0 (prevent)
Experience/AllowManualMDMUnenrollment                    undefined      0 (prevent)
Experience/Al
Capability mapping, thus making it difficult to tell which APIs are covered by capabilities and which are not. However, high security risk APIs are protected by capabilities. An enterprise decision to include APIs not documented as approved for Store applications places the obsolescence, security, and runtime error risk upon the enterprise to manage. Honeywell does not recommend using non-approved APIs for enterprise application development.

For the approved list of application APIs to use, see the following Microsoft documentation:
- http://msdn.microsoft.com/en-us/library/windows/apps/ff626516(v=vs.105).aspx
- http://msdn.microsoft.com/en-us/library/dn715922(v=winembedded.81).aspx

For developing secure applications, see the following Microsoft documentation:
- http://msdn.microsoft.com/en-us/library/windows/apps/xaml/hh849625.aspx

Network Ports Summary

Network Port Table
Port   Used    Connection Task      Comments
80     HTTP    Web Pages
443    HTTPS   Secure Web Pages

A list of common network port numbers can be found at https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Glossary

General Terms and Abbreviations
ACL, Authentication, Authorization, Business network, Digital signature, DMZ, Firewall, IAS, LAN, Locking down, MAC, PEAP, Port, RADIUS, SDL, SNMP, SSID, Subnet

An Access Control List (ACL) is a list of user accounts and groups with
Configuration Service Providers allow device settings to be established by the enterprise based upon its policies. Configuration Service Providers allow both the enterprise and, for cellular-enabled devices, cellular carriers to manage settings on the WE8H device.

Honeywell has no recommendations for changes to carrier-based Configuration Service Providers, which are primarily used by carriers to configure cellular services. Enterprise Mobile Device Management is not allowed access to these CSPs. Honeywell urges the enterprise to review these CSP settings with its carrier for the best security policy:
- Bootstrap Configuration Service Provider
- CellularSettings Configuration Service Provider
- BrowserFavorite Configuration Service Provider
- Application Configuration Service Provider
- W4 Application Configuration Service Provider
- W7 Application Configuration Service Provider
- CM_CellularEntries Configuration Service Provider
- CM_ProxyEntries Configuration Service Provider
- PXLogical Configuration Service Provider
- NAPDEF Configuration Service Provider
- DMAcc Configuration Service Provider
- DMS Configuration Service Provider
- NAP Configuration Service Provider
- Proxy Configuration Service Provider
- CMPolicy Configuration Service Provider
- SecurityPolicy Configuration Service Provider
- User Plane Configuration Service Provider

DMClient Configuration Service Provider
This configuration service provider specifies Enterprise Sp
Honeywell provides no default configuration for this CSP.

Application Security

Signing
All applications must be signed. Enterprise-developed applications are required to be signed by an Enterprise Certificate available through Symantec. Unsigned applications cannot be executed on the device. During device enrollment this certificate will need to be placed on the WE8H device.

Capabilities
Applications are required to declare the capabilities that they use in order to access certain system features. Note that not all applications can access all capabilities of the system. This is done to prevent applications from introducing security risks that come with system-level capabilities. The following table shows which capabilities are unlocked by Store Signing Certificates, Enterprise Signing Certificates, and Device Manufacturer (OEM) Certificates.

Application Capabilities Unlockable by Certificates
Columns: Capability | 3rd Party Store | Enterprise Certificate | 2nd Party OEM
- ID_CAP_APPOINTMENTS
- ID_CAP_BUILTIN_DEFAULT
- ID_CAP_CHAMBER_PROFILE_CODE_NITEMP_RW
- ID_CAP_CONTACTS
- ID_CAP_EVERYONE
- ID_CAP_GAMERSERVICES
- ID_CAP_IDENTITY_DEVICE
- ID_CAP_IDENTITY_USER
- ID_CAP_ISV_CAMERA
- ID_CAP_LOCATION
- ID_CAP_MAP
- ID_CAP_MEDIALIB
- ID_CAP_MEDIALIB_AUDIO
- ID_CAP_MEDIALIB_PHOTO
- ID_CAP_MICROPHONE
- ID_CAP_NETWORKING
- ID_CAP_NETWORKING_INTERNET_CLIENT
- ID_CAP_NETWORKING_INTERNET_CLIENT
a web server or terminal emulation server.

How to Use this Guide
Note: WE8H references in this guide refer to Windows Embedded 8.1 Handheld OS devices.

If you have specific security concerns, e.g. virus protection or preventing unauthorized access, consult the Security Checklist (page 2-1) or select from the topics listed below:
- Developing a Security Program (page 3-1)
- Disaster Recovery Planning (page 4-1)
- Security Updates and Service Packs (page 5-1)
- Network Planning and Security (page 6-1)
- Securing Wireless Devices (page 7-1)
- System Monitoring (page 8-1)
- Securing Access to the Windows Embedded 8 Handheld Operating System (page 9-1)
- Network Ports Summary (page 10-1)

Product Detail
Honeywell mobile devices are intended for use in in-premise Automatic Data Collection (ADC) systems and for field ADC applications. In-premise systems typically exist in establishments such as distribution warehouses or retail stores. This type of system often uses terminal emulation servers or web servers to direct the Honeywell mobile device to perform ADC operations, e.g. scanning during picking or placing of items. Field applications entail the use of the mobile device for field service applications and route distribution. Field service applications may use either Web applications or client applications that require different levels of connectivity to the customer servers.

System Architecture
The diagrams in this section illustrate sample architecture
computer or device is 192.168.2.3 with a subnet mask of 255.255.255.0; this subnet mask indicates the first 24 bits of the address represent the network address and the last 8 bits can be used for individual computer or device addresses on that network.

A switch is a multi-port device that moves Ethernet packets at full wire speed within a network. A switch may be connected to another switch in a network. Switches direct packets to a destination based on their MAC address. Each link to the switch has dedicated bandwidth, for example 100 Mbps.

TCP/IP: Transmission Control Protocol/Internet Protocol.
TLS: Transport Layer Security.
WAN: Wide Area Network.
WAP: Wireless Access Point.
WPA: Wi-Fi Protected Access (WPA) is a security standard adopted by the Wi-Fi Alliance consortium for wireless networks (www.wi-fi.org).
WPA2: Wi-Fi Protected Access 2 is the replacement for WPA.

Customer Support

Where to Get Technical Support
To search our knowledge base for a solution, or to log in to the Technical Support portal and report a problem, go to www.hsmcontactsupport.com. For our latest contact information, see www.honeywellaidc.com/locations.

Your feedback is crucial to the continual improvement of our documentation. To provide feedback about this manual, please contact Technical Communications directly at ACSHSMTechnicalCommunications@honeywell.com.

Honeywell Scanning & Mobility
9680 Old Bailes Road
Fort Mill, SC 29707
www.hon
each entry specifying a set of allowed or disallowed actions. When applied to a firewall, an ACL is a list of device addresses and ports that may or may not pass through the device.

Authentication: When a user logs on to a system, the authentication process verifies the user is known to the system. See also authorization.

Authorization: When a user logs on to a system, the authorization result dictates what a known user can do within the system. See also authentication.

Business network: A collective term for the network and attached systems.

Digital signature: Using the private key of a digital certificate to encrypt the digital hash (digest) of an electronic document, code file, etc.

DMZ: A demilitarized zone (DMZ) is an area with some firewall protection but which is visible to the outside world. This is where business network servers for Web sites, file transfers, and email are located.

Firewall: A firewall is a software or hardware barrier that sits between two networks, typically between a LAN and the Internet. A firewall can be a standalone network appliance, part of another network device such as a router or bridge, or special software running on a dedicated computer. Firewalls can be programmed to block all network traffic from coming through except that which has been configured to be allowed. By default, a firewall should block all 65,536 ports and open up only the ports you need. If you need to browse the Web, then it should allow outgoing traffic on port 80. If you would like DNS lookups to work for you,
for in-premise and field system network deployments. In both examples a firewall exists to prevent the systems from having direct access to external networks or the rest of the Business System Network (e.g. Finance or HR), and to prevent those systems from accessing the mobile device system.

Architecture of an In-Premise System
The diagram below provides an example of in-premise system architecture that includes multiple mobile devices, a wireless LAN (WLAN), a mobile device management (MDM) server, WE8H mobile devices, and an application support server (e.g. web server or a terminal emulation server).

[Figure: In-premise system architecture. Components shown: portable printer and ring scanner connected to WE8H devices over Bluetooth; Wi-Fi; firewall to the business network; MDM server; application server; RADIUS server (for example IAS).]

Architecture of a Field Service System
The diagram below provides an example of field application system architecture that includes cellular-based mobile devices, a wireless wide area network (WWAN) or wireless phone service, web application clients, and MDM servers.

[Figure: Field service system architecture. Components shown: portable printer connected to a WE8H device over Bluetooth; cellular data service network; firewall; MDM server; application server; RADIUS server (for example IAS).]

Related Documents
To download documentation for your Honeywell products:
1. Go to www.honeywellaidc.com.
2. Select Resources > Download.
3. Select your Honeywell product from the
port 53 needs to be opened up for outgoing traffic. If you want to access your Internet mail server through POP3, open up port 110 for outgoing traffic. Firewalls are directional: they monitor where the traffic originates for both incoming (inbound) and outgoing (outbound) traffic. Quite frequently you will not want any unsolicited inbound traffic unless you have specific reasons; for example, you might have a Web server that you want people to access. However, in most cases a Web server would probably be located outside your firewall and not on your internal network. This is the purpose of a demilitarized zone. The following Microsoft reference is a useful source of information about well-known TCP/IP ports: http://support.microsoft.com/kb/832017

IAS: Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy.

LAN: Local Area Network.

Locking down: The procedure whereby a given user is given access to only one or a few specific programs is known as locking down a desktop or computer.

MAC: Media Access Control (MAC) is the lower level of the Data Link Layer under the IEEE 802.11-1997 standard. In wireless 802.11, MAC stands for Medium Access Control. MAC can also be an abbreviation for Message Authentication Code, a cryptographic hash added to a message to enable the detection of tampering.

PEAP: Protected Extensible Authentication Protocol (PEAP) is a protocol proposed for secur
9-1
Secure By Default Policy  9-2
Configuration Service Providers  9-2
DMClient Configuration Service Provider  9-2
HotSpot Configuration Service Provider  9-2
FileSystem Configuration Service Provider  9-2
EMAIL2 Configuration Service Provider  9-2
CertificateStore Configuration Service Provider  9-2
ActiveSync Configuration Service Provider  9-3
DeviceLock Configuration Service Provider  9-3
EnterpriseAppManagement Configuration Service Provider  9-3
NodeCache Configuration Service Provider  9-3
Storage Configuration Service Provider  9-3
PolicyManager Configuration Service Provider  9-3
RemoteRing Configuration Service Provider  9-5
VPN Configuration Service Provider  9-5
WiFi Configuration Service Provider  9-5
RemoteLock Configuration Service Provider  9-5
RemoteWipe Configuration Service Provider  9-5
EnterpriseAssignedAccess Configuration Service Provider  9-5
Assign Roles  9-5
Assign Application Lockdown  9-5
Assign Settings Lockdown  9-7
Button Lockdown  9-8
Button Remappings  9-8
Disable Action Center  9-8
Disable Menu Items  9-8
Disable Tile Manipulation  9-8
Disable PersistData/PersistProvisioned Data  9-8
EnterpriseEXT Configuration Service Provider  9-8
EnterpriseEXTFileSystem Configuration Service Provider  9-9
Appli
Honeywell Windows Embedded 8 Handheld Network and Security Guide

Disclaimer
Honeywell International Inc. (HII) reserves the right to make changes in specifications and other information contained in this document without prior notice, and the reader should in all cases consult HII to determine whether any such changes have been made. The information in this publication does not represent a commitment on the part of HII. HII shall not be liable for technical or editorial errors or omissions contained herein, nor for any damages, whether direct, special, incidental or consequential, resulting from the furnishing, performance, or use of this material. HII disclaims all responsibility for the selection and use of software and/or hardware to achieve intended results. To the extent permitted by applicable law, Honeywell disclaims all warranties, whether written or oral, including any implied warranties of merchantability and fitness for a particular purpose. This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of HII.

Web Address: www.honeywellaidc.com

Trademarks
Android is a trademark of Google Inc. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. The Bluetooth trademark
Microsoft Sounds            Allow     Allow           Disallow
Microsoft RotationLock      Allow     Allow           Disallow
Microsoft Speech            Allow     Allow           Disallow
Microsoft Themes            Allow     Allow           Disallow
Microsoft StorageSettings   Allow     Allow           Disallow
Microsoft ProfileUpdate     Allow     Allow           Disallow
Microsoft USB               Allow     Allow           Disallow

Application Lockdown Recommendations (Continued)

Settings Application        Default   Administrator   Associate
Microsoft VPN               Allow     Allow           Disallow
Microsoft Wifi              Allow     Allow           Disallow
Microsoft CompanyAccount    Allow     Allow           Disallow
Microsoft AssistUX          Allow     Allow           Disallow
Microsoft IE                Allow     Allow           Disallow
Microsoft Maps              Allow     Allow           Disallow
Microsoft Messaging         Allow     Allow           Disallow
Microsoft OfficeMobile      Allow     Allow           Disallow
Microsoft Contacts          Allow     Allow           Disallow
Microsoft Phone             Allow     Allow           Disallow
Microsoft Photos            Allow     Allow           Disallow
Microsoft Search            Allow     Allow           Disallow
Microsoft Marketplace       Allow     Disallow        Disallow
Microsoft Wallet            Allow     Disallow        Disallow

Button Lockdown
Honeywell recommends the search button be disabled for the associate role. Honeywell recommends the camera button be disabled for application solutions that do not require camera functionality. Honeywell does not recommend disabling the Home or Back buttons unless your enterprise applications provide all navigational needs.

Button Remapping
Honeywell recommends that no buttons be remapped unless the application solutions require
Please make a selection list and then click the red arrow.

Security Checklist
This chapter identifies common security threats that may affect networks containing Windows Embedded 8 Handheld (WE8H) devices. You can mitigate the potential security risk to your site by following the steps listed under each threat.

Infection by Viruses and Other Malicious Software Agents
This threat encompasses malicious software agents, for example viruses, spyware, Trojans, and worms. The intrusion of malicious software agents can result in:
- performance degradation
- loss of system availability
- the capture, modification, or deletion of data

Mitigation Steps
- Allow only digitally signed software from trusted sources to run. (More information: All software is required to be digitally signed. Drivers and services cannot be installed by the end user due to system construction.)
- Use a firewall at the interface between other networks and WE8H devices.

Unauthorized External Access
This threat includes intrusion into the Honeywell WE8H system from the business network or other external networks, including the Internet. Unauthorized external access can result in:
- loss of system availability
- the capture, modification, or deletion of data
- reputation damage if the external access security breach becomes public knowledge

Mitigation Steps
- Implement file system encryption. (For information
S is to scan incoming network packets and look for unusual traffic or for specific malformed packets known to be associated with attacks. If anomalies are found, NIDS take action such as raising alerts or even disconnecting the computer from the network. The latter is a dangerous option that causes denial of service while preventing damage from occurring to the system, for example by closing network ports.

Most firewalls, switches, and routers have reporting facilities whereby they can report various levels of events, varying from debugging to emergency failure. These reports can be viewed via secure shell (SSH), collected by a central logging server, or sent via email to an administrator. For example, the Cisco PIX firewall and Catalyst 4500 switches can be configured to send selected levels of events to a central syslog server, where further analysis can occur and significant events can be detected.

Securing Access to the Windows Embedded 8 Handheld Operating System
WE8H provides the following platform security features. The list is not exhaustive but is meant to provide a high-level overview of the system capabilities:
- UEFI enforcement of Secure Boot and Trustworthy Hardware
- Secure Boot prevents rootkits and allows only signed code execution
- Trusted Platform Module (TPM): standards-based crypto processor
- Data Execution Prevention (DEP)
- Address Space Layout Randomization (ASLR)
- Device Encryption based on BitLocker Drive Encry
_DEPLOYMENT
- ID_CAP_INTERNET_EXPLORER_FAVORITES
- ID_CAP_INTERNET_EXPLORER_SEARCH_PROVIDER_KEYS_HKCU
- ID_CAP_INTEROPSERVICES
- ID_CAP_KIDZONE_CUSTOMIZATION
- ID_CAP_MAP_WRITE
- ID_CAP_MEDIALIB_PHOTO_FULL
- ID_CAP_MO_CLOUDMESSAGING
- ID_CAP_NATIVE_NETWORK_REPLACEMENT
- ID_CAP_NETWORKING_ADMIN
- ID_CAP_NETWORKING_VPN_PROVIDER
- ID_CAP_NETWORKING_VPN_SERVICES
- ID_CAP_NVREADWRITE

Application Capabilities Unlockable by Certificates (Continued)
Columns: Capability | 3rd Party Store | Enterprise Certificate | 2nd Party OEM
- ID_CAP_OEM_ADC
- ID_CAP_OEM_CUSTOM
- ID_CAP_OEM_DEPLOYMENT
- ID_CAP_OEMPUBLICDIRECTORY
- ID_CAP_PEOPLE_EXTENSION
- ID_CAP_PEOPLE_EXTENSION_IM
- ID_CAP_PEOPLE_EXTENSION_MOBILE
- ID_CAP_PERSONAL_INFORMATION_IMPORT
- ID_CAP_PHONE_ADMIN
- ID_CAP_RUNTIME_CONFIG
- ID_CAP_SHARED_USER_CERTIFICATES
- ID_CAP_SHELL_OEM_ADMIN
- ID_CAP_SCREEN_RECORDER_BKG
- ID_CAP_SMS
- ID_CAP_SMS_COMPANION
- ID_CAP_SMS_INTERCEPT_AGENT
- ID_CAP_SMS_INTERCEPT_RECIPIENT
- ID_CAP_SYNC_EXTENSION
- ID_CAP_VOICEMAIL
- ID_CAP_WALLET_SECUREELEMENT
- ID_CAP_SHELL_DEVICE_LOCK_UI_API
- ID_CAP_WIFI_BASIC
- ID_CAP_ENTERPRISE_SHARED_DATA
- ID_CAP_SHARED_USER_CERTIFICATES

API Restrictions
Microsoft provides restrictions on which API
_SERVER
- ID_CAP_NETWORKING_PRIVATE_NETWORK_CLIENT_SERVER
- ID_CAP_PHONEDIALER
- ID_CAP_PUSH_NOTIFICATION
- ID_CAP_PROXIMITY
- ID_CAP_REMOVABLE_STORAGE
- ID_CAP_RINGTONE_ADD
- ID_CAP_SCREEN_RECORDER
- ID_CAP_MEDIALIB_PLAYBACK
- ID_CAP_SENSORS

Application Capabilities Unlockable by Certificates (Continued)
Columns: Capability | 3rd Party Store | Enterprise Certificate | 2nd Party OEM
- ID_CAP_SPEECH_RECOGNITION
- ID_CAP_VOIP
- ID_CAP_WALLET_PAYMENTINSTRUMENTS
- ID_CAP_WALLET
- ID_CAP_WEBBROWSERCOMPONENT
- ID_CAP_CALLMESSAGING_FILTER
- ID_CAP_BLUETOOTH_ADMIN
- ID_CAP_CAMERA
- ID_CAP_CELL_API_COMMON
- ID_CAP_CELL_API_LOCATION
- ID_CAP_CELL_API_OEM_PASSTHROUGH
- ID_CAP_CELL_API_UICC
- ID_CAP_CELL_API_UICC_LOWLEVEL
- ID_CAP_CELL_WNF
- ID_CAP_CELL_OEM_UICC_DATASTORE
- ID_CAP_CSP_FOUNDATION
- ID_CAP_CSP_MAIL
- ID_CAP_CSP_OEM
- ID_CAP_CSP_W4_APPLICATION
- ID_CAP_CSP_WIFI_HOTSPOT
- ID_CAP_DATAPLANUSAGE_ADMIN
- ID_CAP_DEVICE_MANAGEMENT
- ID_CAP_DEVICE_MANAGEMENT_ADMIN
- ID_CAP_DEVICE_MANAGEMENT_BOOTSTRAP
- ID_CAP_DEVICE_MANAGEMENT_SECURITY_POLICIES
- ID_CAP_DU_MIGRATOR_STATUS_OEM
- ID_CAP_OEMPUBLICDIRECTORY
- ID_CAP_PLATFORM_EXTENSIBILITY
- ID_CAP_INTERNAL
application.
- If the application must allow NFC, it should only be enabled as needed, and the user must have a means to confirm the transfer is expected. If the application transfers data between two WE8H devices using NFC, then the application should enable encryption of the data.
- Disallow the Wallet application using Device Management.

System Monitoring
The security recommendations outlined in this guide help reduce security risks but do not guarantee that an attacker will be unable to circumvent the safeguards put into place to protect network systems and devices, including the Windows Embedded 8 Handheld (WE8H) mobile device. Early detection of an attack and/or system breach is essential to preventing further damage. The earlier a system intrusion is detected and the more evidence that is captured, the less damage is likely to occur and the greater the chances of identifying the intruder. Providing a means to detect and document system exploits is vital. The most relevant tool for this purpose at this time is the Field Medic application: http://www.windowsphone.com/en-us/store/app/field-medic/73c58570-d5a7-46f8-b1b2-2a90024fc29c

Intrusion Detection
Network Intrusion Detection Systems (NIDS) can take many forms. NIDS can be a dedicated server on the same network branch, freeware software available under GNU or similar licenses (often UNIX-based), or commercial products aimed specifically at Windows systems. The purpose of NID
assword. Do not use the default password.
- Configure 802.1x authentication. For detailed configuration information, refer to the setup instructions from the WAP supplier.

Secure WE8H WLAN Configuration
Microsoft provides a WiFi configuration service provider for initial 802.11 network provisioning. This configuration service provider uses the WLAN_profile Schema for configuration: http://msdn.microsoft.com/en-us/library/windows/desktop/ms707341(v=vs.85).aspx

Honeywell recommends the following when configuring WE8H mobile devices for WLANs:
- Honeywell supports and approves these security methods:
  - WPA2-EAP-TTLS
  - WPA2-EAP-TLS
  - WPA2-PEAP-MSCHAP
  - WPA2-PSK
- Configure the proper SSID.
- Configure 802.1x authentication.
- Configure PEAP authentication.
- Configure the 802.1x supplicant (client) to prompt for the password needed by EAP-PEAP-MSCHAP or EAP-TTLS-MSCHAP. If EAP-TLS or EAP-PEAP-TLS is in use, a client certificate must be available on the WE8H device.

Bluetooth Wireless Technology Security
All WE8H mobile devices are equipped for short-range wireless communication using Bluetooth wireless technology. For secure Bluetooth communications, follow these security recommendations and precautions:
- When available, use Bluetooth 2.1 Secure Simple Pairing. Honeywell recommends that you do not use the "just works" mode.
- Use Device Management to disable Bluetooth if not required by application solutions.
- U
cation  9-9
sioning  9-9
9-9
API Restrictions  9-11

Chapter 10: Network Ports Summary
Network Port Table  10-1

Chapter 11: Glossary
General Terms and Abbreviations  11-1

Chapter 12: Customer Support
Where to Get Technical Support  12-1

Introduction
This guide defines the security processes, both implemented and recommended by Honeywell, for all mobile computers running the Windows Embedded 8.1 Handheld (WE8H) Operating System.

Intended Audience
The target audience for this guide is the Windows Embedded Handheld 8.1 customer organization that identifies and manages the risks associated with the use of information processing equipment. This includes, but is not limited to, Information Technology (IT). Third-party organizations delivering and installing turnkey systems should also follow the guidelines in this guide. The intent of this guide is to drive the discussion between the organization using the Windows Embedded 8.1 Handheld OS and the organization responsible for managing information technology risks.

A high degree of technical knowledge and familiarity in the following areas is assumed:
- Windows Embedded 8.1 Handheld
- Networking systems and concepts
- Wireless systems
- Security issues and concepts

In particular, the following systems need to be understood and properly set up:
- RADIUS Server
- Application Server, such as
ckups. Failure mode analysis can be used to assess the robustness of your network architecture.

Identifying and Evaluating Privacy Issues
Consider the potential for unauthorized access to personal data stored within your system. Any information considered sensitive should be protected, and all access methods should be reviewed to ensure correct authorization is required.

Creating a Mitigation Plan
Create policies and procedures to protect your assets from threats. The policies and procedures should cover your networks, computer hardware and software, and WE8H equipment. You should also perform risk assessments to evaluate the potential impact of threats. A full inventory of your assets helps identify threats and vulnerabilities. These tasks assist you in deciding whether to ignore, mitigate, or transfer the risk.

Implementing Change Management
The original asset evaluation and associated risk assessment and mitigation plans should specify the security requirements for all networked components. To ensure that all modifications to networking capabilities continue to meet those security requirements, a formal change management procedure is vital. A risk assessment should be performed on any change made to the WE8H software and its infrastructure that could affect security, including configuration changes, the addition of network components, and the installation of software. Changes to policies and procedures might also be required.

Plannin
d at honeywellaidc.com.

Honeywell DiagnosticInfo Power Tool
The DiagnosticInfo Power Tool provides important system information, including firmware versions, application versions, system parameters, and service pack versions, as well as network and radio information for your WE8H device.

To View System Information
From the Home screen, swipe left and touch DiagnosticInfo. You may need to scroll up or down to see the icon. You cannot edit information in DiagnosticInfo. This information is gathered from the mobile device and changes only when the device configuration has changed. See the device user manual for more information on viewing system information (see Related Documents on page 1-3).

Network Planning and Security

Connecting to the Business Network
The Windows Embedded 8 Handheld (WE8H) device network and other networks, such as the Internet or business network, should be separated by a firewall (see System Architecture on page 1-2). The nature of network traffic on a WE8H device network differs from other networks:
- The business network may have different access controls from other networks and services.
- The business network may have different change control procedures for network equipment, configuration, and software changes.
- Security and performance problems on the business network should not be allowed to affect the WE8H device network, and vice versa.

Ideally there should be no direct communication between the WE8H devic
25. e network and the business network. However, practical considerations often mean a connection is required between these networks. The WE8H device network may require data from the servers in the business network, or business applications may need access to data from the WE8H device network. A connection between the networks represents a significant security risk; therefore, careful consideration should be given to the system architecture design. Due to the security risk, it is strongly recommended that only a single connection is allowed and that the connection is through a firewall.

If multiple connections are required, a common practice is to create data demilitarized zones (DMZs) where data servers that serve two different security domains are located. A DMZ is an area with some firewall protection but is still visible to the outside world. Business network servers for Web sites, file transfers, and email are located in a DMZ. More sensitive private services, for example internal company databases and intranets, are protected by additional firewalls and have all incoming access from the Internet blocked. You can also create an effective DMZ with just one firewall by setting up access control lists (ACLs) that let a subset of services be visible from the Internet.

Third Party Applications
The WE8H Ecosystem provides many applications. All Ecosystem applications for WE8H are required to be signed by the Microsoft Store and pass certification testing requ
26. ecific mobile device management settings that identify the device in the enterprise domain, allow for security migration for certificate renewal, and allow server-triggered un-enrollment. Honeywell provides no default configuration for this CSP.

HotSpot Configuration Service Provider
This configuration service provider configures and enables Internet sharing on the device. Honeywell does not recommend that the Enterprise enable Internet sharing where security is a concern. By default, Internet Connection Sharing is disabled and there is no settings screen to allow configuration. If enabled, a settings screen will be available, but sharing will be turned off until the user enables it.

FileSystem Configuration Service Provider
This configuration service provider queries, adds, modifies, and deletes files and directories. It also allows file attributes on the phone to be modified. Honeywell provides no default configuration for this CSP. Honeywell recommends that Enterprise customers use the EnterpriseEXTFileSystem instead of this provider.

EMAIL2 Configuration Service Provider
This CSP is used to configure SMTP email accounts. Honeywell does not provide a default recommendation for this service provider. Enterprise customers use this CSP to configure any SMTP email accounts.

CertificateStore Configuration Service Provider
This configuration service provider is used to add certificates to the device. Honeywell does not provide a default recommendation for this service p
27. ely transporting authentication data, including passwords, over 802.11 wireless networks.

Port: A port is a logical endpoint on a network computer or device used for communications. There are approximately 65,536 ports on which any one IP address can communicate. Some are dedicated to specific well-known services, some are used by application services, and some will be dynamically allocated to clients as they connect to remote services. A service listens on a known port for client connections; if the connection is accepted, the client will address messages to that port and the server will send responses to the dynamically allocated client port.

RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a protocol that enables centralized authentication, authorization, and accounting for dial-up, virtual private network, and wireless access.

SDL: Security Development Lifecycle (SDL) is a software development process that helps developers to build more secure software and to address security requirements while reducing development cost.

SNMP: Simple Network Management Protocol (SNMP) is a protocol used to manage devices on IP networks.

SSID: Service set identifier (SSID) is a unique identifier for a wireless network.

Subnet: A group of hosts that form a subdivision of a network.

(Remaining glossary terms on this page: Subnet mask, Switch, TCP/IP, TLS, WAN, WAP, WPA, WPA2.)

Subnet mask: A subnet mask identifies which bits of an IP address are reserved for the network address. For example, if the IP address of a particular
28. eywellaidc.com ALLSKU-E8H-ENUS-ZY Rev A 5/15
29. for Information Security Management: http://www.iso.org
Open Web Application Security Project (OWASP): http://www.owasp.org. Note: OWASP tracks the top weaknesses of applications and provides valuable information about developing secure software.

Disaster Recovery Planning
This chapter describes the processes and tools recommended by Honeywell for the backup and restoration of Windows Embedded 8 Handheld (WE8H) devices to standard operation if disaster recovery is required due to data loss (such as deletion or corruption) and/or application inaccessibility or corruption. The following actions are recommended as part of your disaster recovery plan:
• Perform routine backups of WE8H mobile devices and any data located on external storage, such as a micro Secure Digital (SD) card installed in the terminal.
• Save the backup files to a secondary location (e.g., an off-site server), not on the WE8H mobile device or the microSD card installed in the device. Note: If the microSD card is encrypted, a secondary backup is not possible.
• Perform routine disaster recovery testing.
For backup and restore procedures for WE8H devices, see http://www.windowsphone.com/en-IE/how-to/wp8/settings-and-personalization/back-up-my-stuff

Disaster Recovery Testing
Disaster recovery plans should be tested at least once a year to confirm that the current steps are valid and working as expected.

Security Updates and Service Packs
30. g
• Equipment: plant equipment, including network equipment such as routers, switches, firewalls, and ancillary items used to build the system; computer equipment such as servers, cameras, and streamers.
• Network configuration information, such as routing tables and access control lists.
• Information stored on computing equipment, such as databases and other intellectual property.
• Intangible assets, such as bandwidth and speed.

Identifying and Evaluating Threats
You need to consider the potential within your system for unauthorized access to resources or information through the use of a network, and for the unauthorized manipulation and alteration of information on a network. Potential threats to be considered include:
• People, including malicious users inside or outside the company and uninformed employees.
• Inanimate threats: natural disasters such as fire or flood, and malicious code such as a virus or denial of service.

Identifying and Evaluating Vulnerabilities
Potential vulnerabilities that should be addressed in your security strategy include:
• The absence of security policies and procedures
• Inadequate physical security
• Gateways from the Internet to the corporation
• Gateways between the business local area network (LAN) and the WE8H network
• Improper management of modems
• Out-of-date virus software
• Out-of-date security patches or inadequate security configuration
• Inadequate or infrequent ba
31. g Ongoing Maintenance
Constant vigilance of your security program should involve:
• regular monitoring of your system
• regular audits of your network security configuration
• regular security team meetings where keeping up to date with the latest threats, and the technologies for dealing with security issues, are discussed
• ongoing risk assessments as new devices are placed on the network
• the creation of an Incident Response Team

Additional Security Resources
Windows Phone Security: http://technet.microsoft.com/en-us/library/dn756284.aspx
Platform Security: http://technet.microsoft.com/en-us/library/dn756283.aspx
Access Control and Device Management: http://technet.microsoft.com/en-us/library/dn756285.aspx
Developing Secure Applications: http://msdn.microsoft.com/en-us/library/windows/apps/xaml/hh849625.aspx
Security for devices running Windows Embedded 8.1 Handheld: http://msdn.microsoft.com/en-us/library/dn499742.aspx
Administrator Guide for Windows Embedded 8.1 Handheld: http://msdn.microsoft.com/en-us/library/dn499757.aspx
Configuring Devices: http://msdn.microsoft.com/en-us/library/dn499730.aspx
Best Practices for Configuring Devices: http://msdn.microsoft.com/en-us/library/dn499744.aspx
Provisioning the Device on Startup: http://msdn.microsoft.com/en-us/library/dn499751.aspx
Locking Down a Device: http://msdn.microsoft.com/en-us/library/dn798313.aspx
Prepare devices for application: ht
32. irements. Unsigned applications are not allowed to be installed and executed on WE8H devices. Always verify the following with the vendor:
• Secure Development Lifecycle (SDL) practices were used when writing the software.
• The proper means and security controls to mitigate any threats to the WE8H system are provided.
In addition, evaluate additional risks to the WE8H system with regard to the following:
• The service level agreement (SLA) with the vendor
• The change in the attack surface as a result of the software
• Additional services used by the software that may consume needed resources
If these precautions cannot be implemented, then extra care must be taken in isolating and using the software. Additional settings might be needed in firewalls, point-to-point virtual private networks (VPNs), or similar network features, depending on the additional risks in the third party software.
Note: Third party software must be signed by a trusted authority before installation.

Securing Wireless Devices
Wireless Local Area Network (WLAN) and Access Point (AP) Security
All Windows Embedded 8 Handheld (WE8H) mobile devices are equipped with an 802.11a/b/g/n wireless local area network (WLAN) radio. The radio is interoperable with other 802.11a/b/g/n Wi-Fi compliant products, including access points (APs), workstations via PC card adapters, and other wireless portable devices. When the WE8H device connects through a wireless access poin
33. lowVoiceRecording: system default 1 (allow); secure setting 0 (prevent)
Experience/AllowSaveAsOfficeFiles: system default 1 (allow); secure setting 1 (allow)
Experience/AllowCortana: system default 1 (allow); secure setting 1 (allow)
Experience/AllowSyncMySettings: see warnings
System/AllowUserToResetPhone: system default 1 (allow); secure setting 1 (allow)
Notes accompanying the table: EnterpriseAssignedAccess concerns with service or deep links. Cannot be undone; setting this bit is left to the customer, and the default XML for secure lockdown does not set this bit. List each application separately. This setting blocks the application from running if the user attempts to launch it. The Enterprise could use this in conjunction with the WEHLockdown allow list to fully lock down the device. For instance, if you do not want users to browse the Internet at all, you would not include IE in the WEHLockdown allow list. However, if users receive a URL, they are able to click on that URL to launch IE, since that is not prevented through WEHLockdown. This setting allows you to block the launching of IE in this case.

RemoteRing Configuration Service Provider
Honeywell provides no default configuration for this CSP. This configuration provider can be used to trigger an audible ring from a device to aid in finding a misplaced device.

VPN Configuration Service Provider
Honeywell provides no default configuration for this CSP, but recommends that customers use this CSP to establish VPN connections for devices connected to public networks.

WiFi Configuration Service Provider
Thi
34. nd Evaluating Threats 3-1
Identifying and Evaluating Vulnerabilities 3-1
Identifying and Evaluating Privacy Issues 3-2
Creating a Mitigation Plan 3-2
Implementing Change Management 3-2
Planning Ongoing Maintenance 3-2
Additional Security Resources 3-2
Chapter 4 Disaster Recovery Planning
Disaster Recovery Testing 4-1
Chapter 5 Security Updates and Service Packs
Additional Resources 5-1
Honeywell DiagnosticInfo Power Tool 5-1
To View System Information 5-1
Chapter 6 Network Planning and Security
Connecting to the Business Network 6-1
Third Party Applications 6-1
Chapter 7 Securing Wireless Devices
Wireless Local Area Network (WLAN) and Access Point (AP) Security 7-1
Secure Wireless AP Configuration 7-1
Secure WE8H WLAN Configuration 7-1
Bluetooth Wireless Technology Security 7-2
Wireless Wide Area Network (WWAN) Security 7-2
Wireless Near Field Communication (NFC) Security 7-2
Chapter 8 System Monitoring
Intrusion Detection 8-1
Chapter 9 Securing Access to the Windows Embedded 8 Handheld Operating System
Internal Firewall a
35. ption
• AppContainer sandboxing blocks unauthorized access to system apps and data
• SmartScreen Filter provides anti-phishing protection
• Remote Data Removal for Enterprise data
• Virtual Smart Cards for Two-Factor Authorization (2FA)
• Information Rights Management: protected email and documents based on Windows Rights Management Services (RMS) standards
• Secure MDM Enrollment
• Security Policy management
• Removable Storage (SD Card) encryption
• Assigned Access to applications and system functions based on user roles
• S/MIME support
• TLS 1.0 or greater support
• Wi-Fi support for EAP-TLS and EAP-TTLS certificate-based authentication
• Integrated VPN support for IKEv2 and IPsec connections
• Vendor-downloadable support for SSL VPN connections
• Auto-triggered VPN connections
• Remote Lock, Remote Wipe
• Remote PIN/user password reset
• Trusted System and Application Software: unsigned software is not allowed to execute
• Application allow listing
• Application deny listing
• Access Control Lists prevent unauthorized access to secured objects
• Feature enablement and disablement for Bluetooth, NFC, Wi-Fi, camera, Location Based Services, storage card, voice recording, and updates
• User passwords
For more detailed information on each of these items, see:
• Microsoft WE8H OS-specific information: http://msdn.microsoft.com/en-us/library/dn499742.aspx
• Windows Phone 8.1 Security information: http://technet.mic
36. rosoft.com/en-us/library/dn643717.aspx
Many of the above features can be managed by Mobile Device Management software. System provisioning is used to enable and provide the level of enterprise security needed by your WE8H users. The most complete documentation for the Windows Phone 8.1 MDM Protocol for the WE8H platform is at http://msdn.microsoft.com/en-us/library/dn499787.aspx. Enterprise customers are encouraged to review and understand all of this documentation for proper implementation of security features.

Internal Firewall
By default, the internal firewall of WE8H does not allow incoming network connections, including incoming connections that originate from code on the device used for loopback. Honeywell does not recommend the use of incoming connections for applications the enterprise does not control. For applications that need to enable incoming connections, see http://msdn.microsoft.com/en-us/library/windows/apps/xaml/dn640582.aspx#configuring_the_firewall

Secure By Default Policy
Honeywell provides its recommendations on security settings for a secure-by-default system in the following sections. Honeywell provides a provisioning XML to enable this scenario for our customers. Customers can then migrate from the Honeywell-defined security settings to their enterprise needs through their own MDM policy choices and customization of the provisioning XML file.

Configuration Service Providers
37. rovider. Enterprise customers use this CSP to add certificates to the system.

ActiveSync Configuration Service Provider
Honeywell does not provide a default recommendation for this service provider. Enterprise customers should use this CSP to establish and secure their Exchange ActiveSync connections.

DeviceLock Configuration Service Provider
This configuration service provider is used to configure device lock related policies. Honeywell recommends setting these values using the PolicyManager Configuration Service Provider.

EnterpriseAppManagement Configuration Service Provider
This configuration service provider is used to install, update, and manage Enterprise Applications and Tokens. Honeywell does not provide a default recommendation for this service provider.

NodeCache Configuration Service Provider
This configuration service provider manages the cache for the system configuration nodes used by enterprise device management servers. Honeywell does not provide a default recommendation for this service provider.

Storage Configuration Service Provider
Honeywell recommends that storage cards be disabled for system solutions that do not require them.

PolicyManager Configuration Service Provider
Honeywell has the following recommendations for the PolicyManager CSP. The PolicyManager configuration service provider settings listed below are suggested in order to provide the highest level of security for the system. Unle
38. rvices, camera: Mobile Device Management (MDM) software

Developing a Security Program
Forming a Security Team
Executive sponsorship and the creation of a formal team structure are recommended for the security program. The remaining tasks in the development of a security program are critical to the success of the program. When forming a security team, you should:
• Define executive sponsors. It will be easier to ensure the success of security procedures if you have the backing of senior management.
• Establish a core cross-functional security team consisting of representatives from:
  - Building or facility management, for example individuals responsible for running and maintaining Honeywell Windows Embedded 8 Handheld (WE8H) devices and infrastructure
  - Business applications, for example individuals responsible for applications interfaced to the Honeywell WE8H system, such as Human Resources, Physical Security, etc.
  - IT systems administration
  - IT network administration
  - IT security

Identifying Assets to be Secured
The term "assets" implies anything of value to the company. Assets may include equipment, intellectual property (e.g., historical data and algorithms), and infrastructure (e.g., network bandwidth and computing power). When identifying assets at risk, you should consider:
• People, including your employees and the broader community to which they and your enterprise belon
39. s applications can use as part of their certification process, to ensure that APIs that could reduce system security are not used by applications. Another reason for the restriction is that certain APIs may be planned for obsolescence, and Microsoft does not want applications to require maintenance when APIs are removed. Honeywell recommends that enterprise customers follow Microsoft API recommendations.

Store applications are restricted in the APIs that they can use for application development. During the certification process, if restricted APIs are used, the application will not be allowed on the Store. Honeywell applications may be restricted in the APIs that they can use for application development if they are planned to be built into the device image as part of the operating system, or if they are to be commercially available through the Store. In either of these cases, if restricted APIs are used, the application will not be certified and signed.

Enterprise applications can be either Store-signed or self-signed. When self-signed, there is no process by which APIs will restrict the ability of a developer to sign and deploy an application. This means that all Win32 APIs are available to the Enterprise application. However, use of Win32 APIs is still restricted by application capabilities. Any API that is part of a capability to which Enterprise applications are not entitled will create an access violation at runtime. Microsoft does not provide an API to
40. s are owned by Bluetooth SIG, Inc., U.S.A. and licensed to Honeywell. microSD and microSDHC are trademarks or registered trademarks of SD-3C, LLC in the United States and/or other countries. MITRE is a registered trademark of The MITRE Corporation. Cisco and Catalyst are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. UNIX is a registered trademark of The Open Group. Wi-Fi is a registered trademark of Wi-Fi Alliance. OpenSSL is a registered trademark of The OpenSSL Software Foundation, Inc. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the property of their respective owners. 2014-2015 Honeywell International Inc. All rights reserved.

Table of Contents
Chapter 1 Introduction
Intended Re 1-1
How to Use the Guide 1-1
System Architecture 1-2
Architecture of an In-Premise System 1-2
Architecture of a Field Service System 1-3
Related Documents 1-3
Chapter 2 Security Checklist
Infection by Viruses and Other Malicious Software Agents 2-1
Mitigation Steps 2-1
Unauthorized External Access 2-1
Mitigation Steps 2-1
Unauthorized Internal Access 2-2
Mitigation Steps 2-2
Chapter 3 Developing a Security Program
Forming a Security Team 3-1
Identifying Assets to be Secured 3-1
Identifying a
41. s configuration service provider adds or deletes Wi-Fi networks on the device. Honeywell provides no default configuration for this CSP, but recommends that the Enterprise establish allowed Wi-Fi connections using this CSP.

RemoteLock Configuration Service Provider
Use the RemoteLock CSP to lock a device that has a PIN, or use it to reset a PIN on a device that does or does not have a PIN. Honeywell does not provide a default configuration, and Enterprise customers are urged to provide this capability.

RemoteWipe Configuration Service Provider
Honeywell does not provide a default configuration for this CSP. Enterprise customers use the RemoteWipe CSP to remove enterprise data from a device that has been lost or stolen. Remote wipe may or may not remove enterprise provisioning data, depending on the value of the PersistData/PersistProvisionedData policy in the EnterpriseAssignedAccess Configuration Service Provider.

EnterpriseAssignedAccess Configuration Service Provider
The EnterpriseAssignedAccess configuration service provider allows IT administrators to provision a WE8H device with a single locked-down user experience (kiosk behavior) or to provide a user role-based lockdown approach for device usage. Administrators can configure the system in the following ways on a per-user-account basis:
• Action Center enable/disable (disable, as enabling notifications can allow deep links into the OS)
• Allowed installed applications through allow lis
42. se Device Management to remove Bluetooth settings from the user roles.
• Use a strong personal identification number (PIN) or password.
• If possible, pair devices ONLY when in a physically secure area.

Wireless Wide Area Network (WWAN) Security
Many devices provide WWAN capabilities. For secure WWAN communications, follow these security recommendations and precautions:
• Use Secure Hypertext Transfer Protocol (HTTPS) with TLS 1.0 or greater with Web applications, with a locked-down browser that allows access to only specified uniform resource locators (URLs). Make sure that the client is configured to validate the server certificate and uses sufficiently secure cipher suites.
• Use a secure Virtual Private Network (VPN) for remote access to the WWAN.
• Use TLS 1.2 between client applications and servers. Make sure the client is configured to validate the server certificate and uses secure crypto suites.

Wireless Near Field Communication (NFC) Security
Specific security precautions are recommended to mitigate the potential security risk associated with exchanging data using wireless Near Field Communication (NFC) between NFC-enabled WE8H devices and NFC tags or other NFC-enabled devices. NFC security is based on the short-range characteristic of the RF solution. Honeywell recommends the following security precautions:
• Using Device Management, disable NFC on the WE8H device unless it is critical to the
43. see PolicyManager Configuration Service Provider on page 9-3.
Use Secure Hypertext Transfer Protocol (HTTPS) with TLS 1.0 or greater, or your virtual private network (VPN), when using Web servers across untrusted networks: http://msdn.microsoft.com/en-us/library/windows/apps/xaml/hh849625.aspx#require_https_connections
Use a firewall at the interface between your other networks and mobile devices.
Secure wireless devices.

Mitigation Steps
Set the minimum level of privilege for all external accounts and enforce a strong password policy. This is especially true for Mobile Device Management (MDM) systems: Mobile Device Management (MDM) software.
Honeywell recommends that you avoid the use of non-secure protocols such as File Transfer Protocol (FTP) or Telnet. The construction of the operating system (OS) does not allow an application to disable ports that another application may require. To disable a port, you can remove the application that uses that port. If the application cannot be removed, set the security for that application to one-tier prompt and then disable prompting, to effectively prevent users from running the application. For more information, see Securing Access to the Windows Embedded 8 Handheld Operating System on page 9-1. Alternatively, you can use a locked-down menu program, such as Launcher for Windows or Enterprise Launcher, to prevent users from accessing specific applications.
44. separate buttons for application launch.

Disable Action Center: Honeywell recommends disabling Action Center for associate roles, in order to prevent associate access to system internals.
Disable Menu Items: Honeywell recommends disabling Menu Items for associate roles, in order to prevent associate access to system internals.
Disable Tile Manipulation: Honeywell recommends that tile manipulation be disabled for both administrator and associate roles.
Disable PersistData/PersistProvisionedData: For the most secure setting, Honeywell recommends that data not be persisted on the WE8H device when the device is wiped. However, the Persist Data settings can be used to restore a device that has been wiped.

EnterpriseEXT Configuration Service Provider
This service provider allows IT administrators to use an MDM service to set up a device and enroll it automatically with the MDM server, restart devices, and manage device updates or other management tasks. Honeywell provides no default configuration for this CSP. Honeywell recommends that the enterprise customer provide the settings for this CSP, based upon their MDM and update server requirements, before the system is deployed to end users. Honeywell does not recommend that the enterprise disable EnterpriseValidation settings.

EnterpriseEXTFileSystem Configuration Service Provider
This configuration service provider allows Enterprise customers to add, delete, get, or change files in the file system
45. ss otherwise noted, each of these policies can be changed via MDM at any time based on enterprise needs.

PolicyManager CSP Recommendations (node: system default; recommended secure setting)
DeviceLock/AllowIdleReturnWithoutPassword: 1 (Allow); 0 (Prevent)
DeviceLock/DevicePasswordEnabled: 1 (not required); 0 (Required)
DeviceLock/AllowSimpleDevicePassword: 1 (Allow); 0 (Prevent)
DeviceLock/MinDevicePasswordLength: 4; 8
DeviceLock/AlphanumericDevicePasswordRequired: 2 (User Choice); 0 (Required)
DeviceLock/DevicePasswordExpiration: 0 days (non-expiring); 90 days
DeviceLock/DevicePasswordHistory: 0 (no history); 10
DeviceLock/MaxDevicePasswordFailedAttempts: 0 (never wipe); 6
DeviceLock/MaxInactivityTimeDeviceLock: 0 minutes (no timeout); 3 minutes
DeviceLock/MinDevicePasswordComplexCharacters: 1; 2
WiFi/AllowWifi: 1 (allow); 1 for WLAN-only devices, 0 (disable) for WWAN/WLAN devices
WiFi/AllowInternetSharing: 1 (allow); 0 (prevent)
WiFi/AllowAutoConnectToWifiSenseHotspots: 1 (allow); 0 (prevent)
WiFi/AllowWifiOffLoading: 1 (allow); 0 (prevent)
WiFi/AllowWifiHotSpotReporting: 1 (allow); 0 (prevent)
WiFi/AllowManualWifiConfiguration: 1 (allow); 0 (prevent)
PolicyManager CSP Recommendations (Continued)
Connectivity/AllowNFC: 1 (allow); 0
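As an added example (not code from the Honeywell guide or its provisioning XML), the following script checks a device's reported PolicyManager values against the secure settings in the table above and emits the OMA-DM SyncML Replace commands an MDM server would send to correct any drift. The node names are the ones printed in the table; the LocURI prefix ./Vendor/MSFT/PolicyManager/My/ and the SyncML envelope follow the Windows Phone 8.1 PolicyManager CSP convention and are an assumption to verify against the MDM protocol documentation linked under Additional Resources; the sample device values are constructed. WiFi/AllowWifi is left out because its recommended value depends on the device type.

```python
"""Drift check of PolicyManager values against the guide's secure baseline,
plus SyncML <Replace> generation for the nodes that need correcting.

Added example; not Honeywell's provisioning XML. LocURI prefix and SyncML
envelope are an assumption based on the Windows Phone 8.1 PolicyManager CSP.
"""
from xml.sax.saxutils import escape

# Recommended secure settings from the PolicyManager table (node -> value).
SECURE_BASELINE = {
    "DeviceLock/AllowIdleReturnWithoutPassword": 0,
    "DeviceLock/DevicePasswordEnabled": 0,               # 0 = password required
    "DeviceLock/AllowSimpleDevicePassword": 0,
    "DeviceLock/MinDevicePasswordLength": 8,
    "DeviceLock/AlphanumericDevicePasswordRequired": 0,  # 0 = required
    "DeviceLock/DevicePasswordExpiration": 90,           # days
    "DeviceLock/DevicePasswordHistory": 10,
    "DeviceLock/MaxDevicePasswordFailedAttempts": 6,
    "DeviceLock/MaxInactivityTimeDeviceLock": 3,         # minutes
    "DeviceLock/MinDevicePasswordComplexCharacters": 2,
    "WiFi/AllowInternetSharing": 0,
    "WiFi/AllowAutoConnectToWifiSenseHotspots": 0,
    "WiFi/AllowWifiOffLoading": 0,
    "WiFi/AllowWifiHotSpotReporting": 0,
    "WiFi/AllowManualWifiConfiguration": 0,
    "Connectivity/AllowNFC": 0,
}

# Counters where a stricter value than the baseline is still compliant.
HIGHER_IS_STRICTER = {"DeviceLock/MinDevicePasswordLength",
                      "DeviceLock/DevicePasswordHistory",
                      "DeviceLock/MinDevicePasswordComplexCharacters"}
# Counters where lower is stricter, but 0 switches the control off entirely
# (never wipe / no timeout / non-expiring), so 0 is never compliant.
LOWER_IS_STRICTER = {"DeviceLock/MaxDevicePasswordFailedAttempts",
                     "DeviceLock/MaxInactivityTimeDeviceLock",
                     "DeviceLock/DevicePasswordExpiration"}


def is_compliant(node, reported, baseline):
    """True if the reported value is at least as strict as the baseline."""
    if node in HIGHER_IS_STRICTER:
        return reported >= baseline
    if node in LOWER_IS_STRICTER:
        return 0 < reported <= baseline
    return reported == baseline


def find_drift(reported):
    """Return {node: (reported, expected)} for missing or non-compliant nodes."""
    drift = {}
    for node, expected in SECURE_BASELINE.items():
        value = reported.get(node)
        if value is None or not is_compliant(node, value, expected):
            drift[node] = (value, expected)
    return drift


def build_syncml(drift):
    """Render one SyncML <Replace> per drifted node, in node-name order."""
    items = []
    for cmd_id, (node, (_, expected)) in enumerate(sorted(drift.items()), start=1):
        items.append(
            "  <Replace><CmdID>%d</CmdID><Item>"
            "<Target><LocURI>./Vendor/MSFT/PolicyManager/My/%s</LocURI></Target>"
            '<Meta><Format xmlns="syncml:metinf">int</Format></Meta>'
            "<Data>%d</Data></Item></Replace>" % (cmd_id, escape(node), expected))
    return "<SyncBody>\n" + "\n".join(items) + "\n  <Final/>\n</SyncBody>"


# Constructed sample: a device mostly on system defaults, except that an
# administrator already raised the minimum length to 10 and the inactivity
# timeout to 2 minutes, and the NFC node is not reported at all.
SAMPLE_DEVICE = {
    "DeviceLock/AllowIdleReturnWithoutPassword": 1,
    "DeviceLock/DevicePasswordEnabled": 0,
    "DeviceLock/AllowSimpleDevicePassword": 1,
    "DeviceLock/MinDevicePasswordLength": 10,
    "DeviceLock/AlphanumericDevicePasswordRequired": 2,
    "DeviceLock/DevicePasswordExpiration": 0,
    "DeviceLock/DevicePasswordHistory": 0,
    "DeviceLock/MaxDevicePasswordFailedAttempts": 0,
    "DeviceLock/MaxInactivityTimeDeviceLock": 2,
    "DeviceLock/MinDevicePasswordComplexCharacters": 1,
    "WiFi/AllowInternetSharing": 0,
    "WiFi/AllowAutoConnectToWifiSenseHotspots": 1,
    "WiFi/AllowWifiOffLoading": 0,
    "WiFi/AllowWifiHotSpotReporting": 1,
    "WiFi/AllowManualWifiConfiguration": 0,
}

if __name__ == "__main__":
    drift = find_drift(SAMPLE_DEVICE)
    for node, (got, want) in sorted(drift.items()):
        print("%-48s reported=%s expected=%s" % (node, got, want))
    print(build_syncml(drift))
```

The compliance test is deliberately not a plain equality check: a 10-character minimum or a 2-minute timeout is stricter than the baseline and should not be reported as drift, while a 0 on the wipe, timeout and expiration nodes means the control is switched off and must always be flagged.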
46. t (WAP) to an organization's server on a wired network, specific security precautions are required to mitigate the significant security risk that the WLAN wireless access point (WAP) connection represents for the servers and devices on the wired network. Non-WE8H wireless devices, such as laptops and printers, should either be on a separate WLAN with different security profiles, or the WAP should at a minimum support multiple service set identifiers (SSIDs). Devices on one WLAN should not be able to use the WLAN to connect to devices on another of the organization's WLANs. Isolation of different networks helps protect the WE8H system and the organization's other networks and devices from unauthorized access.

Secure Wireless AP Configuration
Honeywell recommends the following when configuring a wireless AP:
• Configure a unique SSID. Do not use the default SSID.
• Disable SSID broadcast.
• Configure authentication for EAP authentication to the network. Honeywell supports and approves these security methods:
  - Wi-Fi Protected Access II with Extensible Authentication Protocol Tunneled Transport Layer Security (WPA2 EAP-TTLS)
  - WPA2 with EAP Transport Layer Security (TLS)
  - WPA2 with Protected Extensible Authentication Protocol and Microsoft Challenge Handshake Authentication Protocol (PEAP-MSCHAP)
  - WPA2 Pre-shared Key (PSK)
• Configure the Remote Authentication Dial-In User Service (RADIUS) server address.
• Configure for WPA2 Enterprise.
• Change the WAP RADIUS p
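The AP and WLAN recommendations above can be checked against the Windows WLAN profile XML that a device carries (the WLAN_profile schema the guide links under Additional Resources). The audit script below is an added example, not part of the Honeywell guide: it flags a default-looking or broadcast SSID, anything weaker than WPA2, WPA2-PSK where WPA2 Enterprise is preferred, and an EAP method outside the approved list. The three profiles are constructed samples, the default-SSID word list is an illustrative assumption, and the EAP type numbers (13 EAP-TLS, 21 EAP-TTLS, 25 PEAP) are the IANA method types.

```python
"""Audit Windows WLAN profile XML against the guide's AP/WLAN recommendations.

Added example, not part of the Honeywell guide. Parses the WLAN_profile
schema (http://www.microsoft.com/networking/WLAN/profile/v1).
"""
import xml.etree.ElementTree as ET

NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}
# Assumption for illustration: substrings that suggest a vendor default SSID.
DEFAULT_SSID_HINTS = ("default", "linksys", "netgear", "dlink", "tp-link", "ssid")
# IANA EAP method types for the methods the guide approves.
APPROVED_EAP = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def eap_method_type(root):
    """Return the numeric EAP method type, matching on local names because
    EapHostConfig and EapCommon use their own namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "EapMethod":
            for child in el:
                if child.tag.rsplit("}", 1)[-1] == "Type" and child.text:
                    if child.text.strip().isdigit():
                        return int(child.text)
    return None


def audit_profile(xml_text):
    """Return a list of findings (empty means the profile meets the guidance)."""
    root = ET.fromstring(xml_text)
    sec = "p:MSM/p:security/p:authEncryption/"
    ssid = root.findtext("p:SSIDConfig/p:SSID/p:name", default="", namespaces=NS)
    hidden = root.findtext("p:SSIDConfig/p:nonBroadcast", default="false", namespaces=NS)
    auth = root.findtext(sec + "p:authentication", default="", namespaces=NS)
    enc = root.findtext(sec + "p:encryption", default="", namespaces=NS)
    onex = root.findtext(sec + "p:useOneX", default="false", namespaces=NS)
    findings = []
    if not ssid or any(h in ssid.lower() for h in DEFAULT_SSID_HINTS):
        findings.append("SSID looks like a vendor default or is empty")
    if hidden.strip().lower() != "true":
        findings.append("profile expects a broadcast SSID")
    if auth in ("open", "shared", "WPA", "WPAPSK"):
        findings.append("authentication %r is not WPA2" % auth)
    elif auth == "WPA2PSK":
        findings.append("WPA2-PSK in use; WPA2 Enterprise (EAP) is preferred")
    elif auth == "WPA2":
        if onex.strip().lower() != "true":
            findings.append("WPA2 without 802.1X (useOneX is false)")
        else:
            eap = eap_method_type(root)
            if eap is None:
                findings.append("no EAP method configured")
            elif eap not in APPROVED_EAP:
                findings.append("EAP type %d is not an approved method" % eap)
    else:
        findings.append("unrecognised authentication %r" % auth)
    if enc in ("none", "WEP", "TKIP"):
        findings.append("encryption %r is weak" % enc)
    return findings


# Constructed sample profiles (trimmed to the elements the audit reads).
_HDR = '<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">'
SECURE_PROFILE = _HDR + """
  <name>WH-SCANNERS</name>
  <SSIDConfig><SSID><name>WH-SCANNERS</name></SSID><nonBroadcast>true</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
      </EapHostConfig></EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""
PSK_PROFILE = _HDR + """
  <name>NETGEAR</name>
  <SSIDConfig><SSID><name>NETGEAR</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security><authEncryption>
    <authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""
LEGACY_PROFILE = _HDR + """
  <name>Warehouse</name>
  <SSIDConfig><SSID><name>Warehouse</name></SSID><nonBroadcast>true</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security><authEncryption>
    <authentication>open</authentication><encryption>WEP</encryption><useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""

if __name__ == "__main__":
    for label, profile in (("secure", SECURE_PROFILE), ("psk", PSK_PROFILE), ("legacy", LEGACY_PROFILE)):
        print(label, audit_profile(profile) or ["ok"])
```

WPA2-PSK is reported as a finding rather than a failure because the guide lists it among the approved methods; an organisation that has standardised on WPA2 Enterprise can promote that line to a hard failure.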
47. ting applications (icon size, pinned to the Start menu, and icon location in the menu)
• System button disablement
• Button mapping for application launch
• Enable/disable application menus on tap-and-hold
• CSP Runner enable/disable (enable allows CSPs to be executed on the device when there is no MDM provider)
• Enable/disable system and application settings
• Enable/disable tile manipulation
• Start screen size (only configurable for the default role)

Assign Roles
Honeywell recommends either a Kiosk mode lockdown or a lockdown based on Administrator and Associate roles.

Assign Application Lockdown
Honeywell recommends the following application access based on roles for various users.

Application Access Recommendations (application, GUID, roles with access)
Alarms {5B04B775-356B-4AA0-AAF8-6491FFEA560A}: Default, Admin
Battery Saver {C551F76F-3368-42BB-92DF-7BFBB9265636}: Default, Admin
Bing Finance {1E0440F1-7ABF-4B9A-863D-177970EEFB5E}: Default
Bing Food {CC512389-0456-430F-876B-704B17317DE2}: Default
Bing Health {CBB8C3BD-99E8-4176-AD8C-95EC6A3641C2}: Default
Bing News {9C3E8CAD-6702-4842-8F61-B8B33CC9CAF1}: Default
Application Access Recommendations (Continued)
Bing Sports {0F4C8C7E-7114-4E1E-A84C-50664DB13B17}: Default
Bing Travel {19CD0687-980B-4838-8880-5F68ABA1671E}: Default
Bing Weather {63C2A117-8604-44E7-8CEF-DF10BE3A57C8}:
48. tp://msdn.microsoft.com/en-us/library/dn798310.aspx
Deployment Features in Windows Embedded 8.1 Handheld: http://msdn.microsoft.com/en-us/library/dn499748.aspx
Manage Devices: http://msdn.microsoft.com/en-us/library/dn499752.aspx
Windows Phone 8.1 mobile device management (MDM) protocol documentation: http://msdn.microsoft.com/en-us/library/dn499787.aspx
WE8H Develop Applications: http://msdn.microsoft.com/en-us/library/dn715923(v=winembedded.81).aspx
WE8H application programming interface (API) Reference: http://msdn.microsoft.com/en-us/library/dn715928(v=winembedded.81).aspx
Windows Phone API Reference: http://msdn.microsoft.com/en-us/library/windows/apps/ff626516(v=vs.105).aspx
Security Development Lifecycle: http://www.microsoft.com/security/sdl/default.aspx
Wireless local area network (WLAN) profile schema: http://msdn.microsoft.com/en-us/library/windows/desktop/ms707341(v=vs.85).aspx

Information Security Standards
European Network and Information Security Exchange: http://www.enisa.europa.eu
British Standards Institution Information Security: http://www.bsi-global.com
International Organization for Standardization (ISO): http://www.iso.org
Information Technology Security Techniques, ISO 15408 Evaluation Criteria for IT Security, Parts 1-3: http://www.iso.org
ISO 27002 Code of Practice
49. Default
Calculator {5B04B775-356B-4AA0-AAF8-6491FFEA5603}: Default, Admin, Associate
Calendar {36F9FA1C-FDAD-4CF0-99EC-C03771ED741A}: Default, Admin, Associate
Camera {5B04B775-356B-4AA0-AAF8-6491FFEA5631}: Default, Admin, Associate
Cortana {5B04B775-356B-4AA0-AAF8-6491FFEA568C}: Default, Admin, Associate
Data Sense {5B04B775-356B-4AA0-AAF8-6491FFEA5646}: Default, Admin
Email {5B04B775-356B-4AA0-AAF8-6491FFEA5614}: Default, Admin, Associate
Facebook {0C340A67-3288-4C76-9375-0F2FEFBA0412}: Default
Games {50A6AEF0-4F35-434B-9308-CB3251303AE4}: Default
Internet Explorer {5B04B775-356B-4AA0-AAF8-6491FFEA5660}: Default, Admin, Associate
Maps {5B04B775-356B-4AA0-AAF8-6491FFEA5686}: Default, Admin, Associate
Messaging {5B04B775-356B-4AA0-AAF8-6491FFEA5610}: Default, Admin, Associate
Music {D2B6A184-DA39-4C9A-9E0A-8B589B03DEC0}: Default
Office Hub {5B04B775-356B-4AA0-AAF8-6491FFEA561E}: Default
OneDrive {AD543082-80EC-45BB-AA02-FFE7F4182BA8}: Default
OneNote Mobile {5B04B775-356B-4AA0-AAF8-6491FFEA561B}: Default
People {5B04B775-356B-4AA0-AAF8-6491FFEA5615}: Default
Phone {5B04B775-356B-4AA0-AAF8-6491FFEA5611}: Default, Admin, Associate
Photos {5B04B775-356B-4AA0-AAF8-6491FFEA5632}: Default, Admin, Associate
Podcast {C3215724-B279-4206-8C3E-61D1A9D63ED3}: Default
Settings {5B04B775-356B-4AA0-AAF8-6491FFEA5601}: Default, Admin
Storage Sense {5B04B775-356B-4AA0-AAF8-6491FFEA564D}: Default, Admin
Store {5B04B775-356B-4AA0-AAF8-6491FFEA5633}: Default, Admin
Video {6AFFE59E-0467-4701-851F-7AC026E21665}: Default, Admin, Associate
Wallet {5B04B775-356B-4AA0-AAF8-6491FFEA5683}: Default

Assign Settings Lockdown
Honeywell recommends the following settings application lockdown based on user role.
Application Lockdown Recommendations
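Role-based application access of the kind tabulated above is delivered through the EnterpriseAssignedAccess lockdown XML. The generator below is an added example, not Honeywell's provisioning XML: the element layout (HandheldLockdown, Default, RoleList/Role, Apps/Application productId, ActionCenter enabled, MenuItems/DisableMenuItems, Tiles/EnableTileManipulation) is taken from my recollection of the MSDN EnterpriseAssignedAccess CSP documentation and should be verified against the published schema before use. The application GUIDs are a subset of those printed in the table; the role GUIDs are constructed placeholders. It applies the per-role notes from the EnterpriseAssignedAccess section: Action Center disabled, menu items disabled for the associate role, and tile manipulation allowed only in the default role.

```python
"""Generate an EnterpriseAssignedAccess lockdown XML from the guide's
role-based application access table, then read it back per role.

Added example, not Honeywell's provisioning XML. Element names are an
assumption based on the MSDN EnterpriseAssignedAccess CSP documentation.
"""
import xml.etree.ElementTree as ET

# (application, productId, roles allowed), a subset of the guide's table.
APP_ACCESS = [
    ("Calculator", "{5B04B775-356B-4AA0-AAF8-6491FFEA5603}", {"Default", "Admin", "Associate"}),
    ("Camera",     "{5B04B775-356B-4AA0-AAF8-6491FFEA5631}", {"Default", "Admin", "Associate"}),
    ("Email",      "{5B04B775-356B-4AA0-AAF8-6491FFEA5614}", {"Default", "Admin", "Associate"}),
    ("Settings",   "{5B04B775-356B-4AA0-AAF8-6491FFEA5601}", {"Default", "Admin"}),
    ("Store",      "{5B04B775-356B-4AA0-AAF8-6491FFEA5633}", {"Default", "Admin"}),
    ("Facebook",   "{0C340A67-3288-4C76-9375-0F2FEFBA0412}", {"Default"}),
    ("Games",      "{50A6AEF0-4F35-434B-9308-CB3251303AE4}", {"Default"}),
]
# Constructed placeholder role GUIDs (not from the guide).
ROLE_GUIDS = {
    "Admin":     "{00000000-0000-0000-0000-00000000AD01}",
    "Associate": "{00000000-0000-0000-0000-00000000A501}",
}


def _fill_role(parent, role):
    """Populate one role (or the Default section) with the recommended lockdown."""
    # Guide: disable Action Center, since notifications can deep-link into the OS.
    ET.SubElement(parent, "ActionCenter", enabled="false")
    apps = ET.SubElement(parent, "Apps")
    for _name, product_id, roles in APP_ACCESS:
        if role in roles:
            ET.SubElement(apps, "Application", productId=product_id, pinToStart="1")
    # Guide: menu items disabled for associate roles.
    if role == "Associate":
        ET.SubElement(ET.SubElement(parent, "MenuItems"), "DisableMenuItems")
    # Guide: tile manipulation disabled for admin and associate roles.
    tiles = ET.SubElement(parent, "Tiles")
    if role == "Default":
        ET.SubElement(tiles, "EnableTileManipulation")


def build_lockdown_xml():
    """Return the lockdown document as a string."""
    root = ET.Element("HandheldLockdown", version="1.0")
    _fill_role(ET.SubElement(root, "Default"), "Default")
    role_list = ET.SubElement(root, "RoleList")
    for role, guid in ROLE_GUIDS.items():
        _fill_role(ET.SubElement(role_list, "Role", guid=guid, name=role), role)
    return ET.tostring(root, encoding="unicode")


def allowed_apps(xml_text, role=None):
    """productIds a role may launch; role=None reads the Default section."""
    root = ET.fromstring(xml_text)
    scope = root.find("Default") if role is None else root.find("RoleList/Role[@name='%s']" % role)
    return [app.get("productId") for app in scope.iter("Application")]


def menu_items_disabled(xml_text, role):
    """True if the role's MenuItems section carries DisableMenuItems."""
    root = ET.fromstring(xml_text)
    scope = root.find("RoleList/Role[@name='%s']" % role)
    return scope.find("MenuItems/DisableMenuItems") is not None

if __name__ == "__main__":
    doc = build_lockdown_xml()
    for r in (None, "Admin", "Associate"):
        print(r or "Default", len(allowed_apps(doc, r)), "apps")
    print(doc)
```

Reading the document back per role is the useful half: it is the check an administrator runs before pushing a lockdown file, confirming that the associate role really cannot reach Settings, Store or the consumer apps, which is the whole point of the table.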