From what I can see of WinCE it was designed with mobility/portability in
mind (obviously), and security falls very far behind on these devices.
That's not to say that they can not be used in a secure fashion, but I find
configuring them for these types of requirements/environments might prove a
little difficult on occasion. For one, I've yet to find a decent SSH client
for WinCE. I've seen one, but to the best of my knowlege it still only
supports SSH1. I'm going to make an assumption and say you are probably
going to run Terminal Service client or possibly Citrix, at least on the
WYSE, and possibly some sort of mobile e-mail and such for the handhelds.
We've been looking into remote access for our users here, to mail and such,
and have been looking into quite a few VPN's. Cisco does offer a WinCE
client I'm fairly certain, but I don't recall if any of the others (Shiva,
etc..) do, although I'd be willing to bet that they do offer these types of
clients, which in my opinion would be a minimum requirement for any sort of
remote connectivity from a handheld. Especially if those clients will be
connecting over any sort of wireless medium. Unless I've been a complete
idiot (which is completely possible), I haven't been able to connect to any
Terminal Servers using the PocketPC Terminal Service client. All the
Terminal Servers in my environment are running with the High encryption
mode, so I'm assuming that the PocketPC TS client doesn't support 128-bit
encryption. I'm not certain if that is the case with Windows CE in general,
or just the PocketPC client that was released recently. Overall, the only
type of exploit I could imagine in that type of attack would be a
man-in-the-middle type of attack. If anyone else has any other ideas, I'd
be interested as well.

--MikeD

-----Original Message-----
From: Bryan Smith [mailto:bsmithci.atlantic-beach.fl.us]
Sent: February 15, 2002 12:25 PM
To: focus-mssecurityfocus.com
Subject: Windows CE

I review these pages on at least a weekly basis.
Unfortunately (or maybe fortunately) I do not find
many items concerning Windows CE. Is this
because it is not highly scrutinized like other MSFT
products or is it that there is actually one secure
MSFT product? I have some WYSE win
terminals and a few handheld pc's on CE that are
connected to the system daily. The pressure to
increase the use of these is mounting greatly but
I have not been able to determine the security risks
involved if any and am concerned about this.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]