ActiveSync Security

4/8/2010

ActiveSync enables users to synchronize data, such as personal information, contacts, calendar items, and user files, between a Windows® phone and a desktop computer. You can synchronize the device with the desktop either through a local connection to the computer or from a remote location, over serial, USB, infrared, modem, and Ethernet LAN connections. For more information about the ActiveSync architecture and functionality, see Data Synchronization With ActiveSync.

In general, you should be aware that ActiveSync poses a potential security risk to both the device and the desktop computer because it can run over a network. If the Windows phone is used over a public network, such as the Internet, and the security of the device is compromised, the device or the local network could be exposed to the public network.

Once a local connection and a standard partnership are established between the device and the desktop computer by using ActiveSync, desktop passthrough is enabled by default. This can potentially expose the device to standard network threats. Note that desktop passthrough is enabled even when the desktop is locked or is password or PIN protected.

By default, local synchronization is enabled when you install ActiveSync on your device. This means that after the standard partnership is established between the device and the desktop, the device listens for data from the desktop. This exposes the device to risks such as spoofing or denial of service attacks launched by any application running on the desktop.

When a standard partnership is established between the device and the desktop, the communication channel between them is open and unencrypted while data is being synchronized. This data is potentially open to sniffing by untrusted applications.

A standard partnership between the device and the desktop also opens up the possibility of denial of service attacks from the desktop that could lead to the device becoming unresponsive. At this time, you can recover from this situation by disconnecting the device from the desktop.

Best Practices for OEMs

Advise users of the security risks of using network connections for information exchange

This is particularly relevant in an enterprise context because corporate networks are vulnerable to sniffing over the wireless network.

Best Practices for End Users

Avoid network-based synchronization

Network-based synchronization, especially in wireless networks, poses security risks, such as sniffing.

Always use a password to lock your Windows Embedded CE-based device

Locking your Windows phone with a password prevents unauthorized access to device contents, both directly and over ActiveSync.

Default Registry Settings

You should be aware of the registry settings that impact security. If a value has security implications, you will find a Security Note in the registry settings documentation.

See Also

Other Resources

ActiveSync