Security Best Practices for Windows Mobile Devices
Set the RAPI policy to restricted mode whenever other security policies restrict access to the device.
Microsoft highly recommends that you set the RAPI Policy to restricted mode whenever other security policies restrict access to the device. For more information about the RAPI policy, see Security Policy Settings and RAPI Restricted Mode Security.
Prompt the user before running normal applications.
Microsoft highly recommends that you keep the User Prompt mode on for unsigned applications on all Windows Mobile devices.
The Unsigned Prompt Policy (4122) indicates whether a user is prompted to accept or reject unsigned .cab, theme, .dll and .exe files. By default, this value is 0, which means that the user will be prompted. For more information, see Security Policy Settings.
Assign unsigned themes with a security role of User Unauthenticated.
Microsoft highly recommends that you keep the Unsigned Theme policy set to the SECROLE_USER_UNAUTH security role. This is the default setting.
The Unsigned Themes security policy indicates whether theme files, which are used for processing homescreens, can be installed on the device. If a signed theme file does not have a matching root certificate in the Software Publisher Certificate (SPC) store, the file is unsigned.
Accepted unsigned theme files are installed with the role mask specified by the policy value.
By default, the value of the Unsigned Theme policy is SECROLE_USER_UNAUTH.
For more information about the Unsigned Themes security policy, see Security Policy Settings.
Do not put the SECROLE_USER_UNAUTH security role in the Service Loading (SL) Message Policy.
The Service Loading (SL) Message Policy indicates whether SL messages are accepted. An SL message downloads new services, applications, or provisioning XML silently to the Windows Mobile device. The policy value is a role mask that specifies which security roles can accept SL messages. The default value is SECROLE_PPG_TRUSTED.
Microsoft highly recommends that you do not include the User Unauthenticated role (SECROLE_USER_UNAUTH) in this policy.
For more information about the Service Loading (SL) Message Policy, see Security Policy Settings.
For more information about SI and SL security issues, see SI and SL Security.
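The four recommendations above can be checked mechanically against a device's security policy export. The following audit is an added example, not Microsoft's code. It assumes the policies are available as provisioning XML with a SecurityPolicy characteristic. Apart from policy 4122 and its default of 0, the policy IDs, the RAPI restricted value and the numeric role bits are assumptions that should be confirmed against Security Policy Settings.

```python
import xml.etree.ElementTree as ET

# Assumed values: only policy ID 4122 and its default of 0 appear on the page.
RAPI, PROMPT, THEMES, SL = "4097", "4122", "4103", "4108"   # assumed policy IDs
RAPI_RESTRICTED = 2                                          # assumed value
SECROLE_USER_UNAUTH = 0x40                                   # assumed role bit
SECROLE_PPG_TRUSTED = 0x800                                  # assumed role bit

# Constructed sample, not taken from a real device.
SAMPLE = """<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <parm name="4097" value="1"/>
    <parm name="4122" value="1"/>
    <parm name="4108" value="2112"/>
  </characteristic>
</wap-provisioningdoc>"""

def read_policies(xml_text):
    """Return {policy_id: int} for every parm under a SecurityPolicy characteristic."""
    policies = {}
    for ch in ET.fromstring(xml_text).iter("characteristic"):
        if ch.get("type") == "SecurityPolicy":
            for parm in ch.findall("parm"):
                policies[parm.get("name")] = int(parm.get("value"), 0)
    return policies

def audit(policies):
    """Return (policy_id, finding) pairs; an absent policy keeps the page's default."""
    findings = []
    # Assumes other policies restrict device access, the page's condition for RAPI.
    if RAPI in policies and policies[RAPI] != RAPI_RESTRICTED:
        findings.append((RAPI, "RAPI policy is not in restricted mode"))
    if policies.get(PROMPT, 0) != 0:
        findings.append((PROMPT, "user is not prompted for unsigned files"))
    if policies.get(THEMES, SECROLE_USER_UNAUTH) != SECROLE_USER_UNAUTH:
        findings.append((THEMES, "unsigned themes do not get SECROLE_USER_UNAUTH"))
    # Bit test: the mask may name several roles, so compare the single bit only.
    if policies.get(SL, SECROLE_PPG_TRUSTED) & SECROLE_USER_UNAUTH:
        findings.append((SL, "SL message policy includes SECROLE_USER_UNAUTH"))
    return findings

if __name__ == "__main__":
    for policy_id, finding in audit(read_policies(SAMPLE)):
        print(policy_id, finding)
```

The constructed sample yields findings for the RAPI, prompt and SL policies; the theme policy is absent from it and is therefore treated as holding its default.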