Tuesday, June 26, 2012

smartphone-policies

 

policies

smartphone policies are stored in the registry under HKLM\Security\Policies\Policies. the low-numbered policies (1-10) are the exception: they are stored as named registry values under HKLM\Security\Policies\Shell.

ossvcs.dll ordinal 116 is the function used to query a policy's value.
ossvcs.dll ordinal 117 is the function used to change a policy's value.

you can modify policies with the 'rapiconfig.exe' tool,
or, easier, with my prapi.exe tool.

  • create a config file containing the parameters you want to set:

    <wap-provisioningdoc>
      <characteristic type="SecurityPolicy">
        <parm name="4097" value="1"/>
        <parm name="4101" value="64"/>
        <parm name="4102" value="1"/>
        <parm name="4119" value="196"/>
      </characteristic>
    </wap-provisioningdoc>

  • execute it with: rapiconfig /p yourfile.xml

to find out what your current settings are:

  • create a config file containing the parameters you want to query:

    <wap-provisioningdoc>
      <characteristic type="SecurityPolicy">
        <parm-query name="4097"/>
        <parm-query name="4101"/>
        <parm-query name="4102"/>
        <parm-query name="4119"/>
      </characteristic>
    </wap-provisioningdoc>

  • execute it with: rapiconfig /p yourfile.xml
  • read the result from RapiConfigOut.xml
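the set/query documents above and the RapiConfigOut.xml that comes back are small enough to generate and check from a script instead of editing by hand. the following is an added example (mine, not part of the original post or of rapiconfig/prapi): it builds both documents for the four policies used above, parses the answer file, and reports which policies differ from what you wanted. the one assumption is the answer format: the sample RapiConfigOut.xml embedded below is constructed on the assumption that rapiconfig answers each parm-query with a parm element carrying the same name and a decimal value; the values in it are the defaults listed further down this page.

```python
"""Build the rapiconfig provisioning documents from the post and read back RapiConfigOut.xml."""
import xml.etree.ElementTree as ET

# Policy ids from the post's example, in decimal as rapiconfig expects them in the XML.
POLICY_RAPI = 4097            # 0x1001  RAPI Policy
POLICY_UNSIGNED_CABS = 4101   # 0x1005  Unsigned CABS Policy (role mask)
POLICY_UNSIGNED_APPS = 4102   # 0x1006  Unsigned Applications Policy
POLICY_GRANT_MANAGER = 4119   # 0x1017  Grant Manager Policy (role mask)

# The settings the post's example file writes.
EXAMPLE_SETTINGS = {
    POLICY_RAPI: 1,              # full RAPI access, no role check
    POLICY_UNSIGNED_CABS: 64,    # SECROLE_USER_UNAUTH
    POLICY_UNSIGNED_APPS: 1,     # unsigned applications may run
    POLICY_GRANT_MANAGER: 196,   # SECROLE_OPERATOR + SECROLE_USER_UNAUTH + SECROLE_OPERATOR_TPS
}


def _security_policy_doc():
    root = ET.Element("wap-provisioningdoc")
    return root, ET.SubElement(root, "characteristic", type="SecurityPolicy")


def build_set_doc(settings):
    """wap-provisioningdoc that sets each policy id to the given value (for rapiconfig /p)."""
    root, char = _security_policy_doc()
    for pid, value in settings.items():
        ET.SubElement(char, "parm", name=str(pid), value=str(value))
    return ET.tostring(root, encoding="unicode")


def build_query_doc(policy_ids):
    """wap-provisioningdoc that queries each policy id with parm-query."""
    root, char = _security_policy_doc()
    for pid in policy_ids:
        ET.SubElement(char, "parm-query", name=str(pid))
    return ET.tostring(root, encoding="unicode")


def parse_rapiconfig_out(xml_text):
    """Collect SecurityPolicy parm elements from RapiConfigOut.xml into {policy_id: value}.

    Assumption: the device answers a parm-query with a parm element carrying the same
    name and a decimal value; values that do not parse as integers are kept as strings.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for char in root.iter("characteristic"):
        if char.get("type") != "SecurityPolicy":
            continue
        for parm in char.findall("parm"):
            raw = parm.get("value", "")
            result[int(parm.get("name"))] = int(raw) if raw.lstrip("-").isdigit() else raw
    return result


def diff_policies(observed, wanted):
    """Return {policy_id: (observed, wanted)} for every policy not at the wanted value.

    Policies missing from the observed set are reported with observed=None.
    """
    return {pid: (observed.get(pid), val)
            for pid, val in wanted.items() if observed.get(pid) != val}


# Constructed sample of a RapiConfigOut.xml answering the query for the same four
# policies, using the default values listed later in this post.
SAMPLE_OUT = """<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <parm name="4097" value="2"/>
    <parm name="4101" value="16"/>
    <parm name="4102" value="1"/>
    <parm name="4119" value="16"/>
  </characteristic>
</wap-provisioningdoc>"""

if __name__ == "__main__":
    print(build_query_doc(EXAMPLE_SETTINGS))
    current = parse_rapiconfig_out(SAMPLE_OUT)
    for pid, (have, want) in diff_policies(current, EXAMPLE_SETTINGS).items():
        print(f"policy {pid} (0x{pid:04x}): device has {have}, example sets {want}")
```

write the output of build_query_doc to a file, run rapiconfig /p on it, and feed RapiConfigOut.xml to parse_rapiconfig_out; diff_policies then tells you whether a rapiconfig /p of the set document actually took effect (a policy that did not change usually means the role the document was applied with is not allowed to modify it).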

policy ids

1     Policies\Shell\NoRunDlg
2     AutoRun Policy
      Determines whether applications stored on a storage card (MultiMedia Card or Compact Flash) are allowed to auto-run when the card is inserted into the device.
      0  Applications on a storage card are allowed to auto-run. (default)
      1  Applications on a storage card are restricted from auto-running.
3     Policies\Shell\DisallowRun
4     Policies\Shell\RestrictRun
5     Policies\Shell\NoDownload
6     Policies\Shell\PasswordPeriod
7     Policies\Shell\NoPasswdPeriod
8     Policies\Shell\NoWeakPassword
9     Policies\Shell\NoRapiRegMod
10    Policies\Shell\NoExternalExes
4097 (0x1001) RAPI Policy
      The Remote API (RAPI) policy restricts the access of remote applications that use RAPI to implement ActiveSync operations on mobile devices.
      0  ActiveSync service is shut down. RAPI calls are rejected.
      1  Full access to ActiveSync. RAPI calls are processed without restrictions.
      2  Access to ActiveSync is restricted to the SECROLE_USER_AUTH (User Authenticated) role. RAPI calls are checked against this role mask before they are granted. (default)
4101 (0x1005) Unsigned CABS Policy
      Determines whether unsigned .cab files can be installed on the device. On the Windows Mobile-based Smartphone, this policy also determines whether applications stored on a MultiMedia Card (MMC) are allowed to auto-run when inserted into the device. Accepted unsigned .cab files are installed with the role mask specified by the policy value.
      If a signed .cab file does not have a matching root certificate in the Software Publisher Certificate (SPC) store, the file is treated as unsigned. For information about certificate stores, see Application Security on Mobile Devices.
      Specified as a role mask: accepted unsigned .cab files are installed with the role mask specified by this policy.
      SECROLE_USER_AUTH  Unsigned .cab files cannot be installed. (default)
4102 (0x1006) Unsigned Applications Policy
      Determines whether unsigned applications are allowed to run on a Windows Mobile-based Smartphone. If a signed application does not have a matching root certificate in the Privileged Execution Trust Authorities or the Unprivileged Execution Trust Authorities certificate store, the application is treated as unsigned. For information about certificate stores, see Application Security on Mobile Devices.
      0  Unsigned applications are not allowed to run on the device. Any value other than 1 is treated as 0.
      1  Unsigned applications are allowed to run on the device. (default)
4103 (0x1007) Unsigned Themes Policy
      Determines whether unsigned theme files (.cab files that update the Home screen) can be installed on the device, and with which role mask they are installed. Specified as a role mask.
      Default value: SECROLE_USER_UNAUTH
4104 (0x1008) Trusted Provisioning Server Policy
      Determines whether mobile operators can be assigned the Trusted Provisioning Server (TPS) role.
      0  Disable assigning the TPS role.
      1  Enable assigning the TPS role. (default)
4105 (0x1009) Message Authentication Policy
      Defines the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message. Value: maximum number of allowed retries, 1-256.
      Default value: 3
4106 (0x100a) unknown
4107 (0x100b) WAP Signed Message Policy
      Determines whether a WAP signed message is accepted, based on whether the role assigned to the message matches any of the roles specified in the policy setting. Specified as a role mask.
      Default value: SECROLE_PPG_AUTH + SECROLE_PPG_TRUSTED + SECROLE_OPERATOR_TPS + SECROLE_OPERATOR
4108 (0x100c) Service Loading Policy
      Determines whether Service Loading (SL) messages are accepted. An SL message downloads new services or provisioning XML to the Windows Mobile-based Smartphone. An SL message is a type of over-the-air (OTA) message. Specified as a role mask.
      Default value: SECROLE_PPG_TRUSTED
4109 (0x100d) Service Indication Policy
      Determines whether Service Indication (SI) messages are accepted. An SI message is sent to the Windows Mobile-based Smartphone to notify users of new services, service updates, and provisioning services. An SI message is a type of over-the-air (OTA) message. Specified as a role mask.
      Default value: SECROLE_PPG_AUTH + SECROLE_PPG_TRUSTED
4110 (0x100e) Unauthenticated Messages Policy
      Determines whether to accept unsigned WAP messages processed by the default security provider in the Security Module (Push Router), based on their origin. Specified as a role mask.
      Default value: SECROLE_USER_UNAUTH
4111 (0x100f) OTA Provisioning Policy
      Determines which over-the-air (OTA) provisioning messages are accepted by the Configuration Host, based on the roles assigned to the messages. This policy limits the provisioning messages that come from the Push Router. Specified as a role mask.
      Default value: SECROLE_OPERATOR + SECROLE_OPERATOR_TPS + SECROLE_PPG_TRUSTED + SECROLE_PPG_AUTH + SECROLE_TRUSTED_PPG + SECROLE_USER_AUTH
4112 (0x1010) unknown
4113 (0x1011) WSP Push Policy
      Determines whether Wireless Session Protocol (WSP) notifications from the WAP stack are routed.
      0  Routing of WSP notifications is not allowed.
      1  Routing of WSP notifications is allowed. (default)
4114 (0x1012) unknown
4115 (0x1013) unknown (value 1)
4116 (0x1014) unknown
4117 (0x1015) unknown
4118 (0x1016) unknown
4119 (0x1017) Grant Manager Policy
      Enforced by Configuration Manager. This policy maps a specified role mask to the SECROLE_MANAGER role, granting the system administrative privileges of the SECROLE_MANAGER role to other security roles without modifying metabase role assignments.
      When this policy is set to the SECROLE_NONE role mask, only the manager is granted the Manager role.
      Specified as a role mask.
      Default value: SECROLE_USER_AUTH
4120 (0x1018) Grant User Authenticated Policy
      Enforced by Configuration Manager. This policy maps a role mask to the SECROLE_USER_AUTH role, granting the privileges of the SECROLE_USER_AUTH role without modifying metabase role assignments. Specified as a role mask.
      Default value: SECROLE_USER_AUTH
4121 (0x1019) Trusted WAP Proxy Policy
      Specifies the level of permissions required to create, modify, or delete a trusted proxy. WAP proxies are configured by means of the PXLOGICAL characteristic element in a WAP provisioning XML document. A WAP proxy is trusted when the TRUST parm is specified in the PXLOGICAL characteristic element. Specified as a role mask.
      Default value: SECROLE_OPERATOR + SECROLE_OPERATOR_TPS + SECROLE_MANAGER
4122 (0x101a) Unsigned Prompt Policy
      Determines whether the user is prompted to accept or reject an unsigned .cab file, or a theme with unsigned .dll files, on a Windows Mobile-based Smartphone.
      0  Enable user prompt. Any value other than 1 is treated as 0. (default)
      1  Disable user prompt.
4123 (0x101b) PrivilegedApps Policy
      Specifies which security model is implemented on the device.
      0  Two-tier security model is enabled. Any value other than 1 is treated as 0. (default)
      1  One-tier security model is enabled.
4124 (0x101c) SL Security Policy
      Allows the operator to override https to use http, or wsps to use wsp.
      0  Use https or wsps.
      1  Use http or wsp.
      The role required to modify this policy is SECROLE_MANAGER.
4125 (0x101d) Signed Mail Policy
      Used for S/MIME. Indicates whether the Inbox application sends all messages signed and, if so, which algorithm to use.
      0  Messages are signed with the default algorithm (SHA-1).
      1  Messages are not signed.
      2  Messages are signed using the SHA-1 algorithm.
      3  Messages are signed using the MD5 algorithm.
      The role required to modify this policy is SECROLE_MANAGER.
4126 (0x101e) Encrypted Mail Policy
      Used for S/MIME. Indicates whether the Inbox application sends all messages encrypted and, if so, which algorithm to use.
      0  Messages are encrypted using the default encryption, RC2.
      1  Messages are not encrypted.
      2  Messages are encrypted using 3DES.
      3  Messages are encrypted using DES.
      4  Messages are encrypted using RC2_128.
      5  Messages are encrypted using RC2_64.
      6  Messages are encrypted using RC2_40.
      The role required to modify this policy is SECROLE_MANAGER.
4127 (0x101f) Software Certificates Policy
      Determines whether software certificates can be used to sign outgoing messages. You can use this policy together with a tool of your own that lets people import certificates.
      0  Software certificates cannot be used to sign messages.
      1  Software certificates can be used to sign messages.
4128 (0x1020) unknown
4129 (0x1021) DRM Security Policy
      Specifies which DRM rights messages are accepted by the DRM engine, based on the role assigned to the message. Specified as a role mask.
      Default value: SECROLE_PPG_AUTH + SECROLE_PPG_TRUSTED
4130 (0x1022) unknown
4131 (0x1023) Password Required Policy
      Indicates whether a password must be configured on the device.
      0  A password is required.
      Any value other than 0: a password is not required.
      The role required to modify this policy is SECROLE_MANAGER or SECROLE_ENTERPRISE.
4132 (0x1024) unknown
4133 (0x1025) Desktop Unlock Policy
      Indicates how the desktop must handle authentication when the device is locked.
      0  The user must authenticate on the device if it is locked upon connect.
      1  The user can authenticate by entering the PIN on the desktop.
      The role required to modify this policy is SECROLE_MANAGER or SECROLE_ENTERPRISE.

security roles

SECROLE_NONE 0 No role. Specifies that a message is not signed with any role.
SECROLE_OEM 2 Original equipment manufacturer (OEM) role.

By default, this role does not provide permissions to configure settings using over-the-air (OTA) messages.

SECROLE_OPERATOR 4 Mobile Operator role.

This role is assigned to OTA messages that are signed by the mobile operator's network PIN (IMSI in Global System for Mobile Communications [GSM]). OTA messages include wireless application protocol (WAP) push messages, Service Loading (SL), and Service Indication (SI) messages. The permissions associated with this role are determined by the settings that the mobile operator requires access to if the operator is not the manager of the phone. The mobile operator can determine whether this role and the SECROLE_OPERATOR_TPS role require the same permissions.

SECROLE_MANAGER 8 Manager role.

This role holds the highest level of authority and is assigned to the user-authenticated message by default. This role provides permissions to change all of the settings on the device.

SECROLE_USER_AUTH 16 User Authenticated role.

This role is assigned to the following types of messages:

  • User PIN-signed WAP push messages
  • Messages received through the Remote API (RAPI) by default

The permissions associated with this role are determined by the settings that the user requires access to if the user is not the manager of the device.

SECROLE_ENTERPRISE 32 Enterprise IT Administrator role (WM5 AKU 2.0 and later).
SECROLE_USER_UNAUTH 64 User Unauthenticated role.

This role is assigned to unsigned WAP push messages, and to unsigned .cab files. This role provides permissions to install a Home screen or ring tones.

SECROLE_OPERATOR_TPS 128 Trusted Provisioning Server role.

This role is assigned to WAP messages that come from a Push Initiator that is authenticated (SECROLE_PPG_AUTH) by a trusted Push Proxy Gateway (SECROLE_TRUSTED_PPG), and where the Uniform Resource Identifier (URI) of the Push Initiator corresponds to the URI of the Trusted Provisioning Server (TPS) on the device. The mobile operator can determine whether this role and the SECROLE_OPERATOR role require the same permissions.

SECROLE_KNOWN_PPG 256 Known Push Proxy Gateway role.

Messages assigned this role indicate that the device knows the Push Proxy Gateway.

SECROLE_TRUSTED_PPG 512 Device Trusted Push Proxy Gateway role.

Messages assigned this role indicate that the Push Proxy Gateway is known and trusted by the device. The address of the Push Proxy Gateway is compared with the trusted Push Proxy Gateway address stored on the device.

SECROLE_PPG_AUTH 1024 Push Initiator Authenticated role.

Messages assigned this role indicate that the Push Initiator is authenticated by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).

SECROLE_PPG_TRUSTED 2048 Trusted Push Proxy Gateway role.

Messages assigned this role indicate that the content sent by the Push Initiator is trusted by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).
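every role-mask valued policy above (unsigned cabs, WAP signed message, SL, SI, grant manager, ...) is just the OR of these bit values, and a message passes such a policy when the role it was assigned matches any role in the mask. the following is an added example (mine, not part of the original post): it composes and decodes masks from the role table above, evaluates the accept check, and compares a configured mask against the defaults listed on this page. the 196 it decodes is the Grant Manager value from the rapiconfig example at the top of the page.

```python
"""Role masks used by the SecurityPolicy settings above: compose, decode and evaluate them."""

# Bit values from the security roles list in this post.
ROLES = {
    "SECROLE_OEM": 2,
    "SECROLE_OPERATOR": 4,
    "SECROLE_MANAGER": 8,
    "SECROLE_USER_AUTH": 16,
    "SECROLE_ENTERPRISE": 32,
    "SECROLE_USER_UNAUTH": 64,
    "SECROLE_OPERATOR_TPS": 128,
    "SECROLE_KNOWN_PPG": 256,
    "SECROLE_TRUSTED_PPG": 512,
    "SECROLE_PPG_AUTH": 1024,
    "SECROLE_PPG_TRUSTED": 2048,
}
SECROLE_NONE = 0
ALL_ROLES = sum(ROLES.values())


def role_mask(*names):
    """OR together the named roles, e.g. role_mask("SECROLE_PPG_AUTH", "SECROLE_PPG_TRUSTED")."""
    mask = 0
    for name in names:
        mask |= ROLES[name]
    return mask


def decode_mask(mask):
    """Split a mask into (known role names in bit order, leftover bits not in the table)."""
    names = [name for name, bit in sorted(ROLES.items(), key=lambda kv: kv[1]) if mask & bit]
    return names, mask & ~ALL_ROLES


def is_accepted(message_roles, policy_mask):
    """Role-mask policy check as the post describes it for RAPI and WAP messages:
    the message passes when at least one of its roles is in the policy mask."""
    return (message_roles & policy_mask) != 0


# Defaults of the role-mask valued policies, as listed in the post (decimal policy id).
DEFAULTS = {
    4103: role_mask("SECROLE_USER_UNAUTH"),                         # Unsigned Themes
    4107: role_mask("SECROLE_PPG_AUTH", "SECROLE_PPG_TRUSTED",
                    "SECROLE_OPERATOR_TPS", "SECROLE_OPERATOR"),   # WAP Signed Message
    4108: role_mask("SECROLE_PPG_TRUSTED"),                         # Service Loading
    4109: role_mask("SECROLE_PPG_AUTH", "SECROLE_PPG_TRUSTED"),     # Service Indication
    4110: role_mask("SECROLE_USER_UNAUTH"),                         # Unauthenticated Messages
    4119: role_mask("SECROLE_USER_AUTH"),                           # Grant Manager
    4121: role_mask("SECROLE_OPERATOR", "SECROLE_OPERATOR_TPS",
                    "SECROLE_MANAGER"),                             # Trusted WAP Proxy
    4129: role_mask("SECROLE_PPG_AUTH", "SECROLE_PPG_TRUSTED"),     # DRM Security
}


def roles_beyond_default(policy_id, mask):
    """Names of roles a configured mask accepts that the post's default for that policy does not."""
    names, _ = decode_mask(mask & ~DEFAULTS[policy_id])
    return names


if __name__ == "__main__":
    # The post's example sets Grant Manager (4119) to 196: see which roles that elevates.
    names, leftover = decode_mask(196)
    print("196 =", " + ".join(names), f"(unknown bits: {leftover:#x})")
    print("elevated to Manager beyond default:", roles_beyond_default(4119, 196))
    # An unsigned (SECROLE_USER_UNAUTH) push message against the default SL policy:
    print("unsigned SL accepted by default?", is_accepted(ROLES["SECROLE_USER_UNAUTH"], DEFAULTS[4108]))
```

note what the example config at the top of the page does: 196 is SECROLE_OPERATOR + SECROLE_USER_UNAUTH + SECROLE_OPERATOR_TPS, and since SECROLE_USER_UNAUTH is the role given to unsigned WAP push messages and unsigned .cab files, setting Grant Manager to 196 hands Manager privileges to anything unsigned. that is convenient for unlocking your own phone and exactly what you do not want on a phone you care about, so run roles_beyond_default over a device's current values before trusting it.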

usage of policy restrictions

the policy restrictions are most likely checked with these functions from ossvcs.dll:
  • ordinal 116 or 29 : get policy value
  • ordinal 117 or 91 : set policy value

    file                  ossvcs api          policy value(s)
    cabinstl.dll          ordinal 116         0x101a
    ceshell.dll           ordinal 29          0xA
    cfghost.exe           ordinal 116         0x100f
    coresecproviders.dll  ordinal 116         0x1008, 0x100b, 0x1009
    rapisrv.exe           ordinal 116         0x1001
    repllog.exe           ordinal 116         0x1001
    siclnt.exe            ordinal 116         0x100d, 0x100c
    syscsps.dll           ordinal 116, 117    0x1019
    telshell.exe          ordinal 116, 29     3, 0xA, 2, 0x101a, 0x101b
    wceload.exe           ordinal 116         0x1005, 0x1007, 0x101a
    wdppush.dll           ordinal 116         0x1010
    wsp.dll               ordinal 116         0x1011

links

  • policies
  • security roles
  • Configuration Service Provider Reference for Windows Mobile Devices 