#1
Windows Mobile powered devices are shipped with default security settings.
The security model enables Mobile Operators to make post-production changes to security settings. This can place significant restrictions on software which has not been signed and approved. However, you can change the default settings. Take control of applications on your phone.

"All listed settings are decimal"

1. Connect the phone through ActiveSync.
2. Run your favorite remote registry editor ("CeRegEditor", "Mobile Registry Editor") on your PC.
3. Navigate to HKEY_LOCAL_MACHINE\Security\Policies\Policies

RAPI Policy:
This setting restricts the access of remote applications that are using Remote API (RAPI) to implement ActiveSync operations.

HKEY_LOCAL_MACHINE\Security\Policies\Policies
DWord = 00001001
Data = Use the following-->
0 = Indicates that the ActiveSync service is shut down. RAPI calls are rejected.
1 = Indicates full access to ActiveSync is provided. RAPI calls are allowed to process without restrictions.
2 = Indicates that access to ActiveSync is restricted to the SECROLE_USER_AUTH (User Authenticated) role. RAPI calls are checked against this role mask before they are granted.

Unsigned cabs role:
If this policy is set to 0, then unsigned CABs won't install. The typical role is UserAuth which means the CABs will install but they have a similar set of privileges as code running at the Normal level. If this policy is set to Manager, then the unsigned CABs have all privileges.

None: Is equivalent to having none of the role mask bits set, and means that no unsigned .cab files can be installed.
OEM: Equipment manufacturer role.
Operator: Settings can be changed by the mobile operator.
Operator-TPS: Settings can be changed by a Wireless Application Protocol (WAP) Trusted Provisioning Server (TPS).
Manager: Provides permissions to change all of the settings on the device.
UserAuth: Settings can be changed by an authenticated user.
UserUnAuth: Settings can be changed by anyone.
A specified role mask indicates accepted unsigned .cab files are installed with the role mask specified.

HKEY_LOCAL_MACHINE\Security\Policies\Policies
DWord = 00001005
Data = Use the following-->
0 = None
2 = OEM
4 = Operator
6 = OEM, Operator
8 = Manager
10 = OEM, Manager
12 = Operator, Manager
14 = OEM, Operator, Manager
16 = UserAuth
18 = OEM, UserAuth
20 = Operator, UserAuth
22 = OEM, Operator, UserAuth
24 = Manager, UserAuth
26 = OEM, Manager, UserAuth
28 = Operator, Manager, UserAuth
30 = OEM, Operator, Manager, UserAuth
64 = UserUnAuth
66 = OEM, UserUnAuth
68 = Operator, UserUnAuth
70 = OEM, Operator, UserUnAuth
72 = Manager, UserUnAuth
74 = OEM, Manager, UserUnAuth
76 = Operator, Manager, UserUnAuth
78 = OEM, Operator, Manager, UserUnAuth
80 = UserAuth, UserUnAuth
82 = OEM, UserAuth, UserUnAuth
84 = Operator, UserAuth, UserUnAuth
86 = OEM, Operator, UserAuth, UserUnAuth
88 = Manager, UserAuth, UserUnAuth
90 = OEM, Manager, UserAuth, UserUnAuth
92 = Operator, Manager, UserAuth, UserUnAuth
94 = OEM, Operator, Manager, UserAuth, UserUnAuth
128 = Operator-TPS
130 = OEM, Operator-TPS
132 = Operator, Operator-TPS
134 = OEM, Operator, Operator-TPS
136 = Manager, Operator-TPS
138 = OEM, Manager, Operator-TPS
140 = Operator, Manager, Operator-TPS
142 = OEM, Operator, Manager, Operator-TPS
144 = UserAuth, Operator-TPS
146 = OEM, UserAuth, Operator-TPS
148 = Operator, UserAuth, Operator-TPS
150 = OEM, Operator, UserAuth, Operator-TPS
152 = Manager, UserAuth, Operator-TPS
154 = OEM, Manager, UserAuth, Operator-TPS
156 = Operator, Manager, UserAuth, Operator-TPS
158 = OEM, Operator, Manager, UserAuth, Operator-TPS
192 = UserUnAuth, Operator-TPS
194 = OEM, UserUnAuth, Operator-TPS
196 = Operator, UserUnAuth, Operator-TPS
198 = OEM, Operator, UserUnAuth, Operator-TPS
200 = Manager, UserUnAuth, Operator-TPS
202 = OEM, Manager, UserUnAuth, Operator-TPS
204 = Operator, Manager, UserUnAuth, Operator-TPS
206 = OEM, Operator, Manager, UserUnAuth, Operator-TPS
208 = UserAuth, UserUnAuth, Operator-TPS
210 = OEM, UserAuth, UserUnAuth, Operator-TPS
212 = Operator, UserAuth, UserUnAuth, Operator-TPS
214 = OEM, Operator, UserAuth, UserUnAuth, Operator-TPS
216 = Manager, UserAuth, UserUnAuth, Operator-TPS
218 = OEM, Manager, UserAuth, UserUnAuth, Operator-TPS
220 = Operator, Manager, UserAuth, UserUnAuth, Operator-TPS
222 = OEM, Operator, Manager, UserAuth, UserUnAuth, Operator-TPS

Unsigned Applications Policy:
This setting indicates whether unsigned applications are allowed to run on the device. Any value other than 1 is treated as 0.

HKEY_LOCAL_MACHINE\Security\Policies\Policies
DWord = 00001006
Data = Use the following-->
0 = Indicates that unsigned applications are not allowed to run on the device.
1 = Indicates that unsigned applications are allowed to run on the device.

Grant Manager Policy:
This policy contains a list of roles that are elevated to manager. If this role contains "UserAuth" then every action taken by the user has full administrative access.

None: Indicates that only the manager is granted the Manager role.
OEM: Equipment manufacturer role.
Operator: Setting can be changed by the mobile operator.
Operator-TPS: Settings can be changed by a Wireless Application Protocol (WAP) Trusted Provisioning Server (TPS).
Manager: Settings can be changed by the manager or administrator.
UserAuth: Settings can be changed by an authenticated user.
UserUnAuth: Settings can be changed by anyone.

A specified role mask indicates system administrative privileges are given to the role mask specified.
HKEY_LOCAL_MACHINE\Security\Policies\Policies
DWord = 00001017
Data = Use the following-->
0 = None
2 = OEM
4 = Operator
6 = OEM, Operator
8 = Manager
10 = OEM, Manager
12 = Operator, Manager
14 = OEM, Operator, Manager
16 = UserAuth
18 = OEM, UserAuth
20 = Operator, UserAuth
22 = OEM, Operator, UserAuth
24 = Manager, UserAuth
26 = OEM, Manager, UserAuth
28 = Operator, Manager, UserAuth
30 = OEM, Operator, Manager, UserAuth
64 = UserUnAuth
66 = OEM, UserUnAuth
68 = Operator, UserUnAuth
70 = OEM, Operator, UserUnAuth
72 = Manager, UserUnAuth
74 = OEM, Manager, UserUnAuth
76 = Operator, Manager, UserUnAuth
78 = OEM, Operator, Manager, UserUnAuth
80 = UserAuth, UserUnAuth
82 = OEM, UserAuth, UserUnAuth
84 = Operator, UserAuth, UserUnAuth
86 = OEM, Operator, UserAuth, UserUnAuth
88 = Manager, UserAuth, UserUnAuth
90 = OEM, Manager, UserAuth, UserUnAuth
92 = Operator, Manager, UserAuth, UserUnAuth
94 = OEM, Operator, Manager, UserAuth, UserUnAuth
128 = Operator-TPS
130 = OEM, Operator-TPS
132 = Operator, Operator-TPS
134 = OEM, Operator, Operator-TPS
136 = Manager, Operator-TPS
138 = OEM, Manager, Operator-TPS
140 = Operator, Manager, Operator-TPS
142 = OEM, Operator, Manager, Operator-TPS
144 = UserAuth, Operator-TPS
146 = OEM, UserAuth, Operator-TPS
148 = Operator, UserAuth, Operator-TPS
150 = OEM, Operator, UserAuth, Operator-TPS
152 = Manager, UserAuth, Operator-TPS
154 = OEM, Manager, UserAuth, Operator-TPS
156 = Operator, Manager, UserAuth, Operator-TPS
158 = OEM, Operator, Manager, UserAuth, Operator-TPS
192 = UserUnAuth, Operator-TPS
194 = OEM, UserUnAuth, Operator-TPS
196 = Operator, UserUnAuth, Operator-TPS
198 = OEM, Operator, UserUnAuth, Operator-TPS
200 = Manager, UserUnAuth, Operator-TPS
202 = OEM, Manager, UserUnAuth, Operator-TPS
204 = Operator, Manager, UserUnAuth, Operator-TPS
206 = OEM, Operator, Manager, UserUnAuth, Operator-TPS
208 = UserAuth, UserUnAuth, Operator-TPS
210 = OEM, UserAuth, UserUnAuth, Operator-TPS
212 = Operator, UserAuth, UserUnAuth, Operator-TPS
214 = OEM, Operator, UserAuth, UserUnAuth, Operator-TPS
216 = Manager, UserAuth, UserUnAuth, Operator-TPS
218 = OEM, Manager, UserAuth, UserUnAuth, Operator-TPS
220 = Operator, Manager, UserAuth, UserUnAuth, Operator-TPS
222 = OEM, Operator, Manager, UserAuth, UserUnAuth, Operator-TPS

Unsigned Prompt Policy:
This policy indicates whether the user is prompted to accept or reject unsigned .cab, theme, .dll and .exe files.

HKEY_LOCAL_MACHINE\Security\Policies\Policies
DWord = 0000101a
Data = Use the following-->
0 = Indicates user will be prompted.
1 = Indicates user will not be prompted.

Privileged Apps Policy:
The Privileged Apps policy setting specifies which security model is implemented on the device. Any value other than 1 is treated as 0.

HKEY_LOCAL_MACHINE\Security\Policies\Policies
DWord = 0000101b
Data = Use the following-->
0 = Two Tier: Applications run normal and cannot access the protected registry keys or protected system APIs.
1 = One Tier: Applications run privileged and can access all registry keys and all system APIs.

Password Required Policy:
This policy indicates whether a password must be configured on the device.

HKEY_LOCAL_MACHINE\Security\Policies\Policies
DWord = 00001023
Data = Use the following-->
0 = Indicates that a password is required.
1 = Indicates that a password is not required. "Any value other than 0 will indicate no password required".

Desktop Unlock Policy:
This policy indicates how the desktop must handle authentication when the device is locked.

HKEY_LOCAL_MACHINE\Security\Policies\Policies
DWord = 00001025
Data = Use the following-->
0 = Indicates that the user must authenticate on the device if it is locked upon connect.
1 = Indicates the user can authenticate by using a PIN on the desktop.

If you find any errors please let me know. I will update the list as more policies are discovered.

Last edited by -MyHTC-; 29th February 2008 at 10:11 PM.
#2
-----------(Undefined)----------
"I don't know all possible settings for the following Policies yet"

UNAUTHENTICATED role is used for processing Homescreens
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"00001007"=dword:40

TPS Policy
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"00001008"=dword:1

Message Authentication Retry Number Policy
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"00001009"=dword:3

WAP Signed Message Policy (default: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS)
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"0000100b"=dword:c80

SL Message Policy (default: SECROLE_PPG_TRUSTED)
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"0000100c"=dword:800

SI Message Policy (default: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED)
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"0000100d"=dword:c00

Unauthenticated Message Policy
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"0000100e"=dword:40

OTA Provisioning Policy (default: OPERATOR_TPS | SECROLE_PPG_TRUSTED | SECROLE_PPG_AUTH | SECROLE_TRUSTED_PPG | USER_AUTH)
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"0000100f"=dword:e90

WSP Push Policy
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"00001011"=dword:1

Grant User Auth Policy (default: USER_AUTH)
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"00001018"=dword:10

Trust WAP Proxy Policy (default: OPERATOR | OPERATOR_TPS | MANAGER)
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"00001019"=dword:8c

DRM Security Policy (default SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED)
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"00001021"=dword:c00
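
The role masks and policy IDs from posts #1 and #2, turned into a small audit script (an added example, not part of the original thread): it parses registry-export lines in the `"0000xxxx"=dword:...` form used in post #2, decodes role masks, and reports the values post #1 describes as the permissive ones. The sample export is constructed, the function names are illustrative, and the three PPG bit values are an assumption inferred from the defaults quoted in post #2.

```python
import re

# Role bits from the table in post #1; the three PPG bits are an assumption
# inferred from the defaults quoted in post #2 (0x800, 0xc00, 0xe90).
ROLES = {0x02: "OEM", 0x04: "Operator", 0x08: "Manager", 0x10: "UserAuth",
         0x40: "UserUnAuth", 0x80: "Operator-TPS", 0x200: "TRUSTED_PPG",
         0x400: "PPG_AUTH", 0x800: "PPG_TRUSTED"}

# Policy ID -> (name, test true for the value post #1 calls permissive).
CHECKS = {
    0x1001: ("RAPI", lambda v: v == 1),                   # unrestricted RAPI
    0x1005: ("Unsigned CABs role", lambda v: v & 0x08),   # CABs get Manager
    0x1006: ("Unsigned applications", lambda v: v == 1),  # allowed to run
    0x1017: ("Grant Manager", lambda v: v & 0x50),        # user roles elevated
    0x101A: ("Unsigned prompt", lambda v: v == 1),        # no prompt shown
    0x101B: ("Privileged apps", lambda v: v == 1),        # one-tier model
    0x1023: ("Password required", lambda v: v != 0),      # no password needed
}

LINE = re.compile(r'^"([0-9a-fA-F]{8})"=dword:([0-9a-fA-F]{1,8})$')

def decode_roles(mask):
    """Return the role names set in a role mask, flagging unknown bits."""
    names = [name for bit, name in sorted(ROLES.items()) if mask & bit]
    unknown = mask & ~sum(ROLES)  # role bits are distinct, so sum == OR
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names or ["None"]

def audit(reg_text):
    """Return (policy_id, name, value) for each permissive setting found."""
    findings = []
    for raw in reg_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # key headers, blanks, anything that is not a dword
        pid, value = int(m[1], 16), int(m[2], 16)
        name, permissive = CHECKS.get(pid, (None, None))
        if name and permissive(value):
            findings.append((f"{pid:08x}", name, value))
    return findings

# Constructed sample; dword data in a .reg export is hexadecimal,
# whereas post #1 lists the same values in decimal.
SAMPLE = r'''[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"00001005"=dword:10
"00001006"=dword:1
"00001017"=dword:90
"0000101b"=dword:1
"0000100f"=dword:e90'''
```

Calling `audit(SAMPLE)` reports 00001006, 00001017 and 0000101b; `decode_roles(0x90)` then names the roles that the Grant Manager value elevates.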
#3
It's a wonderful post. Thank you very much.
__________________
Sorry for my BAD English.
#4
Or you can use Security Configuration Manager.
__________________
www.dns.hr
#7
I accidentally changed 00001001 to the value "2",
so am I just screwed now? Can't change it back, access denied of course.
#8
Yeah, I don't know what happened, but I disconnected, ran EnableRAPI and reconnected, and it was changed back to 1. Whew!