Important: |
---|
This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
Object Exchange Protocol (OBEX) has the following potential security risk:
- OBEX supports plug-in services from third-party vendors. If
these extensions do not use proper security and authentication
procedures, they could compromise the security of a device or local
network.
OBEX is a session layer protocol that allows devices to exchange data in a simple and spontaneous manner. The protocol can be supported over a variety of transports. In Windows Embedded CE, the supported transports are over IrDA and Bluetooth transmission technologies. OBEX provides security support by incorporating an authentication mechanism that uses a challenge and response scheme. Any connection attempts that do not pass the authentication procedure are disallowed.
Best Practices
Turn on authentication in OBEX by default
Although authentication is an option for OBEX, Microsoft recommends that you turn authentication on by default to allow only authorized individuals to make connections and exchange data with the server.
Turn on Bluetooth encryption when running OBEX over Bluetooth
Sensitive information can be encrypted prior to being sent over the network. This prevents unauthorized users from viewing data in transmitted packets.
Use Bluetooth authentication as appropriate when transferring sensitive data
The server can ask for authentication in response to a connection request. Once a connection is established, authentication can be challenged for various requests. Both Kerberos and Secure Sockets Layer (SSL) authentication mechanisms are supported.
Default Registry Settings
You should be aware of the registry settings that impact security. If a value has security implications you will find a Security Notein the registry settings documentation.
For OBEX registry information, see OBEX Registry Settings.
Ports
No specific ports are used for OBEX.