Security Considerations on the Exchange Server

6/2/2010

Exchange Server provides enterprise-grade e-mail, calendaring, and related services. It also supports over-the-air synchronization of e-mail, calendar, contact, task, and security policy data through Exchange ActiveSync. Exchange ActiveSync works directly with the Windows Mobile operating system, so no middleware or third-party service fees are required, and it scales to large mobile deployments.

Exchange Server and Exchange ActiveSync

Exchange ActiveSync is built on the HTTPS and WBXML standards; it is a component in Exchange Server 2003 and Exchange Server 2007, and is enabled out of the box on all user mailboxes without any additional software or servers. Because Exchange ActiveSync uses standard transport protocols, you don’t need to buy special data plans from your mobile operators; you can use standard data plans for global mobile access.

If your organization already publishes Outlook Web Access (OWA) over HTTPS, the same infrastructure supports a mobile deployment using 128-bit SSL/TLS encryption. Because Exchange ActiveSync is implemented as an application that runs on Internet Information Services (IIS), it is secured by the same server certificate you already use for OWA, which saves you time and money; it also means that any weakness in how that certificate or web site is configured applies equally to both services.

Exchange Server 2003 SP2 and Windows Mobile powered devices that run Windows Mobile 5.0 with MSFP or later enable the use of Direct Push Technology. Using Direct Push Technology, it is possible for mobile clients to retain an open connection over an encrypted channel to the Exchange server. As data is updated on the Exchange server, it can be sent directly to the device. Direct Push Technology provides a push e-mail experience, without the need for third-party server, software, or networks. When you install Exchange Server 2003 SP2 or higher on an Exchange server, Direct Push Technology is automatically enabled.

The Direct Push Technology algorithm dynamically adjusts its connection time to maximize battery life and minimize bandwidth usage. Administrators can adjust the timeout on their firewalls to help influence the adjustment process according to the type of devices in use and the volume of arriving messages.

For more information about the Direct Push Technology, see Mobile Operator Guide to Messaging and Security Feature Pack for Windows Mobile 5.0-Based Devices available at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=109223.

Internet Information Services

Internet Information Services is the Web and application server component of Microsoft's infrastructure system. IIS 6.0, the version included with Windows Server 2003, is a mature and very widely deployed Web server that incorporates a number of security features. For example, the HTTP listener (HTTP.sys) runs in kernel mode, separately from the user-mode worker processes that host applications, so a failure or compromise of an IIS extension or application does not take down the listener. In addition, IIS works in conjunction with the Windows TCP/IP stack to help protect the applications it hosts against several kinds of TCP denial-of-service attacks. Exchange ActiveSync is implemented as an IIS application (the Microsoft-Server-ActiveSync virtual directory) that mediates access to Exchange mailbox data. As a result, Exchange ActiveSync inherits the platform security features of this widely deployed, proven web server to help protect against network-borne attacks.
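Because the Exchange ActiveSync virtual directory shares the OWA web site and certificate, the first thing to verify after publishing it is that it is reachable only over HTTPS, with the certificate you expect, and that it refuses unauthenticated requests. The following Windows PowerShell script (2.0 or later, run from any workstation, not the Exchange Management Shell) is an added example and not code from the original page. The host name is an assumption, and so is the expected outcome for a typical deployment: HTTP 401 over HTTPS (the listener is up and demands credentials) and HTTP 403 or no response at all over plain HTTP when IIS has "Require SSL" set on the directory.

```powershell
# Added example, not code from the original page. Probes the Exchange ActiveSync
# endpoint to confirm it is reachable only over HTTPS with the expected certificate.
# $Server is an assumed host name; replace it with your Client Access server name.
$Server = 'mail.contoso.com'
$Path   = '/Microsoft-Server-ActiveSync'   # the Exchange ActiveSync virtual directory

function Test-EasEndpoint {
    param([string]$Url)

    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method            = 'OPTIONS'   # EAS clients use OPTIONS to discover protocol versions
    $req.Timeout           = 10000
    $req.AllowAutoRedirect = $false

    try {
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            # IIS answered with an error status (401, 403, ...); that is still an answer
            $status = [int]$_.Exception.Response.StatusCode
        } else {
            # Connection refused, TLS handshake failure or untrusted certificate chain:
            # the .NET client gave up before any HTTP exchange took place
            return New-Object PSObject -Property @{
                Url = $Url; Status = 'NoResponse'; Subject = $null; Expires = $null
                Detail = $_.Exception.Message
            }
        }
    }

    # The certificate the server presented on this connection, if the connection used TLS
    $cert    = $req.ServicePoint.Certificate
    $subject = $null; $expires = $null
    if ($cert) { $subject = $cert.Subject; $expires = $cert.GetExpirationDateString() }

    New-Object PSObject -Property @{
        Url = $Url; Status = $status; Subject = $subject; Expires = $expires; Detail = $null
    }
}

$https = Test-EasEndpoint "https://$Server$Path"
$http  = Test-EasEndpoint "http://$Server$Path"

$https, $http | Format-Table Url, Status, Subject, Expires, Detail -AutoSize

# Assumed healthy state: HTTPS -> 401, plain HTTP -> 403 or NoResponse.
if ($http.Status -ne 'NoResponse' -and $http.Status -ne 403) {
    Write-Warning "Exchange ActiveSync answers over plain HTTP (status $($http.Status)); set Require SSL on the virtual directory."
}
if ($https.Status -ne 401) {
    Write-Warning "Unexpected HTTPS status $($https.Status); check that the directory is published and requires authentication."
}
```

Compare the Subject and Expires columns against the certificate bound to the OWA site; a mismatch usually means a stale binding or an intermediate device (reverse proxy, load balancer) presenting its own certificate.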

Device Management Using Exchange Server

With Exchange Server, an IT Professional has built-in device management capabilities to control the use of mobile devices so that they adhere to the organization's security policies. This native device management support helps create lower costs because you do not need to manage separate servers.

Exchange ActiveSync Administration Tools

In Exchange 2003 SP2, the Exchange ActiveSync Mobile Administrative Web tool was provided as a download, enabling administrators and Help Desk personnel to monitor and control Windows Mobile powered devices, such as performing a remote wipe on any devices reported as lost or stolen.

With Exchange Server 2007, mobile device management is integrated into the Exchange Management Console, and self-service capabilities are exposed through Outlook Web Access. Exchange Server 2007 is also built on Windows PowerShell, so Exchange can be administered from the command line: the IT Professional can manage Windows Mobile powered devices that use Exchange ActiveSync with the Exchange Management Shell.

Security Policies on Windows Mobile Powered Devices Managed by Exchange Server

Some built-in security features on Windows Mobile powered devices can be controlled from Exchange Server, helping you to establish enforced security policies from the server. These policies are set on the Exchange server and delivered to the client through Exchange ActiveSync. The security settings on the device are established when the user receives and accepts the policy information from the server.

The following security settings on Windows Mobile powered devices can be managed through Exchange Server:

Exchange Security Policy or Mailbox Policy                                   2003 SP2   2007
Require a password to access the device and configure it                        X        X
Set a minimum password length                                                   X        X
Require an alphanumeric password                                                X        X
Specify how many minutes of inactivity before the device locks                  X        X
Wipe the device remotely                                                        X        X
Wipe the storage card remotely                                                           X
Allow access to non-provisionable (pre-MSFP) devices                            X        X
Set the policy refresh interval                                                 X        X
Allow or disallow attachments to be downloaded                                           X
Set maximum attachment size                                                              X
Enable encryption on the removable storage card                                          X
Set password expiration date                                                             X
Enable password recovery                                                                 X
Prevent patterned PIN (1111 or 1234) on device                                           X
Specify how many failed password attempts before device wipe                    X        X
Specify how many failed password attempts before storage card wipe                       X
Allow or disallow access to files on Universal Naming Convention shares                  X
Allow or disallow access to files on Sharepoint Services sites                           X

(X = the setting can be managed in that release of Exchange Server. Settings available only in Exchange Server 2007 generally require Windows Mobile 6 on the device; see the option tables below.)

For more information about security policies and security roles, see Security Policies in Security Considerations on the Device.

In Exchange Server 2007, the system administrator can define and name multiple sets of security policies and apply them to individual users or to different user groups in Active Directory.

When a mobile device security policy is defined on the server, it is automatically sent to each device the next time the user of the device starts synchronization. On the initial receipt of the policies, the user can choose to accept or decline the policy, although if they don't accept, they will not be able to synchronize with the system. Once the policies are accepted, the only way to disable them is to do a hard reset on the device. During a hard reset, changes made to the registry or object store will not persist.

Another setting lets the administrator specify that users with older devices that lack security policy capability may still connect. This allows administrators to accept connections from older devices until those devices can be replaced, while still enforcing policy on devices that fully implement Exchange ActiveSync provisioning. Bear in mind that while the setting is enabled, any device that simply does not report policy support is admitted, so it should be turned off as soon as the last pre-MSFP device has been retired.

If you have Manager role permissions on your corporate mobile devices, you can also change device policies by using over-the-air provisioning. See Adding Certificates to Windows Mobile Powered Devices in Security Model for Windows Mobile 5.0 and Windows Mobile 6.

Setting Device Security Policies or Mailbox Policies from Exchange Server

The capabilities and tools for managing Exchange ActiveSync devices have evolved from Exchange Server 2003 SP2 to Exchange Server 2007. Either product provides control necessary for critical security policies on client devices. In the following discussion, the two server releases are presented separately.

Device Security Policies in Exchange Server 2003 SP2

The system administrator can use the Exchange System Management Console to set password length and strength, and to control the inactivity period and number of failed password attempts before a device is wiped.

Note

The term password, as used in this discussion, refers to the password or PIN a user enters to unlock his or her mobile device. It is not the same as a network user password or a SIM pin.

The following illustration from the Exchange System Manager interface in Exchange Server 2003 SP2 shows the Device Security Settings. When you choose Enforce password on device, the rest of the options become available.

The security policies that can be controlled with Exchange ActiveSync in Exchange Server 2003 SP2 include the following options:

Minimum password length (characters)
    Specifies the minimum length of the user's device password. The default is 4 characters; the allowed range is 4 to 18 characters.

Require both numbers and letters
    The password must contain both numbers and letters (a strong alphanumeric password). The default allows numbers only.

Inactivity time (minutes)
    Specifies how many minutes of inactivity are allowed before the device locks and requires the user to log on again. Not enforced unless selected. If selected, the default is 5 minutes.

Wipe device after failed (attempts)
    The device memory is wiped after the specified number of consecutive failed logon attempts. Not enforced unless selected. If selected, the default is 8 attempts.

Refresh settings on the device (hours)
    Specifies the interval at which the security policies are pushed to the device again. Not refreshed unless selected. If selected, the default is every 24 hours.

Allow access to devices that do not fully support password settings
    Allows devices that do not support the security policies (non-MSFP devices) to synchronize with Exchange Server. Not selected by default. If it is not selected, such devices receive an HTTP 403 error when they attempt to synchronize with Exchange Server.

Device Security Policies in Exchange Server 2007

When you install the Client Access server role in an Exchange Server 2007 organization, Exchange ActiveSync is enabled by default for every mailbox, so any user can pair a device until you assign a policy or disable the feature for that user. You can configure Exchange ActiveSync for a user or a group of users with the Exchange Management Console, which provides a wizard, or with the Exchange Management Shell, which exposes the same settings as cmdlet parameters.

The following illustration from the Exchange Server 2007 ActiveSync Mailbox Policy wizard shows the mailbox policy options that can be configured and assigned to individuals or groups of mailbox users.

Mailbox policies that can be controlled with Exchange ActiveSync in Exchange Server 2007 include the following options. Options marked "Windows Mobile 6" apply only to Windows Mobile 6 devices.

Allow non-provisionable devices
    Allows older devices that cannot apply security policies (pre-MSFP devices that do not support Exchange ActiveSync provisioning) to connect to Exchange 2007 by using Exchange ActiveSync. Enable this only while such devices are still being replaced.

Allow simple password
    Enables or disables the ability to use a simple password such as a 4-digit PIN. When it is disabled, the device rejects patterned PINs such as 1111 or 1234.

Require alphanumeric password
    Requires a strong password containing both numeric and non-numeric characters.

Allow attachments to be downloaded to device
    Enables attachments to be downloaded to the mobile device.

Require encryption on storage card (Windows Mobile 6)
    Enables encryption on the removable storage card.

Remotely wipe storage card (Windows Mobile 6)
    Wipes the storage card, unless it is write-protected.

Require password
    Enables the device password.

Password expiration (days) (Windows Mobile 6)
    Lets the administrator configure a length of time after which the device password must be changed.

Policy refresh interval
    Defines how frequently the device fetches the Exchange ActiveSync policy from the server.

Maximum attachment size (Windows Mobile 6)
    Specifies the maximum size of attachments that are automatically downloaded to the device.

Maximum failed password attempts
    Specifies how many times an incorrect password can be entered before the device wipes all data, including the storage card.

Time without user input before password must be re-entered (in minutes)
    Specifies the maximum length of time a device can go without user input before it locks. The user can choose a shorter time, but not a longer one.

Minimum password length
    Specifies the minimum password length.

Enable password recovery (Windows Mobile 6)
    Enables a recovery password generated by the device to be stored on the server, so that a locked device can be unlocked without a wipe.

UNC file access (Windows Mobile 6)
    Enables access to files stored on Universal Naming Convention (UNC) shares.

WSS file access (Windows Mobile 6)
    Enables access to files stored on Microsoft Windows Sharepoint Services sites.
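The same options are available from the Exchange Management Shell, which is the practical way to apply a policy consistently and to find mailboxes that have none. The script below is an added example and not code from the original page: it creates (or updates) a policy that sets every option listed above, assigns it to one user, and lists ActiveSync-enabled mailboxes with no policy at all. The policy name, the user alias and the chosen values are assumptions; the cmdlet and parameter names are those of Exchange Server 2007, and hashtable splatting requires Windows PowerShell 2.0 or later.

```powershell
# Added example, not code from the original page. Creates an Exchange ActiveSync
# mailbox policy in the Exchange Server 2007 Management Shell (Windows PowerShell
# 2.0 or later for splatting), assigns it, and finds mailboxes that escape it.
# The policy name, user alias and the chosen values are assumptions.
$PolicyName = 'Corp-Mobile-Standard'   # assumed
$User       = 'alice'                  # assumed mailbox alias

$settings = @{
    Name                               = $PolicyName
    DevicePasswordEnabled              = $true          # Require password
    AlphanumericDevicePasswordRequired = $true          # Require alphanumeric password
    AllowSimpleDevicePassword          = $false         # reject 1111 / 1234 style PINs
    MinDevicePasswordLength            = 8              # Minimum password length
    MaxDevicePasswordFailedAttempts    = 8              # local wipe after 8 wrong entries
    MaxInactivityTimeDeviceLock        = '00:15:00'     # lock after 15 minutes idle
    DevicePasswordExpiration           = '90.00:00:00'  # Password expiration, 90 days (WM6)
    PasswordRecoveryEnabled            = $true          # Enable password recovery (WM6)
    RequireStorageCardEncryption       = $true          # Require encryption on storage card (WM6)
    AttachmentsEnabled                 = $true          # Allow attachments to be downloaded
    MaxAttachmentSize                  = 5MB            # Maximum attachment size (WM6)
    UNCAccessEnabled                   = $false         # UNC file access (WM6)
    WSSAccessEnabled                   = $false         # WSS file access (WM6)
    DevicePolicyRefreshInterval        = '24:00:00'     # Policy refresh interval
    AllowNonProvisionableDevices       = $false         # pre-MSFP devices may not sync
}

# Create the policy if it does not exist yet; otherwise apply the same settings to it.
if (Get-ActiveSyncMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue) {
    $update = $settings.Clone()
    $update.Remove('Name')
    Set-ActiveSyncMailboxPolicy -Identity $PolicyName @update
} else {
    New-ActiveSyncMailboxPolicy @settings
}

# Assign the policy to one user and read the assignment back.
Set-CASMailbox -Identity $User -ActiveSyncMailboxPolicy $PolicyName
Get-CASMailbox -Identity $User | Format-List Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# Audit: an ActiveSync-enabled mailbox with no policy is an exemption, intended or not.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy -AutoSize
```

To assign the policy to a group rather than one user, feed the members of a distribution group (Get-DistributionGroupMember) or the result of an Active Directory filter into the same Set-CASMailbox call. Run the audit query after every change: it is the quickest way to catch the exemptions the next section warns about.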

In addition to the security and mailbox policies described above for both versions of Exchange Server, you can specify individual users who you want to exempt from the settings you have configured. This exceptions list is useful if you have specific, trusted users who do not require device security settings. However, when using this feature bear in mind that executives or other key employees who might request exemptions most likely have highly valuable data on their devices and should not necessarily be exempted from security policies.

When coupled with the Windows Mobile remote device wipe mechanism, these security policies help provide an effective means of preventing an attacker from recovering data from a device. In addition, these security policies do not have the performance or battery life overhead of solutions that encrypt all data on the device as it is created or moved.

Local and Remote Device Wipe

When a mobile device is lost or stolen, the potential security risk can be significant. Mobile devices often contain sensitive business data, including personally identifiable information of employees and customers, sensitive e-mail messages, and other items. Exchange ActiveSync helps address this risk by providing two levels of device wipe capability for Windows Mobile 5.0 powered devices with MSFP or later.

Wiping the device locally or remotely has the effect of performing a factory or “hard” reset; all programs, data, and user-specific settings are removed from the device. The Windows Mobile device wipe implementation wipes all data, settings, and private key material on the device by overwriting the device memory with a fixed bit pattern, greatly increasing the difficulty of recovering data from a wiped device.

Note

Device wipe in Windows Mobile 6 includes wiping the removable storage card.

Local device wipes are triggered on a device with device lock enforced if a user incorrectly enters a PIN more than a specified number of times (the policy default is 8 times, but the administrator can adjust this value). After every two missed attempts, the device displays a confirmation prompt that requires the user to type a confirmation string (usually “A1B2C3”) to continue. This prevents the device from being wiped by accidental key presses. Once the PIN retry limit is reached, the device immediately wipes itself, erasing all local data.

Remote wipes occur when the administrator issues an explicit wipe command through the Exchange ActiveSync management interface. With OWA 2007 and Exchange Server 2007, the device user can also initiate a wipe command if they have lost their device. Remote wipe operations are separate from local wipes, and a device can be wiped remotely even if Exchange ActiveSync security policies are not in force. The wipe command is stored on the server as an out-of-band command, and the device receives it on its next synchronization. The device sends an acknowledgement message when it receives the wipe command, alerting the administrator that the wipe has occurred. The device user cannot opt out of the remote wipe. Because the command is delivered only when the device connects and authenticates, a device that is kept offline (radio off, SIM removed) never receives it, and resetting the user's password or disabling the mailbox before the acknowledgement arrives has the same effect; until the device connects, the device password, the inactivity lock, and the local wipe after failed attempts are what stand between an attacker and the data.
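The remote wipe procedure as run from the Exchange Server 2007 Management Shell, as an added example that is not code from the original page: list the user's device partnerships, queue the wipe for the lost device, and track the request-sent-acknowledged sequence that Exchange records. The mailbox alias, the notification address, and the assumption that the most recently synchronized partnership is the lost device are all assumptions for this example; the cmdlets and the DeviceWipe* properties are those of Exchange Server 2007.

```powershell
# Added example, not code from the original page. Issues a remote wipe from the
# Exchange Server 2007 Management Shell for a device reported lost, then tracks the
# acknowledgement the device returns on its next synchronization.
$Mailbox  = 'alice'                  # assumed: user who reported the device lost
$NotifyTo = 'helpdesk@contoso.com'   # assumed: address that receives the wipe acknowledgement

# 1. List the user's device partnerships and identify the lost one.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox
$devices | Format-Table DeviceType, DeviceID, LastSuccessSync, DeviceWipeRequestTime, DeviceWipeAckTime -AutoSize

# Assumption for this example: the most recently synchronized partnership is the lost device.
$lost = $devices | Sort-Object LastSuccessSync -Descending | Select-Object -First 1

# 2. Queue the wipe. It is stored server side and handed to the device the next
#    time it authenticates and synchronizes, so do NOT reset the user's password
#    or disable ActiveSync on the mailbox first: a device that can no longer
#    authenticate never fetches the command.
Clear-ActiveSyncDevice -Identity $lost.Identity -NotificationEmailAddresses $NotifyTo -Confirm:$false

# 3. Report where the wipe stands; run this until it reports Acknowledged.
function Get-WipeStatus {
    param([string]$Mailbox, [string]$DeviceID)
    $d = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox | Where-Object { $_.DeviceID -eq $DeviceID }
    if (-not $d)                  { return 'Unknown device' }
    if ($d.DeviceWipeAckTime)     { return "Acknowledged: device reported the wipe complete at $($d.DeviceWipeAckTime)" }
    if ($d.DeviceWipeSentTime)    { return "Sent at $($d.DeviceWipeSentTime); waiting for the device to acknowledge" }
    if ($d.DeviceWipeRequestTime) { return "Pending since $($d.DeviceWipeRequestTime); the device has not connected yet" }
    return 'No wipe requested'
}
Get-WipeStatus -Mailbox $Mailbox -DeviceID $lost.DeviceID

# 4. Only after the acknowledgement: remove the partnership so the wiped device
#    cannot re-sync with the old credentials, then reset the account password.
# Remove-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
```

A request that stays in the Pending state for days is the signal to treat the data as exposed rather than wiped: the device has not talked to the server since the report, and the local protections described above are the only ones in effect.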

Exchange ActiveSync Security Policies for Exchange Server 2003 SP2

For more information on the process of using and configuring Exchange ActiveSync security policies from the Exchange Server, please see the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2, available from https://go.microsoft.com/fwlink/?LinkId=54738.

Exchange ActiveSync Security Policies for Exchange Server 2007

For more information on the process of using and configuring Exchange ActiveSync security policies from the Client Access server role of Exchange Server 2007, see Managing Client Access, available from this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=109225.

See Also

Concepts

Security Considerations for Windows Mobile Messaging in the Enterprise