ActiveSync virtual directory permissions should be restricted

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2010-04-01

The Microsoft Exchange Best Practices Analyzer parses the permissions that are set on the Microsoft-Server-ActiveSync virtual directory to determine whether the appropriate permissions are assigned.

The Analyzer does not expect permissions to be set on the Microsoft-Server-ActiveSync virtual directory. The tool generates a best practices message if it determines that any of the following check boxes are selected on the Virtual Directory tab of the Microsoft-Server-ActiveSync Properties dialog box:

  • Script source access

  • Read

  • Write

Microsoft Exchange ActiveSync allows for the synchronization of mailbox information with mobile devices. To do this, Exchange uses the Microsoft-Server-ActiveSync virtual directory in Internet Information Services (IIS). As a best practice, permissions on this virtual directory should be restricted. By default, the following check boxes are not selected on the Virtual Directory tab of the Microsoft-Server-ActiveSync Properties dialog box:

  • Script source access

  • Read

  • Write

  • Directory browsing

These permissions are not required on the virtual directory. To address this issue, modify the permission entries on the Microsoft-Server-ActiveSync virtual directory to restrict the permissions.

To modify permissions on the Microsoft-Server-ActiveSync virtual directory in IIS 6.0

  1. Start the Internet Information Services (IIS) Manager tool.

  2. Expand Web Sites, expand Default Web Site, right-click Microsoft-Server-ActiveSync, and then click Properties.

  3. Click the Virtual Directory tab, and then click to clear the following check boxes:

    • Script source access

    • Read

    • Write

    • Directory browsing

  4. Click OK.

  5. Start a command prompt, and then run the iisreset command to apply the changes.
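
The same check and change can be scripted against the IIS 6.0 metabase through the ADSI provider. The following PowerShell script is an added example, not part of the original topic or of the Analyzer tool. It assumes PowerShell 2.0 on the IIS server and that the Default Web Site has metabase site ID 1; the parameter names are the example's own.

```powershell
# Added example, not Microsoft's code. Reports the four Virtual Directory tab
# settings named above and clears them when -Fix is given.
# Assumption: the Default Web Site has metabase site ID 1 (override with -SiteId).
param(
    [string]$Server = 'localhost',
    [int]$SiteId = 1,
    [switch]$Fix
)

# Check box label -> IIS 6.0 metabase (ADSI) boolean property
$flags = @{
    'Script source access' = 'AccessSource'
    'Read'                 = 'AccessRead'
    'Write'                = 'AccessWrite'
    'Directory browsing'   = 'EnableDirBrowsing'
}

$path = "IIS://$Server/W3SVC/$SiteId/ROOT/Microsoft-Server-ActiveSync"
$vdir = [ADSI]$path
try {
    $vdir.psbase.RefreshCache()   # forces the bind; throws if the path is wrong
} catch {
    Write-Error "Cannot open $path : $($_.Exception.Message)"
    exit 2
}

# Collect the labels of every setting that is currently selected
$enabled = @()
foreach ($label in $flags.Keys) {
    if ([bool]$vdir.psbase.Properties[$flags[$label]].Value) { $enabled += $label }
}

if ($enabled.Count -eq 0) {
    Write-Output "OK: none of the four settings is selected on $path"
    exit 0
}

Write-Output "Selected on ${path}: $($enabled -join ', ')"
if ($Fix) {
    foreach ($label in $enabled) {
        $vdir.psbase.Properties[$flags[$label]].Value = $false
    }
    $vdir.psbase.CommitChanges()  # write the change back to the metabase
    Write-Output 'Cleared. Run iisreset to apply the changes.'
} else {
    Write-Output 'Re-run with -Fix to clear them.'
    exit 1
}
```

Without -Fix the script only reports, and its exit code (0 clean, 1 settings selected, 2 directory not found) can be used in a scheduled configuration check.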