Understanding Security for Exchange ActiveSync

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Topic Last Modified: 2007-04-18

Microsoft Exchange ActiveSync enables users to synchronize mobile devices with Microsoft Exchange Server 2007. This gives users access to a wide variety of Exchange data. This data includes e-mail messages, calendar and contact data, tasks, and Unified Messaging data such as fax messages and voice mail messages.

To view fax messages on a mobile device, users may have to install additional third-party software.

There are several security concerns that you must consider when you deploy Exchange ActiveSync. This topic provides an overview of security options for the deployment of Exchange ActiveSync.

There are several security-related tasks that you can perform on a server that is running Exchange ActiveSync. One of the most important tasks is to configure an authentication method. Exchange ActiveSync runs on an Exchange 2007 computer that has the Client Access server role installed. This server role is installed with a default self-signed digital certificate. Although the self-signed certificate is supported for Exchange ActiveSync, it is not the most secure method of authentication. For additional security, consider deploying a trusted certificate from a third-party commercial certification authority (CA) or a trusted Windows public key infrastructure (PKI) certification authority. For more information about how to configure a trusted digital certificate, see How to Configure SSL for Exchange ActiveSync.

In addition to deploying a trusted digital certificate, you should consider the various authentication methods that are available for Exchange ActiveSync. By default, when the Client Access server role is installed, Exchange ActiveSync is configured to use Basic authentication with Secure Sockets Layer (SSL). To provide increased security, consider changing your authentication method to Digest authentication or Integrated Windows authentication.

Microsoft Internet Security and Acceleration (ISA) Server 2006 and Exchange 2007 have been designed to provide increased security for client access to Microsoft Exchange when you use Exchange ActiveSync.

ISA Server 2006 enables you to configure authentication methods for Exchange ActiveSync when you run the New Exchange Publishing Rule Wizard. For more information about how to use ISA Server 2006 with Exchange ActiveSync, see Using ISA Server 2006 with Exchange 2007.

In addition to enhancing the security of the Exchange ActiveSync server, you should also consider enhancing the security of your users' mobile devices. There are several methods that you can use to enhance the security of mobile devices.

Exchange ActiveSync for Exchange 2007 enables you to create Exchange ActiveSync mailbox policies to apply a common set of security settings to a collection of users. Some of these settings include the following:

  • Requiring a password

  • Specifying the minimum password length

  • Requiring numbers or special characters in the password

  • Designating how long a device can be inactive before the user is required to reenter their password

  • Specifying that the device be wiped if an incorrect password is entered more than a specific number of times

For more information about Exchange ActiveSync mailbox policies, see Managing Exchange ActiveSync with Policies.
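The following Exchange Management Shell script is an added example, not part of the original topic. It maps each setting in the list above to a parameter of `New-ActiveSyncMailboxPolicy`, assigns the policy to one mailbox, and then lists ActiveSync-enabled mailboxes that have no policy assigned. The policy name, mailbox address, and numeric values are assumptions chosen for illustration.

```powershell
# Added example: run in the Exchange Management Shell on an Exchange 2007 server.
# Hypothetical names and values (assumptions, not taken from the topic):
$policyName = 'Mobile-Baseline'        # hypothetical policy name
$pilotUser  = 'user@example.com'       # hypothetical mailbox

# Create the policy. Each parameter corresponds to one setting in the list above.
#   DevicePasswordEnabled              -> require a password
#   MinDevicePasswordLength            -> minimum password length
#   AlphanumericDevicePasswordRequired -> require numbers or special characters
#   MaxInactivityTimeDeviceLock        -> idle time before the password is required again
#   MaxDevicePasswordFailedAttempts    -> wipe the device after this many bad passwords
#   AllowNonProvisionableDevices       -> $false blocks devices that cannot enforce the policy
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled:$true `
    -MinDevicePasswordLength 6 `
    -AlphanumericDevicePasswordRequired:$true `
    -MaxInactivityTimeDeviceLock '00:10:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -AllowNonProvisionableDevices:$false

# Assign the policy to a single mailbox before a wider rollout.
Set-CASMailbox -Identity $pilotUser -ActiveSyncMailboxPolicy $policyName

# Read the policy back to confirm the stored values match what was requested.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List Name, DevicePasswordEnabled, MinDevicePasswordLength,
        AlphanumericDevicePasswordRequired, MaxInactivityTimeDeviceLock,
        MaxDevicePasswordFailedAttempts, AllowNonProvisionableDevices

# Audit: ActiveSync-enabled mailboxes that have no mailbox policy assigned.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy
```

Setting `AllowNonProvisionableDevices` to `$false` prevents devices that cannot apply the password settings from synchronizing, so test with a pilot mailbox before assigning the policy broadly.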

Mobile devices can store sensitive data that belongs to your organization and provide access to many of your organization's resources. If a device is lost or stolen, that data can be compromised. Remote device wipe is a feature that enables the Exchange server to set a mobile device to delete all data the next time that the device connects to the Exchange server. A remote device wipe effectively removes all synchronized information and personal settings from a mobile device. This can be useful when a device is lost, stolen, or otherwise compromised.

After a remote device wipe has occurred, data recovery will be very difficult. However, no data removal process leaves a device as free from residual data as it is when it is new. Recovery of data from a device may still be possible by using sophisticated tools.

For more information about remote device wipe, see Understanding Remote Device Wipe.

For more information about security for Exchange ActiveSync, see Overview of Exchange ActiveSync.