Wednesday, 21 July 2010 15:24

Exchange 2010 Active Sync Security Features


By default, when you install the Exchange 2010 Client Access Server (CAS) role, Microsoft Exchange ActiveSync is enabled. ActiveSync synchronizes an Exchange 2010 mailbox to a mobile phone: e-mail messages, calendar items, contacts, tasks, and notes.

In this post I share more about the security features of Exchange ActiveSync.

Exchange ActiveSync security:

Exchange ActiveSync traffic between the Client Access Server and the mobile device should be protected with SSL. The certificate can be self-signed or issued by a third-party CA; a self-signed certificate has to be installed as trusted on every phone, so for devices you do not fully manage, a certificate from a CA the phones already trust is the practical choice. On top of SSL, ActiveSync supports certificate-based client authentication: combined with the device password policy described below, this turns the phone into something close to a smartcard, because the user must both hold the device and know the password. The client certificate and its private key are stored in the device's memory, so a remote wipe, or the automatic wipe after too many failed password attempts, removes them together with the rest of the user's data.
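The following is an added example, not code from the original post: it audits, from the Exchange Management Shell, what an Exchange 2010 CAS actually presents to phones. The server name CAS01 and the virtual directory identity are assumptions; the cmdlets and properties are the standard Exchange 2010 ones.

```powershell
# Added example (not from the original post): audit the ActiveSync virtual
# directory and the certificate bound to IIS on an Exchange 2010 CAS.
# Run in the Exchange Management Shell. "CAS01" is an assumed server name.
$server = "CAS01"

# 1. Which certificate does IIS (and therefore ActiveSync) present?
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, IsSelfSigned

# A self-signed certificate (IsSelfSigned = True) only works if it has been
# installed as trusted on every phone; for devices you do not manage, use a
# certificate issued by a CA the phones already trust, and watch NotAfter.

# 2. Check the EAS virtual directory settings that matter for transport security.
Get-ActiveSyncVirtualDirectory -Server $server |
    Format-List Identity, InternalUrl, ExternalUrl, BasicAuthEnabled, ClientCertAuth

# Expect https:// URLs. Basic authentication sends the user's password on every
# request, so it must only ever be offered over SSL.

# 3. Optional: require a client certificate in addition to the device password.
#    ClientCertAuth accepts Ignore, Accepted or Required; Required also needs
#    the matching IIS SSL settings and a way to enrol certificates on the phones.
#    The identity string below is the usual default and is assumed here.
# Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" -ClientCertAuth Required
```

The last step is left commented out because switching ClientCertAuth to Required locks out every phone that has no certificate yet; enable it only after the enrollment path is in place.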

Device Security Features:

Apart from encrypting the connection, Exchange ActiveSync also offers the device security features below.

Remote wipe: If a mobile phone is lost, stolen, or otherwise compromised, you can issue a remote wipe command from the Exchange server (EMC or EMS) or from any web browser through Outlook Web App. The command erases all data from the mobile phone the next time it connects to the server.

You can use any of the methods below for a remote wipe.

 Use EMC

  1. Open EMC and navigate to Recipient Configuration -> Mailbox.
  2. Select the user whose device you want to wipe.
  3. Right-click the mailbox and click Manage Mobile Device.
  4. Select the mobile device that you want to wipe.
  5. In the Action section click Clear, then click Clear again to confirm.

 Use ECP/OWA

  1. Log in to OWA/ECP.
  2. Click Options (if you logged in to OWA).
  3. In the left pane select Phone.
  4. On the Mobile Phones tab select the device you want to wipe.
  5. Click Wipe Device and click OK.
  6. After the phone has acknowledged the wipe, click Remove Device to delete the partnership.

 Use EMS (Management Shell)

Open the Management Shell and use the cmdlet Get-ActiveSyncDeviceStatistics to retrieve the device identity:

Cmdlet:- Get-ActiveSyncDeviceStatistics -Mailbox Praveen | fl Identity

The above command returns the Identity of each device partnership for the mailbox; pass that value to Clear-ActiveSyncDevice to wipe the identified device:

Cmdlet:- Clear-ActiveSyncDevice -Identity WM_Praveen

(WM_Praveen stands for the Identity value returned by the previous command.)
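As an added example that is not part of the original post, the whole EMS wipe flow in one script, including the follow-up checks a responder wants: which partnership was targeted, whether the phone has picked up the wipe, and what to do because the wipe depends on the phone connecting again. The mailbox name Praveen is taken from the post; the DeviceType filter and the notification address are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell. The mailbox "Praveen" is taken from the post; the DeviceType filter
# ("PocketPC") and the notification address are assumptions for the example.
$mailbox = "Praveen"

# 1. List the device partnerships for the mailbox. The Identity property is
#    what Clear-ActiveSyncDevice expects.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox
$devices | Format-Table DeviceType, DeviceId, LastSuccessSync, DeviceWipeRequestTime -AutoSize

# 2. Pick the lost phone. Here: the first partnership of an assumed device type.
$lost = $devices | Where-Object { $_.DeviceType -eq "PocketPC" } | Select-Object -First 1
if (-not $lost) { throw "No matching device partnership found for $mailbox" }

# 3. Queue the wipe. It is only delivered on the phone's next synchronization;
#    a phone that never connects again is never wiped.
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "admin@contoso.com" `
    -Confirm:$false

# 4. Track progress: RequestTime is set now, SentTime when the phone next
#    connects, AckTime when the phone confirms the wipe has completed.
Get-ActiveSyncDeviceStatistics -Identity $lost.Identity |
    Format-List DeviceId, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# 5. Because the wipe relies on the phone cooperating, also cut off the data
#    at the server: reset the user's Active Directory password so the
#    credential cached on the phone stops working (not shown here).

# 6. After the acknowledgement arrives, remove the partnership so the same
#    device cannot quietly re-pair later. Do not run this before the
#    acknowledgement, or the pending wipe request goes with it.
# Remove-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
```

The wipe mailbox notification (-NotificationEmailAddresses) is worth setting: it gives you the acknowledgement as an e-mail record instead of requiring you to poll step 4.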

 

Device password policies: Exchange ActiveSync lets you configure several options for the device password, including the following:

Minimum password length (characters): The default length is 4 characters; the maximum that can be required is 18.

Require alphanumeric password: The password must contain at least one letter or symbol in addition to digits, which rules out purely numeric PINs. In Exchange 2010 you can additionally set how many character classes (lower-case, upper-case, digits, symbols) the password has to contain.

Inactivity time (seconds): How long the mobile phone must be idle before the user is prompted for the password to unlock it.

Wipe device after failed (attempts): How many consecutive failed password attempts are allowed before the device wipes itself. This wipe is performed locally by the phone and does not need a command from the server, so it also protects a phone that is kept offline by the thief.

How to configure Exchange ActiveSync policies

We can use either the EMC or the Management Shell to configure Exchange ActiveSync policies.

Use EMC

Open EMC and navigate to Organization Configuration -> Client Access.

[Screenshot: EMC-EAS]

Select the Default Policy (or create a new policy; a new policy applies only to the mailboxes it is assigned to, or to everyone once it is made the default policy), then open its properties from the Action menu.

[Screenshot: EAS-password]

Set the options as your requirements dictate.

Use Exchange Management Shell

We can use the cmdlet Set-ActiveSyncMailboxPolicy to configure Exchange ActiveSync policies.

Below is one such cmdlet. It enforces a device password on the Default policy, expires the password after 12 days (a bare number for DevicePasswordExpiration is read as days), remembers the last 10 passwords, wipes the device after 7 failed attempts, locks the device after 10 minutes of inactivity, requires at least 4 characters and enables password recovery.

Set-ActiveSyncMailboxPolicy -Identity Default -DevicePasswordEnabled $true -DevicePasswordExpiration 12 -DevicePasswordHistory 10 -MaxDevicePasswordFailedAttempts 7 -MaxInactivityTimeDeviceLock 00:10:00 -MinDevicePasswordLength 4 -PasswordRecoveryEnabled $true

We can then verify the settings by running the cmdlet Get-ActiveSyncMailboxPolicy:

[Screenshot: EAS-cmdoutput]

As you can see, there are some very useful settings compared to Exchange 2003, such as Enable password recovery: users can look up their recovery password in Outlook Web App and unlock their mobile phone, and administrators can look it up in the EMC. Bear in mind that the recovery password is only as well protected as the OWA account (and the administrator's account) that can read it.
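The following is an added example, not from the original post, that goes one step further than the Set-ActiveSyncMailboxPolicy call above: it creates a separate, stricter policy instead of editing the Default one, assigns it to a mailbox, and then checks what the phones actually received. The policy name Corp-Strict is an assumption; the mailbox Praveen is the one used in the post. Run it in the Exchange Management Shell.

```powershell
# Added example, not from the original post. Creates a stricter ActiveSync
# policy, assigns it to one mailbox and checks what the phones received.
# "Corp-Strict" is an assumed policy name; "Praveen" is the post's mailbox.
$policyName = "Corp-Strict"
$mailbox    = "Praveen"

# 1. Create the policy. Splatting keeps each setting next to its comment.
$policy = @{
    Name                               = $policyName
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true     # at least one non-numeric character
    MinDevicePasswordComplexCharacters = 3         # lower-case, upper-case, digits, symbols
    AllowSimpleDevicePassword          = $false    # rejects 1234, 1111 and the like
    MinDevicePasswordLength            = 6
    MaxDevicePasswordFailedAttempts    = 7         # phone wipes itself after 7 failures
    MaxInactivityTimeDeviceLock        = "00:10:00"
    DevicePasswordExpiration           = "90.00:00:00"   # 90 days
    DevicePasswordHistory              = 10
    PasswordRecoveryEnabled            = $true
    RequireDeviceEncryption            = $true     # data stays protected if a wipe never arrives
    AllowNonProvisionableDevices       = $false    # phones that cannot enforce the policy are refused
}
New-ActiveSyncMailboxPolicy @policy

# 2. A new policy applies to nobody until it is assigned (or made the default).
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# 3. Verify the policy object and the assignment.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List *DevicePassword*, MaxInactivityTimeDeviceLock, RequireDeviceEncryption, AllowNonProvisionableDevices
Get-CASMailbox -Identity $mailbox | Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy

# 4. The policy is pushed on the next sync. Every partnership of the mailbox
#    should report it as applied; anything else is a phone still running under
#    the old rules, or one that cannot enforce them.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceType, DevicePolicyApplied, DevicePolicyApplicationStatus, LastPolicyUpdateTime -AutoSize
```

AllowNonProvisionableDevices is the setting to check first on an existing policy: while it is $true, a phone that does not understand the policy is allowed to sync anyway, so every other line in the policy is optional from that phone's point of view.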

Ref - Managing Exchange Active Sync

-Praveen
