Exchange Insider

Learning from successful Exchange Server migrations


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Exchange Server 2007's tools for securing mobile environments

Protect your Exchange Server 2007 organization from mobile device security threats by defining and configuring enterprise-wide Exchange ActiveSync Polices.

Mobile devices extend the limits of traditional workspaces, but they also expose the enterprise to increased risks. Leveraging Exchange Server 2007's mobile security tools can protect your enterprise.

Most North American enterprises favor BlackBerry Enterprise Server (BES) to manage and secure Research In Motion (RIM) device access to Exchange Server. Since the release of Exchange Server 2003 and Exchange ActiveSync (EAS) technology, many organizations support a mix of third-party mobile solutions (BES, Good Link, etc.) with EAS -- or they have entirely converted over to devices that natively support EAS.

A growing number of smartphones on the market can leverage EAS. Some cell phone providers are using other technologies to access corporate email systems for phones that don't support EAS. Organizations don't have to standardize support for one mobile device solution, but they all must understand that allowing mobile devices to access their corporate email systems is a serious security risk.

While support for mobile access wasn't always available in Exchange Server, Microsoft has offered mobile support for Exchange for nearly a decade. In 2001, Microsoft released Mobile Information Server (MIS), which used Outlook Mobile Access to provide real-time Exchange Server access. Users of Outlook Mobile Access could get to email, calendaring, contacts and tasks from a mobile device.

Outlook Mobile Access and the server-side ActiveSync function of MIS were incorporated into Exchange 2003, but MIS has since been phased out. The Outlook Mobile Access (OMA), which functioned like a text-only version of OWA for mobile devices, was phased out in Exchange 2007.

EAS security: Exchange Server 2003 vs. Exchange Server 2007

Server-side ActiveSync was introduced in Exchange Server 2003, but offered only a limited ability to secure devices that connected to the Exchange Server. Exchange 2003 SP2 marked a huge milestone for mobile security with Exchange ActiveSync.

This service pack enabled administrators to create central policies, perform remote wipes of devices, use certificate-based authentication and more. Much of what is available to secure mobile devices in Exchange Server 2007 has evolved from Exchange 2003 SP2.

The release of Exchange 2007, Exchange 2007 SP1 and Exchange 2007 SP2 gives administrators even more control over mobile devices -- equipping them with the tools needed to combat ever-growing risks.

Mobile device policy guidelines

Regardless of which messaging system an organization uses, security experts agree that administrators can no longer ignore the risks that mobile devices present. But administrators can't forbid users from accessing corporate email via a mobile device as part of their security policies. Ultimately, users would find other ways to get their work email on their mobile devices.

It may be more feasible to limit which types of mobile devices can access the enterprise's Exchange Server. Develop a clear policy of acceptable devices, educate users and get them to acknowledge the policy. The following items are critical to incorporate into your organization's usage policies:

  • Password protection
  • Device and storage card encryption
  • Communication encryption
  • Device backup
  • Software restrictions
  • Acceptable use

In addition to these core policy items, define what the users are allowed to keep on their devices. Be very specific and list acceptable applications and prohibited items, such as confidential data files. Instruct users to disable any feature of the device that isn't being used, such as Wi-Fi or Bluetooth.

Although mobile devices aren't necessarily a major target for malicious code, analysts predict that viruses and malware will become more prevalent in smartphones and other mobile devices this year, and will continue to be more of a problem in the future. To be proactive, instruct users to install virus and malware protection on their devices.

Policies also need to include procedures for remotely wiping devices as soon as they are lost or stolen. If confidentiality is extremely critical, you may consider banning mobile devices from certain meetings where someone might try to record or broadcast the proceedings.

Because smartphone vendors have the ultimate say in what their devices will support, be careful -- from a security standpoint -- to only purchase devices for your users that technically comply with your acceptable-use policy. You may have to exclude some of the more popular devices on the market, though. Conversely, you may have to set exceptions for smartphones that cannot be fully provisioned for your security needs.

Define your EAS policy

Microsoft Exchange Server 2007 provides Exchange ActiveSync Policies and Management tools that facilitate the enforcement of defined usage policies. In fact, Exchange 2007 SP1 added an additional 30 configurable options to control the most current technologies available in smartphones. Of course, there are still a few gotchas.

  1. You can only create the policy and associate it with a user's mailbox. It's up to the users to accept the policy on their devices. However, they won't be able to use ActiveSync with Exchange Server 2007 unless they accept the policy.

  3. Many of the new options in the ActiveSync policies require that you have the Enterprise Client Access License (CAL) for mobile users. This could create unforeseen costs if you don't currently have Enterprise CALs. A complete list of features, including those that require the Enterprise CAL can be found in Microsoft's article on Exchange ActiveSync Mailbox Policies.

  5. By default, ActiveSync is enabled for all users with a mailbox within your organization. If you don't currently have a usage policy, create one as soon as possible.

How to configure your usage policy

Client Access Server role and SSL requirements
By default, the Exchange ActiveSync virtual directory on the Client Access Server (CAS) role requires SSL encryption using a self-signed certificate. Consider replacing the self-signed certificate on the CAS with one from a third-party public certificate authority that the mobile device already trusts. This way, you do not have to import additional certificates onto your mobile devices.

I'm a strong believer that the default Exchange ActiveSync Mailbox Policy should be the strictest of all the policies that you configure. You can always make expectations to rules by creating additional policies and removing restrictions from them.

You can configure an Exchange ActiveSync Mailbox Policy with either Exchange Management Console (EMC) or Exchange Management Shell (EMS). The Default policy can be found in the Organization Configuration work center of the EMC under Client Access Server.

It's important to familiarize yourself with the default policy as well as any critical options that are part of your usage policy. There are five configuration tabs that you must know, the first of which is the General tab (Figure 1).

the Default ActiveSync policy General tab
Figure 1. Default ActiveSync policy General tab.

Under the General tab, the first area of concern is the Allow non-provisionable devices option. You can't set a policy for non-provisionable devices. There are a number of older devices that cannot handle a strict policy because they aren't provisionable. These are not the type of devices you want to support in your usage policy. If you must support them, make them an exception and create a different policy for them. If you are uncertain about allowing Windows SharePoint Services (WSS) Uniform Naming Convention (UNC) access, it may be best to disable it for now and enable it later.

The next tab is the Password tab (Figure 2). The biggest concern with this tab is that the Require password option is disabled by default. It is selected in Figure 2 to show the default settings that are populated when this option is enabled in an Exchange ActiveSync Mailbox Policy.

the default ActiveSync Policy tab
Figure 2. Default ActiveSync Policy Password tab.

When setting your password options, you'll want to find a balance between strictness and usability. For example, you should probably disable the Allow simple password (1234, 4321, etc...) tab, but set the number of failed attempts allowed at five.

Security experts strongly recommend that you require encryption on the device as well as the storage card, so be sure to enable these options. The default setting for how long the device will remain logged on after being left unattended is 15 minutes. This is a little long; consider shortening that to five minutes.

The next tab is the Sync Settings tab (Figure 3). If you are not encrypting data on your device and storage card, it's best to disable the Allow attachments to be downloaded to the device option. It's a bad idea to allow synchronization when roaming, especially if you're traveling out of the country because you can unknowingly run up a high fee for downloading data while roaming.

Figure 3. Default ActiveSync policy Sync Settings tab.

The next tab is the Device tab. The Exchange ActiveSync Mailbox Policy requires you to have the Exchange Server Enterprise CAL installed to enable or disable any device features available in this tab. Since almost all of these device features have security ramifications, you should seriously consider using the Exchange Server Enterprise CAL for added control.

The last tab is the Advanced tab (Figure 4). Just like the Device tab, all features on the Advanced tab require that you have the Enterprise CAL. Two major benefits of obtaining the Enterprise CAL are found on this tab: The ability to prevent unsigned applications and the ability block and/or allow specific applications. I would even venture to say that these settings make the Enterprise CAL a necessity for anyone serious about mobile device security.

Default ActiveSync policy Advanced tab
Figure 4. Default ActiveSync policy Advanced tab.

With secure connections enforced and a strong default Exchange ActiveSync Mailbox Policy that enforces your usage policy, you're on your way to having a fully secure mobile environment.


Richard Luckett
Richard Luckett is President of SYSTMS of NY, Inc., a Microsoft Gold Partner providing professional services, managed services and training solutions. He is an MCSE, MCITP and MCTS with security and messaging specializations, and an MCT with nine years of Exchange training experience. Richard is an Exchange MVP award recipient, co-author of Administering Exchange 2000 Server and Exchange Server 2007: The Complete Reference, course director and author of seven Microsoft Exchange courses, and resident email security expert for Contact him at

Article 2 of 3

Dig Deeper on Enterprise mobile security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.