It is becoming common practice for users to establish VPN connections to corporate networks using mobile, handheld devices. Although the VPN connection itself is usually encrypted using PPTP or IPSec, the devices themselves present a major security problem.
The reason mobile devices present such a problem is that they are completely outside administrative control (unless you invest in third-party software). Windows doesn't have any group policy settings that target mobile devices, so a user could very easily copy sensitive data off the corporate network and store it in an unencrypted format on his mobile device.
There are third-party products available that can help you to secure mobile devices, but what a lot of people don't realize is that Microsoft Exchange Server can also be used for this purpose. In fact, Microsoft's primary goal in releasing Service Pack 2 for Exchange Server 2003 was to make mobile devices more secure. These security enhancements were further refined in Exchange Server 2007.
The actual implementation of mobile device security differs between Exchange 2003 SP2 and Exchange 2007. This difference is due in part to the fact that Exchange 2007 uses a set of management tools different from those of Exchange 2003. The other reason for the difference is that Exchange 2007 allows you to apply mobile device security policies on a per-mailbox basis. Exchange 2003 allowed you to create only a single mobile device policy, which had to be applied globally. Given that there are such significant differences between the two versions of Exchange Server, I will focus the remainder of my discussion on Exchange 2007.
Creating a mobile device security policy
To create a mobile device security policy in Exchange 2007, open the Exchange Management Console and navigate through the console tree to "Organization Configuration | Client Access." Upon selecting the Client Access container, the Details pane will display any existing policies that apply to mobile devices. Incidentally, in Exchange Server 2007, these policies are called Exchange ActiveSync Mailbox Policies. Now, just click the New Exchange ActiveSync Mailbox Policy link found in the Actions pane.
At this point, the management console will launch the New Exchange ActiveSync Mailbox Policy wizard, as shown in Figure A. As you can see in the figure, you can set a number of parameters within the policy.
Exchange Server 2007 allows you to create ActiveSync Mailbox Policies.
- The first thing you have to do is enter a name for the policy that you are creating. In most cases, it is best to enter a name that is descriptive of the policy's purpose.
- Below the Mailbox Policy Name field are some check boxes that you can use to enable or disable various policy elements. The first of these check boxes allows you to decide whether or not you want to allow use of non-provisionable devices. These are older mobile devices that are not compatible with the security policy you are creating, so the policy cannot be enforced on them. That being the case, if security is really important to you, then it is best to leave this check box blank so that Exchange will not allow these types of devices to be used. Remember, though, that leaving the check box deselected does not constitute a global ban on older mobile devices. The ban will apply only to those users to whom the policy has been assigned.
- The next check box is pretty self-explanatory. It allows you to control whether or not mobile users are allowed to download email attachments to their devices. Whether you should allow attachments to be downloaded really depends on the nature of your business and on how you are using Exchange for email. Blocking email attachments saves wireless bandwidth and reduces the risk of a viral infection, but it is not appropriate for all types of business.
- The last section allows you to require a password and then set the parameters for the required password. For example, you can set the password length and complexity requirements. You can also control the length of time a mobile device can be idle before the device locks itself and requires the user to re-enter the password for continued use.
- Click the "New" button and the ActiveSync Mailbox Policy will be created. When the creation process completes, click the "Finish" button to close the wizard.
- To assign an Exchange ActiveSync Mailbox Policy to a user, open the Exchange Management Console and navigate through the console tree to "Recipient Configuration | Mailbox." When you do, the Details pane will display a list of all of the users in the entire Exchange organization. Right-click on the user to whom you want to assign the policy, and select the Properties command from the resulting shortcut menu. You will now see the user's properties sheet. Next, select the properties sheet's Mailbox Features tab.
- Select Exchange ActiveSync from the list of mailbox features and click the Properties button. The console will display the Exchange ActiveSync Properties dialog box. Now, simply select the Apply an Exchange ActiveSync Mailbox Policy check box. Next, click the "Browse" button and select the policy that you would like to apply. Click "OK" to complete the process.
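The same policy creation and assignment can be scripted in the Exchange Management Shell, which is useful for verifying that no ActiveSync-enabled mailbox was left without a policy. This is an added example, not code from the article; the policy name and mailbox alias are placeholders, and the failed-attempts limit is a real cmdlet parameter the article does not discuss.

```powershell
# Added example: Exchange Management Shell equivalent of the console steps
# above. Policy name and mailbox alias are placeholders, not from the article.

$policyName = "Corporate Mobile Policy"   # placeholder name

# Create the policy. Settings mirror the wizard's check boxes:
#   - non-provisionable (older) devices are refused,
#   - attachments cannot be downloaded,
#   - a password is required, with length, complexity and idle-lock limits.
# MaxDevicePasswordFailedAttempts is not covered in the article; it wipes the
# device after too many wrong passwords and complements the idle lock.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -AllowNonProvisionableDevices $false `
    -AttachmentsEnabled $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -MaxDevicePasswordFailedAttempts 8

# Assign the policy to one mailbox (placeholder alias), the shell equivalent
# of Mailbox Features | Exchange ActiveSync | Apply an ActiveSync Mailbox Policy.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy $policyName

# Verify the assignment took effect on that mailbox.
Get-CASMailbox -Identity "jdoe" | Format-List Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# Audit: list every ActiveSync-enabled mailbox that still has no policy,
# i.e. users on whom none of the restrictions above are enforced.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy -AutoSize
```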
Remotely wiping a device
One last mobile security feature that I want to talk about is the ability to remotely wipe all of the data from a device. This is an extremely important security feature that should be used if a mobile device is ever lost or stolen.
Imagine, for example, that one of your mobile users is traveling on business and has his pocket picked on the street. The mobile device is now in the hands of a thief. The problem with this (aside from the obvious) is that you do not know the thief's intentions. He may simply want to blank the device and then go and pawn it. On the other hand, there is always the chance that he was hired by a competitor to spy on your company. If that is the case, the thief couldn't care less about the device itself. The real value is in the data that the device contains.
By creating an Exchange ActiveSync Mailbox Policy, you have made the device resistant to tampering, but it would still be a bad idea to assume that the thief isn't interested in your data or that he isn't sophisticated enough to crack the device's password. It is better to go ahead and blank the device.
One of the interesting things about Exchange Server 2007 is that users don't even have to bother reporting the device stolen. They can actually wipe the data from the device themselves through Outlook Web Access (OWA).
To do so, the user must open Internet Explorer and navigate to HTTPS://your_exchange_server/OWA. The Exchange Server 2007 version of OWA looks something like what is shown in Figure B. Notice that there is an "Options" button in the upper right corner of the figure. If a user clicks the Options button, he will be taken to a screen that allows him to configure virtually every aspect of the OWA experience. As you can see in Figure C, the Options screen contains a Mobile Devices link. Selecting this link reveals a series of options related to mobile devices, including an option for wiping the data from the device.
OWA's Options button allows you to customize the OWA experience.
Users can manage their own mobile devices directly through OWA.
About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.