Managing Exchange ActiveSync Security
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
Exchange ActiveSync enables users to synchronize mobile devices with Microsoft Exchange Server 2007. This gives users access to a wide variety of Exchange data, including e-mail messages, calendar and contact data, tasks, and Unified Messaging data such as fax messages and voice mail messages.
To view fax messages on a mobile device, users may have to install additional third-party software.
There are several security concerns that you must consider when you deploy Exchange ActiveSync. This topic provides an overview of security options for the deployment of Exchange ActiveSync.
Exchange ActiveSync Server Security
There are several security-related tasks that you can perform on a server that is running Exchange ActiveSync. One of the most important tasks is to configure an authentication method. Exchange ActiveSync runs on an Exchange 2007 server that has the Client Access server role installed. This server role is installed with a default self-signed digital certificate. Although the self-signed certificate is supported for Exchange ActiveSync, it is not the most secure method of authentication. For additional security, consider deploying a trusted certificate from a third-party commercial certification authority (CA) or a trusted Windows public key infrastructure (PKI) certification authority. For more information about how to configure a trusted digital certificate, see How to Configure SSL for Exchange ActiveSync.
Selecting an Authentication Method for Exchange ActiveSync
In addition to deploying a trusted digital certificate, you should consider the various authentication methods that are available for Exchange ActiveSync. By default, when the Client Access server role is installed, Exchange ActiveSync is configured to use Basic authentication with Secure Sockets Layer (SSL). To provide increased security, consider changing your authentication method to Digest authentication or Integrated Windows authentication.
Users with mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2007 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This allows the Exchange 2007 Client Access server and the Exchange 2003 back end server to communicate using Kerberos authentication.
Using ISA Server with Exchange ActiveSync
Microsoft Internet Security and Acceleration (ISA) Server 2006 and Exchange 2007 have been designed to provide increased security for client access to Microsoft Exchange when you use Exchange ActiveSync.
ISA Server 2006 enables you to configure authentication methods for Exchange ActiveSync when you run the New Exchange Publishing Rule wizard. For more information about how to use ISA Server 2006 with Exchange ActiveSync, see Configuring ISA Server 2006 for Exchange Client Access.
In addition to enhancing the security of the Exchange ActiveSync server, you should also consider enhancing the security of your users' mobile devices. There are several methods that you can use to enhance the security of mobile devices.
Exchange ActiveSync Mailbox Policies
Exchange ActiveSync for Exchange 2007 enables you to create Exchange ActiveSync mailbox policies to apply a common set of security settings to a collection of users. Some of these settings include the following:
Requiring a password.
Specifying the minimum password length.
Requiring numbers or special characters in the password.
Designating how long a device can be inactive before the user is required to reenter their password.
Specifying that the device be wiped if an incorrect password is entered more than a specific number of times.
For more information about Exchange ActiveSync mailbox policies, see Managing Exchange ActiveSync with Policies.
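The settings listed above map to parameters of the New-ActiveSyncMailboxPolicy cmdlet in the Exchange Management Shell. The following is an added example, not part of the original topic; the policy name, mailbox address, and the numeric values are illustrative assumptions.

```powershell
# Added example for the Exchange 2007 Exchange Management Shell.
# $policyName and $mailbox are placeholders; the thresholds are sample values.
$policyName = "Mobile-Baseline"
$mailbox    = "user@contoso.example"

# One parameter per setting in the list above:
#   require a password, minimum length, numbers/special characters,
#   inactivity lock timeout, wipe after repeated failed attempts.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 `
    -AlphanumericDevicePasswordRequired $true `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -MaxDevicePasswordFailedAttempts 8

# Confirm what was actually stored before assigning it to anyone.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List Name, DevicePasswordEnabled, MinDevicePasswordLength,
        AlphanumericDevicePasswordRequired, MaxInactivityTimeDeviceLock,
        MaxDevicePasswordFailedAttempts

# Assign the policy to a mailbox.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Audit: mailboxes that can use Exchange ActiveSync but have no
# policy explicitly assigned.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy
```

Run the audit query again after each batch of assignments; an empty result means every ActiveSync-enabled mailbox has an explicit policy.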
Remote Device Wipe
Mobile devices can store sensitive corporate data and provide access to many corporate resources. If a device is lost or stolen, that data can be compromised. Remote device wipe is a feature that enables the Exchange server to set a mobile device to delete all data the next time that the device connects to the Exchange server. A remote device wipe effectively removes all synchronized information and personal settings from a mobile device. This can be useful when a device is lost, stolen, or otherwise compromised.
After a remote device wipe has occurred, data recovery will be very difficult. However, no data removal process leaves a device as free from residual data as it is when it is new. Recovery of data from a device may still be possible by using sophisticated tools.
For more information about remote device wipe, see Understanding Remote Device Wipe.
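Because the wipe takes effect only the next time the device connects, it is worth checking whether the device has acknowledged the command. The following is an added example for the Exchange Management Shell, not part of the original topic; the mailbox address and device ID are placeholders.

```powershell
# Added example for the Exchange 2007 Exchange Management Shell.
# $mailbox and $deviceId are placeholders for the affected user and device.
$mailbox  = "user@contoso.example"
$deviceId = "<DEVICE-ID>"

# List the devices that have a partnership with this mailbox.
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $mailbox)
$devices | Format-Table DeviceType, DeviceID, LastSuccessSync -AutoSize

# Pick the lost or stolen device by its ID; stop if it is not found so
# that the wipe is never issued against the wrong partnership.
$target = $devices | Where-Object { $_.DeviceID -eq $deviceId }
if (-not $target) {
    Write-Warning "No device with ID $deviceId found for $mailbox"
    return
}

# Queue the wipe. The cmdlet asks for confirmation before proceeding.
Clear-ActiveSyncDevice -Identity $target.Identity

# Track the state of the wipe:
#   DeviceWipeRequestTime  - when the administrator requested it
#   DeviceWipeSentTime     - when the server sent it to the device
#   DeviceWipeAckTime      - when the device acknowledged it
# An empty DeviceWipeAckTime means the device has not connected since
# the request and still holds its synchronized data.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceID -eq $deviceId } |
    Format-List DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```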