Accessing Exchange mailboxes via ActiveSync is now part of everyday life, but the risks associated with mobile access should not be ignored. Users often do not even protect their smartphone with a PIN, and if the smartphone is stolen or lost, anyone can read the business emails or do worse things.
In the standard Exchange configuration, each user is allowed to connect 100 ActiveSync devices (in Exchange 2010 it was 10) to their mailbox, which for some users means that the wife's iPad, the daughter's cell phone, the neighbor's tablet and 50 old devices that have long since been sold on eBay also access the mailbox. However, there are a few simple methods to ensure at least a little more security:
Set the number of permitted ActiveSync devices per mailbox
The number of ActiveSync devices per mailbox can be limited via throttling policy. To display the ActiveSync settings of the default throttling policy, the command below can be entered.
Get-ThrottlingPolicy default* | fl eas*
To limit the number of ActiveSync devices to 5 per mailbox, the following command can be used, where 5 is of course a value of your choosing:
Set-ThrottlingPolicy default* -EasMaxDevices 5
Limiting the maximum number of ActiveSync devices already curbs some of the "uncontrolled growth", but we still have no control over whether a "neighbor's tablet" is among those devices, so each ActiveSync device should be explicitly approved.
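The two commands above change the default throttling policy. As an added example (not from the original article), the script below instead creates a dedicated throttling policy with the 5-device cap, assigns it to a single mailbox, and then audits every user mailbox for device partnerships that exceed the cap or have not synchronized for a long time, which is exactly the "sold on eBay" situation described above. The policy name, the mailbox identity and the 90-day staleness threshold are assumptions.

```powershell
# Added example (not from the original article): per-mailbox ActiveSync device cap plus an
# audit of existing partnerships. Policy name, mailbox identity and thresholds are assumed.

$PolicyName     = "EAS-5Devices"   # assumed policy name
$MaxDevices     = 5
$StaleAfterDays = 90               # a device silent this long is a removal candidate

# Create the policy once. Scope "Regular" means it only applies to mailboxes it is
# explicitly assigned to, leaving the organization default policy untouched.
if (-not (Get-ThrottlingPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name $PolicyName -ThrottlingPolicyScope Regular -EasMaxDevices $MaxDevices | Out-Null
}

# Assign the policy to one mailbox (assumed identity "user01").
Set-Mailbox -Identity "user01" -ThrottlingPolicy $PolicyName

# Audit: the cap is only enforced when a new device tries to partner, so mailboxes
# that already exceed it keep their old partnerships until an admin removes them.
$Report = foreach ($Mailbox in Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited) {
    $Devices = @(Get-MobileDeviceStatistics -Mailbox $Mailbox.Identity -ErrorAction SilentlyContinue)
    if ($Devices.Count -eq 0) { continue }

    $Stale = @($Devices | Where-Object {
        $_.LastSuccessSync -and $_.LastSuccessSync -lt (Get-Date).AddDays(-$StaleAfterDays)
    })

    [PSCustomObject]@{
        Mailbox      = $Mailbox.PrimarySmtpAddress
        DeviceCount  = $Devices.Count
        OverCap      = $Devices.Count -gt $MaxDevices
        StaleDevices = ($Stale | ForEach-Object { "$($_.DeviceType)/$($_.DeviceId)" }) -join "; "
    }
}

# Show only mailboxes that need attention, busiest first.
$Report |
    Where-Object { $_.OverCap -or $_.StaleDevices } |
    Sort-Object DeviceCount -Descending |
    Format-Table -AutoSize
```

Stale partnerships listed in the report can be removed with Remove-MobileDevice so that the cap actually leaves room for the devices the user still owns.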
ActiveSync devices must be approved/authorized
To prevent users from entering their credentials on any device just to check a few emails quickly, an administrator should confirm every new ActiveSync device. This option is easily configured in the ECP, but it is not enabled by default either. In the ECP, select the "Mobile" item in the menu; the "Edit" button lets you specify which admin may approve ActiveSync devices.
In the "Settings for Exchange ActiveSync access" dialog, you can now select "Set to quarantine" and enter an admin who approves ActiveSync devices.
If a user now tries to connect a new device to Exchange, the account is set up successfully, but only a single mail is synchronized:
The selected admin also receives an email prompting them to approve or block the new device. A little caution is required, however: if this function is enabled retrospectively, all devices that have already established a successful ActiveSync connection are quarantined, and the affected users receive the quarantine mail. If you want to activate the quarantine function retrospectively, you can find a script here that approves all existing ActiveSync devices. The quarantine mail is still sent, however.
The number of devices is now limited and an administrator decides whether a user may connect a new device; what remains is to establish a little security on the device itself.
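The ECP steps above have an Exchange Management Shell equivalent, and the pre-approval problem just described can be handled in the same run. The following is an added example, not the script the article links to: it whitelists every device that already has a working partnership, then switches the organization default to quarantine, and finally lists what is still waiting for the admin. The admin address and the user notice text are assumptions; the cmdlet names are the Exchange 2013 ones (on Exchange 2010 the equivalents are Get-ActiveSyncDevice and Get-ActiveSyncDeviceStatistics).

```powershell
# Added example (not the article's linked script): enable ActiveSync quarantine from the
# EMS while keeping existing partnerships working. Admin address and notice text are assumed.

$AdminRecipient = "exchange-admin@example.com"   # assumed notification recipient

# Step 1: for every ActiveSync-enabled mailbox, add the IDs of devices that completed at
# least one successful sync to that mailbox's allowed list. A per-mailbox allowed device
# bypasses the organization-wide quarantine. Devices that never synced are deliberately
# left out so the admin can judge them.
$Approved = foreach ($Cas in (Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.ActiveSyncEnabled })) {
    $DeviceIds = @(Get-MobileDeviceStatistics -Mailbox $Cas.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.LastSuccessSync } |
        Select-Object -ExpandProperty DeviceId)
    if ($DeviceIds.Count -eq 0) { continue }

    Set-CASMailbox -Identity $Cas.Identity -ActiveSyncAllowedDeviceIDs @{Add = $DeviceIds}
    [PSCustomObject]@{ Mailbox = $Cas.Name; ApprovedDevices = $DeviceIds.Count }
}
$Approved | Format-Table -AutoSize

# Step 2: quarantine unknown devices by default and notify the admin about each one.
# The UserMailInsert text is placed in the mail the quarantined user receives.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients $AdminRecipient `
    -UserMailInsert "Your device must be approved by IT before mail is synchronized."   # assumed text

# Step 3: show what is currently waiting in quarantine. A single device can be approved
# from the shell with:
#   Set-CASMailbox -Identity <mailbox> -ActiveSyncAllowedDeviceIDs @{Add = "<DeviceId>"}
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId, FirstSyncTime |
    Format-Table -AutoSize
```

Run step 1 before step 2; in the other order the existing devices would briefly land in quarantine. As the article notes, the quarantine notification to users may still go out even when the devices have been pre-approved.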
Policies for ActiveSync devices
"Mobile device policies" allow certain security functions to be enforced on the device, but here too the default setting is very lenient:
Everyone must decide for themselves which settings make sense, but in my opinion a PIN should always be required. To require a PIN, a new policy can be created or the "default" policy can be adapted.
To require a simple PIN consisting of 4 digits, this policy can be used:
The policy shown above is set as the default policy; devices that do not support this policy cannot synchronize. The password may be "simple", i.e. consist only of digits, and must be at least 4 characters long. Far more can be configured via the EMS, but not all devices support every rule:
Get-MobileDeviceMailboxPolicy
or
Set-MobileDeviceMailboxPolicy frankysweb -AllowIrDA $false
You can find out which settings are supported by which devices here: http://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_clients
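The screenshots above show the PIN policy being built in the ECP. As an added example (not from the original article), the script below creates the same policy from the EMS, adds the inactivity lock and failed-attempt limit that the ECP dialog also offers, refuses devices that cannot enforce the policy, makes it the default, and re-points existing mailboxes to it. The policy name "PIN-Required" and the specific limits are assumptions.

```powershell
# Added example (not from the original article): a mobile device mailbox policy that
# requires a simple 4-digit PIN and becomes the default. Name and limits are assumed.

$PolicyName = "PIN-Required"   # assumed policy name

$Settings = @{
    PasswordEnabled              = $true        # a device PIN/password is mandatory
    AllowSimplePassword          = $true        # digits only (e.g. 1234) is acceptable
    AlphanumericPasswordRequired = $false       # no letters or symbols required
    MinPasswordLength            = 4
    MaxInactivityTimeLock        = "00:15:00"   # lock the device after 15 minutes idle
    MaxPasswordFailedAttempts    = 10           # device wipe after 10 wrong PINs
    AllowNonProvisionableDevices = $false       # devices that cannot apply the policy may not sync
}

# Create or update the policy idempotently.
if (Get-MobileDeviceMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue) {
    Set-MobileDeviceMailboxPolicy -Identity $PolicyName @Settings
} else {
    New-MobileDeviceMailboxPolicy -Name $PolicyName @Settings | Out-Null
}

# Make it the organization default so newly created mailboxes pick it up automatically.
Set-MobileDeviceMailboxPolicy -Identity $PolicyName -IsDefault $true

# Existing mailboxes keep the policy they were assigned at creation; re-point them.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and $_.ActiveSyncMailboxPolicy -ne $PolicyName } |
    Set-CASMailbox -ActiveSyncMailboxPolicy $PolicyName

# Verify the effective settings.
Get-MobileDeviceMailboxPolicy -Identity $PolicyName |
    Format-List Name, IsDefault, PasswordEnabled, AllowSimplePassword, MinPasswordLength,
                MaxInactivityTimeLock, MaxPasswordFailedAttempts, AllowNonProvisionableDevices
```

The policy is pushed to a device at its next sync; devices that report they cannot enforce it are refused because AllowNonProvisionableDevices is $false, which matches the "devices that do not support this policy cannot synchronize" behaviour described above.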
These simple rules provide improved security for ActiveSync devices. ActiveSync is activated by default for every mailbox, so every administrator should consider whether to restrict access. In the next article you will find a small script that maintains a whitelist for ActiveSync users.
Hi,
if I introduce the quarantine retrospectively on an Exchange 2010 (current patch level) and have the devices written to the whitelist beforehand via script, do people receive a mail as with Exch2013, or does the system react differently? :)
Kind regards
Sebastian