Category list

Secure Messaging with Microsoft?® Exchange Server 2003 (Pro-Other) - page 124

Summary

IMAP and POP are valuable alternatives to MAPI and HTTP; there is a wide range of client software available for various platforms, and configuring IMAP and POP to use SSL provides good security with minimal effort on your part.

Additional Reading

Internet RFC 1939 ( http://www.ietf.org/rfc/rfc1939.txt ) defines POP3, and RFC 2060 ( http://www.ietf.org/rfc/rfc2060.txt ) defines the IMAP4rev1 protocol.

Part V: Advanced Topics

Chapter List

Chapter 16: Securing Mobile Exchange Access
Chapter 17: Discovery, Compliance, Archive, and Retrieval
Chapter 18: Security Logging
Chapter 19: Security Auditing
Chapter 20: The Law and Your Exchange Environment

Chapter 16: Securing Mobile Exchange Access

Overview

Mid pleasures and palaces though we may roam, Be it ever so humble , there s no place like home.

”John Howard Payne

Users want to be untethered: they want to be able to go wherever they want, whenever they want, and still have access to their important data. Whether this is actually a good idea is the subject of some debate; I have a good friend who is a project manager for a company that works on nuclear reactors. His work is extremely time-critical, because for every hour that a nuclear reactor is offline for maintenance it costs the owning utility millions of dollars. He wryly refers to his BlackBerry as the homewrecker because it makes it possible for him to check his e-mail at any time, even when he shouldn t. However, it also makes it possible for him to get his work done without being tied to his office, so he can run out to pick up a sick child from school or have lunch with his wife without worrying that he s missing something critical. Whether for good or ill, users have caught on to the possibilities of these devices and are asking for them. Microsoft noticed, and they ve beefed up the mobile support in Microsoft Exchange Server 2003.

Understanding Exchange s Mobility Features

Exchange Server 2003 provides mobile access using several different tools, protocols, and services. Understanding these will help you better identify which security measures make sense for the particular mix of clients you have in your organization.

First, let s dispense with the old-style clients. Microsoft Office Outlook 2003 with RPC-over-HTTPS certainly qualifies as a mobile client, especially when paired with a high-speed wireless connection like those available from Verizon, Sprint, and AT&T. However, because we ve already discussed Outlook security in detail, I won t deal with it further in this chapter. Likewise, Microsoft Outlook Web Access provides a solution for users who have access to a Web browser; although some mobile devices can render Outlook Web Access (OWA) pages, they usually look pretty bad, so I ll omit further discussion of OWA as a mobility tool. Finally, many handheld devices support Internet Message Access Protocol (IMAP) and Post Office Protocol (POP); those protocols are discussed in Chapter 15, Securing POP and IMAP, so we re not going to talk more about them here. Instead, I m going to focus on two classes of devices: cell phones that use Microsoft Outlook Mobile Access and Pocket PC/Windows Mobile devices that use some kind of wireless connection with Exchange ActiveSync.

Outlook Mobile Access

Outlook Mobile Access (OMA) is designed to render selected Exchange store content to handheld and mobile devices. OMA supports devices that use Wireless Access Protocol (WAP) 2.x protocols; this includes support for Hypertext Markup Language (HTML), Extensible HTML (XHTML), and Compact HTML (cHTML) ”the markup language used by i-Mode devices. OMA devices make connections to the front end, which proxies their requests and renders the results into a format that the device can display. The OMA implementation in Exchange Server 2003 is descended from the Microsoft Mobile Information Server product, which provided OMA capability for Microsoft Exchange 2000 Server organizations. Mobile Information Server was never very widely deployed for two reasons: it was a separate product, and there weren t very many devices (in terms of absolute numbers ) that could talk to it. Both of those circumstances have now changed, so OMA is increasingly popular in even small- and medium- sized organizations.

OMA provides access to your Exchange Inbox, Calendar, Contacts, and Tasks folders; you can look up entries in the Global Address List (GAL), and you can flag messages or mark them as unread. However, the data you see isn t persistently stored on your handheld; for example, on the SonyEricsson T68i (which features a built-in calendar and contact application that can synchronize with Outlook), if you create a new appointment using OMA it won t be added to the phone s calendar. That means that you only have access to your Exchange data when you re online with your Exchange servers. I usually describe OMA as OWA for handhelds, because that does a good job of summarizing how it works.

OMA normally uses Secure Sockets Layer (SSL) to protect its Hypertext Transfer Protocol (HTTP) sessions from end to end. For devices that are using WAP, the wireless carrier might allow the use of the Wireless Transport Layer Security (WTLS) protocol, which is based on the Internet-standard Transport Layer Security (TLS) protocol we ve talked about before. WTLS is used between the device and the WAP gateway; HTTPS is used from the WAP gateway to the OMA server. Neither the user nor the Exchange administrator has any control. Of course, this requires the WAP gateway provider to trust the certificate used by your server; if you re using an internally issued certificate, you ll probably need to get a certificate issued by a trusted certificate authority (CA) like Verisign or Thawte.

Tip

If you re using RSA s SecurID system, you ll be happy to know that OMA works with it; this is because OMA can be used with the Internet Information Services (IIS) and Internet Security and Acceleration (ISA) filters required for SecurID compatibility. However, you must be using devices that are certified as compatible by both Microsoft and RSA Security.

Exchange Server ActiveSync

Exchange Server ActiveSync (EAS) actually synchronizes your Exchange data to a mobile device. This functionality obviously depends on having a mobile device that runs some version of Outlook, so it s only available for Microsoft Windows “ powered devices like the Pocket PC 2002 (and later) line, the Pocket PC Phone editions (both the Pocket PC 2002 Phone Edition and the Windows Mobile 2003 Powered Pocket PC Phone Edition), and the Windows- powered Smartphones available from Motorola, Sierra, Samsung, and other manufacturers.

EAS can perform both on-demand and scheduled synchronizations, and it allows access to all the folders in your mailbox ”a handy feature. EAS allows access to message attachments, and it allows the server to send periodic always up to date (AUTD) notifications to the device so that the device can initiate a synchronization ”this is a simple way to simulate the push approach that Research in Motion (RIM) uses with its BlackBerry devices. AUTD notifications are actually Short Message Service messages originated by the Exchange server and gatewayed by the wireless carrier; you can configure Exchange to send these notifications at whatever interval makes the most sense for your users. Beware, though: most carriers charge for Short Message Service traffic, so be sure to factor it into your deployment planning if you want to use AUTD.

By default, EAS uses 128-bit SSL to protect all of its communications.

Other Mobility Services

Of course, Microsoft isn t the only company to have figured out that users want mobile access to their Exchange data; in fact, they re not even the first company to figure it out. That honor should probably go to RIM. Accordingly, it s worth mentioning a couple of other mobility services that you might find running in your Exchange environment.

First is RIM s BlackBerry software, which comes in two types. The individual desktop version acts as a redirector that runs in conjunction with Outlook; the BlackBerry Enterprise Server (BES) runs on an Exchange server and redirects mail for multiple users. In either case, mail from the selected mailboxes is encrypted by the BlackBerry redirector, then sent over the Internet to RIM s service center. From there, it s encrypted for the specific device owned by the recipient and transmitted over his or her radio network. If the device is in range of a transmitter, and it s turned on, it receives the message. The other noteworthy product is Good Technology s GoodLink product, which does more or less the same thing as RIM s BES software with a different set of supported handhelds and service providers.

The security implications of these products are pretty obvious:

An attacker who can interfere with the user s desktop machine can prevent new mail from reaching the user, because the desktop redirector has to be running for mail to be transmitted.
All mail has to transit both the Internet and the service provider s network. This might or might not be of concern, depending on how secure you think those networks are and how much you trust the providers.
Any product that can proxy mail for multiple users will of necessity have a service account, or something like it, that has access to multiple mailboxes. If an attacker can compromise this account, he or she can masquerade as any of the users to which that account has permissions. Accordingly, this account should be protected with an extrastrong password, and its use should be carefully monitored through auditing.