Securing Mobile Devices


Now we get to the interesting part of this chapter: how do you protect your network when you have all these mobile devices running around, each with some amount of critical or sensitive data on it? The precise answer depends on which devices you're using, but more generally, there are some principles that you can follow to help protect your corporate assets.

First of all, consider the breadth of data that can be exposed by the use of these devices. Devices that can only use OMA are relatively safe, because OMA never instructs the device to cache message data or attachments. Note that I didn't say completely safe, because the local browser might still cache things. At the other extreme, devices that can read and save attachments are potentially more dangerous, because they can retain sensitive attachments if the user has downloaded them to the device. One way to mitigate this risk is to create a separate front-end server just for OMA and EAS users, then use the DisableAttachments and AcceptedAttachmentFrontEnds keys described in Chapter 14, Securing Outlook Web Access, to prevent attachment access from that specific front end. (Of course, it would be a good idea to disable OMA and EAS on your other front ends to prevent sneaky users from connecting to them instead!)

Second, on general principle, it's a good idea to restrict service access to people who actually need it. You can use the script on the previous page to control who can use OMA and EAS, and you should; there's no good reason to leave it enabled for users who don't need it. Although this sample script enables OMA and EAS for all users, it's simple to adapt it to disable these services for all users. It's also simple to build a companion script that enables specified groups of users; that way, you can manage OMA and EAS access on a group-by-group basis.
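The "disable for everyone, then enable by group" approach described above, as an added PowerShell example that is not the book's own script. It assumes that Exchange 2003 stores per-user mobile access in the Active Directory attribute msExchOmaAdminWirelessEnable as a bitmask (1 = OMA disabled, 2 = user-initiated sync/EAS disabled, 4 = up-to-date notifications disabled, 0 = all enabled), and that the group DN is a hypothetical placeholder; verify the attribute values in your own environment before running it.

```powershell
# Added example, not from the book. Default-deny OMA/EAS/AUTD for all
# mailbox-enabled users, then re-enable only members of an approved group.
# ASSUMPTION: msExchOmaAdminWirelessEnable is a bitmask with the values below.
param(
    # Hypothetical group DN; replace with your own.
    [string]$AllowedGroupDn = "CN=Mobile Users,OU=Groups,DC=example,DC=com"
)

$OmaDisabled  = 1   # Outlook Mobile Access off
$EasDisabled  = 2   # User-initiated sync (Exchange ActiveSync) off
$AutdDisabled = 4   # Up-to-date notifications off
$AllDisabled  = $OmaDisabled -bor $EasDisabled -bor $AutdDisabled
$AllEnabled   = 0

function Set-MobileAccess {
    param([System.DirectoryServices.DirectoryEntry]$User, [int]$Value)
    # Classic ADSI write: stage the value, then commit it to the directory.
    $User.Put("msExchOmaAdminWirelessEnable", $Value)
    $User.SetInfo()
}

# Step 1: disable mobile services for every mailbox-enabled user.
# homeMDB is only present on users that have an Exchange mailbox.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(homeMDB=*))"
$searcher.PageSize = 1000   # paged search so large domains are fully covered
foreach ($result in $searcher.FindAll()) {
    Set-MobileAccess -User $result.GetDirectoryEntry() -Value $AllDisabled
}

# Step 2: re-enable mobile services only for members of the approved group.
$group = [ADSI]"LDAP://$AllowedGroupDn"
foreach ($memberDn in $group.member) {
    $user = [ADSI]"LDAP://$memberDn"
    Set-MobileAccess -User $user -Value $AllEnabled
}
```

The group loop reads direct members only; if you nest groups, expand membership first or run the script once per group.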

Finally, it's important to understand the impact that credential caching has on security. Users don't want to have to type their credentials in each time they use OMA or EAS, so they typically allow their credentials to be cached. This opens two potential vulnerabilities. First, an attacker who recovers a device might be able to simply pick it up and use it because the credentials are cached. Second, a resourceful attacker might be able to extract the stored credentials from a device and use them to get a direct network logon (perhaps through your virtual private network or remote access service); this is a more serious threat than merely allowing an outsider access to someone's e-mail.

What to Do Before You Lose a Device

It's a truism that the smaller and more expensive a gadget is, the more likely it is to be lost, stolen, or broken. This applies to the current crop of Pocket PC and Smartphone devices. You should count on losing some percentage of these devices each year, due to ordinary forgetfulness or carelessness of your users. It's a good idea to take a few protective measures ahead of time.

First, encourage your users to use the locking features of their devices. Most current phones and personal digital assistant (PDA) devices can be set to require a power-on personal identification number (PIN) that is activated when the device is turned on; for extra security, many devices allow you to set a separate PIN that's required to unlock the device after a specified period of inactivity. Microsoft Windows Mobile 2003 devices can use an alphanumeric password, and that's what you should coax users into using whenever possible.

Second, some devices (like the Good G100 and various RIM BlackBerry models) can be remotely deactivated. Make sure you know which of your fielded devices can be deactivated, and how to do it, so that you're protected in the event that you need to quickly deactivate a lost or stolen device.

What to Do When You Lose a Device

If you encourage your users to treat their PDAs or phones like corporate credit cards, and to protect them in the same way, you'll probably hit the right balance between paranoia and caution. There are three things you should do immediately when you lose a device:

  • Change the user's network account passwords. This is required because a device that's using Exchange ActiveSync will have that user's Active Directory password, so an attacker (at a minimum) can pose as the user whose device was lost.

  • If the lost device is also a mobile phone, notify the cellular carrier to deactivate it. This helps make it harder for attackers to surreptitiously use the device either to attack you or to use it as a network access tool to attack someone else. Of course, on phones based on Global System for Mobile Communication (GSM), the attacker might be able to plug in another subscriber identity module (SIM) and use the phone, albeit with a different phone number, to attack your network.

  • If the user who lost the device was involved in anything particularly sensitive (say, mergers or acquisitions), grill him or her to find out what specific kinds of sensitive data might have been on the phone, then pull in the appropriate people in your public relations or legal departments (or whomever else is appropriate). Assume that anything confidential on the device will be disclosed, and plan accordingly.

    Note

    One possible way to clean up after a device is lost is to delete the user's calendar, mail, and contact data (after exporting it to a PST file, of course), then force an AUTD synchronization. If the device is still active, at the next synchronization the data will be removed. The drawback to this method is that you don't get any confirmation that the device copy of the data was actually erased.
Secure Messaging with Microsoft Exchange Server 2003
ISBN: 0735619905
Year: 2004
Pages: 189