  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2683

ActiveSync Without OWA

We have a client that wants to use a Droid phone without the security risk of opening up OWA.  They have a 2003 Exchange server.  Can anyone tell me how to accomplish this?  Is it possible to open some ports for Active Sync without opening ports 80 and 443 to the exchange server?  OR, is there a component within the IIS website that we can disable/rename/alter so that the OWA site is not available while leaving ActiveSync working?
0
Asked by: charlesjohnson
2 Solutions
 
Alan Hardisty (Co-Owner) Commented:
OWA uses HTTPS - Activesync uses HTTPS (TCP Port 443).

If you want Activesync without opening TCP Port 443 (or 80), then you will need 3rd party software.
0
 
Glen Knight Commented:
Why is there a security risk? HTTPS is secure, or at least all the online banks seem to think so!
0
 
charlesjohnson (Author) Commented:
Apparently a network auditor that works for the NSA doesn't think so.
0
 
Glen Knight Commented:
They have actually said it's insecure or that it's a potential "flaw"?

Sadly with these types of audits they always see access to your network from the outside as a "security flaw".

I would answer that by saying, it's only as secure or insecure as your users make it.  If they all have passwords that are "Password1" and they are set to never expire with no lockouts then yes that is pretty insecure.

Or if they write their passwords on a post-it note stuck under their keyboard, or in the back of their diary then yes it's insecure.

But in all honesty, however you open your network to allow the use of mobile devices it's going to be insecure.  And seeing as OWA and ActiveSync both use port 443 this is likely to be a "flaw" if your users don't password protect their devices.

I would definitely rather have my 443 port secured with a valid 3rd party 2048-bit SSL certificate.  Have a look at: http://en.m.wikipedia.org/wiki/RSA

Not only that, billions of companies, including banks use this type of encryption, if it's good enough for them....

What does your company do? Or is that top secret?
0
 
Alan Hardisty (Co-Owner) Commented:
I have never had a server that I manage that has port 443 open to the Internet compromised as a result of the port being opened to allow HTTPS through and neither would Demazter and all the servers he looks after, so whilst your security audit has raised it as a flaw, it is not one that the vast majority of the world worries about, so I would doubt that you would need to worry about it either, unless you are doing something of National Importance!!
0
 
charlesjohnson (Author) Commented:
I completely agree with the comments above concerning the supposed security vulnerabilities of OWA.  Our company has set up hundreds of networks without ever having a problem with OWA and that's why I'm a bit out of my element trying to find a way to break OWA while maintaining ActiveSync.  For those of you familiar with security audits, you know that no matter how secure your network, they will always dig until they find something.  
Of course, in the consulting world, if the client is willing to pay for it, we're willing to try to make it happen.  I don't know of a way to do this and have found nothing so far indicating that it is possible.  EE has many sharp engineers so I thought it was worth a shot.  Thanks for your input!!
0
 
charlesjohnson (Author) Commented:
Just to confirm, we implement a strong password policy, use a 3rd party encrypted certificate and only allow access on port 443.  We work with banks, hospitals, city and county governments but this is the first time I've ever heard an auditor mention OWA as a risk.  I have spoken with other respected professionals who all echo the sentiments listed above.
If I can find a solution, I'll be sure to post it here.  Thanks again.
0
 
Glen Knight Commented:
The only option you have is to disable Outlook Web Access for all your users, but this is done individually on the users.

Not sure what effect this would have on the mobile devices though.
0
 
Alan Hardisty (Co-Owner) Commented:
Disabling OWA should have zero impact on the users.

Just disable the Outlook Web Access feature on the 'Exchange Features' Tab in Active Directory Users and Computers (one by one).
0
