Solved

ActiveSync Without OWA

Posted on 2011-03-11
Last Modified: 2012-05-11
We have a client that wants to use a Droid phone without the security risk of opening up OWA.  They have a 2003 Exchange server.  Can anyone tell me how to accomplish this?  Is it possible to open some ports for ActiveSync without opening ports 80 and 443 to the Exchange server?  Or is there a component within the IIS website that we can disable/rename/alter so that the OWA site is not available while leaving ActiveSync working?
Question by:charlesjohnson
9 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35110824
OWA uses HTTPS - ActiveSync uses HTTPS (TCP Port 443).

If you want ActiveSync without opening TCP Port 443 (or 80), then you will need 3rd party software.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35110868
Why is there a security risk? HTTPS is secure, or at least all the online banks seem to think so!
0
 
LVL 1

Author Comment

by:charlesjohnson
ID: 35111276
Apparently a network auditor that works for the NSA doesn't think so.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35111350
They have actually said it's insecure or that it's a potential "flaw"?

Sadly with these types of audits they always see access to your network from the outside as a "security flaw".

I would answer that by saying, it's only as secure or insecure as your users make it.  If they all have passwords that are "Password1" and they are set to never expire with no lockouts then yes that is pretty insecure.

Or if they write their passwords on a post-it note stuck under their keyboard, or in the back of their diary then yes it's insecure.

But in all honesty, however you open your network to allow the use of mobile devices it's going to be insecure.  And seeing as OWA and ActiveSync both use port 443 this is likely to be a "flaw" if your users don't password protect their devices.

I would definitely rather have my 443 port secured with a valid 3rd party 2048-bit SSL certificate.  Have a look at: http://en.m.wikipedia.org/wiki/RSA

Not only that, billions of companies, including banks, use this type of encryption, if it's good enough for them....

What does your company do? Or is that top secret?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35111462
I have never had a server that I manage that has port 443 open to the Internet compromised as a result of the port being opened to allow HTTPS through and neither would Demazter and all the servers he looks after, so whilst your security audit has raised it as a flaw, it is not one that the vast majority of the world worries about, so I would doubt that you would need to worry about it either, unless you are doing something of National Importance!!
0
 
LVL 1

Author Comment

by:charlesjohnson
ID: 35151542
I completely agree with the comments above concerning the supposed security vulnerabilities of OWA.  Our company has set up hundreds of networks without ever having a problem with OWA and that's why I'm a bit out of my element trying to find a way to break OWA while maintaining ActiveSync.  For those of you familiar with security audits, you know that no matter how secure your network, they will always dig until they find something.  
Of course, in the consulting world, if the client is willing to pay for it, we're willing to try to make it happen.  I don't know of a way to do this and have found nothing so far indicating that it is possible.  EE has many sharp engineers so I thought it was worth a shot.  Thanks for your input!!
0
 
LVL 1

Author Comment

by:charlesjohnson
ID: 35151706
Just to confirm, we implement a strong password policy, use a 3rd party encrypted certificate and only allow access on port 443.  We work with banks, hospitals, city and county governments but this is the first time I've ever heard an auditor mention OWA as a risk.  I have spoken with other respected professionals who all echo the sentiments listed above.
If I can find a solution, I'll be sure to post it here.  Thanks again.
0
 
LVL 74

Accepted Solution

by:Glen Knight
Glen Knight earned 250 total points
ID: 35151742
The only option you have is to disable Outlook Web Access for all your users, but this is done individually on the users.

Not sure what effect this would have on the mobile devices though.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 35151922
Disabling OWA should have zero impact on the users.

Just disable the Outlook Web Access feature on the 'Exchange Features' Tab in Active Directory Users and Computers (one by one).
0
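
A read-only audit to confirm that the per-user change described in the two answers above reached every mailbox. This is an added example, not code from the thread. It assumes Exchange 2003 records the 'Exchange Features' protocol state in the `protocolSettings` attribute as `§`-delimited strings whose second field is the enabled flag (for example `HTTP§0§1§§§§§§` for OWA disabled); compare the output against one account changed by hand before relying on it.

```powershell
# Read-only: reports the OWA (HTTP) state of every mailbox-enabled user.
# ASSUMPTION (not from the thread): per-user protocol state lives in the
# multi-valued protocolSettings attribute, e.g. "HTTP§0§1§§§§§§" = OWA disabled.
# A user with no HTTP entry is treated as following the server default (enabled).

$sep = [char]0xA7   # section sign that delimits the fields of each value

function Get-OwaState {
    param([string[]]$ProtocolSettings)
    foreach ($value in $ProtocolSettings) {
        if (-not $value) { continue }            # attribute absent or empty
        $fields = $value.Split($sep)
        if ($fields[0] -eq 'HTTP') {
            if ($fields.Count -gt 1 -and $fields[1] -eq '0') { return 'Disabled' }
            return 'Enabled'
        }
    }
    return 'Enabled (default)'
}

# homeMDB is only populated on mailbox-enabled accounts.
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(homeMDB=*))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]('samaccountname', 'protocolsettings'))

$report = foreach ($entry in $searcher.FindAll()) {
    New-Object PSObject -Property @{
        User = [string]$entry.Properties['samaccountname'][0]
        OWA  = Get-OwaState ([string[]]@($entry.Properties['protocolsettings']))
    }
}

$report | Sort-Object OWA, User | Format-Table User, OWA -AutoSize

# Accounts that were missed when clicking through users one by one.
$stillOpen = @($report | Where-Object { $_.OWA -ne 'Disabled' })
"{0} of {1} mailboxes still allow OWA" -f $stillOpen.Count, @($report).Count
```

The script makes no changes to the directory, so it can be rerun after each batch of accounts is updated in Active Directory Users and Computers.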
