Solved

ActiveSync Without OWA

Posted on 2011-03-11
Last Modified: 2012-05-11
We have a client that wants to use a Droid phone without the security risk of opening up OWA. They have a 2003 Exchange server. Can anyone tell me how to accomplish this? Is it possible to open some ports for ActiveSync without opening ports 80 and 443 to the Exchange server? Or is there a component within the IIS website that we can disable/rename/alter so that the OWA site is not available while leaving ActiveSync working?
Question by:charlesjohnson
9 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35110824
OWA uses HTTPS - ActiveSync uses HTTPS (TCP Port 443).

If you want ActiveSync without opening TCP Port 443 (or 80), then you will need 3rd party software.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35110868
Why is there a security risk? HTTPS is secure, or at least all the online banks seem to think so!
 
LVL 1

Author Comment

by:charlesjohnson
ID: 35111276
Apparently a network auditor that works for the NSA doesn't think so.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35111350
They have actually said it's insecure or that it's a potential "flaw"?

Sadly with these types of audits they always see access to your network from the outside as a "security flaw".

I would answer that by saying, it's only as secure or insecure as your users make it. If they all have passwords that are "Password1" and they are set to never expire with no lockouts then yes that is pretty insecure.

Or if they write their passwords on a post-it note stuck under their keyboard, or in the back of their diary then yes it's insecure.

But in all honesty, however you open your network to allow the use of mobile devices it's going to be insecure.  And seeing as OWA and ActiveSync both use port 443 this is likely to be a "flaw" if your users don't password protect their devices.

I would definitely rather have my 443 port secured with a valid 3rd party 2048-bit SSL certificate. Have a look at: http://en.m.wikipedia.org/wiki/RSA

Not only that, billions of companies, including banks, use this type of encryption, if it's good enough for them....

What does your company do? Or is that top secret?
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35111462
I have never had a server that I manage that has port 443 open to the Internet compromised as a result of the port being opened to allow HTTPS through and neither would Demazter and all the servers he looks after, so whilst your security audit has raised it as a flaw, it is not one that the vast majority of the world worries about, so I would doubt that you would need to worry about it either, unless you are doing something of National Importance!!
 
LVL 1

Author Comment

by:charlesjohnson
ID: 35151542
I completely agree with the comments above concerning the supposed security vulnerabilities of OWA.  Our company has set up hundreds of networks without ever having a problem with OWA and that's why I'm a bit out of my element trying to find a way to break OWA while maintaining ActiveSync.  For those of you familiar with security audits, you know that no matter how secure your network, they will always dig until they find something.  
Of course, in the consulting world, if the client is willing to pay for it, we're willing to try to make it happen.  I don't know of a way to do this and have found nothing so far indicating that it is possible.  EE has many sharp engineers so I thought it was worth a shot.  Thanks for your input!!
 
LVL 1

Author Comment

by:charlesjohnson
ID: 35151706
Just to confirm, we implement a strong password policy, use a 3rd party encrypted certificate and only allow access on port 443. We work with banks, hospitals, city and county governments but this is the first time I've ever heard an auditor mention OWA as a risk. I have spoken with other respected professionals who all echo the sentiments listed above.
If I can find a solution, I'll be sure to post it here.  Thanks again.
 
LVL 74

Accepted Solution

by:Glen Knight
Glen Knight earned 250 total points
ID: 35151742
The only option you have is to disable Outlook Web Access for all your users, but this is done individually on the users.

Not sure what effect this would have on the mobile devices though.
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 35151922
Disabling OWA should have zero impact on the users.

Just disable the Outlook Web Access feature on the 'Exchange Features' Tab in Active Directory Users and Computers (one by one).

Question has a verified solution.
