ActiveSync Without OWA

We have a client that wants to use a Droid phone without the security risk of opening up OWA. They have a 2003 Exchange server. Can anyone tell me how to accomplish this? Is it possible to open some ports for ActiveSync without opening ports 80 and 443 to the Exchange server? OR, is there a component within the IIS website that we can disable/rename/alter so that the OWA site is not available while leaving ActiveSync working?
Asked by: charlesjohnson
 
Glen Knight commented:
The only option you have is to disable Outlook Web Access for all your users, but this is done individually on the users.

Not sure what effect this would have on the mobile devices though.
 
Alan Hardisty (Co-Owner) commented:
OWA uses HTTPS - ActiveSync uses HTTPS (TCP Port 443).

If you want ActiveSync without opening TCP Port 443 (or 80), then you will need 3rd party software.
 
Glen Knight commented:
Why is there a security risk? HTTPS is secure, or at least all the online banks seem to think so!
 
charlesjohnson (Author) commented:
Apparently a network auditor that works for the NSA doesn't think so.
 
Glen Knight commented:
They have actually said it's insecure or that it's a potential "flaw"?

Sadly with these types of audits they always see access to your network from the outside as a "security flaw".

I would answer that by saying, it's only as secure or insecure as your users make it. If they all have passwords that are "Password1" and they are set to never expire with no lockouts then yes that is pretty insecure.

Or if they write their passwords on a post-it note stuck under their keyboard, or in the back of their diary then yes it's insecure.

But in all honesty, however you open your network to allow the use of mobile devices it's going to be insecure.  And seeing as OWA and ActiveSync both use port 443 this is likely to be a "flaw" if your users don't password protect their devices.

I would definitely rather have my 443 port secured with a valid 3rd party 2048-bit SSL certificate. Have a look at: http://en.m.wikipedia.org/wiki/RSA

Not only that, billions of companies, including banks, use this type of encryption, if it's good enough for them....

What does your company do? Or is that top secret?
 
Alan Hardisty (Co-Owner) commented:
I have never had a server that I manage that has port 443 open to the Internet compromised as a result of the port being opened to allow HTTPS through and neither would Demazter and all the servers he looks after, so whilst your security audit has raised it as a flaw, it is not one that the vast majority of the world worries about, so I would doubt that you would need to worry about it either, unless you are doing something of National Importance!!
 
charlesjohnson (Author) commented:
I completely agree with the comments above concerning the supposed security vulnerabilities of OWA.  Our company has set up hundreds of networks without ever having a problem with OWA and that's why I'm a bit out of my element trying to find a way to break OWA while maintaining ActiveSync.  For those of you familiar with security audits, you know that no matter how secure your network, they will always dig until they find something.  
Of course, in the consulting world, if the client is willing to pay for it, we're willing to try to make it happen.  I don't know of a way to do this and have found nothing so far indicating that it is possible.  EE has many sharp engineers so I thought it was worth a shot.  Thanks for your input!!
 
charlesjohnson (Author) commented:
Just to confirm, we implement a strong password policy, use a 3rd party encrypted certificate and only allow access on port 443. We work with banks, hospitals, city and county governments but this is the first time I've ever heard an auditor mention OWA as a risk. I have spoken with other respected professionals who all echo the sentiments listed above.
If I can find a solution, I'll be sure to post it here.  Thanks again.
 
Alan Hardisty (Co-Owner) commented:
Disabling OWA should have zero impact on the users.

Just disable the Outlook Web Access feature on the 'Exchange Features' Tab in Active Directory Users and Computers (one by one).
Question has a verified solution.
