?
Solved

Controlling device access to Exchange server

Posted on 2014-09-23
7
Medium Priority
?
151 Views
Last Modified: 2014-09-29
Hello, we are running Exchange 2010 that is accessed by Outlook on Win7 and a variety of handheld devices (Active Sync). All these clients can be setup just by using username/password, which means that if I have someone's credentials I can setup a connection to the server and access their email. The question is: Is there a way to add an additional level of security so that only "approved" devices will be able to access the server? What are my options? Thanks. -Christos
0
Comment
Question by:criskrit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 4

Expert Comment

by:adez12
ID: 40340602
Sounds like you're looking for a MDM (Mobile Device Management) solution.  Namely: Maas360, MobileIron, or the  free MDM from Cisco called Meraki.
0
 
LVL 1

Accepted Solution

by:
Travis Martinez earned 2000 total points
ID: 40340817
Enable a Device for Exchange ActiveSync

Restricting mobile handsets based on Device ID:

http://technet.microsoft.com/en-us/library/bb266947%28v=exchg.141%29.aspx
0
 
LVL 12

Expert Comment

by:Steven Wells
ID: 40341206
I use a combination for MDM and alloweddeviceids to prevent unauthorised devices.
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 

Author Comment

by:criskrit
ID: 40341983
Hello and thanks for the answers. Just to clarify, I am not looking for network device management, I assume clients (laptops, smartphones) connect from anywhere on the planet through their home internet, a coffee shop WiFi, or their mobile provider. This is strictly between Exchange & the client. So yes, something like Device ID would be a good approach. Also has anyone heard of certificate-based authorization? ie Exchange accepting a device only if a manually-installed certificate is present. Many thanks!
0
 
LVL 12

Expert Comment

by:Steven Wells
ID: 40342606
A certificate option wouldn't work very well as the device can be configured to use untrusted Certs.
0
 
LVL 1

Expert Comment

by:Travis Martinez
ID: 40343183
You're correct but a 3rd part integrated system like BrotherSoft or Nitro Desk could.

Get out your checkbook though.  Anytime you see the "key management" it'll be the gift that annually keeps saying "you scratch my back and I'll tell you when to stop"...  

I guess the follow on question back is; what are you either trying to attain/accomplish or restrict/deny?

If the specific device target the employ has is of concern then this might help:  anything is possible, absolutely without a doubt it us...  however, highly unlikely thus the associated design costs, runrate, and support buckets - all tallied up equals, don't sweat it and continue with the standards of environment patch, release levels, reference architectures and the security umbrellas provided with each.

Remember, locks on your house are to keep those of us honest - remaining honest.  If an individual is capable and of the mindset to get in; the lock isn't going to stop them.

Similar with nework penitration and compromise.  Most all crimes are those of ease and opportunity.  With open source tools freely available and purpose built POSIX images with simple front ends.  The caliber of "attackers" is actually pretty low and to be fair insulting.

Anyone with $100 to buy a "Pineapple" doesn't have to know anything about Linux, networking,  how a Wireless signal works, none of it.  Follow the flash cards and set the dioseitches and viola - you're a "hacker".

Change defaults to one off and 99% will disappear having no clue what to do next.

Someone who's truly skilled and of the mindset and for whatever reason you've fallen inside their focus...  you can't defend against that type of person.  There's too many variables and attack surfaces.  Its a matter of time. I don't care who you, you're gonna get got.

My experience though is they're not scoundrels and more than likely; there's a real reason and nor just destruction or thievery.

If the other way and you want control of the asset.  Force provide it to your base and between you and the carrier you can harden however you'd like.  But. $$$$
0
 

Author Comment

by:criskrit
ID: 40350479
Okay guys, thanks. :-)
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
Hey fellow admins! This time, I have a little fairy tale for you. As many tales do, it starts boring and then gets pretty gory. I hope you like it. TL;DR: It is about an important security matter, you should read it if you run or administer Windows …
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question