Solved

Controlling device access to Exchange server

Posted on 2014-09-23
7
147 Views
Last Modified: 2014-09-29
Hello, we are running Exchange 2010 that is accessed by Outlook on Win7 and a variety of handheld devices (Active Sync). All these clients can be setup just by using username/password, which means that if I have someone's credentials I can setup a connection to the server and access their email. The question is: Is there a way to add an additional level of security so that only "approved" devices will be able to access the server? What are my options? Thanks. -Christos
0
Comment
Question by:criskrit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 4

Expert Comment

by:adez12
ID: 40340602
Sounds like you're looking for a MDM (Mobile Device Management) solution.  Namely: Maas360, MobileIron, or the  free MDM from Cisco called Meraki.
0
 
LVL 1

Accepted Solution

by:
Travis Martinez earned 500 total points
ID: 40340817
Enable a Device for Exchange ActiveSync

Restricting mobile handsets based on Device ID:

http://technet.microsoft.com/en-us/library/bb266947%28v=exchg.141%29.aspx
0
 
LVL 12

Expert Comment

by:Steven Wells
ID: 40341206
I use a combination for MDM and alloweddeviceids to prevent unauthorised devices.
0
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 

Author Comment

by:criskrit
ID: 40341983
Hello and thanks for the answers. Just to clarify, I am not looking for network device management, I assume clients (laptops, smartphones) connect from anywhere on the planet through their home internet, a coffee shop WiFi, or their mobile provider. This is strictly between Exchange & the client. So yes, something like Device ID would be a good approach. Also has anyone heard of certificate-based authorization? ie Exchange accepting a device only if a manually-installed certificate is present. Many thanks!
0
 
LVL 12

Expert Comment

by:Steven Wells
ID: 40342606
A certificate option wouldn't work very well as the device can be configured to use untrusted Certs.
0
 
LVL 1

Expert Comment

by:Travis Martinez
ID: 40343183
You're correct but a 3rd part integrated system like BrotherSoft or Nitro Desk could.

Get out your checkbook though.  Anytime you see the "key management" it'll be the gift that annually keeps saying "you scratch my back and I'll tell you when to stop"...  

I guess the follow on question back is; what are you either trying to attain/accomplish or restrict/deny?

If the specific device target the employ has is of concern then this might help:  anything is possible, absolutely without a doubt it us...  however, highly unlikely thus the associated design costs, runrate, and support buckets - all tallied up equals, don't sweat it and continue with the standards of environment patch, release levels, reference architectures and the security umbrellas provided with each.

Remember, locks on your house are to keep those of us honest - remaining honest.  If an individual is capable and of the mindset to get in; the lock isn't going to stop them.

Similar with nework penitration and compromise.  Most all crimes are those of ease and opportunity.  With open source tools freely available and purpose built POSIX images with simple front ends.  The caliber of "attackers" is actually pretty low and to be fair insulting.

Anyone with $100 to buy a "Pineapple" doesn't have to know anything about Linux, networking,  how a Wireless signal works, none of it.  Follow the flash cards and set the dioseitches and viola - you're a "hacker".

Change defaults to one off and 99% will disappear having no clue what to do next.

Someone who's truly skilled and of the mindset and for whatever reason you've fallen inside their focus...  you can't defend against that type of person.  There's too many variables and attack surfaces.  Its a matter of time. I don't care who you, you're gonna get got.

My experience though is they're not scoundrels and more than likely; there's a real reason and nor just destruction or thievery.

If the other way and you want control of the asset.  Force provide it to your base and between you and the carrier you can harden however you'd like.  But. $$$$
0
 

Author Comment

by:criskrit
ID: 40350479
Okay guys, thanks. :-)
0

Featured Post

Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
Ransomware continues to grow in reach and sophistication, putting data everywhere at risk. Learn how to avoid being caught in its sinister clutches with these 11 key tips.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question