Do You Know Who's Connecting to Your Exchange Servers?

One of my coworkers recently showed me how easy it was to connect to our corporate Microsoft Exchange Server with an iPhone. Basically, all you need to do is enter your email address and password into the mail program; it then finds the server information automatically and syncs your data. I was surprised to learn that no IT support was required, which got me thinking about the potential liability of having unaccounted-for and unsecured mobile devices connecting to corporate mail servers. So, do you know how many devices are connecting to your Exchange servers?

The reason the iPhone can so easily connect to an Exchange server is its implementation of Exchange ActiveSync (EAS) and EAS's Autodiscover feature, which lets the device retrieve the setup parameters for the email account you enter. When I recently began using my Motorola Droid, I had to call the company Help desk to get my email set up; however, the Android 2.2 OS update that's currently making its way to Android phones adds Autodiscover, as well as other EAS policies, to what it previously offered. This development opens the gate for that many more smartphones connecting to corporate email without IT interaction. Add to that the success of the Apple iPad tablet and the coming of additional devices in that form factor—from Android and others—and you've got a whole new crop of mobile devices looking to connect.

The security risk is obvious—or should be. You've got people (hopefully, employees!) running around with company data on a device that is in no way under company control. If it's a company-provided phone, you can apply EAS policies for management and security, up to and including remote device wipe should the phone be lost or stolen. However, with the more consumer-oriented devices that have become so popular with users, policies such as remote wipe might not be available. As Paul Robichaux points out in his blog post "Exchange ActiveSync implementation differences," it's up to the handset makers exactly how EAS is implemented on each device, regardless of what sort of core functionality is built in to the OS. And in any case, using EAS controls isn't an option if you're not even aware that the device is connecting to Exchange.

The good news is that Exchange isn't oblivious to these connections, even if IT is—and that means you can find out who and what is connecting, but it does take an effort. First of all, there are any number of third-party products you could use for mobile device monitoring and management. Some products serve more as point solutions for monitoring or reporting, while others offer larger suites of management functions that you can bundle together, including things such as provisioning, Help desk, and expense management. For large organizations with a heavy base of mobile-connected users, it probably makes sense to investigate what these products can do for you.

You can also use Windows PowerShell cmdlets such as Get-ActiveSyncDeviceStatistics through Exchange Management Shell (EMS) to do a little manual investigating on your own. This cmdlet can reveal information about what type of device is connecting to a specific mail account, what OS the device uses, when it last synced, and much more besides; you can find a complete list on Microsoft's website. As Robichaux told me, "The PowerShell cmdlets are a great start (especially compared to what we used to have, i.e., nothing), but they’re not sufficient for lots of needs. You could roll your own data-gathering scripts and generate reports without too much trouble if you were of a mind to."
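To show what that "roll your own" reporting looks like, here is an added example (not code from the article or from Robichaux): it walks every mailbox with an ActiveSync partnership, pulls the device statistics, and flags partnerships that have not synced in 30 days, which are either stale devices or accounts whose owners have left. It assumes an Exchange 2007/2010 Management Shell session with at least view-only organization rights; the CSV path is a placeholder.

```powershell
# Added example, not from the article. Inventory every EAS partnership in the org.
# Assumes an Exchange Management Shell session; output path is a placeholder.

# Only mailboxes that actually have a device partnership are worth querying.
$report = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.HasActiveSyncDevicePartnership } |
    ForEach-Object {
        $mailbox = $_
        Get-ActiveSyncDeviceStatistics -Mailbox $mailbox.Identity |
            Select-Object @{ n = 'User'; e = { $mailbox.PrimarySmtpAddress } },
                          DeviceType, DeviceModel, DeviceOS, DeviceUserAgent,
                          DeviceFriendlyName, DeviceID, LastSuccessSync,
                          DevicePolicyApplied, DeviceWipeRequestTime
    }

# Partnerships that have gone quiet: likely a lost/replaced handset or an ex-employee.
$staleDays = 30
$stale = $report | Where-Object {
    $_.LastSuccessSync -and ($_.LastSuccessSync -lt (Get-Date).AddDays(-$staleDays))
}

# Which platforms are connecting at all? Unfamiliar DeviceType values are the ones to chase.
$platforms = $report | Group-Object DeviceType | Sort-Object Count -Descending |
    Select-Object Name, Count

$report | Export-Csv -Path 'C:\Reports\EAS-Devices.csv' -NoTypeInformation
$platforms | Format-Table -AutoSize
$stale | Format-Table User, DeviceType, DeviceFriendlyName, LastSuccessSync -AutoSize
```

Run it on a schedule and diff successive CSVs to catch new device types or new partnerships the Help desk never saw.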

So, now I'm wondering: Are organizations concerned about unauthorized mobile device connections as a security threat? Are companies aware of the devices that are connecting to their Exchange or other mail servers? What are you doing or using to manage mobile device connectivity in your organization? Leave a comment below to let me know.



Comments (6)

on Jun 7, 2010
Uh... forgive me, but a properly configured Exchange server requires a security certificate from the server to authenticate (SSL)... unless, of course, the admin is dumb enough to disable that requirement. By default you cannot just type an email address and password using EAS and get in...
on Jun 4, 2010
I covered this in 2007 on my blog. Here, I show you a script that allows you to create a report of Exchange ActiveSync users for Exchange 2003, as well. This is important since there are obviously no PowerShell cmdlets available for this version of Exchange.

See http://www.expta.com/2007/12/how-to-tell-which-users-have-activesync.html



on Jun 4, 2010
We use Exchange 2003, and by default the Mobile Services are turned on. We disable them until the user is approved to connect via a mobile device. This should solve your problem of not knowing who is connecting. Mobile Services is under the Exchange Features tab of the user account properties when viewed from the Exchange Server ADUC snap-in.
on Jun 3, 2010
To have control over and know what mobile devices are connecting to our Exchange environment, we ran this PowerShell script twice a day:

# Disable ActiveSync on every mailbox that has no device partnership yet
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.HasActiveSyncDevicePartnership -eq $false } | Set-CASMailbox -ActiveSyncEnabled $false

This script finds all mailboxes that do NOT have mobile devices activated on Exchange and disables ActiveSync for these mailboxes. We only allow company-issued mobile devices to connect to our Exchange environment, and users have to call the Helpdesk to have ActiveSync enabled for them in order to connect.



on Jun 3, 2010
In Exchange 2010, a new feature called the Block/Allow/Quarantine list is designed to allow IT admins to select which devices can and cannot attach to their Exchange Server using Exchange ActiveSync. IT admins can also put devices that do not have a rule associated with them into a quarantine state and have a status mail sent to both them and the affected user. Admins then can decide which devices to allow, block, or create exceptions for (say, to allow one user like a special executive or IT test user to connect a particular device without letting those devices be broadly available to connect by any user).
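The policy described in the comment above, as an added example that is not the commenter's code: unknown devices are quarantined by default and reported to an admin mailbox, one device family is allowed organization-wide by DeviceType, a single user gets a per-device exception, and the quarantine queue is listed for review. It assumes an Exchange 2010 Management Shell session; the mail addresses, the rule's query string and the device ID are placeholders.

```powershell
# Added example, not from the comment above. Exchange 2010 device access policy.
# Assumes an Exchange 2010 Management Shell session; addresses and IDs are placeholders.

# Default: anything without a matching rule is quarantined, admins get a status mail,
# and the user sees an explanation in the quarantine notice.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admins@example.com' `
    -UserMailInsert 'Your device is quarantined. Contact the Help desk to have it approved.'

# Org-wide rule: allow one managed device family. The string is what the handset reports
# as its DeviceType (check Get-ActiveSyncDeviceStatistics for the exact value in your org).
New-ActiveSyncDeviceAccessRule -Name 'Allow corporate iPhone fleet' `
    -QueryString 'iPhone' -Characteristic DeviceType -AccessLevel Allow

# Per-user exception: one executive's specific handset, by its EAS DeviceID,
# without opening that device type to everyone.
Set-CASMailbox -Identity 'exec@example.com' `
    -ActiveSyncAllowedDeviceIDs 'PLACEHOLDER_DEVICE_ID'

# Review the quarantine queue; each row tells you who, what, and why it was held.
Get-ActiveSyncDevice -Filter { DeviceAccessState -eq 'Quarantined' } |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceID, `
                 DeviceAccessStateReason, FirstSyncTime -AutoSize
```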
on Jun 10, 2010
Thanks, everyone, for the great feedback and solutions. It looks like there are many of you who are taking steps to lock down mobile device connections. As for mtp's comment about Exchange Server being secured by default—well, I'd hate to think my company had disabled such a security feature, although it's certainly possible. I think the bigger question is if the security measures available with Exchange are sufficient considering the rise in mobile devices and the increasing demand from users to connect their—possibly personal—mobile devices to corporate mail servers.
