Do You Know Who's Connecting to Your Exchange Servers?
B. K. Winstead
Thu, 06/03/2010 - 10:21am
One of my coworkers recently showed me how easy it was to connect to our corporate Microsoft Exchange Server with an iPhone. Basically, all you need to do is enter your email address and password into the mail program, then it finds the server information automatically and syncs your data. I was surprised to learn that no IT support was required, which got me thinking about the potential liability of having unaccounted and unsecured mobile devices connecting to corporate mail servers. So, do you know how many devices are connecting to your Exchange servers?
The reason the iPhone can so easily connect to an Exchange server is its implementation of Exchange ActiveSync (EAS) and EAS's Autodiscover feature, which lets it retrieve the setup parameters for the email account you enter. When I recently began using my Motorola Droid, I had to call the company Help desk to get my email set up; however, the Android 2.2 OS update that's currently making its way to Android phones adds Autodiscover as well as other EAS policies to what it previously offered. This development opens the gate for that many more smartphones connecting to corporate email without IT interaction. Add to that the success of the Apple iPad tablet and the coming of additional devices in that form factor—from Android and others—and you've got a whole new crop of mobile devices looking to connect.
The security risk is obvious—or should be. You've got people (hopefully, employees!) running around with company data on a device that is in no way under company control. If it's a company-provided phone, you can apply EAS policies for management and security, up to and including remote device wipe should the phone be lost or stolen. However, with the more consumer-oriented devices that have become so popular with users, policies such as remote wipe might not be available. As Paul Robichaux points out in his blog "Exchange ActiveSync implementation differences," it's up to the handset makers exactly how EAS is implemented on each device, regardless of what sort of core functionality is built into the OS. And in any case, using EAS controls isn't an option if you're not even aware that the device is connecting to Exchange.
The good news is that Exchange isn't oblivious to these connections, even if IT is—and that means you can find out who and what is connecting, but it does take an effort. First of all, there are any number of third-party products you could use for mobile device monitoring and management. Some products serve more as point solutions for monitoring or reporting, while others offer larger suites of management functions that you can bundle together, including things such as provisioning, Help desk, and expense management. For large organizations with a heavy base of mobile-connected users, it probably makes sense to investigate what these products can do for you.
You can also use Windows PowerShell cmdlets such as Get-ActiveSyncDeviceStatistics through Exchange Management Shell (EMS) to do a little manual investigating on your own. This cmdlet can reveal information about what type of device is connecting to a specific mail account, what OS the device uses, when it last synced, and much more besides; you can find a complete list on Microsoft's website. As Robichaux told me, "The PowerShell cmdlets are a great start (especially compared to what we used to have, i.e., nothing), but they're not sufficient for lots of needs. You could roll your own data-gathering scripts and generate reports without too much trouble if you were of a mind to."
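Here is the kind of roll-your-own inventory script Robichaux is describing, as an added example that is not from the original article: it walks every mailbox with an ActiveSync partnership, records what each device is, and flags partnerships with no EAS policy applied or no successful sync in the last 30 days. It assumes an Exchange 2010 Exchange Management Shell session with rights to read CAS mailbox and device statistics; the stale-day threshold and the CSV path are constructed values.

```powershell
# Added example, not code from the original article: build an inventory of
# every ActiveSync device partnership in the organisation and flag entries
# that deserve a second look. Assumes an Exchange 2010 Exchange Management
# Shell session. $StaleDays and $ReportPath are constructed values.
param(
    [int]$StaleDays = 30,
    [string]$ReportPath = "C:\Reports\EAS-Devices.csv"   # constructed path
)

$cutoff = (Get-Date).AddDays(-$StaleDays)

# Restrict the query to mailboxes that actually have a device partnership
# rather than running Get-ActiveSyncDeviceStatistics against every mailbox.
$rows = Get-CASMailbox -ResultSize Unlimited `
            -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object {
        $mbx = $_
        Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity | ForEach-Object {
            $stats = $_
            # No policy applied means EAS controls such as PIN enforcement or
            # remote wipe are not in effect for this device.
            $noPolicy = [string]::IsNullOrEmpty($stats.DevicePolicyApplied)
            # A partnership that has not synced in a while may be a lost,
            # replaced or forgotten device that still holds company data.
            $stale = ($stats.LastSuccessSync -ne $null) -and ($stats.LastSuccessSync -lt $cutoff)
            New-Object PSObject -Property @{
                Mailbox         = $mbx.PrimarySmtpAddress
                DeviceType      = $stats.DeviceType
                DeviceOS        = $stats.DeviceOS
                DeviceModel     = $stats.DeviceModel
                UserAgent       = $stats.DeviceUserAgent
                DeviceID        = $stats.DeviceID
                LastSuccessSync = $stats.LastSuccessSync
                PolicyApplied   = $stats.DevicePolicyApplied
                Flag            = $(if ($noPolicy) { "NO-POLICY" } elseif ($stale) { "STALE" } else { "" })
            }
        }
    }

# Full inventory to CSV for the records, then a quick console summary.
$rows | Select-Object Mailbox, DeviceType, DeviceOS, DeviceModel, UserAgent,
                      DeviceID, LastSuccessSync, PolicyApplied, Flag |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

# How many of each device type are talking to Exchange, most common first.
$rows | Group-Object DeviceType | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Only the partnerships that need follow-up.
$rows | Where-Object { $_.Flag } |
    Select-Object Mailbox, DeviceType, DeviceOS, LastSuccessSync, Flag | Format-Table -AutoSize
```

Run it on a schedule and diff the CSV against the previous run to see new device types or new user agents appearing before anyone has asked IT about them.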
So, now I'm wondering: Are organizations concerned about unauthorized mobile device connections as a security threat? Are companies aware of the devices that are connecting to their Exchange or other mail servers? What are you doing or using to manage mobile device connectivity in your organization? Leave a comment below to let me know.