Windows IT Pro
March 27, 2006

Beef Up Security for Your Mobile-Device Fleet

Manage mobile devices through Exchange 2003 SP2 and MSFP for Windows Mobile 5.0
Mobile devices can all too easily fall into the wrong hands. I know—I've lost my share of Windows Mobile-based smartphones and Pocket PC Phone Edition devices. When such a device falls into the wrong hands, so can a lot of corporate information—even the device owner's domain credentials, since most users choose to have the Microsoft ActiveSync client remember their username and password. But help is available in the form of Exchange Server 2003 Service Pack 2 (SP2) and the Messaging and Security Feature Pack (MSFP) for Windows Mobile 5.0.

SP2 and MSFP address some of the fundamental security needs of corporations that use mobile devices by giving you the ability to lock down your far-flung fleet of mobile devices and perform remote wipes. I'll show you how to set up SP2 and configure MSFP on your Exchange server, then walk you through the process of locking down your mobile devices and performing remote wipes on them.

2 Key Abilities
With SP2 and MSFP, you get two new capabilities to help mitigate the security risk of a lost or stolen mobile device. First, you can lock down devices by enforcing the use of a device PIN or password to prevent unauthorized access. You can even configure requirements for the password, such as minimum length and character composition. To prevent endless guessing of a device's PIN, you can specify how many consecutive attempts the device should allow before it wipes all data. Second, upon receiving a report of a lost or stolen device, you can issue a remote wipe command to the device and have it delete all information.

This centralized control of a few critical functions on mobile devices is similar to the centralized control Group Policy provides over your PCs. These new capabilities are likely just the beginning of centralized device-fleet-management features from Microsoft. (However, if you need sophisticated device-fleet management now, check out Good Technology's product line at http://www.good.com. In my opinion, Good Technology offers the best comprehensive management environment for a heterogeneous mix of mobile devices, and its products far outpace Microsoft's current offerings.)

Although I discuss Windows Mobile devices here (which require MSFP to take advantage of SP2's mobility features), some Exchange ActiveSync (EAS)-compliant devices that don't run Windows Mobile can also carry out remote wipe and password policy instructions from the Exchange server. For example, a growing number of non-Windows Mobile devices—such as Symbian OS-based smartphones and some Sony Ericsson, Motorola, and Nokia phones—use DataViz RoadSync, a third-party EAS client, which supports SP2's Direct Push and remote wipe mobility features.

Installing SP2
I'll assume you already have Exchange Server 2003 SP1 with Outlook Web Access (OWA) installed. Before installing SP2, you might need to load one or two hotfixes. If you've installed the security update for Microsoft security bulletin MS05-019 or Windows Server 2003 SP1, you should also install hotfix 898060. If you use or intend to implement Sender ID, you should also install hotfix 905214. (For more information about these hotfixes, see the release notes for SP2 at http://download.microsoft.com/download/f/b/5/fb5c54af-fe5c-48e9-be97-f9e8207325ab/ex_2003_sp2_relnotes.htm.)

After you install the necessary hotfixes, it's time to install SP2, which you can download at http://www.microsoft.com/downloads/details.aspx?familyid=535bef85-3096-45f8-aa4360f1f58b3v40&displaylang=en. Microsoft recommends performing a full system backup before installing SP2. Although the installation goes very quickly and doesn't require a reboot, access to Exchange is temporarily interrupted while the services are stopped and restarted, so you'll probably want to do the installation during nonpeak hours.

Lock Down
After installing SP2, you're ready to specify policies regarding PIN or password usage and lock down your fleet's mobile devices. In the Exchange System Manager (ESM) Microsoft Management Console (MMC) snap-in, open the properties dialog box for Global Settings\Mobile Services, which Figure 1 shows.

You'll notice two new elements. The Enable Direct Push over HTTP(s) check box lets you enable or disable Direct Push technology over HTTP or HTTP Secure (HTTPS). Direct Push is a new feature of SP2 and MSFP, and it's Microsoft's answer to Research In Motion's (RIM's) BlackBerry devices, which can receive real-time email updates. However, Direct Push is also important to security, because it lets you immediately reach out to a lost or stolen device and erase your data before a bad guy can exploit it. (I cover the remote-device-wipe feature a little later.)

The other new element is the Device Security button, which, when clicked, displays the Device Security Settings dialog box that Figure 2 shows. To centrally mandate a device password, select the Enforce password on device check box, which activates the other settings and lets you select or clear them depending on your needs.

As Figure 2 shows, I've specified that a device must have a password of at least four characters and that the device be wiped after eight consecutive failed attempts to enter the password. The device will lock after a five-minute period of inactivity.

Be reasonable with the requirements you configure in Device Security Settings. Remember that users need quick access to their devices—if you're too strict, you'll foster uncooperative users. If your users' devices are also mobile phones, they'll be happy to know that with most devices, as far as I know, users can answer incoming calls without first unlocking the device. However, the device remains locked during the call until the user enters a password. Also, regardless of the physical buttons on the device, Windows Mobile 5.0 displays an on-screen numeric keypad when prompting for a PIN. Many organizations will determine that a four-digit PIN is sufficient to guard the device, provided the device is configured to wipe after a reasonable number of failed attempts. I believe a four-digit PIN combined with automatic wipe provides the right balance of security and usability.

If you support devices that aren't enabled for MSFP, you need to select the Allow access to devices that do not fully support password settings check box to apply the settings to all devices in your fleet. Since there are always special situations, Exchange also lets you specify exceptions. When you click Exceptions, Exchange System Manager (ESM) displays the Device Security Exception List dialog box that Figure 3 shows. Here you can add users whose devices are exempt from the requirements configured in the Device Security Settings dialog box. You make exceptions for users, not specific devices; for example, if an exempt user has two devices, both devices will be made exempt.
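To make the interplay of these settings concrete, here is a small model of how a device enforces the policy described in the two paragraphs above: minimum PIN length, the consecutive-failure wipe threshold, the inactivity lock, per-user exemptions, and the "allow devices that don't fully support password settings" switch. This is an illustration added for this article, not Microsoft's or Exchange's own code; the attribute names, the `Device` class, and the sample users are assumptions constructed for the example. The `guess_before_wipe_probability` helper puts a number on the four-digit-PIN-plus-wipe tradeoff argued for above.

```python
"""Constructed model of the Exchange 2003 SP2 device password policy.

Not Microsoft code: the field names below are assumptions that mirror the
check boxes in the Device Security Settings dialog box, not real AD attributes.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class DevicePolicy:
    """Mirrors the Device Security Settings dialog box (names are assumed)."""
    enforce_password: bool = True          # "Enforce password on device"
    min_length: int = 4                    # minimum PIN/password length
    require_alphanumeric: bool = False     # letters and digits both required
    wipe_after_failed: int = 8             # consecutive failures before wipe
    inactivity_lock_minutes: int = 5       # lock after this much idle time
    allow_non_provisionable: bool = False  # "Allow access to devices that do
                                           #  not fully support password settings"
    exempt_users: FrozenSet[str] = frozenset()  # Device Security Exception List


def pin_is_compliant(pin: str, policy: DevicePolicy) -> bool:
    """Check a candidate PIN against the length and composition rules."""
    if not policy.enforce_password:
        return True
    if len(pin) < policy.min_length:
        return False
    if policy.require_alphanumeric and (pin.isdigit() or pin.isalpha()):
        return False
    return True


def sync_allowed(user: str, device_supports_policy: bool,
                 policy: DevicePolicy) -> bool:
    """Decide whether a device may sync given the exception list and the
    non-provisionable-device switch. Exceptions apply per user, not per device."""
    if not policy.enforce_password:
        return True
    if user in policy.exempt_users:
        return True
    if device_supports_policy:
        return True
    return policy.allow_non_provisionable


def guess_before_wipe_probability(pin_length: int, max_attempts: int,
                                  alphabet: int = 10) -> float:
    """Chance that random guessing hits a uniformly chosen PIN before the
    wipe threshold is reached (4 digits, 8 attempts -> 0.0008)."""
    space = alphabet ** pin_length
    return min(max_attempts, space) / space


@dataclass
class Device:
    """Device-side enforcement: consecutive-failure counter, wipe, idle lock."""
    pin: Optional[str]
    policy: DevicePolicy
    failed_attempts: int = 0
    wiped: bool = False
    locked: bool = True
    last_activity_min: float = 0.0

    def unlock(self, attempt: str, now_min: float) -> bool:
        """Try to unlock; a wrong PIN counts toward the wipe threshold,
        a correct one resets the counter (the count is of *consecutive* failures)."""
        if self.wiped:
            return False
        if attempt == self.pin:
            self.failed_attempts = 0
            self.locked = False
            self.last_activity_min = now_min
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.wipe_after_failed:
            self.wipe()
        return False

    def tick(self, now_min: float) -> None:
        """Re-lock the device once it has been idle for the policy's timeout."""
        idle = now_min - self.last_activity_min
        if not self.locked and idle >= self.policy.inactivity_lock_minutes:
            self.locked = True

    def wipe(self) -> None:
        """Remote or threshold-triggered wipe: data and PIN are gone for good."""
        self.wiped = True
        self.locked = True
        self.pin = None


if __name__ == "__main__":
    policy = DevicePolicy(exempt_users=frozenset({"alice"}))  # constructed user
    print("4-digit PIN, wipe after 8:",
          guess_before_wipe_probability(4, policy.wipe_after_failed))
    device = Device(pin="1234", policy=policy)  # constructed sample PIN
    for _ in range(policy.wipe_after_failed):
        device.unlock("0000", now_min=0)
    print("wiped after 8 consecutive failures:", device.wiped)
```

Running the script shows why the article's settings are a sensible default: with a four-digit PIN and a wipe after eight tries, a thief gets a 0.08% chance of guessing before the data disappears, while a legitimate user who mistypes a few times and then gets it right has the counter reset rather than edging toward a wipe. Remote wipe is modelled by calling `wipe()` directly, which is what a Direct Push wipe command amounts to from the device's point of view.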

Windows IT Pro is a Division of Penton Media Inc. Copyright © 2008 Penton Media, Inc., All rights reserved.