A few weeks ago I had a look at some of the new features in Exchange 2010 regarding how Exchange ActiveSync (EAS) can be “locked down” or restricted to only allow certain devices to sync (as opposed to the default open-for-all configuration). While those techniques specifically targeted Exchange 2010 there are some other methods you can employ as well, and I thought I’d take a look at some of them here. Not all of them are bullet proof, but it’s interesting to have them listed nonetheless.
Self-signed root certificate
While the recommended approach with Exchange 2007 and onwards is to use SSL certificates from a commercial CA on your internet facing services it’s perfectly ok to use certificates signed by your own CA. Windows Mobile devices are enforcing SSL trust, and will not allow the device to sync if the certificate fails validation. In other words – if you use a self-signed SSL certificate, and you don’t distribute this to the users, they will not be able to sync their devices. Seemingly a good approach, but there’s a few drawbacks.
- Since you distribute the root certificate to the users who are allowed to sync it is possible that one of these users are able to extract the certificate and re-distribute it.
- Other devices than Windows Mobile may be perfectly happy to sync with untrusted certificates. Symbian devices prompt the user to accept the untrusted cert. and will proceed if accepted by the user. iPhones will just do the sync (user-firendly remember).
Most likely the self signed approach will not help you in the long run.
Bonus tip: A very useful tool for extracting the certificate when you know the address of the server is SSLChainSaver:
http://blogs.msdn.com/windowsmobile/archive/2008/05/18/sslchainsaver-v2-released.aspx
“Faking” the Common Name and/or hostname
A variation of the trick above is to issue the certificate to a non-resolvable address; like eas.contoso.local or possibly not even add a host record to the public facing DNS server so you can only access EAS by knowing the IP address. To make it work on a Windows Mobile device you’d add a static host name entry to the registry so the certificate will be validated even with the .local suffix. This solution will also block the basic users, but you can count on one clever user locating the loophole and telling the others all about it.
Blocking by default, only allowing specific devices
Ok, we’re not really that much closer to a real solution to the problem are we? How about looking further at Exchange itself? Exchange 2007 introduced a cmdlet that will let you “disable” EAS for new devices. This means that while EAS is available as a service. only devices you specifically allow will be able to use it. Basically a whitelisting feature. The drawback? Well, you have to manually enter the specific device ids that are allowed through another cmdlet (ok, the same cmdlet, but different parameters). So it introduces a certain administrative overhead, but if you have enough people manning your helpdesk it’s doable. Well, if you know how to extract the device id you need to enter that is. (More on this later.)
To disable EAS run the following cmdlet:
Set-CASMailbox –ActiveSyncEnabled $false –Identity user@domain.com
(You can pipe the output of a Security Group to this command to disable it for multiple users.)
To enable a specific device, for a specific user:
Set-CASMailbox –ActiveSyncAllowedDeviceIDs xyz –Identity user@domain.com
While this approach is effective I believe it’s a hassle on the admin side of things.
Installing middleware
A totally efficient approach, and one that should perhaps have been mentioned earlier is disabling ActiveSync altogether. No EAS enabled on your Exchange server – no user able to sync without permission. Or with permission for that matter 
Jokes aside, it is an alternative that could be worthwhile for some enterprises. If you disable EAS, and install a BlackBerry Enterprise Server for instance, only BlackBerry devices will be able to sync. Of course introducing another server into your infrastructure introduces other aspects as well – someone needs to manage it, does it support all the devices you need (?), are there more or less features than native EAS, etc. I don’t think I would implement a PIM solution purely with the intent of blocking certain devices, but it might make sense if you choose a PIM solution that will let you do more than just shuffle PIM data, and include this as part of a larger mobility strategy.
Blocking User Agent in ISA/ForeFront
If you are more gung ho than the average Exchange admin/architect maybe you have exposed your ActiveSync virtual directory directly to the dangers of the Internet. Odds are, if you’re slightly more sane that you’ve got some box wedged in between. Something like a firewall, reverse proxy or similar to put an extra hop between your domain and your WAN. While there are a number of products out there, for some reason ISA Server / ForeFront Threat Management Gateway comes highly recommended from Redmond Since ISA / TMG is able to inspect every last octet of bits that flows through it’s network interfaces you have some options available for filtering.
EAS uses HTTP as the transport protocol, and one of the details in this protocol is that the client side is supposed to report a “user agent” where it reports what kind of client it is. (This is most commonly an identifier of the browser, but in cases like custom apps, or OS components some other agent is reported.)
So how does it look? Well, it’s a silly example, but here’s how to block Internet Explorer (because that’s quick and easy to test). Normally when opening EAS in IE you’ll get an error code of 501/505. So I’ve run through the wizard in ForeFront for publishing EAS. I then edit the rule created (you have to create the rule first, it cannot be done in the wizard).
Click “Configure HTTP”.
Go to the “Signatures” tab and click “Add”.
I’ve specified MSIE as that is how Internet Explorer identifies itself, but you can add “iPhone”, “Android” or whatever have you here. When I try to browse the site now I get the following error:
Nice indeed. But are we happy with this? No, unfortunately not. While you have the ability to blacklist specific user agents you do not have the ability to whitelist. And you don’t really want to be updating this on a weekly basis as an admin task. Another weakness of the mechanism is that on some platforms the user might be able to modify the user agent, and then you run into a classic cat and mouse game. Now if you want to use this method it should also be combined with parsing the EAS-logs on your CAS server to know the actual user agents being used, and also try to catch the usernames of those who try to circumvent the system.
Have a look in c:\inetpub\logs\LogFiles\W3SVC1 (if running IIS in the default location). And/or parse the log files more thoroughly:
http://msexchangeteam.com/archive/2006/02/14/419562.aspx
ForeFront UAG
ForeFront is not a single product – there’s a whole family of products. A new member of the family is ForeFront Universal Access Gateway, which is currently in the RC0 stage. I believe it’s the successor to the Intelligent Application Gateway which was only available as OEM appliances (correct me if I’m wrong). I’m not exactly sure how this will position itself versus ForeFront TMG when they both hit RTM. (TMG will RTM before UAG as per my understanding.) If you want to use the DirectAccess feature in Windows 7/Windows Server 2008 R2 UAG is apparently the way to go, and it is intended as a gateway to your infrastructure as alluded to in the product name. To complicate matters further ForeFront TMG is actually a component that is used for firewall services in UAG. Still hanging on? Not me…
So why do I bring it up? Wouldn’t it be the same as the last bullet point? Yeah, well, sort of. You can publish Exchange ActiveSync through UAG as well. You’ve got more options than you can shake a stick at too, as far as I can tell. I did not however see a clever whitelist feature though, so thus far I haven’t found a compelling reason to use it. I could of course be wrong, since I am not as familiar with this product yet.
Network Level Restrictions
While EAS makes the most sense when you can access it externally, you don’t have to publish it to the whole Internet. Many mobile operators will set up a private APN for you if you ask nicely (read: ordering extra services). This means that while you are using the same GSM network as other subscribers you’ll basically have your own VLAN. There’s different implementations out there involving authenticating against a RADIUS server, connecting a dedicated router in your infrastructure that is hooked up to your operator, etc. The device is then allowed access based on a username/password combo, authenticating the IMSI number of the SIM card, or a combination.
While some mobile operators are pushing this as a good solution, and often incorrectly labeling it as mobile VPN, it also has a few drawbacks.
- It will usually cost you extra money.
- You need to standardize on one operator. (This isn’t really a drawback per se, but it’s more difficult to change operator when you’re unhappy with their service if you’re dependent on services like these.)
- It may not work properly when roaming.
- Depending on the authentication scheme it might be possible for a clever user to copy the configuration settings to a non-compliant device along with the SIM card. (Remember; this is not an authentication of the device.)
- Deployment can be tricky – you cannot expect users to handle this themselves.
- If you need to maintain an extra RADIUS server that’s more work for you.
- You may see reduced throughput, and if you’re really lucky you’ll see sporadic time-out related errors.
If you build a RADIUS filter that will let you check both IMEI and IMSI, and only allow devices you pre-approve it should work though. There are some benefits to bringing the mobile devices closer to your infrastructure on a VLAN level too, so it might be beneficial as a component in your overall strategy. As you can probably tell by now I like the concept of a grand strategy:)
In the same vein – I have heard people suggesting putting IP filters/restrictions in place. Only allow a certain range of IPs to sync, etc. Stop right there. It’s not a good idea. Don’t pursue it further – it is:
- A hassle to maintain
- Usually a large range of IPs you need to allow. If there are potentially a million other people who can have an IP in that range you’re not really restricting things.
- NAT anyone?
- Also works on the SIM level – a non-provisionable device is still non-provisionable.
Putting EAS behind VPN
Closely related to looking at the network side of things is putting EAS behind a VPN. If you’re deploying SCMDM this is an interesting scenario. Since WM 6.1 is the only OS supported by SCMDM so far it’s very effective at restricting access. A minor drawback is that you will not be able to allow other devices to sync even if you want to. SCMDM isn’t the only VPN solution out there so you can achieve similar goals with other VPN clients too. Just make sure you have a wide range of client support, and preferably a client configuration the users aren’t able to copy from one device to the other.
I really like VPNs, but unfortunately it can be troublesome to get working. IPSec is locked down on many default APNs, and SSL-based VPN for mobile device isn’t really there yet. I’d really love to see DirectAccess for mobile devices, but that’s probably still in the future. (And I don’t even know if it’s there.)
ISAPI-filter / IIS Module
We’ve been through a couple of different options by know, and they’ve all had their imperfections. Wouldn’t it be nice with a silver bullet now? Well, ok, still not there, but I did defer the most promising alternative until now. That is, it might require a little help from your friendly neighborhood programmer. If that is not a problem, it might be right up your alley.
As I said EAS traffic flows through the HTTP protocol between the client side and the server side. This means that you can filter on things like user agent, source IP address, etc. But triggering the sync itself is performed by submitting an HTTP POST request. Provided your ActiveSync is located at eas.contoso.com the POST will look similar to this:
https://eas.contoso.com/Microsoft-Server-ActiveSync/?DeviceID=1234&DeviceType=iPhone&User=andreas&Cmd=Sync
The interesting parameters are DeviceID and DeviceType, as these are the ones identifying the device itself. Now if we could filter by these properties…
Enter ISAPI. By now you’ve probably figured out if you weren’t already in the know, that ActiveSync on the server side is running on Internet Information Services (IIS) – hosted either on Windows Server 2003 or Windows Server 2008 as a web application. IIS has a concept where you can add your own plug-ins to the execution stack. In IIS 6 these are implemented as so called ISAPI filters consisting of a .dll written in C++. In IIS 7/IIS 7.5 these can be the same dlls, or a managed module written in C#. (I’m not sure of the exact distinction between an ISAPI filter, and an IIS module, but MSFT seems to be recommending the latter.) This means that before the traffic is passed on to the actual web application you can do a lookup on the DeviceID and DeviceType in a database, do a regular expression, or what best suits your given scenario. Not in the list of approved DeviceTypes? No sync for you!
Yes, it is similar to the building of access rules in Exchange 2010 that I showed in my last article, but I believe it’s more flexible “outsourcing” this to a database. And you also have the option of combining DeviceIDs and DeviceTypes to build both blacklists and whitelists. I know, most Exchange admins aren’t very open to the idea of installing extra software on their servers, but configured properly it will only affect ActiveSync, and if you don’t build too complex rules it shouldn’t be much of a performance hit either.
So, what does the DeviceIDs and Type look like? Ah, here’s where the detective work comes into play. What I have found so far:
Windows Mobile –> DeviceID = long hex value (called ExchangeID), DeviceType = PPC/SmartPhone/variation of this
iPhone –> DeviceID = IMEI, DeviceType = iPhone
Symbian E-series –> DeviceID = IMEI, DeviceType = IMEI
You can catch more through monitoring the ISA Server logs, or run Network Monitor on your Client Access Server.
You’d also need to figure out things like where to store the database (preferable on a “witness server” if you have redundant CAS servers), administration of the filter (web interface to the db?), and make some planning to make sure that you understand the implications. But I believe done right it would be smooth. Trying to add two plus two you might wonder if this is possible to implement on your reverse proxy. Yes, I believe you can. ISA/TMG has an SDK allowing you to write plug-ins, and other proxies might have SDKs too. While I’m not going to dismiss this idea entirely I believe this can be considered business logic, and more suited to perform on the application server. An ISA/TMG server should pre-authenticate users as part of the security mechanisms, but other than that it should be optimized for throughput and inspecting traffic for signs of malicious activity. Filtering authenticated users seems to me like it is better to implement at the next stage in the sync pipeline. I’m open to different takes on this however
Ok, this turned out to be a longer post than I initially thought. I believe I have given you some ideas, hopefully some methods you hadn’t already come across. (I know there’s a lot of smart people out there.) Maybe there’s more options that haven’t crossed my mind yet. Well, you know where the comments sections is if you have any input, and if I come up with any more tricks you know I’ll be telling you all about it
You write:
So, what does the DeviceIDs and Type look like? Ah, here’s where the detective work comes into play. What I have found so far:
Windows Mobile –> DeviceID = long hex value (called ExchangeID), DeviceType = PPC/SmartPhone/variation of this
Do you have any idea, what the ExchangeID means? We habe hundreds of Mobiles, and I would like to find out, who has which device. The iPhone is easy, since the ExchangeID is the serial number of the device, however with Windows Mobile this long hex value does not make any sense.
Thank you Bernhard
I’ll admit that I haven’t doublechecked, but I believe the DeviceID Windows Mobile presents to Exchange is the GUID of the device. Each WM device has an id (probably derived from the IMEI and some extra variable), and it makes sense to use this for ActiveSync as well. I have not found a good solution for managing this without an MDM solution.
This was a perfect article – just what I’ve been looking for. I also have the problem how to allow just certain users to use ActiveSync because of security policy and others not.
What are your comments on certificate-based authentication and you have a manual process to issue client certificates? (I’m mainly talking Windows Mobiles 6.5+ here).
One thing I notice with Microsoft’s recommendations (http://technet.microsoft.com/en-us/library/bb794751.aspx#AppendixC) is that they assume the ISA server and CAS server is in the same domain but best practices is also not to put an ISA on the DMZ in the same forest as internal servers.
Thanks! I get the impression it’s a popular topic, and writing it all down helped me sort it out myself too
I’m a fan of certificate-based authentication, because once you get it working it’s secure and usually not so bad from a user perspective either. Configuring everything, and making it all work is not necessarily a cakewalk though (especially with mobile devices). I’ve made a utility for enrolling certificates in a user friendly manner for Windows Mobile devices. The drawback is that you only get 1024 bit keys, and you have to be on the LAN (or publish your CA to the network you use), so it’s sort of limited in that sense.
I have been meaning to do some more stuff regarding certificates, but as we all know – things take time
I’m not an authority on ISA, so I can’t say what the official best practice is, but from what I’ve read one of the better setups of ISA is to have a front-end/back-end ISA configuration where the back-end is domain joined, and the front-end is in a workgroup or separate forest. Whether ISA should be joined to a domain or not is one of the main discussions in the ISA community from what I’ve seen
Thanks for replying so promptly. I think we’ll go with “Blocking by default, only allowing specific devices” if I can’t figure out the certificate-based authentication which I also would prefer for the same reasons and this particular organisation already has a CA infrastructure and are pretty into certificates.
What caught my eye here: http://technet.microsoft.com/en-us/library/bb430770.aspx is that you need a domain-joined computer running Windows Mobile Device Center. According to http://searchexchange.techtarget.com/generic/0,295582,sid43_gci1356233,00.html that’s because from Win2008 (which we run) you can’t request certificates from a mobile device. Maybe this is an alternative to your util?
I would say putting a computer in the DMZ joined to your internal forest is never recommended. And if you look at the Microsoft Design and Planning guide for TMG/ISA at http://technet.microsoft.com/en-us/library/dd897048.aspx you see that they recommend a different forest. Although with a one-way trust but I wonder if Kerberos Constrained Delegation will work then. You could always do SSL tunneling straight to the CAS but then you have other (worse?) security issues.
Have you ever implemented certificate-based authentication with ActiveSync and ISA?
The official docs for Exchange states that you need to cradle your device to WMDC or ActiveSync (the desktop app) to setup the device for certificate-based authentication. This is only partially true – as my utility shows you can enroll for a certificate from the device directly. But ActiveSync itself will not let you choose a certificate. This means that in addition to my utility you need to set a registry key and provision the ActiveSync settings through xml. This can quite easily be done through packaging an xml document as a cab, and combined with my util you don’t need to cradle. Which scenario is the easiest depends of course – I have customers specifically not allowing end-users to cradle to their computers, whereas others see cradling as the easiest solution. Of course, if you are comfortable with C# you could combine what my util does with the rest of the config to make it more user-friendly.
You cannot enroll for certificates through the CA’s web interface from the device since the plug-in you need is not available for devices. This was the same for 2003 CAs, but an additional component (that I’ve never tested) was available that enabled mobile devices to access the interface.
I was in the process of researching for a write-up of a complete certificate-based EAS setup with only client certs enabled on ISA. But my ISA failed due to hardware reaching their end-of-natural-life, and I never resumed it while running through the betas and RCs of TMG. Having upgraded the other major components of my infrastructure like 2008R2, Exchange 2010, and TMG RTM I don’t find it unlikely I’ll be having a fresh look at the topic. (Not sure if ForeFront UAG would be a better choice, but TMG should work too.
I got certificate-based authentication in ActiveSync working today with Windows Mobile 6.5. I used Mobile Device Manager on a domain-joined Win7 to enroll a certificate.
I was given the impression that it would be a “client certificate” for the device itself, but the user still needed username and password because it says “in addition to the user name and password” in http://technet.microsoft.com/en-us/library/bb430770.aspx, but that doesn’t seem to be true since it’s a certificate for user authentication. I would guess that they mean that you need to supply user name and password when you enroll for the certificate?
Then I wonder, would you really consider certificate-based authentication to be any more secure than user name and password? Even though there doesn’t seem to be any way to export a certificate+key from Windows Mobile, I’m sure there are ways. So maybe the authentication alternatives are on the same level of security and you should consider additional security measuers, like the ones you state in your article above?
Yes, I consider certificate-based authentication stronger than username/password provided you also implement power-on-password. (You should always implement PoP if you are storing company data on a device.) This would give you two-factor authentication with the PoP code being something you know, and the certificate being something you have.
While I have no doubt private keys can be exported from a WM device given enough effort, it’s certainly no easily accessible interface for the user that I am aware of, and I have not located an easily accessible API for developers to do so either. (The private keys are stored in a special part of memory that is protected.) Windows Mobile is Common Criteria certified so I assume this is implemented in a proper way. The certificate template used should have private keys set to non-exportable as an additional measure.
As for enrolling the certificates; yes, you need to provide username and password if you use my utility. And user certificates will be issued. Thinking about it you’ll see that device certificates doesn’t make sense for ActiveSync. You wouldn’t associate an Outlook installation with the computer it’s installed on either. Device certificates can be implemented as a separate measure, where you use a device certificate for authenticating the network access much like NAP in Windows Vista/7, or for an L2TP VPN connection. But that’s a separate topic
The password should be flushed from the device after enrolling the certificate, and this is handled automatically by Windows Mobile Device Center per my understanding. With my utility the password may be cached until you soft-reset, but it’s never associated with ActiveSync.
The link you provided implies that the Exchange server needs both basic authentication and client certificate based authentication enabled. This isn’t entirely true either. This assumes you follow a procedure where you the wizard attempts sync with username/password, but is informed by the server (after authenticating I believe) that a certificate is required. Following my findings in a previous article (http://mobilitydojo.net/2009/03/24/personal-certificates-and-exchange-activesync/) you can disable basic authentication and enable only client certificates provided you perform the additional settings. As I said, I would probably combine it all into one app of some sort to handle both ActiveSync provisioning and certificate enrollment (I did most bits manually in my article). These experiments were conducted only through direct access to the Exchange, and ISA/TMG would add to the complexity.
If you are so inclined you can also have some manual method where users or a certificate administrator have to copy pfx files (with private key included) copied to the device, installed, and then delete the file. This would eliminate entering passwords altogether. (You’d still need username, but that’s not sensitive info in the normal sense of the word.) Of course if you want total security you might still be interested in looking into options like writing an ISAPI filter, or other measures making sure only the specific devices you allow to sync. You know better than me where you draw the line between “acceptable security” and “too much hassle to implement”
Thanks for describing so detailed. I think you’re right regarding “wizard attempts sync with username/password, but is informed by the server (after authenticating I believe)” because at first I tried username and password and then it informed me that a certificate was needed to authenticate but there was no certificate installed and I could not continue.
Regarding the certificate enrollment – thiw will surely be a problem in our scenario. We have offices all over the country (without local IT support), and the users are instructed today to simply go to the nearest shop of the chain they buy from and get a new phone if it breaks or they need a new one. Asking them to enroll for an certificate using Windows Mobile Device Center just feels like asking for trouble
. But the PFX files could definitely be a solution – I didn’t realize this actually was possible since everyone seems to state you need Mobile Device Manager.
Looking at how to enroll for certificates according to Microsoft (http://technet.microsoft.com/en-us/library/ff459604.aspx) they suggest to use the ExchangeUser template rather than a User template. Looking at the (default) ExchangeUser template, this only allows usage for “Secure E-mail” not “Client Authentication”. This can’t be right, so I sugess Microsoft simply forgot to mention the details regarding this. I used the normal User template and that worked, but I guess creating a seperate template would be a good idea to be able to identify which users actually have certificates enrolled for Mobile Devices to authenticate with ActiveSync.
Let me know if you have any other comments/experiences from the real world when implementing certificate-based authentiation for ActiveSync.