- Active Directory (1)
- Backups (10)
- Citrix (7)
- Desktops (14)
- Exchange (9)
- Funny (2)
- General Hardware (13)
- Google (2)
- Intel (2)
- Internet (17)
- Laptops (13)
- Memory (1)
- Microsoft (27)
- Nerdism (3)
- Networking (8)
- Rant (7)
- Registry (3)
- Scripting (3)
- Security (24)
- Servers (11)
- Spam (1)
- SQL (1)
- Storage (9)
- Technical Questions (6)
- Uncategorized (2)
- 13. January 2011: What happened on the Internet in 2010?
- 15. June 2010: Microsoft Warns of Help Flaw in Windows XP, Server 2003
- 20. April 2010: Create bootable USB drive with Server 2008
- 3. March 2010: New IE vulnerability found - Win 2000 and XP
- 15. February 2010: Windows 7 - memory leaks, hangs and freezes detailed
- 14. February 2010: MS10-015 bulletin - possible BSOD with never ending boot cycles
- 7. January 2010: Commvault Simpana 8 - update
- 21. December 2009: Fighting malware, Trojans and a multitude of other web-related threats
- 10. December 2009: Commvault Simpana 8 saving lives, disk space and relieving stress
- 24. November 2009: Windows 7 - Explorer.exe keeps crashing
Secure mobile devices in Exchange 2003
The device security policies are configured within the same place as the other mobile device related settings, and that is under the Property page of the Mobile Services object in the Exchange System Manager. When you click the Device Security button you get to the page where you configure the different Device Security Settings.
As the device security settings are global, it’s rather important you know the exact purpose of each setting. I’ve therefore listed all of them with a description in the table below.
| Device Security Setting | Description |
| Enforce password on device | Activates the device password policy. None of the device security settings will work before the feature has been enabled. |
| Minimum password length (characters) | Enable this option to specify the required length of the user’s device password. The default setting is 4 characters. You can specify a password length of 4 to 18 characters. |
| Require both numbers and letters | Enable this option if you want to require that users choose a password with both numbers and letters. This option is not selected by default. |
| Inactivity time (minutes) | Enable this option to specify if you want your users to log on to their devices after a specified number of minutes of inactivity. This option is not selected by default. If selected, the default setting is 5 minutes. |
| Wipe device after failed (attempts) | Enable this option to specify if you want the device memory wiped after multiple failed logon attempts. This option is not selected by default. If selected, the default setting is 8 attempts. |
| Refresh settings on the device (hours) | Enable this option to specify how often you want to send a provision request to devices. This option is not selected by default. If selected, the default setting is every 24 hours. |
| Allow access to devices that do not fully support password settings | Select this option if you want to allow devices that do not fully support the device security settings to be able to synchronize with Exchange Server. This option is not selected by default. If this option is not selected, devices that do not fully support device security settings (for example, devices that do not support provisioning) will receive a 403 error message when they attempt to synchronize with Exchange Server. |
In addition to the settings in the table, there’s also an Exceptions button (see Figure 3.) After clicking this button you can specify the users who you want to be exempt from the settings that you have configured in the Device Security Settings dialog box. This exceptions list can be useful if you have specific trusted users (or perhaps managers!) of whom you do not need to require device security settings.
Be sure you don’t configure a device security policy that is too strict, as this could end up with frustrated users erasing their devices all the time. Also remember a user in some situations could have problems contacting the IT department if his device has just been erased. Users are already used to four-digit numbers (among other things from their credit cards) so requiring a four-digit number would in most situations be a good idea. Actually the best solution would be to use a four-digit number in combination with a reasonably configured wipe device after failed attempts setting to make sure you don’t become unpopular.
So where are all the device security settings stored? Almost all the values configured under the device security settings page are stored in Active Directory, more specifically in an attribute called msExchOmaExtendedProperties, which can be found under CN=Outlook Mobile Access,CN=Global Settings,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com using a tool such as ADSI Edit.
If you select the msExchOmaExtendedProperties attribute and click the Edit button you get to the screen shown in Figure 5 below.
As you can see, all the device security related values are stored in a string prefixed PolicyData. The values are encoded between the <wap-provisioningdoc> tags. Because this is nothing else than a XML blob, you have the possibility of provisioning your own custom policies by specifying the required values in an XML format similar to this one. It would have been nice to be able to set these policies per user via the GUI but for now the only way to configure these settings on a per user basis is to configure the msExchOmaExtendedPropertiesattribute on each user, but that’s not exactly a friendly method is it? Good thing is I’ve heard Microsoft will make it possible to configure these settings per user, using GPOs or a similar approach; the bad thing is this won’t be before Exchange 12 RTMs.
When you have configured and enabled the device security settings on the server, the dialog box shown below will appear on the device during the next synchronization with the server.
After clicking OK you need to specify and confirm the PIN or password you want to use. The PIN or password needs to be entered every time the device is unlocked or after you have issued a cold reset. If an incorrect password is entered, perhaps because one of your kids was playing with the device or if you forgot to lock the keypad while the device was in your pocket, you’ll get a message similar to the one below:
The password you typed is incorrect. Please try again. 1/5 attempts have been made.
This of course depends on how many allowed attempts you have specified under Wipe device after failed option in your Device Security Settings (refer back to Figure 2).
After the second failed attempt you’ll be notified that several incorrect passwords have been entered. In order to confirm the login attempt is not due to accidental button presses, you’re asked to enter A1B2C3 or something similar (depends on how the mobile provider configured this in the specific build). When you have entered these characters you’ll once again have the option of specifying your device password. Should you for some reason manage to enter it incorrectly once again, you’re faced with the incorrect password dialog box again. Before the last available attempt you’ll be informed that all information on the device will be erased after the next unsuccessful password attempt. An erase (similar to a local wipe) will clear out all memory on the device, i.e. the device will be reset back to its factory defaults. Bear in mind though that data on the storage card in the device will remain intact. You can argue whether this is a good design decision or not, personally I think this is a major security risk factor, especially because you can configure the device to store e-mail message attachments on the storage card!
Note:
If you know for a fact that a device has been lost or stolen, you can also initiate a remote wipe to the device, a remote wipe wipes the device immediately. We’ll talk more about this possibility in part 3 of this article series.
If you want to change your PIN or password, you do so by clicking Start > Settings > Lock.
You’ll now need to enter your current PIN or password in order to access the change password feature, when you have done so, you’ll get to the screen shown below.
It’s also interesting to note that a locked device that is connected to a PC using a USB cable won’t be accessible either, instead you’ll be faced with the dialog box shown below.
Posted by: Travis Sarbin
Tested by: Myke Reinhold
Leave a Reply
You must be logged in to post a comment.