Wednesday, June 30, 2010

One Good Reason to use UAG

Ever since the release of TMG and UAG I have been trying to work out which is the best product to use if I just want to publish Exchange services such as OWA, ActiveSync and Outlook Anywhere. Well, I have finally found the answer. Quite a number of companies are worried that publishing these services will create an opportunity for attackers to lock out their users' accounts simply by attempting to access these services with the right username and the wrong password. I agree that the risk is probably not that big, but it is there nevertheless. Certificate-based authentication is one way to get around this, but it brings its own challenges, such as the TMG/ISA server needing to be a member of the domain.

After some testing I also found that TMG tries to authenticate the user before deciding whether the user is even allowed to access the services. This means that even if you have used a group, or created a "User Group" on TMG, to limit the users who can use these services, your entire organisation is still exposed to this kind of lockout attack.

Thankfully UAG has something to help combat this. UAG has an option that holds off further authentication attempts for a configurable amount of time once a threshold has been reached. For example, an administrator can specify that after 3 incorrect logon attempts the user is held off for 60 minutes. Obviously you need to take your current password policies into account so that the UAG threshold actually trips before the domain account lockout does.


Another thing I learnt the hard way is that UAG by default requires access to your CA's CRL, and if it cannot reach it, it presents your users with a generic certificate error message. To modify this behaviour you need to change the HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL\ValidateRwsCertCRL value to 0. Bear in mind that setting it to 0 switches that CRL check off entirely, so confirm first whether the CRL distribution point is simply unreachable from the UAG server.
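As an added example (not part of the original post, nor anything shipped with UAG), here is a PowerShell check you can run on the UAG server before touching that registry value: it reads the CRL distribution points out of the certificate UAG is validating and tries to download each one. The certificate file path is an assumed example.

```powershell
# Added example, not code from the original post: read the CRL Distribution Points
# from a certificate file and try to download each http(s) CRL from this server.
# Use it on the UAG box to confirm whether the CRL really is unreachable before
# setting ValidateRwsCertCRL to 0 (which turns that revocation check off).
function Test-CrlReachability {
    param([Parameter(Mandatory=$true)][string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

    # OID 2.5.29.31 is the CRL Distribution Points extension
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
    if (-not $cdp) {
        Write-Warning "No CRL Distribution Points extension in $($cert.Subject)"
        return
    }

    # Format($true) renders the extension as text ("URL=http://..."); pull out the
    # http(s) URLs. LDAP distribution points are not tested by this function.
    $urls = [regex]::Matches($cdp.Format($true), 'https?://[^\s,>]+') |
        ForEach-Object { $_.Value }

    $client = New-Object System.Net.WebClient
    foreach ($url in $urls) {
        try {
            $bytes = $client.DownloadData($url)
            # A DER-encoded CRL starts with an ASN.1 SEQUENCE tag (0x30)
            New-Object PSObject -Property @{
                Url = $url; Reachable = $true
                LooksLikeCrl = ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30)
                Bytes = $bytes.Length; Error = $null
            }
        } catch {
            New-Object PSObject -Property @{
                Url = $url; Reachable = $false; LooksLikeCrl = $false
                Bytes = 0; Error = $_.Exception.Message
            }
        }
    }
}

# Assumed path: export the certificate UAG is validating and point the function at it
Test-CrlReachability -CertPath "C:\Temp\published-site.cer" | Format-Table -AutoSize
```

If every distribution point comes back Reachable with LooksLikeCrl set, the generic error is not a CRL reachability problem and the registry change will not fix it.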

I also found this whitepaper (http://go.microsoft.com/fwlink/?LinkId=197136) from Microsoft that outlines publishing Exchange services with both TMG and UAG and also includes some interesting information you can use to work out which product will best meet your needs.


So for Matt's 5 cents:
UAG has some cool features that are not well documented. If security is a major concern and you require the ability to set a more comprehensive policy, then UAG is for you. A word of warning though: for those of you who are familiar with TMG, UAG has a totally different look and feel and is a bit more complicated.

Monday, June 28, 2010

iPhone: Friend or Foe

From the many articles that have been circulating about the iPhone and Microsoft employees, it would seem that Microsoft views the iPhone as an enemy. Windows Mobile (pre version 7, of course) seemed like a great platform, that is, until the iPhone came out and we saw people (myself included) change their views of what Windows Mobile could offer. A comparison between the two was like comparing NT4 Workstation with Windows 7. So what did Microsoft really expect? It seems like the only people left using Windows Mobile devices are Microsoft employees and people who have been given the device as a work mobile. Don't believe me? Next time you are in a meeting, ask everyone to show you what they are carrying around.
So let me get to my point. Microsoft claimed that Windows Mobile coupled with Exchange ActiveSync was going to be a BlackBerry killer. A few years later this is still as far away as ever from being a reality… Enter the iPhone. We are now seeing that even C-levels are starting to ask when they can connect their iPhone to Exchange, and we are even seeing some corporates adopting the iPhone and handing it out as a standard device. This is easy to achieve by leveraging the ActiveSync protocol that Apple have licensed and allowing users
But how do you get around the security issues that have been talked about? The easiest and cheapest way is to ensure you have a solid ActiveSync policy. Here are some of the key settings that should be considered:
• Allow non-provisionable devices – Turned off, this setting ensures that only devices that are able to apply ActiveSync policies can connect. If you enforce device encryption, an iPhone 3G running OS 3.x and later (there is a bug in earlier versions that falsely reported to Exchange that the device supported hardware encryption) will not be able to connect.
• Enforce password on device – This setting ensures that all ActiveSync users have a password/PIN protecting their device.
• Maximum failed password attempts – In case a device is lost or stolen, this setting ensures that the device is completely wiped once the maximum number of attempts to gain access to the device has been exceeded. This setting needs to be thought out carefully: too few attempts means users may end up wiping their devices accidentally, and too many gives an attacker a greater chance of gaining access to corporate data.
• Inactivity time in minutes – Another setting that needs to be thought out carefully: too short a setting is frustrating to users if the password requirements are complicated, and too long increases the risk of unauthorised access to data.
• Minimum password length – This setting can cause a great deal of pain in terms of usability. The right balance between minimum password length, inactivity time and maximum failed password attempts is key to having happy users.
When building your ActiveSync policy, keep in mind that only a subset of the available policies, listed below, is supported by iPhones:
• Remote wipe
• Enforce password on device
• Minimum password length
• Maximum failed password attempts (before local wipe)
• Require both numbers and letters
• Inactivity time in minutes (1 to 60 minutes)
• Allow or prohibit simple password
• Password expiration
• Password history
• Policy refresh interval
• Minimum number of complex characters in password
• Require manual syncing while roaming
• Allow camera
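As an added example (not from the original post), here is how the settings discussed above could be set up as an Exchange ActiveSync mailbox policy from the Exchange Management Shell, using the Exchange 2010 cmdlet names. The policy name, mailbox and numeric values are assumed examples to be balanced against your own password policy.

```powershell
# Added example, not code from the original post. Policy name, mailbox and the
# numeric values are assumed examples; balance them against your own password policy.
$policyName = "Corp-Mobile-Baseline"

$settings = @{
    Name                               = $policyName
    # Off: a device that cannot (or does not claim to) apply policy is refused
    AllowNonProvisionableDevices       = $false
    DevicePasswordEnabled              = $true          # Enforce password on device
    AllowSimpleDevicePassword          = $false         # Allow or prohibit simple password
    AlphanumericDevicePasswordRequired = $true          # Require both numbers and letters
    MinDevicePasswordLength            = 6              # Minimum password length
    MinDevicePasswordComplexCharacters = 1              # Minimum number of complex characters
    MaxDevicePasswordFailedAttempts    = 10             # Local wipe after 10 failures
    MaxInactivityTimeDeviceLock        = "00:15:00"     # Inactivity time (15 minutes)
    DevicePasswordExpiration           = "90.00:00:00"  # Password expiration (90 days)
    DevicePasswordHistory              = 5              # Password history
    DevicePolicyRefreshInterval        = "24:00:00"     # Policy refresh interval
    RequireManualSyncWhenRoaming       = $true          # Require manual syncing while roaming
    AllowCamera                        = $true          # Allow camera
}

# Create the policy by splatting the hashtable onto the cmdlet
New-ActiveSyncMailboxPolicy @settings

# Assign it to a mailbox (assumed identity) and confirm the assignment
Set-CASMailbox -Identity "mobile.user@contoso.example" -ActiveSyncMailboxPolicy $policyName
Get-CASMailbox -Identity "mobile.user@contoso.example" | Format-List ActiveSyncMailboxPolicy

# See which device types are actually syncing, so the remaining (non-iPhone) settings
# can be checked against the Windows Mobile and Android users the policy also covers
Get-ActiveSyncDeviceStatistics -Mailbox "mobile.user@contoso.example" |
    Format-Table DeviceType, DeviceModel, DeviceOS, LastSuccessSync -AutoSize
```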

So for Matt’s 5 cents:
The iPhone is proving to be a catalyst for people to move towards ActiveSync as a mobile messaging platform. While planning for iPhone access to ActiveSync, don’t forget that your ActiveSync policy really needs to cater for all ActiveSync users regardless of device type. So even though the iPhone policy support is limited, you should still ensure that the other settings are suitable for those people with Windows Mobile or Android devices.