Exchange 2003 Mobile Messaging Part 2 - Uncovering the Device Security Policies
Written by David Noel-Davies   

We all know how easy it is to lose a mobile device, or worse, to have it stolen. Now that devices can synchronize with a mailbox, we need a way to secure them properly, so that corporate information and other sensitive data held on them stays protected. With Exchange 2003 SP2 applied, you as an administrator can configure mandatory PIN or password requirements for the Windows Mobile 5.0 devices (with the Messaging and Security Feature Pack) that synchronize with the Exchange servers in your organization. You could, for example, require a four-digit personal identification number (PIN) that users must enter before they get access to the device. If a user enters the PIN incorrectly, let's say four times, you can even configure the device security settings so that all data on the device is erased (a local wipe).

Note:
If you haven't already seen it, I highly recommend you check out this video before you continue reading this article; it demonstrates how the device security policies, as well as the remote wipe functionality, work in practice.

 

Configuring the Device Security Policies

The device security policies are configured in the same place as the other mobile device related settings: the property page of the Mobile Services object in the Exchange System Manager (see Figure 1).


Figure 1: Property page of Mobile Services in the Exchange System Manager

When you click the Device Security button you get to the dialog box where you configure the individual Device Security Settings (see Figure 2).


Figure 2: Device Security Settings

The device security settings are global: they apply to every single user synchronizing with the Exchange servers in your organization (apart from the exceptions discussed below), so it's important that you know the exact purpose of each setting. I've therefore listed all of them, with a description, in the table below.

Device Security Setting / Description

Enforce password on device
    Activates the device password policy. None of the other settings take effect until this one is enabled.

Minimum password length (characters)
    Enable this option to specify the minimum length of the user's device password. The default is 4 characters; you can specify 4 to 18 characters.

Require both numbers and letters
    Enable this option if you want to require that users choose a password containing both numbers and letters. Not selected by default.

Inactivity time (minutes)
    Enable this option to require users to unlock the device again after a specified number of minutes of inactivity. Not selected by default; if selected, the default is 5 minutes.

Wipe device after failed (attempts)
    Enable this option to have the device memory wiped after a number of failed logon attempts. Not selected by default; if selected, the default is 8 attempts. Note that data on a storage card is not wiped.

Refresh settings on the device (hours)
    Enable this option to specify how often the server sends a provisioning request (the policy) to devices. Not selected by default; if selected, the default is every 24 hours.

Allow access to devices that do not fully support password settings
    Select this option to allow devices that do not fully support the device security settings to synchronize with Exchange Server. Not selected by default. If it is not selected, devices that do not fully support the device security settings (for example, devices that do not support provisioning) receive an HTTP 403 (Forbidden) error when they attempt to synchronize with Exchange Server. Enabling it means such devices synchronize without the policy being enforced on them.

Table 1: Description of the Device Security Settings

In addition to the settings in the table, there's also an Exceptions button (see Figure 3). After clicking this button you can specify the users who should be exempt from the settings you have configured in the Device Security Settings dialog box. This exceptions list can be useful if you have specific trusted users (or perhaps managers!) from whom you do not need to require device security settings. Remember that an exempt user's device carries the same mailbox data as everybody else's, so keep the list short.


Figure 3: Device Security Exception List

Be careful not to configure a device security policy that is too strict, as you could end up with frustrated users wiping their own devices all the time. Remember also that a user whose device has just been erased may have trouble contacting the IT department. Users are already used to four-digit numbers (from their bank cards, among other things), so requiring a four-digit PIN is a good compromise in most situations. Bear in mind, though, that a four-digit numeric PIN has only 10,000 possible values, so it is the wipe-after-failed-attempts setting that actually protects a lost device against guessing: with eight attempts allowed, an attacker's chance of hitting a random PIN is under 0.1%. The best solution is therefore a four-digit PIN combined with a reasonably configured Wipe device after failed (attempts) setting; that protects the data without making you unpopular.

Storage Location of the Device Security Settings

So where are all the device security settings stored? Almost all the values configured under the device security settings page are stored in Active Directory, more specifically in an attribute called msExchOmaExtendedProperties, which can be found under CN=Outlook Mobile Access,CN=Global Settings,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com using a tool such as ADSI Edit (see Figure 4).


Figure 4: Location of Security Device Settings in Active Directory

If you select the msExchOmaExtendedProperties attribute and click the Edit button you get to the screen shown in Figure 5 below.


Figure 5: msExchOmaExtendedProperties attribute

As you can see, all the device security related values are stored in one of the attribute's values, a string prefixed PolicyData. The settings are encoded between the <wap-provisioningdoc> tags, the same WAP provisioning format that is sent to the device in a provisioning request. Because this is nothing more than an XML blob, you can provision your own custom policies by specifying the required values in XML of the same form. It would have been nice to be able to set these policies per user via the GUI, but for now the only way to configure the settings on a per-user basis is to set the msExchOmaExtendedProperties attribute on each user object, and that's not exactly a friendly method, is it? The good news is that I've heard Microsoft will make it possible to configure these settings per user, using GPOs or a similar approach; the bad news is that this won't be before Exchange '12' RTMs. Until then I can only recommend that Dan Winter and Marc Nivens implement this possibility in their ADModify.net tool.

Because of the complexity of this subject, I won't go into further detail on how to accomplish this, but instead suggest you check out this blog entry over at the You Had Me At EHLO blog.
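Before you hand-edit a per-user copy of the attribute, it is worth being able to read the blob back and check what it actually enforces. The following is an added example (not code from the article, from Microsoft or from ADModify.net) that parses a PolicyData value and audits it against the thresholds discussed above. The registry paths and parm names inside the provisioning document are assumptions based on the Exchange ActiveSync 2.5 provisioning format as I recall it; compare them with the blob in your own directory (Figure 5) before relying on the interpretation. The sample attribute values are constructed, not captured from a real organization.

```python
"""Parse and audit the PolicyData blob Exchange 2003 SP2 stores in
msExchOmaExtendedProperties.  Added example; element and parm names are
assumed, and the sample values below are constructed."""
import xml.etree.ElementTree as ET

PREFIX = "PolicyData="

# Constructed sample of a multi-valued msExchOmaExtendedProperties attribute,
# mirroring the article's defaults: password enforced, minimum length 4,
# inactivity lock 5 minutes, wipe after 8 failed attempts.
SAMPLE_VALUES = [
    "SomeOtherSetting=1",  # unrelated entries in the same attribute are ignored
    PREFIX
    + "<wap-provisioningdoc>"
    + '<characteristic type="SecurityPolicy"><parm name="4131" value="0"/></characteristic>'
    + '<characteristic type="Registry">'
    + '<characteristic type="HKLM\\Comm\\Security\\Policy\\LASSD\\AE\\{50C13377-C66D-400C-889E-C316FC4AB374}">'
    + '<parm name="AEFrequencyType" value="1"/><parm name="AEFrequencyValue" value="5"/>'
    + "</characteristic>"
    + '<characteristic type="HKLM\\Comm\\Security\\Policy\\LASSD">'
    + '<parm name="DeviceWipeThreshold" value="8"/>'
    + "</characteristic>"
    + '<characteristic type="HKLM\\Comm\\Security\\Policy\\LASSD\\LAP\\lap_pw">'
    + '<parm name="MinimumPasswordLength" value="4"/><parm name="PasswordComplexity" value="2"/>'
    + "</characteristic>"
    + "</characteristic>"
    + "</wap-provisioningdoc>",
]


def parse_policydata(values):
    """Return {parm name: value} from the PolicyData entry of the attribute,
    or None when no policy has been stored at all."""
    blob = next((v[len(PREFIX):] for v in values if v.startswith(PREFIX)), None)
    if blob is None:
        return None
    root = ET.fromstring(blob)
    if root.tag != "wap-provisioningdoc":
        raise ValueError("not a WAP provisioning document")
    # <characteristic> elements nest, but parm names are unique in this
    # document, so a flat dict keyed on the name is enough for an audit.
    return {p.get("name"): p.get("value") for p in root.iter("parm")}


def guess_probability(min_len, wipe_threshold, numeric_only=True):
    """Chance that an attacker hits a random code within the allowed attempts."""
    alphabet = 10 if numeric_only else 36
    return min(1.0, wipe_threshold / alphabet ** min_len)


def audit(parms):
    """Return a list of (severity, finding); an empty list means acceptable."""
    findings = []
    # Assumed: parm 4131 == "0" corresponds to "Enforce password on device".
    if parms is None or parms.get("4131") != "0":
        findings.append(("FAIL", "device password is not enforced; no other setting applies"))
        return findings
    min_len = int(parms.get("MinimumPasswordLength", "0"))
    if min_len < 4:
        findings.append(("FAIL", f"minimum password length {min_len} is below 4"))
    # Assumed: PasswordComplexity "0" = letters and digits required.
    numeric_only = parms.get("PasswordComplexity") != "0"
    # Assumed: AEFrequencyType "1" = lock after AEFrequencyValue minutes of inactivity.
    if parms.get("AEFrequencyType") != "1":
        findings.append(("WARN", "no inactivity lock: an unlocked device stays unlocked"))
    elif int(parms.get("AEFrequencyValue", "0")) > 15:
        findings.append(("WARN", "inactivity timeout longer than 15 minutes"))
    if "DeviceWipeThreshold" not in parms:
        findings.append(("FAIL", "no local wipe: a lost device can be guessed at indefinitely"))
    else:
        threshold = int(parms["DeviceWipeThreshold"])
        p = guess_probability(min_len, threshold, numeric_only)
        if p > 0.01:
            kind = "numeric" if numeric_only else "alphanumeric"
            findings.append(("WARN", f"{threshold} attempts on a {min_len}-char {kind} code "
                                     f"gives a {p:.2%} guessing chance"))
    return findings


if __name__ == "__main__":
    for severity, text in audit(parse_policydata(SAMPLE_VALUES)) or [("OK", "policy acceptable")]:
        print(severity, text)
```

To run this against a real directory, fetch the attribute with your LDAP client of choice and pass the list of string values to parse_policydata; the audit thresholds (15 minutes, 1% guessing chance) are my own baseline, not anything the server enforces.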

Mobile Devices

Once you have configured and enabled the device security settings on the server, the dialog box shown in Figure 6 below appears on the device during its next synchronization with the server.


Figure 6: Security policy enforced on device

After clicking OK you need to specify and confirm the PIN or password you want to use. From then on the PIN or password has to be entered every time the device is unlocked and after a cold reset. If an incorrect password is entered, perhaps because one of your kids was playing with the device or because you forgot to lock the keypad while the device was in your pocket, you'll get a message similar to the one below:

The password you typed is incorrect. Please try again. 1/5 attempts have been made.

The number of attempts shown depends on what you specified for the Wipe device after failed (attempts) option in your Device Security Settings (refer back to Figure 2).

After the second failed attempt you'll be notified that several incorrect passwords have been entered. To confirm that the attempts are not accidental button presses, you're asked to type A1B2C3 or something similar (the exact string depends on how the mobile provider configured the specific build). Once you have entered it you can try your device password again. Should you enter it incorrectly once more, you're faced with the incorrect password dialog box again. Before the last available attempt you'll be warned that all information on the device will be erased after the next unsuccessful password attempt. The erase (equivalent to a local wipe) clears all memory on the device, i.e. the device is reset to its factory defaults. Bear in mind, though, that data on the storage card remains intact. You can argue whether that is a good design decision or not; personally I consider it a major security risk, especially because the device can be configured to store e-mail attachments on the storage card! Treat a storage card as unprotected: anything copied there survives both a local and a remote wipe.
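To make the escalation above concrete, here is an added example (not code from the article or from Windows Mobile) that models how the device applies the policy: PIN validation when the user picks a code, the failed-attempt counter with the codeword prompt and the final warning, and what a local wipe does and does not erase. The prompts, the codeword A1B2C3 and the rule that the codeword is asked for after the second failure are taken from the article's description; the counters, the sample mailbox contents and the point at which the codeword prompt is cleared are assumptions about the device's bookkeeping, not its real implementation.

```python
"""Model of device-side enforcement of an Exchange 2003 SP2 device policy.
Added example with constructed data; not the device's real implementation."""


def pin_meets_policy(pin, min_len=4, require_letters_and_digits=False):
    """The server policy as the device applies it when the user sets a PIN."""
    if len(pin) < min_len:
        return False
    if require_letters_and_digits:
        return any(c.isalpha() for c in pin) and any(c.isdigit() for c in pin)
    return True


class LockedDevice:
    """Minimal model of a Windows Mobile device with a policy-enforced lock."""

    CODEWORD = "A1B2C3"  # varies per OEM build; the article's value is assumed here

    def __init__(self, pin, wipe_threshold=8):
        self.pin = pin
        self.wipe_threshold = wipe_threshold
        self.failed = 0
        self.codeword_pending = False
        self.wiped = False
        # Constructed sample data: mailbox items live in device memory while
        # attachments were redirected to the storage card.
        self.memory = {"inbox": ["board minutes", "payroll.xls (attachment on card)"]}
        self.storage_card = {"attachments": ["payroll.xls"]}

    def unlock(self, entered):
        """Return the message the user sees for this unlock attempt."""
        if self.wiped:
            return "Device has been reset to factory defaults."
        if self.codeword_pending:
            return f"Several incorrect passwords have been entered. Type {self.CODEWORD} to continue."
        if entered == self.pin:
            self.failed = 0  # a successful unlock resets the counter
            return "Unlocked."
        self.failed += 1
        if self.failed >= self.wipe_threshold:
            self.local_wipe()
            return "All information on the device has been erased."
        msg = (f"The password you typed is incorrect. Please try again. "
               f"{self.failed}/{self.wipe_threshold} attempts have been made.")
        if self.failed == 2:
            self.codeword_pending = True  # guard against accidental key presses
        if self.failed == self.wipe_threshold - 1:
            msg += " All information will be erased after the next unsuccessful attempt."
        return msg

    def enter_codeword(self, text):
        """The codeword is not a password attempt; it only re-enables the prompt."""
        if self.codeword_pending and text == self.CODEWORD:
            self.codeword_pending = False
            return True
        return False

    def local_wipe(self):
        """Local (and remote) wipe: device memory only, the storage card is untouched."""
        self.memory = {}
        self.pin = None
        self.wiped = True


def brute_force(device, guesses):
    """Feed guesses to the model, answering the codeword prompt when it appears.
    Returns (device wiped?, files still readable on the storage card)."""
    for guess in guesses:
        if device.codeword_pending:
            device.enter_codeword(device.CODEWORD)
        device.unlock(guess)
        if device.wiped:
            break
    return device.wiped, device.storage_card.get("attachments", [])


if __name__ == "__main__":
    wiped, card = brute_force(LockedDevice("1234", wipe_threshold=5), ["0000", "0001", "0002", "0003", "0004"])
    print("wiped:", wiped, "still on storage card:", card)
```

The last line of the run is the point of the example: after the fifth failure the device memory is gone, but the attachment on the storage card is still there for whoever holds the device.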

Note:
If you know for a fact that a device has been lost or stolen, you can also initiate a remote wipe. The wipe command is delivered the next time the device synchronizes with the server and erases the device as soon as it is received, so it does not depend on the thief entering wrong passwords. We'll talk more about this possibility in part 3 of this article series.

Changing your Device PIN or Password

If you want to change your PIN or password, you do so by clicking Start > Settings > Lock.


Figure 7: Lock button under the Settings page

You'll need to enter your current PIN or password to access the change password feature; once you have done so, you'll get to the screen shown in Figure 8 below.


Figure 8: Changing your device password

It's also worth noting that a locked device connected to a PC with a USB cable isn't accessible either, so the lock cannot simply be bypassed by plugging the device into a computer; instead you'll be faced with the dialog box shown in Figure 9 below.


Figure 9: Connecting a locked device to a PC via USB

Conclusion

In this article you have learned how to make the mobile devices in your environment more secure with the new device security policy feature included in Exchange 2003 SP2, and you have seen how these settings behave on the client side. The feature is a welcome security improvement, but it doesn't provide complete protection just yet, among other things because data held on a storage card isn't wiped as part of a local or remote wipe. Hopefully we'll have a close to perfect solution with Exchange '12'.

In the next article I'll show you how to install the Exchange Server ActiveSync Web Administration tool, as well as how you can initiate remote wipes of lost or stolen devices with this tool and much more.