Risks security with active sync configuration?

andrelo_ · ‎08-11-2008

Hi!

We are testing the IVE's activesync solution to use exchange in IPhone mobile.

However, we think that this solution have little security because anybody can access to exchange server directly without authentication in the IVE. If anybody is able to encapsulate any traffic over SSL this traffic would arrive to exchange server and could take control of this machine and from there jump to any machine in intranet. Have the exchange server enough security to avoid this problem? Would we have risk security with this architecture?

Do you think about that? Is weak?

PD: Will active Sync solution have authentication option in the IVE?

Regards,

Andrelo

VeePeeN_ · ‎06-06-2013

Your only option is to use certificates to protect your static passwords. You will find many entries in the documentation and kb about this.

RexPGP_ · ‎06-06-2013

That is why you select active sync only protocol from the sign in page.

zanyterp_ · ‎07-31-2013

As mentioned earlier, you can require certificates for users and only allow ActiveSync traffic. In addition, if they were to hit the Exchange server, an attacker would still need to authenticate in order to do anything on the server. As long as IIS is secured, there should be no additional attack vector opened by proxying this through the SA

Risks security with active sync configuration?

Risks security with active sync configuration?

Re: Risks security with active sync configuration?

Re: Risks security with active sync configuration?

Re: Risks security with active sync configuration?