Outlook Says You’re Disconnected When You Open the Address Book

Filed in Microsoft Exchange 2010, Outlook 2010, Outlook 2013

I had a case recently in which the end user couldn’t add any resource calendars to Outlook. Every time she tried, she would get this error message:

The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.

Which was curious because the Outlook status bar said it was connected and she was able to send and receive emails.

I opened Outlook Connection Status (ctrl-right-click on the Outlook icon in the system tray and select Connection Status), and everything looked normal until I attempted to add a room calendar (click Open Calendar then select “From Room List”). A couple of new lines with a Type of Directory appeared in the Outlook Connection Status window. Their statuses went from Establishing to Disconnected, back to Establishing, then to Disconnected again.

I deleted her cached directory data (%appdata%\Microsoft\Outlook) and retried. Same thing. Next, I told Outlook to download the offline address book (File tab > Account Settings > Download Address Book), fully expecting that to error out also. Except that it didn’t.

When the OAB had finished downloading, I noticed that the two Directory listings in Outlook Connection Status both said Established. I then went back to the calendar tab and added a room with no problem.

If I discover more about what the problem was, I’ll update this post. In the meantime, projects await…


Flawed password management model for Microsoft’s new Outlook app

Filed in Microsoft Exchange 2010, Microsoft Exchange 2013, Other Email Clients, Security
The Outlook for iOS and Android app has a security flaw, but it's not alone

Outlook for iOS and Android: BANNED

Microsoft’s new Outlook for iOS and Android isn’t like other ActiveSync clients. In fact, it isn’t really an ActiveSync client at all. The actual ActiveSync client is a Microsoft-owned server that stores your username and password in order to get data from the Exchange server and then push it to the Outlook app. Why they didn’t just make a standard ActiveSync app and store the credentials on the mobile device is anyone’s guess.

The problem with this model is that the millions of usernames and passwords that will inevitably be stored on Microsoft’s servers will make an extremely tempting target for hackers. If someone manages to compromise that database, they’ll have carte blanche access to a lot of very important email accounts.

You can block access to your Exchange 2010 server via this app by using this cmdlet:

New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block

(Thanks to Paul Cunningham for putting this up on ExchangeServerPro.com.)

This creates two more potential problems:

  1. I’m not sure if your credentials will still be stored at Microsoft if you attempt to connect via the Outlook app after placing this block or not. I suspect they will be, so you will also have to warn your users not even to attempt to use it.
  2. If a user attempts to connect via the Outlook app after you have activated the block, they’ll get a message like this one in their mailbox:
From: Microsoft Outlook 
Sent: Wednesday, February 15, 2015 11:32 AM
To: Jay T. Test
Subject: Your mobile phone has been denied access to the server via Exchange ActiveSync because of server policies.

Your phone won't be able to synchronize with the server via Exchange ActiveSync because of an access policy defined on the server.
Information about your mobile phone:
Device model:	Outlook for iOS and Android
Device type:	Outlook
Device ID:	XXXXXXXXXXXXXXX
Device OS:	Outlook for iOS and Android 1.0
Device user agent:	Outlook-iOS-Android/1.0
Device IMEI:	
Exchange ActiveSync version:	14.1
Device access state:	Blocked
Device access state reason:	DeviceRule
Sent at 2/15/2015 11:32:09 AM to jay.test@domain.com.

 

Notice how it says “Your mobile phone has been denied access…” and “Your phone won’t be able to synchronize…” These error messages could be very misleading to some of your end users because their phone is fine. Their phone was not denied access and their phone will be able to synchronize via ActiveSync just fine, as long as they use some other app to do it.
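To confirm the block rule is in place and to see which users have already tried the app, the following added example (not part of the original post) audits the rule and the device partnerships Exchange has recorded. It assumes an Exchange Management Shell where Get-ActiveSyncDeviceAccessRule and Get-ActiveSyncDevice are available; the variable names are illustrative.

```powershell
# Added example: audit the "Outlook for iOS and Android" block rule and
# the ActiveSync partnerships that report this device model.
# Run in the Exchange Management Shell.

$model = 'Outlook for iOS and Android'   # DeviceModel string used in the post

# 1. Create the block rule only if an equivalent rule does not already exist,
#    so the script can be re-run safely.
$rule = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceModel' -and $_.QueryString -eq $model }

if (-not $rule) {
    $rule = New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
        -QueryString $model -AccessLevel Block
}

$rule | Format-List Name, Characteristic, QueryString, AccessLevel

# 2. Find every partnership whose device model matches. Each entry is a
#    connection (or attempted connection) from the app that Exchange recorded,
#    so these are the users to follow up with.
$devices = Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceModel -eq $model }

$devices |
    Sort-Object UserDisplayName |
    Format-Table UserDisplayName, DeviceId, DeviceUserAgent,
                 DeviceAccessState, DeviceAccessStateReason, FirstSyncTime -AutoSize

# 3. Flag any partnership that is not blocked. The notification quoted above
#    shows the expected result: state "Blocked", reason "DeviceRule".
$notBlocked = $devices | Where-Object { $_.DeviceAccessState -ne 'Blocked' }

if ($notBlocked) {
    Write-Warning ("{0} partnership(s) for '{1}' are not blocked:" -f @($notBlocked).Count, $model)
    $notBlocked | Format-Table UserDisplayName, DeviceId, DeviceAccessState,
                               DeviceAccessStateReason -AutoSize
} else {
    Write-Host "All recorded '$model' partnerships are blocked."
}
```

A partnership listed with a reason other than DeviceRule was decided by something other than this rule and should be reviewed separately.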

And that’s not all.

The very same problem has existed for years in a number of other email services. For example, Google offers to check any POP or IMAP account for you and copy all of the messages to your Gmail mailbox. The only way they can do that is by storing your username and password on their servers, and the only way you can block this on Exchange is at the network level by blocking connections from Google’s servers or in Exchange by disabling POP and/or IMAP.

That should bother any security-conscious mail administrator. Unfortunately, I don’t know what to tell you about how to solve it. User education is great, but not likely to get you very far. You’d probably just make the problem worse by alerting some users who weren’t aware of these helpful options before.

I’d love to hear how you are handling these issues in your organization. Leave a comment, ask a question, drop a link… You know the drill.


5 Personal Computer Operating Systems

Filed in IT Fundamentals

Part 2 in Cameron’s ongoing series on IT Fundamentals.

Microsoft Windows

Windows 7 is one of Microsoft’s more popular recent operating systems. Like most versions of Windows, it’s written using various dialects of the C programming language originally developed in the 1970s. One unique feature of Windows 7 is the BitLocker Drive Encryption, which enables you to encrypt your hard disk. The minimum system requirements (for the 32-bit version) are a 1 GHz processor, 1 GB RAM, and 16 GB hard drive space. Compared to its predecessors, Windows 7 is faster and possesses easier networking methods. However, there are numerous versions of the operating system. Not all of them are available in all countries. There are also features from Vista that are not present in 7.

Windows 10 is the next step beyond Windows 8. Security is much more versatile in that network restrictions are more customizable with per-application VPNs. This version of Windows can run on the same hardware as Windows 7. However, the technical preview, which is the only available version, requires a Microsoft account and Internet access. Windows 10 possesses most of the advantages of Windows 8, like the extra battery life and automatic file encryption, but is also designed with businesses still using XP in mind.

Mac OS X

Mac OS X is a(n) (in)famous operating system favored by artists, casual computer users, and Apple cultists alike. It is primarily written using Objective-C and Apple-made languages. Mac OS X is not known for security breaches for a number of reasons. One is lack of use by the demographic most likely to create malware, and another is the set of built-in components under a Mac’s figurative hood, tools like Gatekeeper and FileVault, which provide some basic protection for Mac users. Though many computer users may scoff at Macs, they do have their advantages – especially in content creation and simplicity for more non-technical users. However, due to Apple’s exclusive nature, Macs tend to be more expensive, have less support than PCs, and have fewer hardware and software choices.

Linux

Linux is a venerable and very versatile operating system. It is frequently used in electronics that we normally don’t think of as possessing an operating system – like televisions, GPS, and other devices. It’s primarily written using C and utilizes Discretionary Access Control to set the security for individual objects. The hardware requirements for one of the latest versions of Ubuntu are a 700 MHz processor, 512 MB RAM, 5 GB drive space, a VGA monitor, and a CD/DVD drive. Linux is generally more secure than other operating systems and is open source. Unfortunately, it also has a steep learning curve and is the last OS to get new high-end hardware.

Chrome OS

Chrome OS, or “Chromium”, is designed by Google. It’s based on Linux and is primarily designed for netbooks – coined as “Chromebooks”. Chromium takes a somewhat aggressive stance on security. When compromised, it will update the system and reboot to a previous uninfected version. Compared to other devices and operating systems, Chromebooks are fairly cheap. Data backups and software updates are also done automatically. However, Chromebooks lack the diverse functions of Windows, Mac, and other OS’s, and they require an internet connection to utilize many of the functions they do have.
