Flawed password management model for Microsoft’s new Outlook app

Filed in Microsoft Exchange 2010, Microsoft Exchange 2013, Other Email Clients, Security
The Outlook for iOS and Android app has a security flaw, but it's not alone

Outlook for iOS and Android: BANNED

Microsoft’s new Outlook for iOS and Android isn’t like other ActiveSync clients. In fact, it isn’t really an ActiveSync client at all. The actual ActiveSync client is a Microsoft-owned server that stores your username and password in order to get data from the Exchange server and then push it to the Outlook app. Why they didn’t just make a standard ActiveSync app and store the credentials on the mobile device is anyone’s guess.

The problem with this model is that the millions of usernames and passwords that will inevitably be stored in Microsoft’s servers will make an extremely tempting target for hackers. If someone manages to compromise that database, they’ll have carte blanche access to a lot of very important email accounts.

You can block access to your Exchange 2010 server via this app by using this cmdlet:

New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block

(Thanks to Paul Cunningham for putting this up on ExchangeServerPro.com.)

This creates two more potential problems:

  1. I’m not sure if your credentials will still be stored at Microsoft if you attempt to connect via the Outlook app after placing this block or not. I suspect they will be, so you will also have to warn your users not even to attempt to use it.
  2. If a user attempts to connect via the Outlook app after you have activated the block, they’ll get a message like this one in their mailbox:
From: Microsoft Outlook 
Sent: Wednesday, February 15, 2015 11:32 AM
To: Jay T. Test
Subject: Your mobile phone has been denied access to the server via Exchange ActiveSync because of server policies.

Your phone won't be able to synchronize with the server via Exchange ActiveSync because of an access policy defined on the server.
Information about your mobile phone:
Device model:	Outlook for iOS and Android
Device type:	Outlook
Device ID:	XXXXXXXXXXXXXXX
Device OS:	Outlook for iOS and Android 1.0
Device user agent:	Outlook-iOS-Android/1.0
Device IMEI:	
Exchange ActiveSync version:	14.1
Device access state:	Blocked
Device access state reason:	DeviceRule
Sent at 2/15/2015 11:32:09 AM to jay.test@domain.com.


Notice how it says “Your mobile phone has been denied access…” and “Your phone won’t be able to synchronize…” These error messages could be very misleading to some of your end users because their phone is fine. Their phone was not denied access and their phone will be able to synchronize via ActiveSync just fine, as long as they use some other app to do it.
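As an added example (not code from the original post), here is the same block applied from an Exchange 2010 Management Shell, followed by two checks a mail administrator would want: confirming the rule is in place, and listing the mailboxes that already have a device partnership from the app, so you know which users to warn. It assumes the DeviceModel and user agent strings shown in the denial message above, and that Get-ActiveSyncDevice is run with enough rights to see all users' partnerships.

```powershell
# Added example (not from the original post): block the Outlook app on Exchange 2010,
# verify the rule, and find users whose credentials have already gone through the app.

# 1. Create the block rule (same cmdlet as in the post). The Characteristic could also
#    be UserAgent or DeviceType, matching the other fields in the denial e-mail.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
    -QueryString 'Outlook for iOS and Android' -AccessLevel Block

# 2. Confirm the rule exists and really is a Block rule (not Quarantine or Allow).
Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.QueryString -eq 'Outlook for iOS and Android' } |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize

# 3. List every device partnership created by the app, blocked or not. Partnerships
#    created before the rule existed still show up here with their owner, which tells
#    you whose username and password were already handed to Microsoft's service.
$outlookDevices = Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceUserAgent -like 'Outlook-iOS-Android/*' -or
                   $_.DeviceModel -eq 'Outlook for iOS and Android' }

$outlookDevices |
    Select-Object UserDisplayName, DeviceModel, DeviceUserAgent,
                  DeviceAccessState, DeviceAccessStateReason, FirstSyncTime |
    Sort-Object UserDisplayName |
    Format-Table -AutoSize

# 4. Distinct users to notify about the block and the stored-credential issue.
$usersToWarn = $outlookDevices | Select-Object -ExpandProperty UserDisplayName -Unique
Write-Output ("Users who have connected via the Outlook app: {0}" -f @($usersToWarn).Count)
```

On Exchange 2013 the same access-rule cmdlets apply; Get-MobileDevice can be used in place of Get-ActiveSyncDevice with the same property names.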

And that’s not all.

The very same problem has existed for years in a number of other email services. For example, Google offers to check any POP or IMAP account for you and copy all of the messages to your Gmail mailbox. The only way they can do that is by storing your username and password on their servers, and the only way you can block this on Exchange is at the network level by blocking connections from Google’s servers or in Exchange by disabling POP and/or IMAP.

That should bother any security conscious mail administrator. Unfortunately, I don’t know what to tell you about how to solve it. User education is great, but not likely to get you very far. You’d probably just make the problem worse by alerting some users who weren’t aware of these helpful options before.

I’d love to hear how you are handling these issues in your organization. Leave a comment, ask a question, drop a link… You know the drill.


5 Personal Computer Operating Systems

Filed in IT Fundamentals

Part 2 in Cameron’s ongoing series on IT Fundamentals.

Microsoft Windows

Windows 7 is one of Microsoft’s more popular recent operating systems. Like most versions of Windows, it’s written using various dialects of the C programming language originally developed in the 1970s. One unique feature of Windows 7 is the BitLocker Drive Encryption, which enables you to encrypt your hard disk. The minimum system requirements (for the 32-bit version) are a 1 GHz processor, 1 GB RAM, and 16 GB hard drive space. Compared to its predecessors, Windows 7 is faster and possesses easier networking methods. However, there are numerous versions of the operating system. Not all of them are available in all countries. There are also features from Vista that are not present in 7.

Windows 10 is the next step beyond Windows 8. Security is much more versatile in that network restrictions are more customizable with per-application VPNs. This version of Windows can run on the same hardware as Windows 7. However, the technical preview, which is the only available version, requires a Microsoft account and Internet access. Windows 10 possesses most of the advantages of Windows 8, like the extra battery life and automatic file encryption, but is also designed with businesses still using XP in mind.

Mac OS X

Mac OS X is a(n) (in)famous operating system favored by artists, casual computer users, and Apple cultists alike. It is primarily written using Objective-C and Apple-made languages. The Mac OS X is not known for security breaches for a number of reasons. One is lack of use by the demographic most likely to create malware, and another is the set of built-in components under a Mac’s figurative hood, tools like Gatekeeper and FileVault, which provide some basic protection for Mac users. Though many computer users may scoff at Macs, they do have their advantages – especially in content creation and simplicity for more non-technical users. However, due to Apple’s exclusive nature, Macs tend to be more expensive, have less support than PCs, and have fewer hardware and software choices.

Linux

Linux is a venerable and very versatile operating system. It is frequently used in electronics that we normally don’t think of as possessing an operating system – like televisions, GPS, and other devices. It’s primarily written using C and utilizes Discretionary Access Control to set the security for individual objects. The hardware requirements for one of the latest versions of Ubuntu are a 700 MHz processor, 512 MB RAM, 5 GB drive space, a VGA monitor, and a CD/DVD drive. Linux is generally more secure than other operating systems and is open sourced. Unfortunately, it also has a steep learning curve and is the last OS to get new high-end hardware.

Chrome OS

Chrome OS, or “Chromium”, is designed by Google. It’s based on Linux and is primarily designed for netbooks – coined as “Chromebooks”. Chromium takes a somewhat aggressive stance on security. When compromised, it will update the system and reboot to a previous uninfected version. Compared to other devices and operating systems, Chromebooks are fairly cheap. Data backups and software updates are also done automatically. However, Chromebooks lack the diverse functions of Windows, Mac, and other OS’s, and they require an internet connection to utilize many of the functions they do have.


Exchange 2013 CU7 Rollup Roundup

Filed in Microsoft Exchange 2013

I added a 2010 roundup, so it’s only fair that I add one for 2013 as well. I wouldn’t want the early adopters to feel left out! (It’s only 2015. That still makes it a new release, right?)

Released on November 10 December 9, Cumulative Update 7 for Exchange 2013 fixes a lot of issues that I would consider pretty serious. Here are the ones that would concern me the most:

KB article  Summary
3012655 Problem importing ANSI format .pst files
3012652 Delegate permissions w/ universal security groups
3009631 Advanced find doesn’t work in Sent Items
3009612 OWA gives too much detail in contact card
3009291 Shared mailboxes vs multiple domains
3008438 Can’t log into EAC
3006672 Move requests fail
2988553 Unauthorized Add-ADPermission & Remove-ADPermission
2981538 ECP crashes when proxy from 2013 to 2010
3014051 Can’t migrate mailboxes w/ multiple domains
3003518 NDR when sending to external recipients
3003068 Can’t see online archive mailbox after CU6
3000944 Can’t see subfolders of Deleted Items in Outlook
2997847 Can’t route ActiveSync to 2007 mailboxes
2997355 Exchange Online mailboxes can’t be managed via EAC
2997209 Databases unexpectedly failover
2993871 Resource Booking Assistant crashes after CU5
2931223 MAPI virtual directory missing from default web site node

See more detail for these and other fixed issues here.

Fortunately, like RU8 for Exchange 2010 SP3, the bugs have mostly been worked out of this one. The dust settled a little more quickly for 2013 administrators. Let me know if you experience any issues with it.
