Flawed password management model for Microsoft’s new Outlook app
Microsoft’s new Outlook for iOS and Android isn’t like other ActiveSync clients. In fact, it isn’t really an ActiveSync client at all. The actual ActiveSync client is a Microsoft-owned server that stores your username and password in order to get data from the Exchange server and then push it to the Outlook app. Why they didn’t just make a standard ActiveSync app and store the credentials on the mobile device is anyone’s guess.
The problem with this model is that the millions of usernames and passwords that will inevitably be stored in Microsoft’s servers will make an extremely tempting target for hackers. If someone manages to compromise that database, they’ll have carte blanche access to a lot of very important email accounts.
You can block access to your Exchange 2010 server via this app by using this cmdlet:
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString “Outlook for iOS and Android” -AccessLevel Block
(Thanks to Paul Cunningham for putting this up on ExchangeServerPro.com.)
This creates two more potential problems:
- I’m not sure if your credentials will still be stored at Microsoft if you attempt to connect via the Outlook app after placing this block or not. I suspect they will be, so you will also have to warn your users not even to attempt to use it.
- If a user attempts to connect via the Outlook app after you have activated the block, they’ll get a message like this one in their mailbox:
From: Microsoft Outlook Sent: Wednesday, February 15, 2015 11:32 AM To: Jay T. Test Subject: Your mobile phone has been denied access to the server via Exchange ActiveSync because of server policies. Your phone won't be able to synchronize with the server via Exchange ActiveSync because of an access policy defined on the server. Information about your mobile phone: Device model: Outlook for iOS and Android Device type: Outlook Device ID: XXXXXXXXXXXXXXX Device OS: Outlook for iOS and Android 1.0 Device user agent: Outlook-iOS-Android/1.0 Device IMEI: Exchange ActiveSync version: 14.1 Device access state: Blocked Device access state reason: DeviceRule Sent at 2/15/2015 11:32:09 AM to firstname.lastname@example.org.
Notice how it says “Your mobile phone has been denied access…” and “Your phone won’t be able to synchronize…” These error messages could be very misleading to some of your end users because their phone is fine. Their phone was not denied access and their phone will be able to synchronize via ActiveSync just fine, as long as they use some other app to do it.
And that’s not all.
The very same problem has existed for years in a number of other email services. For example, Google offers to check any POP or IMAP account for you and copy all of the messages to your Gmail mailbox. The only way they can do that is by storing your username and password on their servers, and the only way you can block this on Exchange is at the network level by blocking connections from Google’s servers or in Exchange by disabling POP and/or IMAP.
That should bother any security conscious mail administrator. Unfortunately, I don’t know what to tell you about how to solve it. User education is great, but not likely to get you very far. You’d probably just make the problem worse by alerting some users who weren’t aware of these helpful options before.
I’d love to hear how you are handling these issues in your organization. Leave a comment, ask a question, drop a link… You know the drill.