In the second of our series looking at how to secure mobile workers, we concentrate on the ActiveSync Protocol.
ActiveSync is a Microsoft Protocol, licensed by a number of different device vendors, that allows smart devices to synchronise data with a Microsoft Exchange environment.
The protocol itself allows for encryption of session data, but there are still a number of important areas where the ActiveSync environment can benefit from additional security protection. This is no different from any other application accessed remotely, where the user or device should typically connect to a proxy device, usually an IPsec or SSL VPN concentrator, rather than to applications published directly to the Internet.
The second important consideration with ActiveSync is authentication. A traditional remote access session would typically mandate the use of two-factor authentication. For mobile devices which may drop in and out of signal range, this is not necessarily a realistic option for push-based services such as ActiveSync. This means that username and password checks are relied on. To mitigate the risk of this poorer authentication, there are certain steps you should take to verify additional information about the user at the perimeter before allowing access to the ActiveSync infrastructure; some example considerations are listed below.
The types of security considerations that should be looked at are:
- Username/password verified before access is enabled
- Prelogon check of client to determine that it is a legitimate device
- GeoIP location check to block “out of region” attacks
- Verify validity of ActiveSync commands before they are sent to Exchange Server
- Verify URI and only enable access to necessary addresses
- Verify AD Group membership for each user
- Login brute-force detection and blocking
Another important consideration is using valid SSL certificates. These provide assurance to the user that they are connecting to the right resource, which reduces the risk of man-in-the-middle attacks. They also prevent the user from adopting the bad habit of ignoring security warnings related to remote access, which may come up routinely (depending on the device type) if self-signed certificates are used.
This list is not exhaustive, but highlights some of the common, easy-to-implement validation checks that should be routinely carried out. These additional checks will go a long way to mitigating drive-by attempts and targeted attacks from non-smartphone devices.
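The URI, command and device checks from the list above can be sketched as a small allow-list filter of the kind a perimeter proxy would apply before forwarding to Exchange. This is an added example, not code from the original article or from any product. It assumes the plain-text query form of ActiveSync requests (a base64-encoded query fails closed as a missing parameter), and `check_request`, the `enrolled` device map, the device ID pattern and the sample requests are hypothetical or constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

EAS_PATH = "/microsoft-server-activesync"  # the only URI published
EAS_COMMANDS = {  # command names defined by the ActiveSync protocol
    "Sync", "SendMail", "SmartForward", "SmartReply", "GetAttachment",
    "FolderSync", "FolderCreate", "FolderDelete", "FolderUpdate",
    "MoveItems", "GetItemEstimate", "MeetingResponse", "Search", "Settings",
    "Ping", "ItemOperations", "Provision", "ResolveRecipients", "ValidateCert",
}
REQUIRED = ("cmd", "user", "deviceid", "devicetype")
DEVICE_ID = re.compile(r"[A-Za-z0-9]{1,32}")  # assumed conservative format

def check_request(method, url, enrolled):
    """Return (allowed, reason); anything not explicitly expected is denied."""
    parts = urlsplit(url)
    if parts.path.lower() != EAS_PATH:
        return False, "uri-not-allowed"
    if method == "OPTIONS":  # version discovery, carries no command
        return True, "options"
    if method != "POST":
        return False, "method-not-allowed"
    params = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if len(values) != 1 or key.lower() in params:
            return False, "duplicate-param"  # ambiguous to the backend
        params[key.lower()] = values[0]
    if any(not params.get(name) for name in REQUIRED):
        return False, "missing-param"
    if params["cmd"] not in EAS_COMMANDS:
        return False, "unknown-command"
    device = params["deviceid"]
    if not DEVICE_ID.fullmatch(device):
        return False, "bad-device-id"
    if device not in enrolled.get(params["user"].lower(), set()):
        return False, "device-not-enrolled"
    return True, "ok"

# Constructed sample data: one enrolled device and a few request lines.
ENROLLED = {"alice": {"ApplDNXK1234"}}
BASE = "/Microsoft-Server-ActiveSync?User=alice&DeviceType=iPhone"
SAMPLES = [
    ("POST", BASE + "&DeviceId=ApplDNXK1234&Cmd=Sync"),
    ("POST", BASE + "&DeviceId=ApplDNXK1234&Cmd=Bogus"),
    ("POST", BASE + "&DeviceId=Unknown01&Cmd=Sync"),
    ("POST", "/other-app/login"),
]

if __name__ == "__main__":
    for method, url in SAMPLES:
        print(method, url, "->", check_request(method, url, ENROLLED))
```

The returned reason string is suited to logging, so denied requests can also feed the brute-force detection mentioned in the list.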
In our next article, we will look at how you can scale and optimise mobile remote access to maximise performance whilst minimising bandwidth requirements.
