BlackBerry Forums Support Community               

Old 11-01-2007, 10:32 AM   #1 (permalink)
Thumbs Must Hurt
 
Join Date: Jul 2007
Location: Petoskey, MI
Model: 8530
OS: Win 7
PIN: N/A
Carrier: Verizon Droid
Posts: 95
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Blocking OWA access from blackberries


Has anyone successfully blocked blackberries from accessing OWA? We are running Server 2003 and we want to prevent users from buying their own blackberry devices and downloading their work email to them. This is a huge security risk for corporate email to be on blackberries not issued by the business.

Do blackberries have the same style MAC addresses as a Network Card?

So far we have thought of getting a range of IPs that our network (Alltel) may use along with the other cell providers in our area, which is actually only Alltel and CellularOne...this way we could block at the network level.

Anyone have any suggestions or input?
Old 11-01-2007, 12:10 PM   #2 (permalink)
BBF Moderator
 
John Clark's Avatar
 
Join Date: Jun 2005
Model: Z30
OS: 10.2.1.x
PIN: s & needles
Carrier: AT&T
Posts: 34,679
Post Thanks: 4
Thanked 96 Times in 71 Posts
Default

Moved to BES Admin Corner.....

I think you'll have a better chance of getting the help you need over here.
Old 11-01-2007, 12:16 PM   #3 (permalink)
CrackBerry Addict
 
bertiebassett's Avatar
 
Join Date: Aug 2005
Location: London, UK
Model: 9700
Carrier: O2
Posts: 961
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by usererror
Has anyone successfully blocked blackberries from accessing OWA? We are running Server 2003 and we want to prevent users from buying their own blackberry devices and downloading their work email to them. This is a huge security risk for corporate email to be on blackberries not issued by the business.

Do blackberries have the same style MAC addresses as a Network Card?

So far we have thought of getting a range of IPs that our network (Alltel) may use along with the other cell providers in our area, which is actually only Alltel and CellularOne...this way we could block at the network level.
Anyone have any suggestions or input?
The problem is NOT a blackberry problem - the problem is that you have OWA but you're worried about "huge security risks". If you turn off OWA and only allow authorised devices (laptops or BB's) to connect via approved infrastructure then you don't have a problem...what's the bigger risk: what you've outlined above, or someone using OWA in a cyber cafe or at a trade show on a machine which is running a key-logger?

BB's don't have a MAC address in the same way as PCs do on the network card; they have Bluetooth MACs.
__________________
LOTS of answers here: Main Page - BlackBerryFAQ
Old 11-01-2007, 12:26 PM   #4 (permalink)
Thumbs Must Hurt
 
Join Date: Mar 2005
Model: 8700
Carrier: t-mobile
Posts: 125
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by bertiebassett
The problem is NOT a blackberry problem - the problem is that you have OWA but you're worried about "huge security risks". If you turn off OWA and only allow authorised devices (laptops or BB's) to connect via approved infrastructure then you don't have a problem...what's the bigger risk: what you've outlined above, or someone using OWA in a cyber cafe or at a trade show on a machine which is running a key-logger?
Exactly. Or someone could just download the mail to their home PC via OWA... Some of the security concerns make me chuckle a bit.

However, my company had similar concerns, even with many of us voicing how silly it was. They have everyone authenticate with a portal-type screen, which is different from what the blackberry is expecting. That's how they blocked it.
Old 11-01-2007, 03:04 PM   #5 (permalink)
Thumbs Must Hurt
 
Join Date: Jul 2007
Location: city11 -inspectral
Model: 8100
PIN: N/A
Carrier: Cingular
Posts: 79
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I'm not sure this makes any sense. Accessing OWA isn't "downloading" messages anywhere. They'd be viewed in the browser just like on any other system. If you mean using ActiveSync like a Windows Mobile device can do, the BlackBerry handhelds don't support that.
__________________
Legacy of Kain: The Lost Worlds
http://www.thelostworlds.net/
Old 11-01-2007, 03:27 PM   #6 (permalink)
BlackBerry God
 
penguin3107's Avatar
 
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701
Post Thanks: 1
Thanked 237 Times in 219 Posts
Default

Quote:
Originally Posted by blincoln
I'm not sure this makes any sense. Accessing OWA isn't "downloading" messages anywhere. They'd be viewed in the browser just like on any other system.
No... the BlackBerry will use BIS to integrate the OWA account just like any POP3 or IMAP email account.
BIS works with OWA, and it will in fact download messages directly to the BlackBerry device.

What doesn't make sense is the logic behind blocking this type of access to begin with.
It's OWA itself that poses the security risk. Allowing a BlackBerry to integrate with it via BIS doesn't add any additional security problems.
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org
Old 11-01-2007, 06:02 PM   #7 (permalink)
Thumbs Must Hurt
 
Keyscan's Avatar
 
Join Date: Aug 2007
Model: 8800
PIN: N/A
Carrier: Rogers
Posts: 140
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by goaliemn
Exactly. Or someone could just download the mail to their home PC via OWA... Some of the security concerns make me chuckle a bit.

However, my company had similar concerns, even with many of us voicing how silly it was. They have everyone authenticate with a portal-type screen, which is different from what the blackberry is expecting. That's how they blocked it.
There are still ways around that. They have you navigate to a server 2003 portal by the sounds of it but there is still most likely an address https://mail.domain.com/exchange or mail.domain.com/owa associated with your mailbox.
__________________
BES 4.1.4 - Exchange 2003
8800 and my trusty 8700r.
To change your PIN to FFFFFFFF, drop the BB in a lake.
Old 11-01-2007, 08:57 PM   #8 (permalink)
Thumbs Must Hurt
 
Join Date: Jul 2007
Location: Petoskey, MI
Model: 8530
OS: Win 7
PIN: N/A
Carrier: Verizon Droid
Posts: 95
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by penguin3107
What doesn't make sense is the logic behind blocking this type of access to begin with.
It's OWA itself that poses the security risk. Allowing a BlackBerry to integrate with it via BIS doesn't add any additional security problems.
I disagree. Our concern is "unauthorized" users having company email on an "unauthorized" blackberry. If the "unauthorized" user loses their "unauthorized" blackberry then the contents of the email are not protected at all.

The only "authorized" blackberries are the ones purchased and connected with the BES by the company IT staff. Those "authorized" blackberries issued by IT to only certain employees are password encrypted, and after so many mis-entries the blackberry wipes itself. While not foolproof, it is still better (and considered best practice) than any one of our employees buying a blackberry and using it for their work mail, personal mail, etc.

Does that make sense...?

So to get back to the question, is there any way a blackberry, or smart phone for that matter, can be stopped from connecting and reading mail via OWA?

Are the BB packets formed differently? MAC addresses? Even if we knew the first 4 or 8 characters of the RIM MAC we could possibly do that at the network level. There has to be something. We looked at Exchange but cannot disable OWA entirely...

Thanks.
Old 11-02-2007, 04:18 AM   #9 (permalink)
Talking BlackBerry Encyclopedia
 
tobyw's Avatar
 
Join Date: Feb 2007
Location: UK
Model: 8100
Carrier: T-Mobile UK
Posts: 278
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

The options you have that spring to mind are:

1. As you suggest, blocking relevant IPs
2. Change to a different kind of authentication for OWA like RSA, although this would not be costless
3. Only allow OWA access via a VPN connection

As others have said, this issue is partly inseparable from making OWA accessible at all. I'm assuming, given your concerns, that you don't allow RPC-over-HTTP etc., so consider this example: someone has Entourage on their Macbook. This connects through the OWA webdav mechanism and keeps a local copy of the mailbox. Said person could then leave the Macbook in a cab, on a train or have it stolen. There may be some way to cripple webdav whilst leaving OWA functional (I honestly don't know), but the point is that as others have pointed out the BB is only one security risk from having OWA open to the world.
Old 11-02-2007, 02:07 PM   #10 (permalink)
Thumbs Must Hurt
 
Join Date: Jul 2007
Location: city11 -inspectral
Model: 8100
PIN: N/A
Carrier: Cingular
Posts: 79
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by penguin3107
No... the BlackBerry will use BIS to integrate the OWA account just like any POP3 or IMAP email account.
BIS works with OWA, and it will in fact download messages directly to the BlackBerry device.
Ah, I hadn't realized that OWA used WebDAV. That's pretty messed up. Maybe look into blocking external WebDAV access, assuming that you can do that without breaking the OWA website itself?
__________________
Legacy of Kain: The Lost Worlds
http://www.thelostworlds.net/
Old 11-02-2007, 04:04 PM   #11 (permalink)
Retired BBF Moderator
 
Thatzmister2u's Avatar
 
Join Date: Feb 2007
Location: Nor Cal
Model: 9000
PIN: ups! ;)
Carrier: AT&T
Posts: 5,890
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Or just put your OWA server behind a reverse proxy and poof! There goes access. That's what happened at my organization, and it wasn't intended to block BIS, but it worked VERY effectively!

E-
__________________
Unlocked | AT&T BES
*gasp* Un-protected...


www.horizonwirelessonline.com - Unlocks and Repairs
Old 11-02-2007, 06:48 PM   #12 (permalink)
CrackBerry Addict
 
ladydi's Avatar
 
Join Date: Jun 2005
Location: Washington
Model: 8800
Carrier: T-mobile
Posts: 848
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

So, you aren't trying to block them from accessing the OWA website from their personal devices, you are trying to block them from using BIS service or directly connecting a WinMobile phone, correct?

I know that on my personal Exchange server, I had to enable mobile device access under Mobile services in ESM in order to access my account via BIS on my work BB. At work we use the gov authentication and BIS can't read that. So yes, there are ways.
__________________
~Di~
Windows 2003
Exchange 2003
BES 4.1
Old 12-04-2008, 07:07 PM   #13 (permalink)
Thumbs Must Hurt
 
Join Date: Jul 2007
Location: Petoskey, MI
Model: 8530
OS: Win 7
PIN: N/A
Carrier: Verizon Droid
Posts: 95
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by ladydi
So, you aren't trying to block them from accessing the OWA website from their personal devices, you are trying to block them from using BIS service or directly connecting a WinMobile phone, correct?

I know that on my personal Exchange server, I had to enable mobile device access under Mobile services in ESM in order to access my account via BIS on my work BB. At work we use the gov authentication and BIS can't read that. So yes, there are ways.
That might be what recently happened to us, but it was accidental. We had a user call our IT Helpdesk and say "hey, my personal blackberry can no longer get my email."

So yes, there are ways!
Old 12-05-2008, 10:31 AM   #14 (permalink)
Knows Where the Search Button Is
 
Join Date: Jan 2005
Location: South Carolina
Model: 8330
OS: 4.5.0.77
Carrier: Verizon
Posts: 16
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I did it by blocking the IP ranges in this BlackBerry document at the firewall.
Old 12-05-2008, 12:44 PM   #15 (permalink)
New Member
 
Join Date: Jul 2008
Model: 9530
PIN: N/A
Carrier: VZW
Posts: 14
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

We don't hang our OWA out there anymore. So you have to either use a Blackberry on the BES or a company-owned laptop and spin up VPN... or you don't get email while away from the office.
Old 12-05-2008, 01:19 PM   #16 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 
Join Date: Jan 2008
Location: Massachusetts
Model: Z30
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,642
Post Thanks: 264
Thanked 269 Times in 255 Posts
Default

RPC - HTTPS, BB or OMA with SSL ONLY.

OWA is not enabled here.

We thought about web based email but too many people would never close the browser.
__________________
irony : many old timer posters have de-evolved into the trolls they once fought
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Z30, Z10 and Q10
Old 04-16-2009, 11:39 AM   #17 (permalink)
New Member
 
Join Date: Jun 2007
Model: 8830
OS: XP
PIN: N/A
Carrier: Sprint
Posts: 1
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default mobile device access under Mobile services in ESM

Quote:
Originally Posted by ladydi
So, you aren't trying to block them from accessing the OWA website from their personal devices, you are trying to block them from using BIS service or directly connecting a WinMobile phone, correct?

I know that on my personal Exchange server, I had to enable mobile device access under Mobile services in ESM in order to access my account via BIS on my work BB. At work we use the gov authentication and BIS can't read that. So yes, there are ways.
Ladydi,

I am working an issue with our company OWA/OMA and unauthorized access to business email. Please correct me if I read your conversation incorrectly. By disabling mobile device access under Mobile services in ESM those personal BB with a BIS account will not be able to gain access to our exchange email?

We have 5 BES and 3000 BB accounts within our company, and we have a company policy stating that only company-issued BB's are allowed access to send and receive business email and non-BB mobile device use is prohibited.
In addition, in the W3SVC1 logs on our OWA servers I am finding ActiveSync activity from Pocket PCs and iPhones.
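As an added example (not code from any poster in this thread): a small Python scanner over constructed IIS W3SVC1 log lines, in the W3C extended format an Exchange 2003 front end writes, that separates interactive OWA browser sessions from WebDAV sync clients (the path BIS and Entourage use, as discussed above) and ActiveSync devices, the activity the previous post found in its logs. The usernames, client addresses and User-Agent strings are constructed sample values, not taken from the thread.

```python
from collections import Counter

# Constructed sample W3SVC1 log in IIS W3C extended format (not from the thread).
# Client addresses and User-Agent strings are illustrative only.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs(User-Agent) sc-status
2008-12-05 09:01:12 203.0.113.10 CORP\\alice GET /exchange/alice/Inbox/ Mozilla/4.0+(compatible;+MSIE+7.0) 200
2008-12-05 09:01:40 198.51.100.7 CORP\\bob PROPFIND /exchange/bob/Inbox/ Microsoft+Data+Access+Internet+Publishing+Provider 207
2008-12-05 09:02:05 198.51.100.7 CORP\\bob SEARCH /exchange/bob/Inbox/ Microsoft+Data+Access+Internet+Publishing+Provider 207
2008-12-05 09:03:33 192.0.2.55 CORP\\carol POST /Microsoft-Server-ActiveSync Apple-iPhone/701.341 200
2008-12-05 09:04:01 192.0.2.56 CORP\\dave POST /Microsoft-Server-ActiveSync MSFT-PPC/5.2.1000 200
"""

# WebDAV verbs a sync client sends; an interactive OWA browser session uses only GET/POST.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "SEARCH", "BPROPFIND",
                  "SUBSCRIBE", "POLL", "MOVE", "COPY", "BMOVE", "BCOPY"}

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def classify(rec):
    """Label an entry by the access path it represents."""
    stem = rec["cs-uri-stem"].lower()
    if stem.startswith("/microsoft-server-activesync"):
        return "activesync"
    if rec["cs-method"].upper() in WEBDAV_METHODS:
        return "webdav"
    if stem.startswith(("/exchange", "/exchweb")):
        return "owa-browser"
    return "other"

def non_browser_clients(text):
    """Return {(label, user, client ip): hits} for every non-browser access path."""
    hits = Counter()
    for rec in parse_w3c(text):
        label = classify(rec)
        if label in ("activesync", "webdav"):
            hits[(label, rec["cs-username"], rec["c-ip"])] += 1
    return hits

if __name__ == "__main__":
    for (label, user, ip), n in sorted(non_browser_clients(SAMPLE_LOG).items()):
        print(f"{label:10} {user:12} {ip:15} {n} request(s)")
```

Run against a real log by reading the file contents into non_browser_clients(); the result is the list of users and client addresses to reconcile against the company-issued device inventory.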
Old 04-16-2009, 12:04 PM   #18 (permalink)
Talking BlackBerry Encyclopedia
 
sniffs's Avatar
 
Join Date: May 2008
Model: 8310
PIN: N/A
Carrier: AT&T
Posts: 230
Post Thanks: 1
Thanked 0 Times in 0 Posts
Default

I don't think OWA is a security risk. When you log into it via a PC, your email messages are not cached locally for later retrieval. You are basically viewing it. Close the web browser and unplug your internet and those emails aren't viewable anywhere.

On the Blackberry, they are downloaded, and because you can't remotely manage BIS connections, that's a HUGE security risk IMO.

ActiveSync devices such as Windows Mobile, or the iPhone can be remotely managed.. they can be remotely wiped, locked down. BIS connections can't.

What my company did, was we put up a Owa 07 auth server and somewhere along the lines, it blocked BIS connections.. not sure how or why, but it worked great.
__________________
Your lack of planning is not my emergency.

Old 04-16-2009, 01:11 PM   #19 (permalink)
Thumbs Must Hurt
 
Join Date: Jul 2007
Location: Petoskey, MI
Model: 8530
OS: Win 7
PIN: N/A
Carrier: Verizon Droid
Posts: 95
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by sniffs
I don't think OWA is a security risk. When you log into it via a PC, your email messages are not cached locally for later retrieval. You are basically viewing it. Close the web browser and unplug your internet and those emails aren't viewable anywhere.

On the Blackberry, they are downloaded, and because you can't remotely manage BIS connections, that's a HUGE security risk IMO.

ActiveSync devices such as Windows Mobile, or the iPhone can be remotely managed.. they can be remotely wiped, locked down. BIS connections can't.

What my company did, was we put up a Owa 07 auth server and somewhere along the lines, it blocked BIS connections.. not sure how or why, but it worked great.
How did they block BIS? Did they block the RIM IP range for BIS?

Also, now iPhones are a new problem.
Old 04-16-2009, 01:14 PM   #20 (permalink)
Talking BlackBerry Encyclopedia
 
sniffs's Avatar
 
Join Date: May 2008
Model: 8310
PIN: N/A
Carrier: AT&T
Posts: 230
Post Thanks: 1
Thanked 0 Times in 0 Posts
Default

We are running OWA 2003 but the authentication server is 07. Somehow it's blocking it..

iPhones aren't a problem. They use ActiveSync. If you have Mobile Admin installed on OWA, you can remotely wipe, lock, disable features, etc..

Hell, you can do that within the Exchange console.. =)
__________________
Your lack of planning is not my emergency.
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.