11-01-2007, 10:32 AM, #1
Thumbs Must Hurt (Join Date: Jul 2007; Location: Petoskey, MI; Model: 8530; OS: Win 7; PIN: N/A; Carrier: Verizon Droid; Posts: 95)
Blocking OWA access from blackberries
Has anyone successfully blocked blackberries from accessing OWA? We are running Server 2003 and we want to prevent users from buying their own blackberry devices and downloading their work email to them. This is a huge security risk for corporate email to be on blackberries not issued by the business.
Do blackberries have the same style MAC addresses as a Network Card?
So far we have thought of getting a range of IPs that our network (Alltel) may use, along with the other cell providers in our area, which is actually only Alltel and CellularOne... This way we could block at the network level.
Anyone have any suggestions or input?
11-01-2007, 12:10 PM, #2
BBF Moderator (Join Date: Jun 2005; Model: Z30; OS: 10.2.1.x; PIN: s & needles; Carrier: AT&T; Posts: 34,720)
Moved to BES Admin Corner.....
I think you'll have a better chance of getting the help you need over here.
11-01-2007, 12:16 PM, #3
CrackBerry Addict (Join Date: Aug 2005; Location: London, UK; Model: 9700; Carrier: O2; Posts: 961)
Quote:
Originally Posted by usererror
Has anyone successfully blocked blackberries from accessing OWA? We are running Server 2003 and we want to prevent users from buying their own blackberry devices and downloading their work email to them. This is a huge security risk for corporate email to be on blackberries not issued by the business.
Do blackberries have the same style MAC addresses as a Network Card?
So far we have thought of getting a range of IPs that our network (Alltel) may use, along with the other cell providers in our area, which is actually only Alltel and CellularOne... This way we could block at the network level.
Anyone have any suggestions or input?
The problem is NOT a blackberry problem - the problem is that you have OWA but you're worried about "huge security risks". If you turn off OWA and only allow authorised devices (laptops or BBs) to connect via approved infrastructure, then you don't have a problem... What's the bigger risk: what you've outlined above, or someone using OWA in a cyber cafe or at a trade show which is running a key-logger?
BBs don't have a MAC address in the same way as PCs do on the network card; they have Bluetooth MACs.
11-01-2007, 12:26 PM, #4
Thumbs Must Hurt (Join Date: Mar 2005; Model: 8700; Carrier: t-mobile; Posts: 125)
Quote:
Originally Posted by bertiebassett
The problem is NOT a blackberry problem - the problem is that you have OWA but you're worried about "huge security risks". If you turn off OWA and only allow authorised devices (laptops or BBs) to connect via approved infrastructure, then you don't have a problem... What's the bigger risk: what you've outlined above, or someone using OWA in a cyber cafe or at a trade show which is running a key-logger?
Exactly. Or someone could just download the mail to their home PC via OWA... Some of the security concerns make me chuckle a bit.
However, my company had similar concerns, even with many of us voicing how silly it was. They have everyone authenticate with a portal-type screen, which is different from what the blackberry is expecting. That's how they blocked it.
11-01-2007, 03:04 PM, #5
Thumbs Must Hurt (Join Date: Jul 2007; Location: city11 -inspectral; Model: 8100; PIN: N/A; Carrier: Cingular; Posts: 79)
I'm not sure this makes any sense. Accessing OWA isn't "downloading" messages anywhere. They'd be viewed in the browser just like on any other system. If you mean using ActiveSync like a Windows Mobile device can do, the BlackBerry handhelds don't support that.
11-01-2007, 03:27 PM, #6
BlackBerry God (Join Date: Jan 2005; Model: iOS 5; Carrier: VZW; Posts: 11,701)
Quote:
Originally Posted by blincoln
I'm not sure this makes any sense. Accessing OWA isn't "downloading" messages anywhere. They'd be viewed in the browser just like on any other system.
No... the BlackBerry will use BIS to integrate the OWA account just like any POP3 or IMAP email account.
BIS works with OWA, and it will in fact download messages directly to the BlackBerry device.
What doesn't make sense is the logic behind blocking this type of access to begin with.
It's OWA itself that poses the security risk. Allowing a BlackBerry to integrate with it via BIS doesn't add any additional security problems.
11-01-2007, 06:02 PM, #7
Thumbs Must Hurt (Join Date: Aug 2007; Model: 8800; PIN: N/A; Carrier: Rogers; Posts: 140)
Quote:
Originally Posted by goaliemn
Exactly. Or someone could just download the mail to their home PC via OWA... Some of the security concerns make me chuckle a bit.
However, my company had similar concerns, even with many of us voicing how silly it was. They have everyone authenticate with a portal-type screen, which is different from what the blackberry is expecting. That's how they blocked it.
There are still ways around that. They have you navigate to a Server 2003 portal by the sounds of it, but there is still most likely an address like https://mail.domain.com/exchange or mail.domain.com/owa associated with your mailbox.
__________________
BES 4.1.4 - Exchange 2003
8800 and my trusty 8700r.
To change your PIN to FFFFFFFF, drop the BB in a lake.
11-01-2007, 08:57 PM, #8
Thumbs Must Hurt (Join Date: Jul 2007; Location: Petoskey, MI; Model: 8530; OS: Win 7; PIN: N/A; Carrier: Verizon Droid; Posts: 95)
Quote:
Originally Posted by penguin3107
What doesn't make sense is the logic behind blocking this type of access to begin with.
It's OWA itself that poses the security risk. Allowing a BlackBerry to integrate with it via BIS doesn't add any additional security problems.
I disagree. Our concern is "unauthorized" users having company email on an "unauthorized" blackberry. If the "unauthorized" user loses their "unauthorized" blackberry, then the contents of the email are not protected at all.
The only "authorized" blackberries are the ones purchased and connected with the BES by the company IT staff. Those "authorized" blackberries issued by IT to only certain employees are password encrypted, and after so many mis-entries the blackberry wipes itself. While not foolproof, it is still better (and considered best practice) than any one of our employees buying a blackberry and using it for their work mail, personal mail, etc.
Does that make sense...?
So to get back to the question: is there any way a blackberry, or a smart phone for that matter, can be stopped from connecting and reading mail via OWA?
Are the BB packets formed differently? MAC addresses? Even if we knew the first 4 or 8 characters of the RIM MAC we could possibly do that at the network level. There has to be something. We looked at Exchange but cannot disable OWA entirely...
Thanks.
11-02-2007, 04:18 AM, #9
Talking BlackBerry Encyclopedia (Join Date: Feb 2007; Location: UK; Model: 8100; Carrier: T-Mobile UK; Posts: 278)
The options you have that spring to mind are:
1. As you suggest, blocking relevant IPs
2. Change to a different kind of authentication for OWA like RSA, although this would not be costless
3. Only allow OWA access via a VPN connection
As others have said, this issue is partly inseparable from making OWA accessible at all. I'm assuming, given your concerns, that you don't allow RPC-over-HTTP etc., so consider this example: someone has Entourage on their Macbook. This connects through the OWA webdav mechanism and keeps a local copy of the mailbox. Said person could then leave the Macbook in a cab, on a train or have it stolen. There may be some way to cripple webdav whilst leaving OWA functional (I honestly don't know), but the point is that as others have pointed out the BB is only one security risk from having OWA open to the world.
11-02-2007, 02:07 PM, #10
Thumbs Must Hurt (Join Date: Jul 2007; Location: city11 -inspectral; Model: 8100; PIN: N/A; Carrier: Cingular; Posts: 79)
Quote:
Originally Posted by penguin3107
No... the BlackBerry will use BIS to integrate the OWA account just like any POP3 or IMAP email account.
BIS works with OWA, and it will in fact download messages directly to the BlackBerry device.
Ah, I hadn't realized that OWA used WebDAV. That's pretty messed up. Maybe look into blocking external WebDAV access, assuming that you can do that without breaking the OWA website itself?
11-02-2007, 04:04 PM, #11
Retired BBF Moderator (Join Date: Feb 2007; Location: Nor Cal; Model: 9000; PIN: ups! ;); Carrier: AT&T; Posts: 5,890)
Or just put your OWA Server behind a reverse proxy and poof! There goes access. That's what happened at my organization and it wasn't intentionally to block BIS but it worked VERY effectively!
E-
11-02-2007, 06:48 PM, #12
CrackBerry Addict (Join Date: Jun 2005; Location: Washington; Model: 8800; Carrier: T-mobile; Posts: 848)
So, you aren't trying to block them from accessing the OWA website from their personal devices, you are trying to block them from using BIS service or directly connecting a WinMobile phone, correct?
I know that on my personal Exchange server, I had to enable mobile device access under Mobile services in ESM in order to access my account via BIS on my work BB. At work we use the gov authentication and BIS can't read that. So yes, there are ways.
__________________
~Di~
Windows 2003
Exchange 2003
BES 4.1
12-04-2008, 08:07 PM, #13
Thumbs Must Hurt (Join Date: Jul 2007; Location: Petoskey, MI; Model: 8530; OS: Win 7; PIN: N/A; Carrier: Verizon Droid; Posts: 95)
Quote:
Originally Posted by ladydi
So, you aren't trying to block them from accessing the OWA website from their personal devices, you are trying to block them from using BIS service or directly connecting a WinMobile phone, correct?
I know that on my personal Exchange server, I had to enable mobile device access under Mobile services in ESM in order to access my account via BIS on my work BB. At work we use the gov authentication and BIS can't read that. So yes, there are ways.
That might be what recently happened to us, but it was accidental. We had a user call our IT Helpdesk and say, "Hey, my personal blackberry can no longer get my email."
So yes, there are ways!
12-05-2008, 11:31 AM, #14
Knows Where the Search Button Is (Join Date: Jan 2005; Location: South Carolina; Model: 8330; OS: 4.5.0.77; Carrier: Verizon; Posts: 16)
I did it by blocking the IP ranges in this BlackBerry document at the firewall.
12-05-2008, 01:44 PM, #15
New Member (Join Date: Jul 2008; Model: 9530; PIN: N/A; Carrier: VZW; Posts: 14)
We don't hang our OWA out there anymore. So you have to either use a Blackberry on the BES or a company-owned laptop and spin up a VPN... or you don't get email while away from the office.
12-05-2008, 02:19 PM, #16
BlackBerry Elite (Join Date: Jan 2008; Location: Massachusetts; Model: DT60; OS: 123456789; PIN: t of blood has been taken; Carrier: AT&T-US with I dee ten tee errors; Posts: 7,325)
RPC - HTTPS, BB or OMA with SSL ONLY.
OWA is not enabled here.
We thought about web based email but too many people would never close the browser.
__________________
I had to fall
To lose it all
But in the end
It doesn't even matter
Rocking the Motion with out lotion.
04-16-2009, 11:39 AM, #17
New Member (Join Date: Jun 2007; Model: 8830; OS: XP; PIN: N/A; Carrier: Sprint; Posts: 1)
mobile device access under Mobile services in ESM
Quote:
Originally Posted by ladydi
So, you aren't trying to block them from accessing the OWA website from their personal devices, you are trying to block them from using BIS service or directly connecting a WinMobile phone, correct?
I know that on my personal Exchange server, I had to enable mobile device access under Mobile services in ESM in order to access my account via BIS on my work BB. At work we use the gov authentication and BIS can't read that. So yes, there are ways.
Ladydi,
I am working an issue with our company OWA/OMA and unauthorized access to business email. Please correct me if I read your conversation incorrectly. By disabling mobile device access under Mobile services in ESM, those personal BBs with a BIS account will not be able to gain access to our Exchange email?
In addition, in the W3SVC1 logs on our OWA servers I am finding ActiveSync activity from Pocket PCs and iPhones.
We have 5 BES and 3000 BB accounts within our company, and we have a company policy stating that only company-issued BBs are allowed access to send and receive business email, and non-BB mobile device use is prohibited.
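An added example, not code from any poster in this thread: a Python script that reads IIS W3C-extended log entries like the W3SVC1 logs mentioned above, picks out ActiveSync requests and non-browser WebDAV calls against /exchange (the interface BIS-style OWA integration uses), and tallies them per user and device so the list can be reconciled against the BES user list. The log lines, usernames, IPs and device strings are constructed for illustration; the /Microsoft-Server-ActiveSync path and the DeviceType query parameter are standard Exchange ActiveSync, while treating a PROPFIND/SEARCH on /exchange from a non-Mozilla User-Agent as a sync client is an assumption (OWA 2003's own IE client also issues WebDAV, but with a browser User-Agent).

```python
"""Tally non-browser mail-sync clients (ActiveSync, WebDAV) in Exchange 2003 IIS logs."""
from collections import Counter
# Constructed sample excerpt, not real traffic; IIS stores spaces inside a
# field as '+'. Device/agent strings are illustrative, not fingerprints.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs-username cs(User-Agent) sc-status
2009-04-16 12:01:03 203.0.113.10 GET /exchange/jdoe/Inbox - CORP\\jdoe Mozilla/4.0+(compatible;+MSIE+7.0) 200
2009-04-16 12:01:09 198.51.100.7 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=asmith&DeviceType=iPhone CORP\\asmith Apple-iPhone 200
2009-04-16 12:02:15 198.51.100.22 POST /Microsoft-Server-ActiveSync Cmd=FolderSync&User=bkim&DeviceType=PocketPC CORP\\bkim MSFT-PPC 200
2009-04-16 12:03:40 192.0.2.55 PROPFIND /exchange/cjones/Inbox - CORP\\cjones - 207
2009-04-16 12:03:41 192.0.2.55 SEARCH /exchange/cjones/Inbox - CORP\\cjones - 207
2009-04-16 12:04:02 203.0.113.10 PROPFIND /exchange/jdoe/Inbox - CORP\\jdoe Mozilla/4.0+(compatible;+MSIE+7.0) 207
"""
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "SEARCH", "SUBSCRIBE", "POLL"}

def parse_w3c(text):
    """Yield one dict per entry; the '#Fields:' directive names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip malformed rows, never misalign
                yield dict(zip(fields, parts))

def classify(row):
    """'activesync', 'webdav' from a non-browser agent, or None for browser OWA."""
    stem = row["cs-uri-stem"].lower()
    if stem.startswith("/microsoft-server-activesync"):
        return "activesync"
    # Heuristic: OWA 2003's own IE client also issues WebDAV, but with a Mozilla UA.
    if (row["cs-method"].upper() in WEBDAV_METHODS and stem.startswith("/exchange/")
            and not row["cs(User-Agent)"].startswith("Mozilla")):
        return "webdav"
    return None

def find_mobile_sync(text):
    """Counter keyed by (user, kind, device): the list to reconcile against BES."""
    hits = Counter()
    for row in parse_w3c(text):
        kind = classify(row)
        if kind is None:
            continue
        query = dict(p.split("=", 1) for p in row["cs-uri-query"].split("&") if "=" in p)
        device = query.get("DeviceType") or row["cs(User-Agent)"]
        hits[(row["cs-username"], kind, device)] += 1
    return hits
for (user, kind, device), n in sorted(find_mobile_sync(SAMPLE_LOG).items()):
    print(f"{user:12} {kind:10} {device:10} {n} request(s)")
```

Point it at a real W3SVC1 log by reading the file into `text` instead of `SAMPLE_LOG`; any user in the output who is not on the BES is the unmanaged device the policy forbids.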
04-16-2009, 12:04 PM, #18
Talking BlackBerry Encyclopedia (Join Date: May 2008; Model: 8310; PIN: N/A; Carrier: AT&T; Posts: 230)
I don't think OWA is a security risk. When you log into it via a PC, your email messages are not cached locally for later retrieval. You are basically viewing it. Close the web browser and unplug your internet and those emails aren't viewable anywhere.
On the Blackberry, they are downloaded, and because you can't remotely manage BIS connections, that's a HUGE security risk IMO.
ActiveSync devices such as Windows Mobile or the iPhone can be remotely managed; they can be remotely wiped and locked down. BIS connections can't.
What my company did was put up an OWA 07 auth server, and somewhere along the lines it blocked BIS connections. Not sure how or why, but it worked great.
__________________
Your lack of planning is not my emergency.
Last edited by sniffs; 04-16-2009 at 12:10 PM..
04-16-2009, 01:11 PM, #19
Thumbs Must Hurt (Join Date: Jul 2007; Location: Petoskey, MI; Model: 8530; OS: Win 7; PIN: N/A; Carrier: Verizon Droid; Posts: 95)
Quote:
Originally Posted by sniffs
I don't think OWA is a security risk. When you log into it via a PC, your email messages are not cached locally for later retrieval. You are basically viewing it. Close the web browser and unplug your internet and those emails aren't viewable anywhere.
On the Blackberry, they are downloaded, and because you can't remotely manage BIS connections, that's a HUGE security risk IMO.
ActiveSync devices such as Windows Mobile or the iPhone can be remotely managed; they can be remotely wiped and locked down. BIS connections can't.
What my company did was put up an OWA 07 auth server, and somewhere along the lines it blocked BIS connections. Not sure how or why, but it worked great.
How did they block BIS? Did they block the RIM IP range for BIS?
Also, iPhones are now a new problem.
04-16-2009, 01:14 PM, #20
Talking BlackBerry Encyclopedia (Join Date: May 2008; Model: 8310; PIN: N/A; Carrier: AT&T; Posts: 230)
We are running OWA 2003, but the authentication server is 07. Somehow it's blocking it.
iPhones aren't a problem. They use ActiveSync. If you have Mobile Admin installed on OWA, you can remotely wipe, lock, disable features, etc.
Hell, you can do that within the Exchange console. =)
__________________
Your lack of planning is not my emergency.