[usererror]

Has anyone successfully blocked blackberries from accessing OWA? We are running Server 2003 and we want to prevent users from buying their own blackberry devices and downloading their work email to them. This a huge security risk for corporate email to be on blackberries not issued by the business.

Do blackberries have the same style MAC addresses as a Network Card?

So far we have thought of getting a range of IPs that our network (Alltel) may use along with the other cell providers in our area, which is actually only Alltel and CellularOne...this way we could block at the network level.

Anyone have any suggestions or input?

[John Clark]

Moved to BES Admin Corner.....

I think you'll have a better chance of getting the help you need over here.

[bertiebassett]

Quote:

Originally Posted by usererror

Has anyone successfully blocked blackberries from accessing OWA? We are running Server 2003 and we want to prevent users from buying their own blackberry devices and downloading their work email to them. This a huge security risk for corporate email to be on blackberries not issued by the business.

Do blackberries have the same style MAC addresses as a Network Card?

So far we have thought of getting a range of IPs that our network (Alltel) may use along with the other cell providers in our area, which is actually only Alltel and CellularOne...this way we could block at the network level.
Anyone have any suggestions or input?

The problem is NOT a blackberry problem - the problem is that you have OWA but you're worried about "huge security risks". If you turn off OWA and only allow authorised devices (laptops or BB's) to connect via approved infrastructure then you don't have a problem...what's the bigger risk (what you've outlined above) or someone using OWA in a cyber cafe or at a trade show which is running a key-logger

BB's dont have a MAC address in the same was as PC's do on the network card, they have Bluetooth MACS

[goaliemn]

Quote:

Originally Posted by bertiebassett

The problem is NOT a blackberry problem - the problem is that you have OWA but you're worried about "huge security risks". If you turn off OWA and only allow authorised devices (laptops or BB's) to connect via approved infrastructure then you don't have a problem...what's the bigger risk (what you've outlined above) or someone using OWA in a cyber cafe or at a trade show which is running a key-logger

Exactly. Or someone could just download the mail to their home PC via OWA... Some of the security concerns make me chuckle a bit..

However, my company had similar concerns, even with many of us voicing how silly it was.. They have everyone authenticate with a portal-type screen, which is different than what the blackberry is expecting.. Thats how they blocked it..

[blincoln]

I'm not sure this makes any sense. Accessing OWA isn't "downloading" messages anywhere. They'd be viewed in the browser just like on any other system. If you mean using ActiveSync like a Windows Mobile device can do, the BlackBerry handhelds don't support that.

[penguin3107]

Quote:

Originally Posted by blincoln

I'm not sure this makes any sense. Accessing OWA isn't "downloading" messages anywhere. They'd be viewed in the browser just like on any other system.

No... the BlackBerry will use BIS to integrate the OWA account just like any POP3 or IMAP email account.
BIS works with OWA, and it will in fact download messages directly to the BlackBerry device.

What doesn't make sense is the logic behind blocking this type of access to begin with.
It's OWA itself that poses the security risk. Allowing a BlackBerry to integrate with it via BIS doesn't add any additional security problems.

[Keyscan]

Quote:

Originally Posted by goaliemn

Exactly. Or someone could just download the mail to their home PC via OWA... Some of the security concerns make me chuckle a bit..

However, my company had similar concerns, even with many of us voicing how silly it was.. They have everyone authenticate with a portal-type screen, which is different than what the blackberry is expecting.. Thats how they blocked it..

There are still ways around that. They have you navigate to a server 2003 portal by the sounds of it but there is still most likely an address https://mail.domain.com/exchange or mail.domain.com/owa associated with your mailbox.

[usererror]

Quote:

Originally Posted by penguin3107

What doesn't make sense is the logic behind blocking this type of access to begin with.
It's OWA itself that poses the security risk. Allowing a BlackBerry to integrate with it via BIS doesn't add any additional security problems.

I disagree. Our concern is "unauthorized" users having company email on an "unauthorized" blackberry. If the "unauthrized" user loses their "unauthorized" blackberry then the contents of the email are not protected at all.

The only "authorized" blackberries are the ones purchased and connected with the BES by the company IT staff. Those "authorized" blackberries issued by IT to only certain employees are password encrypted and after so many mis-entries the blackberry wipes itself. While not full proof it is still better (and considered best practice) than any one of our employees buying a blackberry and using it for their work mail, personal mail, etc.

Does that make sense...?

So to get back to the question, is there anyway a blackberry or smart phone for that matter can be stopped from connecting and reading mail via OWA?

Are the BB packets formed differently? MAC addresses? Even if we knew the first 4 or 8 characters of the RIM MAC we could possibly do that at the network level. There has to be something. We looked at Exchange but cannot disable OWA entirely...

Thanks.

[tobyw]

The options you have that spring to mind are:

1. As you suggest, blocking relevant IPs
2. Change to a different kind of authentication for OWA like RSA, although this would not be costless
3. Only allow OWA access via a VPN connection

As others have said, this issue is partly inseparable from making OWA accessible at all. I'm assuming, given your concerns, that you don't allow RPC-over-HTTP etc., so consider this example: someone has Entourage on their Macbook. This connects through the OWA webdav mechanism and keeps a local copy of the mailbox. Said person could then leave the Macbook in a cab, on a train or have it stolen. There may be some way to cripple webdav whilst leaving OWA functional (I honestly don't know), but the point is that as others have pointed out the BB is only one security risk from having OWA open to the world.

[blincoln]

Quote:

Originally Posted by penguin3107

No... the BlackBerry will use BIS to integrate the OWA account just like any POP3 or IMAP email account.
BIS works with OWA, and it will in fact download messages directly to the BlackBerry device.

Ah, I hadn't realized that OWA used WebDAV. That's pretty messed up. Maybe look into blocking external WebDAV access, assuming that you can do that without breaking the OWA website itself?

[Thatzmister2u]

Or just put your OWA Server behind a reverse proxy and poof! There goes access. That's what happened at my organization and it wasn't intentionally to block BIS but it worked VERY effectively!

E-

[ladydi]

So, you aren't trying to block them from accessing the OWA website from their personal devices, you are trying to block them from using BIS service or directly connecting a WinMobile phone, correct?

I know that on my personal Exchange server, I had to enable mobile device access under Mobile services in ESM in order to access my account via BIS on my work BB. At work we use the gov authentication and BIS can't read that. So yes, there are ways.

[usererror]

Quote:

Originally Posted by ladydi

So, you aren't trying to block them from accessing the OWA website from their personal devices, you are trying to block them from using BIS service or directly connecting a WinMobile phone, correct?

I know that on my personal Exchange server, I had to enable mobile device access under Mobile services in ESM in order to access my account via BIS on my work BB. At work we use the gov authentication and BIS can't read that. So yes, there are ways.

That might be what recently happened to us, but it was accidental We had a user call our IT Helpdesk and say "hey, my personal blackberry no longer can get my email."

So yes, there are ways!

[mpaque]

I did it by blocking the IP ranges in this BlackBerry document at the firewall.

[FBuzin]

we dont hang our OWA out there anymore. So you have to either use a Blackberry on the BES, or company owned laptop and spin up VPN... or you don't get email while away from the office.

[knottyrope]

RPC - HTTPS, BB or OMA with SSL ONLY.

OWA is not enabled here.

We thought about web based email but too many people would never close the browser.

[Fleetside]

Quote:

Originally Posted by ladydi

So, you aren't trying to block them from accessing the OWA website from their personal devices, you are trying to block them from using BIS service or directly connecting a WinMobile phone, correct?

I know that on my personal Exchange server, I had to enable mobile device access under Mobile services in ESM in order to access my account via BIS on my work BB. At work we use the gov authentication and BIS can't read that. So yes, there are ways.

Ladydi,

I am working an issue with our company OWA/OMA and unauthorized access to business email. Please correct me if I read your conversation incorrectly. By disabling mobile device access under Mobile services in ESM those personal BB with a BIS account will not be able to gain access to our exchange email?
In addition the W3SVC1 logs on our OWA servers I am finding activesync activity with pocketpc's and iPhones.

We have 5 BES and 3000 BB accounts within our company and we have a company policy stating that only company issued BB's are allowed access to send and received business email and non-BB mobile device use is prohibited.
In addition in the W3SVC1 logs on our OWA servers I am finding activesync activity with pocketpc's and iPhones.

[sniffs]

I dont think OWA is a security risk. When you log into it via a PC, your email messages are not cached locally for later retrieval.. You are basically viewing it. Close the web browser and unplug your internet and those emails aren't viewable anywhere.

On the Blackberry, they are downloaded, and because you can't remotely manage BIS connections, that's a HUGE security risk IMO..

ActiveSync devices such as Windows Mobile, or the iPhone can be remotely managed.. they can be remotely wiped, locked down. BIS connections can't.

What my company did, was we put up a Owa 07 auth server and somewhere along the lines, it blocked BIS connections.. not sure how or why, but it worked great.

[usererror]

Quote:

Originally Posted by sniffs

I dont think OWA is a security risk. When you log into it via a PC, your email messages are not cached locally for later retrieval.. You are basically viewing it. Close the web browser and unplug your internet and those emails aren't viewable anywhere.

On the Blackberry, they are downloaded, and because you can't remotely manage BIS connections, that's a HUGE security risk IMO..

ActiveSync devices such as Windows Mobile, or the iPhone can be remotely managed.. they can be remotely wiped, locked down. BIS connections can't.

What my company did, was we put up a Owa 07 auth server and somewhere along the lines, it blocked BIS connections.. not sure how or why, but it worked great.

How did they block BIS? Did they block the RIM IP range for BIS?

Also now Iphones are a new problem.

[sniffs]

We are running OWA 2003 but the authentication server is 07. Somehow it's blocking it..

iPhones aren't a problem. They use ActiveSync. If you have Mobile Admin installed on OWA, you can remotely wipe, lock, disable features, etc..

Hell, you can do that within the Exchange console.. =)