Repercussions of disabling basic authentication?
I've been trying to search for an answer to this question and haven't had much luck. What are the repercussions of disabling basic authentication (password sent in clear text) within the ActiveSync properties? We are looking at changing security measures and are wary about user accounts and passwords being obtained in the event that SSL breaks. FYI, I am fairly new to Exchange.
November 19th, 2009 9:51pm
Can you clarify what you define as 'SSL breaks'. You can require SSL on the ActiveSync virtual directory, thus disallowing anything other than SSL. What version of Exchange and Windows Servers (for IIS instructions) are you using?

If you are using Exchange 2003 or 2007 on Windows 2003 Server then in IIS go to the properties of the ActiveSync VD | Directory Security | Edit button under Secure Communications | Require Secure Channel (SSL). Ensure all ActiveSync users are prefixing your address with https:// before enforcing this change.

Note: Disabling basic authentication would cause ActiveSync to break, without an alternate method of authentication. Both Token and Certificate solutions are supported for Exchange 2007, and possibly 2003 (I'd need to double check), but note for Token you will need a 3rd party 2 factor authentication system.

Take a read of: "Choosing an Authentication Method for Your Exchange ActiveSync Server" http://technet.microsoft.com/en-us/library/bb232023.aspx

Oliver
Oliver Moazzezi | Exchange MVP, MCSA:M, MCTS:Exchange 2010, BA (Hons) Anim
| http://www.exchange2007.com | http://www.exchange2010.com | http://www.cobweb.com |
November 19th, 2009 11:24pm
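The answer above describes two separate things: requiring SSL on the ActiveSync virtual directory (so Basic credentials are never sent in clear text) and the fact that switching Basic off without certificate or token auth in place breaks ActiveSync. The script below is an added example, not code from this thread or from Microsoft, that audits both settings on an Exchange 2007 Client Access server running IIS 7 (Windows Server 2008, as the poster has) and only changes anything when run with -Apply. The virtual directory identity, the IIS application path and the appcmd.exe location are assumed defaults; adjust them for your environment.

```powershell
# Added example (not from the thread): audit the ActiveSync virtual
# directory for the settings discussed above, then apply hardening only on
# request. Run from the Exchange Management Shell on the CAS server.
param(
    [switch]$Apply,                                   # default: report only
    [string]$VdIdentity = "$env:COMPUTERNAME\Microsoft-Server-ActiveSync (Default Web Site)",  # assumed default
    [string]$IisAppPath = "Default Web Site/Microsoft-Server-ActiveSync",                       # assumed default
    [string]$AppCmd     = (Join-Path $env:windir "System32\inetsrv\appcmd.exe")                 # IIS 7 path
)

function Get-EasAuthPosture {
    # Exchange-side view: which auth methods the VD currently offers.
    $vd = Get-ActiveSyncVirtualDirectory -Identity $VdIdentity

    # IIS-side view: the SSL requirement lives in <access sslFlags="..."> for the app.
    $accessXml = (& $AppCmd list config $IisAppPath /section:access) -join "`n"
    $sslFlags  = ""
    if ($accessXml -match 'sslFlags="([^"]*)"') { $sslFlags = $Matches[1] }

    [pscustomobject]@{
        Identity         = $vd.Identity
        BasicAuthEnabled = $vd.BasicAuthEnabled
        ClientCertAuth   = $vd.ClientCertAuth          # Ignore, Accepted or Required
        ExternalUrl      = "$($vd.ExternalUrl)"
        IisSslFlags      = $sslFlags
        SslRequired      = ($sslFlags -match '\bSsl\b')
    }
}

$posture = Get-EasAuthPosture
$posture | Format-List

# Findings, in the order the thread raises them.
if (-not $posture.SslRequired) {
    Write-Warning "SSL is not required on $IisAppPath; Basic credentials can travel in clear text."
}
if ($posture.ExternalUrl -and $posture.ExternalUrl -notmatch '^https://') {
    Write-Warning "ExternalUrl is not https://; devices may still be pointed at plain HTTP."
}
if ($posture.BasicAuthEnabled -and $posture.ClientCertAuth -eq 'Ignore') {
    Write-Host "Basic is the only method offered: turning it off now would break every device."
}

if ($Apply) {
    # 1. Require SSL on the VD (the scripted equivalent of the IIS GUI steps above).
    & $AppCmd set config $IisAppPath /section:access /sslFlags:Ssl /commit:apphost

    # 2. Only once certificate auth is deployed to devices: require it and drop Basic.
    #    Left as -WhatIf here; remove it after the certificate rollout is confirmed.
    Set-ActiveSyncVirtualDirectory -Identity $VdIdentity -ClientCertAuth Required `
        -BasicAuthEnabled $false -WhatIf
}
else {
    Write-Host "Report only. Re-run with -Apply to require SSL on the VD."
}
```

Run it once without -Apply to see the current posture. The ordering matters: requiring SSL is safe to do first (devices already using https:// keep working), whereas the Set-ActiveSyncVirtualDirectory step stays behind -WhatIf because, as the answer notes, dropping Basic before an alternate method is in place locks every device out.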
Thanks for your reply Oliver,

I've been told there are known vulnerabilities that allow you to spoof the certificate and perform a man in the middle attack, by obtaining the username and password which are sent via clear text while using the basic authentication method. I am using Exchange 2007 on Windows Server 2008.

I have already read through the knowledgebase article, but didn't find it informative about the downsides to using certain authentication solutions.

- Craig
November 20th, 2009 12:00am
Hi there,

I presume you mean: http://www.theregister.co.uk/2009/11/05/serious_ssl_bug/ which was then performed in a real world attack on Twitter in the last few days: http://www.theregister.co.uk/2009/11/14/ssl_renegotiation_bug_exploited/

I would wait for a fix to come about and sit and wait - ActiveSync won't be your only problem, I'm sure you have publicly exposed URLs with SSL all over the place.

Oliver
Oliver Moazzezi | Exchange MVP, MCSA:M, MCTS:Exchange 2010, BA (Hons) Anim
| http://www.exchange2007.com | http://www.exchange2010.com | http://www.cobweb.com |
November 20th, 2009 12:33am