Possible security issue with Exchange and Blackberry Internet Services

  • Question

  • Hi

    I have a user on Exchange who has ActiveSync, Webmail, etc. all disabled apart from MAPI, and he has been downloading emails onto his Blackberry handset for months.

    He added his work mailbox using BIS (Blackberry Internet Services); looking at his handset, the URL set for Outlook Web Access is https://my.domain.com/autodiscover/autodiscover.xml

    Note: I have masked our real domain with my.domain.com.

    How on earth is he able to download emails onto his handset, with Outlook Web Access disabled on his Exchange profile?!

    Ideally only those users with OWA enabled can access this service using BIS (note this is different to BES).

    Please advise how we correct this, as potentially any of our users can download emails onto their handset without any controls.

    Thursday, January 26, 2012 10:22 AM

Answers

  • You can use Set-CASMailbox and the EwsBlockList switch. You'll have to identify the user agent in the IIS logs for the BIS connection and then filter on that and set the list at the org level.

    http://technet.microsoft.com/en-us/library/bb125264.aspx

    http://technet.microsoft.com/en-us/library/aa997443.aspx

    Note that user agents can be spoofed. I haven't done this so I can't tell you how well it works, so you'll have to do some testing on your own and perhaps block for just one user and test from there if you go this route.

    Another option is to identify the BIS IP addresses (Blackberry forums) and block those on the firewall.


    • Edited by Andy DavidMVP Thursday, January 26, 2012 4:06 PM
    • Marked as answer by uklogistics Thursday, January 26, 2012 5:39 PM
    Thursday, January 26, 2012 4:05 PM
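As an added example (not from the thread and not Microsoft's own code), the procedure described in this answer in Exchange Management Shell: tally the user agents hitting /EWS/ per authenticated user in an IIS W3C log, then block the one identified for a single mailbox with Set-CASMailbox before applying it org-wide. The log path, the mailbox identity and the user-agent pattern are assumed placeholders.

```powershell
# Added example: identify EWS user agents from an IIS log, then block one per mailbox.
# Assumptions (placeholders, not values from the thread): log path, mailbox, UA pattern.
$LogPath    = 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex120126.log'   # assumed path
$Mailbox    = 'jsmith@my.domain.com'                              # assumed mailbox
$AgentMatch = 'BlackBerry*'                                       # placeholder; paste the UA found below

# The '#Fields:' header of a W3C log defines the column order of every data row.
$header = Get-Content $LogPath | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
$fields = ($header -replace '^#Fields:\s*') -split '\s+'

# Turn each non-comment row into an object keyed by the field names.
$rows = Get-Content $LogPath | Where-Object { $_ -notlike '#*' } | ForEach-Object {
    $values = $_ -split ' '
    $row = @{}
    for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
    [pscustomobject]$row
}

# EWS requests only, grouped by authenticated user and user agent
# (IIS logs spaces inside the User-Agent as '+').
$rows |
    Where-Object { $_.'cs-uri-stem' -like '/EWS/*' -and $_.'cs-username' -ne '-' } |
    Group-Object 'cs-username', 'cs(User-Agent)' |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Block the identified agent for one mailbox first (Exchange 2010 SP1 and later).
# EwsBlockList accepts '*' wildcards; EnforceBlockList makes the list take effect.
Set-CASMailbox -Identity $Mailbox -EwsApplicationAccessPolicy EnforceBlockList -EwsBlockList @{Add=$AgentMatch}
Get-CASMailbox -Identity $Mailbox | Format-List EwsEnabled, EwsApplicationAccessPolicy, EwsBlockList

# Same block at the org level, once the single-mailbox test has confirmed the UA:
# Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList -EwsBlockList @{Add=$AgentMatch}
```

Because the block is keyed on a client-supplied User-Agent, watch the grouped counts after the change: a spoofed agent would show up as the same user reaching /EWS/ under a new string.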

All replies

  • BIS uses Exchange Web Services, not Outlook Web Access.
    Thursday, January 26, 2012 2:54 PM
  • Please can you advise how you can disable "Exchange Web Services" against specific users?

    Thursday, January 26, 2012 3:49 PM
  • Ok, going to mark as answered, however we need to make time to test etc.

    I feel this should be something that should be easily controlled via Exchange Manager.

    Thursday, January 26, 2012 4:41 PM
  • Ok, going to mark as answered, however we need to make time to test etc.

    I feel this should be something that should be easily controlled via Exchange Manager.


    I agree that having it in the EMC GUI would be optimal.
    Thursday, January 26, 2012 4:46 PM