Account disable or password change not enough for email sync termination


So as an experienced IT pro you are quite confident: management terminated an employee, you disabled her account, and there is no way she could still tamper with her mailbox.

Sure?

Think twice about it. Or rather, read twice about it. Here:

http://support.microsoft.com/kb/2612821

And here:

http://social.technet.microsoft.com/wiki/contents/articles/exchange-best-practices-for-untrusted-mailbox-users.aspx

And now an example from real life: an employee travels a lot, and it is only a matter of statistics until she reports her laptop stolen or lost. Since we do not want her AD account or mailbox disabled, we simply change her password and cut off every other means of connecting from the vanished laptop, such as the VPN settings. The employee is happy and you breathe out, as security is re-established. Then you receive a phone call: the employee can still sync e-mail to her mobile device with the old password. You check the IIS logs on the Exchange 2007 / 2010 Client Access Server and are all eyes when, in point of fact, requests with User=name&DeviceId=tampered&DeviceType=mobileDevice are happily receiving HTTP 200 acknowledgements. The reason is caching: the Client Access Server keeps reusing the session it already authenticated for that device instead of re-validating the credentials against Active Directory on every request, so the old password stays usable until that cached entry expires. And it can really take up to 24 hours; I tested it. Adieu, Microsoft security recommendations!
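The log check described above, as an added example that is not part of the original post: a PowerShell function that reads an IIS W3C log from the Client Access Server, keeps only the /Microsoft-Server-ActiveSync requests, and lists every HTTP 200 a given user's devices still received after the time of the password change. The log lines, the user name "jdoe", the log path and the 08:00 change time are constructed assumptions for the example; on a real server replace $logLines with Get-Content of the actual log file.

```powershell
# Added example, not from the original post: scan an IIS W3C log from an
# Exchange 2007/2010 Client Access Server for ActiveSync requests that still
# got HTTP 200 after the password was changed. The log lines below are
# constructed sample data; to run against a real server replace $logLines with
#   Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex120601.log'
# (that path and the user "jdoe" are assumptions). IIS writes timestamps in UTC.

$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-06-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-06-01 07:55:10 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ABCDEF123456&DeviceType=iPhone&Cmd=Sync 443 CONTOSO\jdoe 203.0.113.7 Apple-iPhone3C1/901.334 200 0 0 312
2012-06-01 08:30:41 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ABCDEF123456&DeviceType=iPhone&Cmd=Ping 443 CONTOSO\jdoe 203.0.113.7 Apple-iPhone3C1/901.334 200 0 0 1547
2012-06-01 08:31:05 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=asmith&DeviceId=DEADBEEF0001&DeviceType=Android&Cmd=Sync 443 CONTOSO\asmith 198.51.100.9 Android/4.0 200 0 0 201
2012-06-01 08:32:17 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ABCDEF123456&DeviceType=iPhone&Cmd=Sync 443 - 203.0.113.7 Apple-iPhone3C1/901.334 401 2 5 0
'@
$logLines = $sampleLog -split "`r?`n"

function Get-EasHitsAfter {
    param(
        [string[]]$Lines,     # W3C log lines, including the '#Fields:' header
        [string]$User,        # value of the User= query parameter (what the device sends)
        [datetime]$Since      # when the password was changed / account disabled (UTC)
    )
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column layout can differ between log files, so take it from the header
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $fields -or $line.Trim() -eq '') { continue }
        # IIS replaces spaces inside a field (e.g. User-Agent) with '+', so splitting on whitespace is safe
        $cols = $line -split '\s+'
        if ($cols.Count -ne $fields.Count) { continue }   # skip truncated or malformed lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-uri-stem'] -notlike '/Microsoft-Server-ActiveSync*') { continue }

        # Query string looks like User=jdoe&DeviceId=...&DeviceType=...&Cmd=Sync
        $q = @{}
        foreach ($pair in ($row['cs-uri-query'] -split '&')) {
            $k, $v = $pair -split '=', 2
            $q[$k] = $v
        }
        $when = [datetime]::ParseExact("$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss',
                                       [System.Globalization.CultureInfo]::InvariantCulture)

        # Only successful requests after the change matter: each one is a sync
        # that the old password should no longer have been good for
        if ($q['User'] -eq $User -and $when -ge $Since -and $row['sc-status'] -eq '200') {
            New-Object PSObject -Property @{
                Time       = $when
                DeviceId   = $q['DeviceId']
                DeviceType = $q['DeviceType']
                Cmd        = $q['Cmd']
                ClientIP   = $row['c-ip']
                UserAgent  = $row['cs(User-Agent)']
            }
        }
    }
}

# Assumption for this example: jdoe's password was changed at 08:00 UTC.
# Expected output: only the 08:30:41 Ping by device ABCDEF123456. The 07:55 sync is
# before the change, asmith is another user, and the 401 at 08:32 is the server
# finally refusing the old password (cs-username is '-' on failed authentication).
Get-EasHitsAfter -Lines $logLines -User 'jdoe' -Since ([datetime]'2012-06-01 08:00:00') |
    Sort-Object Time |
    Format-Table Time, DeviceId, DeviceType, Cmd, ClientIP -AutoSize
```

Filtering on the User= query parameter rather than cs-username is deliberate: the query string is what the device sends and is logged even when the request is later rejected, while cs-username only appears once IIS has accepted the credentials. A hit list that keeps growing hours after the change is the evidence the post is talking about.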

Why do I consider the proposals on the Microsoft support page ridiculous? Because in most cases you will not have the mobile devices in your hands, and the third option, restarting MSExchangeSyncAppPool, recycles the application pool for every device on that Client Access Server, not just the one in question. The proposals from the second link (Exchange best practices for untrusted mailbox users) are more user-centric and do a good job in the legal-proceedings situation they describe, or similar ones. But what we need here is to re-establish a single user's "security relationship". Luckily there is one more option that makes this possible:

Open the Exchange Management Console and navigate to Recipient Configuration / Mailbox. Right-click the mailbox and select "Manage Mobile Device…". Remove the partnership in question, or better still all partnerships, and wait until the device tries to sync again: at that moment, at the very latest, the holder of the device will either know the new password or not. Note that this deletes only the server-side partnership and its sync state; nothing is sent to the device, and a legitimate device simply builds a new partnership and does a full resync on its next successful connection.
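The same partnership removal from the Exchange Management Shell, as an added example that is not part of the original post, for when you have to do this for several mailboxes or want a record of what was removed. The mailbox alias "jdoe" is an assumption; Get-ActiveSyncDeviceStatistics and Remove-ActiveSyncDevice exist on both Exchange 2007 SP1 and Exchange 2010.

```powershell
# Added example, not from the original post: the Exchange Management Shell
# equivalent of EMC > Recipient Configuration > Mailbox > Manage Mobile Device.
# The mailbox alias "jdoe" is an assumption. Get-ActiveSyncDeviceStatistics
# exists on Exchange 2007 SP1 and 2010 and returns the Identity that
# Remove-ActiveSyncDevice needs; on Exchange 2010 SP1 and later
#   Get-ActiveSyncDevice -Mailbox $mailbox | Remove-ActiveSyncDevice
# is the shorter equivalent.

$mailbox = 'jdoe'

# 1. Look before you delete: which partnerships exist and when did each last sync?
#    A partnership that synced successfully after the password change is exactly
#    the one the post is about.
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $mailbox)
$devices | Format-Table DeviceType, DeviceId, DeviceUserAgent, LastSuccessSync, LastSyncAttemptTime -AutoSize

# 2. Remove every partnership for this mailbox. Only the server-side sync state
#    is deleted; nothing is sent to the phone and mail on it is not wiped. The
#    next sync has to create a new partnership, and a device whose holder does
#    not know the new password gets no further than that.
foreach ($device in $devices) {
    Write-Host ("Removing partnership {0} ({1})" -f $device.DeviceId, $device.DeviceType)
    Remove-ActiveSyncDevice -Identity $device.Identity -Confirm:$false
}

# 3. Verify: the list should now be empty
$remaining = @(Get-ActiveSyncDeviceStatistics -Mailbox $mailbox)
if ($remaining.Count -eq 0) {
    Write-Host "All ActiveSync partnerships for $mailbox removed."
} else {
    Write-Warning ("{0} partnership(s) still present for {1}" -f $remaining.Count, $mailbox)
}
```

Keep the output of step 1 with the incident record: it shows which device IDs were paired and when they last synced, which is what you will be asked for if the missing laptop turns into a formal investigation.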
