Welcome to In Depth Defense. In Depth Defense LLC is a privately owned Information Security Consulting company owned and operated by Mark Baggett. In Depth Defense specializes in Penetration Testing and Incident Response. At this time In Depth Defense is not accepting any new client work, but we are happy to speak to you and point you to other resources in the community.

Mark Baggett has been active in Information Security for 18+ years. I've served in a variety of roles from software developer to CISO. You can find archives of older blog entries below and read my newer posts on http://www.pauldotcom.com, http://isc.sans.edu and http://pen-testing.sans.org

Friday, July 25, 2008

Controlling iPhones in your enterprise

iPhone 2.0 is really cool and it will, like all other Microsoft Mobile devices, allow the user to synchronize their email to the device unless you take action to prevent it. Whether you plan to support the iPhone or not, you will need to take some steps if you want any control of the devices in your enterprise. See these arguments in support of the iPhone, and this organization that suggests not supporting it.

If you're not supporting iPhones you have a couple of options. You can block the requests based on their User-Agent by using isapirewrite, as I suggested in an earlier blog post. The iPhone's User-Agent string is Apple-iPhone/501.347, so your new ISAPI filters begin to look like this:

RewriteEngine on

#Block Blackberry, iPhones and other smartphones
RewriteCond %{HTTP:User-Agent} (?:BWC.Worker.*|BWC.Engine.*|MSFT-SPhone.*|PalmOne-TreoAce.*|AvantGO.*|Apple-iPhone.*) [NC]
RewriteRule .? - [F,L]

This is a good approach for handling any devices that use WebDAV or OWA screen scraping (such as Entourage and Blackberry) to synchronize to handhelds.
Alternatively, since the iPhone is a Microsoft ActiveSync device, you can block it by disabling ActiveSync on your Exchange server. I will describe that process in this article.
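Before you drop a User-Agent block onto your OWA server it is worth knowing which devices are already hitting it. The PowerShell below is an added example, not part of the original post: it parses a few constructed IIS W3C log lines, extracts cs(User-Agent), and reports which requests touch /Microsoft-Server-ActiveSync and which would be refused by the same pattern the rewrite rule above uses. The log lines, user names and addresses are made up; one of them carries a constructed User-Agent ("Example-Handheld/1.0") that the pattern does not match, so the report also shows the kind of gap a block list leaves.

```powershell
# Added example (not from the original post): inventory sync clients in an IIS W3C log
# before deciding what to block. The log lines below are constructed for illustration.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-username cs(User-Agent) sc-status
2008-07-25 08:01:12 192.0.2.10 POST /Microsoft-Server-ActiveSync alice Apple-iPhone/501.347 200
2008-07-25 08:01:15 192.0.2.11 GET /exchange/bob/Inbox bob Mozilla/4.0+(compatible;+MSIE+7.0) 200
2008-07-25 08:02:40 192.0.2.12 OPTIONS /Microsoft-Server-ActiveSync carol MSFT-SPhone/5.2.1235 200
2008-07-25 08:03:01 192.0.2.13 POST /Microsoft-Server-ActiveSync dave Example-Handheld/1.0 200
'@

# Same alternation the RewriteCond uses; the rule's [NC] flag is the -imatch here.
$blockPattern = 'BWC.Worker.*|BWC.Engine.*|MSFT-SPhone.*|PalmOne-TreoAce.*|AvantGO.*|Apple-iPhone.*'

function Get-SyncClientReport {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields: directive names the columns for the lines that follow it.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # IIS writes spaces inside the User-Agent as '+'; undo that for readability.
        $ua = $row['cs(User-Agent)'] -replace '\+', ' '
        [PSCustomObject]@{
            User       = $row['cs-username']
            ClientIP   = $row['c-ip']
            UserAgent  = $ua
            ActiveSync = $row['cs-uri-stem'] -like '/Microsoft-Server-ActiveSync*'
            WouldBlock = $ua -imatch $blockPattern
        }
    }
}

Get-SyncClientReport -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

Run it against a real log with `Get-Content` in place of the here-string. A row with ActiveSync = True and WouldBlock = False is a device that will keep synchronizing after the rule goes in, which is exactly the case the ActiveSync-side control described next is for.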

If you plan to allow the iPhone but want to control who can use it you will need to make some changes. By default anyone with the iPhone 2.0 software can point their phone at your webmail server and start storing email. To prevent this from happening you need to set the user's msExchOmaAdminWirelessEnable attribute to a value of 7. By default its value is NULL, which allows all ActiveSync functions. (Default ALLOW... Thanks Microsoft)
I like a little control over who is storing corporate emails on mobile devices. Like-minded corporations will need to run a script nightly that disables ActiveSync for new users added to the network. Microsoft has a sample script that will disable ActiveSync for unconfigured users. The script takes user objects where msExchOmaAdminWirelessEnable is NULL (unconfigured) and sets them to a value of 7, which disables ActiveSync. Download the sample script here.

Here is an explanation of the msExchOmaAdminWirelessEnable attribute:

1 (bit 0) = 1 to disable Server ActiveSync, 0 to enable it
2 (bit 1) = 1 to disable OMA, 0 to enable it
4 (bit 2) = 1 to disable Always Up-To-Date (AUTD), 0 to enable it
1 + 2 + 4 = 7 = all ActiveSync features disabled

When you want to enable a user you will need to set the value to 0 (zero). A value of 0 enables all ActiveSync functions. This can be enabled through the Exchange admin tool on the "EXCHANGE FEATURES" tab.
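The PowerShell below is an added example and is not the Microsoft sample script linked above. It does two things the text describes: decodes a msExchOmaAdminWirelessEnable value into the three bits, and implements the nightly default-deny job that finds mail-enabled users whose attribute is still NULL and sets it to 7. It assumes a domain-joined machine running under an account allowed to write that attribute; the LDAP search base is a placeholder, and the function honours -WhatIf so you can see which accounts it would touch before it changes anything.

```powershell
# Added example (not the Microsoft sample script): decode the msExchOmaAdminWirelessEnable
# bitmask and set unconfigured (NULL) users to 7, i.e. every ActiveSync feature disabled.

function Get-OmaWirelessState {
    param($Value)
    # NULL (attribute not set) behaves like 0: everything is allowed.
    if ($null -eq $Value -or "$Value" -eq '') { $Value = 0 }
    $Value = [int]$Value
    [PSCustomObject]@{
        RawValue           = $Value
        ActiveSyncDisabled = ($Value -band 1) -ne 0   # bit 0
        OmaDisabled        = ($Value -band 2) -ne 0   # bit 1
        AutdDisabled       = ($Value -band 4) -ne 0   # bit 2
        AllDisabled        = ($Value -band 7) -eq 7
    }
}

function Disable-UnconfiguredActiveSync {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Placeholder search base; empty string means the domain's default naming context.
        [string]$SearchBase = ''   # e.g. 'LDAP://OU=Staff,DC=example,DC=com' (assumed path)
    )
    # Mail-enabled user objects where the attribute has never been set.
    $filter = '(&(objectCategory=person)(objectClass=user)(mailNickname=*)(!(msExchOmaAdminWirelessEnable=*)))'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchBase) { $searcher.SearchRoot = [adsi]$SearchBase }
    $searcher.Filter = $filter
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.Add('sAMAccountName')

    foreach ($result in $searcher.FindAll()) {
        $name = $result.Properties['samaccountname'][0]
        if ($PSCmdlet.ShouldProcess($name, 'Set msExchOmaAdminWirelessEnable = 7')) {
            $entry = $result.GetDirectoryEntry()
            $entry.Put('msExchOmaAdminWirelessEnable', 7)
            $entry.SetInfo()
        }
        $name   # emit the account name so the nightly run leaves a record
    }
}

# Decode a few values: NULL and 0 allow everything, 7 disables all three features.
Get-OmaWirelessState -Value $null
Get-OmaWirelessState -Value 1
Get-OmaWirelessState -Value 7

# Dry run first; drop -WhatIf once the list of affected accounts looks right.
Disable-UnconfiguredActiveSync -WhatIf
```

Schedule the real run nightly with Task Scheduler and keep its output, since that list is the record of who was denied by default. Users you approve afterwards get the value set back to 0 through the Exchange Features tab, and because the filter only matches accounts whose attribute is NULL, the next nightly run will not undo that approval.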

If you enable it you will want to consider enabling some security controls. The iPhone and Microsoft ActiveSync fall short (by a long shot) of the controls you have with Blackberry Enterprise. Most notable in my opinion is the lack of device encryption. But you can enable some features such as requiring passwords on the device, inactivity timeouts, wiping the device after a number of failed login attempts and remote "Wipe" of the device. These policies are set on your Exchange server using Microsoft tools.

You can also try the Apple utility, but it lacks central enforcement and users can simply choose not to use it. It is more of a configuration convenience than a security policy enforcement tool. If you try to use that tool but do not address the fundamental problem of ActiveSync being enabled by default for everyone, then users can simply point to your web server and ignore your Apple XML-based configuration.

Note "Wipe" is in quotes.  If you "Wipe" the device using the ActiveSync functions built into exchange it appears to just put the device in recovery mode requiring the reinstallation of the iPhone software.   I somewhat doubt that this actually wipes the device.   It will be interesting to check that out after I get dd on my 2.0 phone.  

I also found it interesting that once the "WIPE" command is sent from Exchange, it continues to send the command until you tell it to stop. This will put iPhone users in a circular loop of Wipe, Reinstall, Restore backup (which contains Exchange settings), and the phone is IMMEDIATELY wiped again if they have PUSH email enabled. The user's only choice is to set up the iPhone as a new device and not restore that backup again.