ActiveSync 4.5 KB817379 and security hole?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • ActiveSync 4.5 KB817379 and security hole?

    Hi folks-

    I've read
    http://www.petri.co.il/problems_with...activesync.htm
    and
    http://support.microsoft.com/kb/817379/en-us

    I'm getting the Event 3031 error on my Exchange server, hence the above TechNet article (which is mentioned in the event description).

    The TechNet article refers to ActiveSync 4.1 though, and this
    http://forums.petri.com/showthread.p...17379+security

    article eventually mentions that Exchange SP2 may remove the need for KB817379? I dunno.

    In any case, it reads rather as if KB817379 creates a security hole in that Mobile users no longer have SSL protecting their sessions?
    Do I read that right? Am I sending clear-text Active Directory usernames and passwords over the cellular radio connection and the Internet if I do that /exchange-oma configuration?

    Secondly, does KB817379 really apply to ActiveSync 4.5 and Exchange SP2?

    I -am- getting the 0x85010014 on the device (HTC Ozone) and the Event 3031 on the server, so it LOOKS like that's the problem....
    but people seem to be removing the changes from KB817379....


    Ideas? Updates to the info in that thread from 2008?

  • #2
    Re: ActiveSync 4.5 KB817379 and security hole?

    First - Exchange 2003 SP2 does not remove the need for 817379 - it introduces the need for that KB article. Before Exchange 2003 SP2 ActiveSync worked in a different way, which made it only usable in the USA where they had free SMS to email gateways. The rest of the world does not have those so ActiveSync (known as Always up to date) was basically ignored.

    Furthermore, you have confused ActiveSync the desktop application with Exchange ActiveSync. They are different. You do not need to have anything installed on the desktop to sync with Exchange over the air.

    Finally, with regards to security, again you have misunderstood things. 817379 does not introduce any kind of security hole. The traffic is still protected by SSL. You have confused the setting to REQUIRE SSL with the ability to use it. You are not the first and will not be the last to do so. People look for a setting to turn SSL on and off, but one does not exist.
    The reason this KB article is required is because an internal call on IIS is made using port 80. That is internal to the server. With require SSL enabled by the use of FBA, that call fails. Therefore a second internal only virtual directory is created to deal with that call.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.
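
One way to check both points from this answer against the server's own IIS logs, as an added example that is not part of the original post: no remote client authenticates over port 80, and only the server itself calls `/exchange-oma`. The function name `audit`, the log sample, the field selection and the ActiveSync path in the sample lines are assumptions, as is the binding layout (port 80 plain HTTP, no TLS-terminating proxy in front of IIS).

```python
import ipaddress

# Constructed IIS W3C log sample (not from the thread). 192.0.2.10 stands in
# for the Exchange server itself; the device-facing path is illustrative.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip sc-status
2010-02-21 20:01:11 192.0.2.10 POST /Microsoft-Server-ActiveSync 443 CORP\\alice 198.51.100.7 200
2010-02-21 20:01:12 192.0.2.10 PROPFIND /exchange-oma/alice/Inbox 80 CORP\\alice 192.0.2.10 207
2010-02-21 20:05:40 192.0.2.10 POST /Microsoft-Server-ActiveSync 80 CORP\\bob 198.51.100.9 200
2010-02-21 20:07:02 192.0.2.10 GET /exchange-oma/bob/Inbox 80 - 203.0.113.50 403
"""

def audit(log_text, server_ips, internal_vdir="/exchange-oma"):
    """Return (line_number, reason) findings for an IIS W3C extended log."""
    local = {ipaddress.ip_address(ip) for ip in server_ips}
    fields, findings = [], []
    for no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names follow the directive
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # truncated or foreign line, skip it
        row = dict(zip(fields, parts))
        try:
            client = ipaddress.ip_address(row["c-ip"])
        except (KeyError, ValueError):
            continue
        remote = client not in local and not client.is_loopback
        if not remote:
            continue                    # the internal port-80 call is expected
        if row.get("cs-uri-stem", "").lower().startswith(internal_vdir):
            findings.append((no, "remote request to internal-only vdir"))
        elif row.get("s-port") == "80" and row.get("cs-username", "-") != "-":
            findings.append((no, "authenticated request without TLS"))
    return findings

if __name__ == "__main__":
    for no, reason in audit(SAMPLE_LOG, ["192.0.2.10"]):
        print(f"line {no}: {reason}")
```
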



    • #3
      Re: ActiveSync 4.5 KB817379 and security hole?

      Thanks VERY much Simon!

      I actually did know that ActiveSync 4.5 wasn't required -
      I included that data just in case someone got all into the problems with 4.0 and 4.1, which as you point out, isn't the case.

      Glad to hear that the "uncheck require SSL" still means the device can itself do SSL if it wants to.

      I wondered about that since the device does have a checkbox for "require HTTPS" for the connection.



      • #4
        Re: ActiveSync 4.5 KB817379 and security hole?

        Incidentally -- you mention "free SMS to email gateways"

        What I saw initially was this link
        http://www.msexchange.org/tutorials/...rver_2003.html

        I was a bit confused by the difference between ActiveSync for Exchange, where your device has your username and password, etc --

        and whatever that is in the MSExchange article.

        I've never seen anyone have to configure each cellular provider by adding a sort of "connector" with "@cellprovider.com" == as is shown in that article with T-Mobile as an example.

        What's that per-carrier email-domain configuration for?
        What does it do?

        Is it better/worse/different/outdated as compared to this article:
        http://www.petri.com/configure_oma.htm

        I don't get why both articles are talking about configuring OMA, but Daniel doesn't talk about configuring each provider, and MSExchange does?

        Not saying one is right and one is wrong --- just interested in the reasons behind the difference?

        Is the MSExchange article leveraging those free SMS-to-email gateways that the carriers use?
        Last edited by treimers; 21st February 2010, 20:57. Reason: update



        • #5
          Re: ActiveSync 4.5 KB817379 and security hole?

          Email to SMS gateways with the email address of @carrier are almost exclusive to the USA. The USA mobile phone market is not as mature as the rest of the world, they don't text, they had IM on phones before we did. There isn't the money in texting that there is in Europe, Asia etc.

          That is clearly shown by the 1st gen iPhone, which was simply laughed at by the industry in Europe because it was based on technology available in that area for some time. However in the USA it was doing things that were not seen before.

          OMA is something different. It is a plain text version of OWA. Nothing to do with ActiveSync.

          That article from msexchange.org is like a lot of their content - riddled with errors and never updated. It is six years old, so is from the time of RTM, whereas Exchange and mobile working changed radically at SP2. They have used the term OMA to describe AUTD, whereas the two technologies are very different. I am rapidly discounting msexchange.org as a quality resource of Exchange assistance because the articles are so poor.

          Simon.
          --
          Simon Butler
          Exchange MVP
