Outlook Anywhere vs Activesync and Enterprise Security

[byteguy]

I would like to deploy new MS Surface Pro 2s (SP2s) installed with Windows 8.1 and MS Office 2013. I will keep these outside the corporate firewall so that users can install non company standard apps (as they currently do on iPads). However, unlike with iPads, they can enjoy a fully featured MS Office experience for work related activities. However, the key ‘connection’ they will have to the corporate systems will be email.

I am responsible for my local office’s IT infrastructure which is limited to LAN connected desktops and a local domain for file and print services. Our Exchange environment recently was migrated to our HQ.

I have encountered a roadblock with corporate IT. I would like to use Outlook 2013 on the SP2s connecting via Outlook Anywhere when working remotely (as we do with existing company issued laptops). Corporate IT will only permit an Activesync connection, as is used with company issued iPads. I believe that Outlook 2013 will not work with Activesync which would require us to use the (sadly disappointing) Windows8.1 email client – it won’t be a great experience for our users.

I have countered various arguments regarding ActiveSync benefits (remote wipe, forced encryption, forced passwords) but have encountered one argument that I can’t readily answer. Corporate IT insist that their Exchange environment is more vulnerable if a user’s SP2 is connected to Exchange via Outlook Anywhere rather than Activesync and it becomes compromised by a virus, Trojan or other hack (by using personal apps such as Skype, iTunes, games, etc.).

I can’t find a definitive answer, in my searching, that compares the vulnerability of the enterprise Exchange server when connecting to compromised clients via Outlook Anywhere rather than ActiveSync.

Can anyone help as well as direct me to a MS issued paper that answers this in a manner that corporate IT, or I, can’t refute?

 

[Diane Poremsky]

I'm not sure why they are treating the surface any differently than the laptops? Both should be treated the same.

And yes, you are correct, outlook can't use ActiveSync - they'd have to use the builtin mail app or OWa.

IT is incorrect - outlook is secure against viruses. I don't have any documentation for security EAS vrs Outlookanywhere, but I believe they are both equally secure.

 

[byteguy]

I'm not sure why they are treating the surface any differently than the laptops? Both should be treated the same.

And yes, you are correct, outlook can't use ActiveSync - they'd have to use the builtin mail app or OWa.

IT is incorrect - outlook is secure against viruses. I don't have any documentation for security EAS vrs Outlookanywhere, but I believe they are both equally secure.

Thanks for your confirmation, Diane. In order for me to convince my IT HQ of this, I doubt that they would accept anything but an MS tech document or a paper from another credible third party analyst. Do you have any guidance as to where I will find such? I have already spent half a day in Google but drawing blanks. Another possible option is for a persuasive document that compares how a client connecting to Exchange via EAS is any different from one connecting via Outlook Anywhere, in particular, whether a compromised client can more easily gain access to the corporate Exchange environment. Please note that these SP2s will have Symantec Endpoint Protection (stand-alone) just as any domain connected laptop - except they will never join the domain.

 

[Diane Poremsky]

I'll see what i can find.

They'll only have access to the Exchange server either way.

 

[byteguy]

I'll see what i can find.

They'll only have access to the Exchange server either way.

Another related thought: while never having used it, doesn't MS offer its Office 365 suite, to enterprises and individuals, in a configuration that permits the client end to be a full blown Outlook client that connects via Outlook Anywhere to MS's Office 365 Exchange infrastructure? If so, could it be argued that MS has no way of knowing whether the client PCs connecting are compromised by some kind of malware? If this is the case, would they have any better protection from untrusted connecting clients than a enterprise would have with their own Exchange farm? I guess I am asking "if Outlook Anywhere is deemed safe by MS, with untrusted clients, why would an enterprise feel differently?" Any idea the approximate number of clients that Office 365 sees connecting via Outlook Anywhere?

 

[Diane Poremsky]

100% of the outlook clients connecting to office 365 use outlook anywhere - it's the only way. I have no idea of the number, but it's in the millions.

Did they give any specifics about why they think outlook anywhere is unsafe?

 

[Diane Poremsky]

i don't think these articles will help any - they cover it more from the angle of SSL and someone sniffing email or credentials, which would apply to ActiveSync too, rather than security from the standpoint of viruses and such. From the security/virus angle, the rpc connection is secure - a virus could only get in via email and outlook is secure against viruses.

http://social.technet.microsoft.com...0/thread/140eca3f-bea0-4e40-a74f-9ed7ede6cd3a

Understanding Security for Outlook Anywhere

http://technet.microsoft.com/en-us/library/bb430792.aspx

Securing Client Access Servers

http://technet.microsoft.com/en-us/library/bb400932.aspx

 

[Diane Poremsky]

I wonder if they read this article - http://www.computerworld.com/s/arti...nager_s_Journal_Closing_off_a_hole_in_Outlook

If so

1) ActiveSync is a problem too - users can add an account to any win8 computer. Once mail is downloaded to a surface, the user can do anything they want with it, just like they can with outlook.

2) "A few weeks ago, the manager of a local hotel called to tell us that the hotel staff had discovered over 1GB of our company email on the computer in the hotel lobby. " WTF? The problem isn't Outlook Anywhere, it's the idiot user who created an outlook profile on someone else's computer... i can't believe a computer in the hotel lobby has outlook or that they don't reimage nightly. Or that the user was dumb enough to set up a profile on it - they should be using OWA on public computers. But making users use active sync isn't going to prevent this, they can still create accounts in Mail apps on other computers - only educating users will prevent this.

 

[byteguy]

I wonder if they read this article - http://www.computerworld.com/s/arti...nager_s_Journal_Closing_off_a_hole_in_Outlook

If so

1) ActiveSync is a problem too - users can add an account to any win8 computer. Once mail is downloaded to a surface, the user can do anything they want with it, just like they can with outlook.

2) "A few weeks ago, the manager of a local hotel called to tell us that the hotel staff had discovered over 1GB of our company email on the computer in the hotel lobby. " WTF? The problem isn't Outlook Anywhere, it's the idiot user who created an outlook profile on someone else's computer... i can't believe a computer in the hotel lobby has outlook or that they don't reimage nightly. Or that the user was dumb enough to set up a profile on it - they should be using OWA on public computers. But making users use active sync isn't going to prevent this, they can still create accounts in Mail apps on other computers - only educating users will prevent this.

Thanks for all the links. I have already reviewed most of them. I also have sent across a 'request' to HQ to consider that seeks to draw comparisons to EAS but also relevance to our company owned SP2s (unlike the hotel faux-pas our data 'should' only be on the SP2). I can't answer your question on why they think OA is not secure as my initial feedback has been vague. The iniital position is that OA would connect an untrusted SP2 directly to their Exchange. I am trying to work through their concerns in a constructive way -- which I thought would benefit from a definitive MS document that would dispell their fears or, at least, categorically, clarify that OA expsoures are not greater that EAS exposures. I might find that their concerns are well placed but my research to date doesn't support this.