Active Directory Password Protection
Publishing ActiveSync increases the risk of exposing the Active Directory credentials. Using the Mobile Access Control module, your organization can protect corporate passwords by defining custom login credentials exclusively for ActiveSync (i.e., Active Directory credentials are not stored on mobile device).
Following are a few examples of how you organization can take advantage of the custom login features:
Avoid Storing Active Directory Credentials on Device
Using the Active Directory credentials in the non-secure environment of a mobile device introduces risk. The exposed credentials could be hacked and used to either receive your emails or login to other corporate applications.
Hacking is typically done in two ways in the mobile world: "Eavesdropping" on public networks; or hostile applications installed by users or received by SMS.
Smart Card Solution
Many organizations with high security requirement use smart card or token for network login. In these networks, users do not have a username and password for Active Directory. Mobile Access Control allows the usage of ActiveSync without the need to manage ActiveDirectory credentials. With the custom login solution, the user logs into the Access Portal, authenticates with his smart card from his network computer and creates dedicated email credentials for use on the mobile device.
Active Directory Account Lockout Guard
Account lockout can be a result of two scenarios:
- User has changed the Active Directory password but did not change the device settings, so the device keeps trying to authenticate with the old password.
- An attacker that has the username (without the password) tries to login several times.
These scenarios cause help desk overhead and may even cause denial of service in case of an attack.
Using the Mobile Access Control custom login, all failed attempts are blocked on the gateway level (Forefront/Bastion) before reaching the Active Directory, thus avoiding account lockout and denial of service.