Topic Last Modified: 2009-01-21
The Microsoft Exchange Server Best Practices Analyzer parses the permissions that are set on the Microsoft-Server-ActiveSync virtual directory to determine whether the appropriate permissions are assigned.
The Analyzer does not expect permissions to be set on the Microsoft-Server-ActiveSync virtual directory. The tool generates a best practices message if it determines that any of the following check boxes are selected on the Virtual Directory tab of the Microsoft-Server-ActiveSync Properties dialog box:
- Script source access
- Read
- Write
Microsoft Exchange ActiveSync allows for the synchronization of mailbox information with mobile devices. To do this, Exchange uses the Microsoft-Server-ActiveSync virtual directory in Internet Information Services (IIS). As a best practice, permissions on this virtual directory should be restricted. By default, the following check boxes are not selected on the Virtual Directory tab of the Microsoft-Server-ActiveSync Properties dialog box:
- Script source access
- Read
- Write
- Directory browsing
These permissions are not required on the virtual directory. To address this issue, modify the permission entries on the Microsoft-Server-ActiveSync virtual directory to restrict the permissions.
To modify permissions on the Microsoft-Server-ActiveSync virtual directory in IIS 6.0
1. Start the Internet Information Services (IIS) Manager tool.
2. Expand Web Sites, expand Default Web Site, right-click Microsoft-Server-ActiveSync, and then click Properties.
3. Click the Virtual Directory tab, and then click to clear the following check boxes:
   - Script source access
   - Read
   - Write
   - Directory browsing
4. Click OK.
5. Start a command prompt, and then run the iisreset command to apply the changes.
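
The same check and change can be scripted with adsutil.vbs, the metabase administration script that ships with IIS 6.0. This is an added example, not part of the original article; it assumes that Default Web Site has site identifier 1 and that adsutil.vbs is in its default AdminScripts folder, and the `fix` argument is this script's own convention.

```bat
@echo off
rem Added example (not from the original article).
rem Reports, and optionally clears, the four virtual directory permissions
rem named above on the Microsoft-Server-ActiveSync virtual directory.
rem
rem Assumptions: Default Web Site is site ID 1, and adsutil.vbs is in its
rem default location. Adjust ADSUTIL and VDIR if your server differs.
rem
rem Metabase property      Check box on the Virtual Directory tab
rem   AccessSource         Script source access
rem   AccessRead           Read
rem   AccessWrite          Write
rem   EnableDirBrowsing    Directory browsing

setlocal
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set VDIR=W3SVC/1/ROOT/Microsoft-Server-ActiveSync
set PROPS=AccessSource AccessRead AccessWrite EnableDirBrowsing

if not exist "%ADSUTIL%" (
    echo adsutil.vbs not found at "%ADSUTIL%"
    exit /b 1
)

echo Current settings on %VDIR%:
for %%P in (%PROPS%) do (
    cscript //nologo "%ADSUTIL%" get %VDIR%/%%P
)

rem Without the "fix" argument the script only reports and makes no changes.
if /i not "%~1"=="fix" exit /b 0

echo Clearing permissions on %VDIR%:
for %%P in (%PROPS%) do (
    cscript //nologo "%ADSUTIL%" set %VDIR%/%%P FALSE
)

rem Restart IIS so that the change takes effect, as in the last step above.
iisreset
endlocal
```

Run the script with no arguments to review the current values, and with `fix` to clear them and restart IIS.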