Since Outlook Web Access is nothing more than a Web application, it should be fairly simple to secure. If an organization follows Microsoft's best practices for securing Internet Information Services (IIS), then Outlook Web Access will indeed be safe for any end user. However, if Client Access Server-related settings on back-end servers aren't configured properly, then the info that users access may be open to attack -- even if Outlook Web Access is secure.
It is the responsibility of solution providers to educate customers on Outlook Web Access security and teach them how to use the program responsibly. Security risks and configuration needs vary considerably, depending on whether a user is going to be using Outlook Web Access from a public machine, or a company-issued private machine. There are also notable risks associated with using Outlook Web Access from a user's privately owned computer since the company has no control over the machine's security. It could be running an outdated OS, or be infested with Trojans, keystroke loggers, etc.
As a solution provider, one can never be sure of where a customer's users will be when they log on. As such, Outlook Web Access can be configured to be more secure if a user is accessing it from a public computer vs. a non-public machine. However, Outlook Web Access has no way of knowing if a user is logged on through a public or a private computer. Therefore, its logon screen asks the user if he or she is using a public or a private computer.
Differentiating between public and private computer settings is possible because Exchange maintains separate configurations for both public and private usage, which can be configured through the Exchange Management Console.
The Exchange Management Console is the primary management tool in Exchange 2007. It is located on the Start | All Programs | Microsoft Exchange menu. If you open the Exchange Management Console and navigate through the console tree to Server Configuration | Client Access, you will see a listing for Client Access Servers (the servers that host Outlook Web Access in Exchange Server 2007) in the lower portion of the details pane. Select the Outlook Web Access tab, right-click on the Outlook Web Access container, and choose the Properties command from the resulting shortcut menu. From there, the console will display the Outlook Web Access (Default website) Properties sheet.
Looking at Figure A below, you can see the properties sheet's Public Computer File Access tab, which allows an administrator to enable or disable direct file access and Web Ready Document Viewing.
Direct file access is a feature that enables a link found in an email message to offer direct access to a file that is stored on a SharePoint server or on a network file server. This makes it possible for a user to access files, even if they aren't attached to an email message. Disabling this feature blocks access to back-end SharePoint servers or file servers via Outlook Web Access. Web Ready Document Viewing allows users to open certain types of attachments, even if they do not have the associated application installed. For example, if a user wanted to open a Word document from a machine that did not have Microsoft Office installed, Web Ready Document Viewing enables file viewing through a Web browser. Disabling this feature prevents a user from opening the documents unless associated client applications are installed locally.
Just to the right of the Public Computer File Access tab on the Exchange Management Console is another tab labeled Private Computer File Access. The options on this tab are identical to the options on the Public Computer File Access tab. By maintaining disparate settings on the "Public" and "Private" tabs, administrators can vary the behavior of Outlook Web Access depending on how users classify their session when they log on. Unfortunately, there is no blanket configuration recommendation that would work for all customers. If an organization has a business need for using a feature, then the security risks may not justify disabling the feature. Of course the opposite can also be true. The organization must assess its needs and security requirements and use those assessments as the basis for configuration choices.
To that end, before adjusting any Outlook Web Access settings, Exchange administrator must decide what types of online activities are considered "safe" when a user is logged on from a public kiosk. When a user is using Outlook Web Access through a public computer, the biggest security risk is accidental disclosure of information. If a user sends a message, reads a message or opens a file using Web Ready Document Viewing, the messages -- and their attached documents -- are cached on the computer's hard drive. Anybody who knows what they are doing can easily extract this data from the browser cache. This isn't such a big deal on a private computer, but it is an issue to think about on public computers.
Some administrators like to configure Outlook Web Access so that users can't access attachments, file servers or SharePoint document libraries while using a public computer. Other administrators aren't as concerned with the disclosure of information as they are with users' ability to do their jobs. Keep in mind that normally a user can only open an attachment if the application that is associated with the attachment is installed on the computer. Therefore, if a user needs to view a Microsoft Word document, then under normal circumstances Microsoft Word would need to be installed on the computer being used.
Exchange Server 2007 gets around this problem by offering the Web Ready Document Viewing feature, explained above. Still, a determined hacker could retrieve the data from the browser cache. This means Exchange administrators must decide whether email attachments pose a security threat when viewed through Outlook Web Access.
While these settings and policy options can help channel partners keep customers' email data safe, user education is also essential. Users must be taught to understand the difference between a public and private setting, and distinguish between them when logging on, namely by selecting the public computer option when they are using a public kiosk. Otherwise, users might treat every Outlook Web Access session the same.About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.