I'm trying to convince my boss that our organization can provide email access over the Internet without security...
threats. I plan to use Outlook Web App -- what are the risks and countermeasures of doing so? And what can I do to secure OWA in this situation?
Of all the clients I've supported, only a few opted to completely disable Outlook Web App (OWA) externally for security reasons. Not to discourage you, but my attempts to convince them otherwise in those instances did little to change their minds. When there are across-the-board security policies prohibiting Web-based access to internal data sources, it may already be a done deal. Based on your question, I sense you're part of such an organization that would be willing to disable OWA for security reasons.
Does this mean organizations that choose to externally implement OWA are oblivious to the potential security risk? Not necessarily. Most organizations want to implement OWA on the basis that it's a business requirement to facilitate communications, but also to do all they can to secure the connections. In many cases, it comes down to the benefits of OWA outweighing the risks.
I've seen organizations use a number of measures to secure OWA. Outside of obvious actions such as having stronger password policies, here are some common countermeasures for OWA risks.
|Secure Sockets Layer (SSL) encryption||
|Forms-based authentication (FBA)||
|Dedicated servers for Client Access Server role (Exchange 2007 to Exchange 2013)||
Some advanced countermeasures to secure OWA that you could also consider include:
- Two-factor authentication – Requires more than just a password, often described as "something you have and something you know"
- One-time password - Unlike a static password, a one-time password changes each time the user logs in
- S/MIME – Secure MIME extensions are used to provide non-repudiation and email item level encryption
- Active Directory Rights Management Service (AD RMS) – Protects email by allowing the owner to apply rights management policies that stay with the file regardless of where it goes
About the author:
Richard Luckett is a consultant and instructor specializing in messaging and unified communications. He's been a certified professional with Microsoft since 1996 and has 20 years of experience in the public and private sectors. He's a Microsoft Certified Trainer with more than 15 years of training experience with the Microsoft product line and received the Exchange MVP award in 2006, 2007 and 2008. He's also an expert in deploying and integrating Exchange Server and Lync Server. He leads the Microsoft training and consulting practice at LITSG.
Dig Deeper on Outlook Web Access
Related Q&A from Richard Luckett
When you're stumped on how to track email items following a central mailbox move, fix the dilemma by knowing what happens to items in mailboxes when ...continue reading
You can pull out the big guns to manually remove what's left of your failed Exchange Server from Active Directory, but it's best to consider ...continue reading
Our resident Microsoft Lync expert explains where to find IP phones that are compatible with Microsoft Lync Server.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.