Minimize remote and mobile Outlook Web Access (OWA) security risks


Brien Posey
06.03.2008


Outlook Web Access (OWA) is one of the biggest security threats to Microsoft Exchange Server. Although OWA itself is fairly secure if properly implemented, user PCs accessing Outlook Web Access, such as home PCs, can be more susceptible to malware.

Malware isn't a direct threat to Exchange. The real threat is the potential disclosure of sensitive data. Keystroke loggers and similar malware mechanisms attempt to relay details of an infected user's online activity to the malware's creator. This means that any email an infected user sends or opens in OWA can be viewed by the malware creator.

The million-dollar question is: What can you do to minimize the risks? Many companies forbid OWA use from computers that are not secure. The real solution is to control malware; however, this is easier said than done.

Internet Explorer (IE) can be infected far too easily. Alternative browsers such as Firefox are less prone to malware infection than Internet Explorer, but may give users a false sense of security.

Here are recommendations for securing Outlook Web Access for mobile and remote users:

  • Create strict group policies to lock down the guest operating system. It's possible to create a group policy that hides the Windows Start menu and all of the various Windows options. You can configure this so that Internet Explorer opens when a user logs on to the guest operating system and then connects the user directly to the OWA server. You can also use IE-related group policy settings to completely lock down the browser.

    Group policy settings for locking down Internet Explorer are found in the Group Policy Object Editor under Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer and under User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer.

  • It is important to remember that if you implement a dedicated virtual environment, it will secure Outlook Web Access only against the unintentional disclosure of information on an "assigned" PC. If a mobile worker uses a home PC instead of their laptop, it can completely undermine everything that you've done. You could hide the OWA URL; however, IE7 requires that a URL be shown for all websites (there is a way to get around this requirement, though). An alternative option is to eliminate Outlook Web Access and require mobile and remote users to use Microsoft Outlook with RPC over HTTP.
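
One way to check that the group policy lockdown from the first recommendation actually reached a test logon on the guest operating system, as an added example that is not part of the original tip. The OWA URL is a placeholder, the selection of baseline values is an assumption, and starting Internet Explorer through the Custom User Interface policy is one assumed way to implement the logon behaviour described above.

```powershell
# Added example: audit the registry-backed policy values for the logged-on user.
# Run it in the session of the locked-down test account while validating the GPO.
function Test-OwaKioskLockdown {
    param([string]$OwaUrl = 'https://mail.example.com/owa')   # placeholder URL

    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $ie       = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'

    # Assumed baseline: each value is a DWORD that is 1 when the policy is enabled.
    $baseline = @(
        @{ Path = $explorer; Name = 'NoRun' },             # no Run command
        @{ Path = $explorer; Name = 'NoControlPanel' },    # no Control Panel
        @{ Path = $system;   Name = 'DisableTaskMgr' },    # no Task Manager
        @{ Path = $ie;       Name = 'NoBrowserOptions' },  # no Internet Options
        @{ Path = $ie;       Name = 'NoFileOpen' },        # no File > Open
        @{ Path = $ie;       Name = 'NoBrowserSaveAs' }    # no File > Save As
    )

    foreach ($item in $baseline) {
        # A missing key or value yields $null, which is reported as non-compliant.
        $prop   = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
        $actual = if ($prop) { $prop.($item.Name) } else { $null }
        [pscustomobject]@{
            Setting   = "$($item.Path)\$($item.Name)"
            Expected  = 1
            Actual    = $actual
            Compliant = ($null -ne $actual -and $actual -eq 1)
        }
    }

    # Custom User Interface policy: the shell should be Internet Explorer
    # pointed at the OWA server instead of explorer.exe.
    $prop  = Get-ItemProperty -Path $system -Name 'Shell' -ErrorAction SilentlyContinue
    $shell = if ($prop) { [string]$prop.Shell } else { '' }
    [pscustomobject]@{
        Setting   = "$system\Shell"
        Expected  = "iexplore.exe ... $OwaUrl"
        Actual    = $shell
        Compliant = ($shell -match 'iexplore\.exe' -and
                     $shell.ToLower().Contains($OwaUrl.ToLower()))
    }
}

# List only the settings that did not apply.
Test-OwaKioskLockdown | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

An empty table means every checked value is in place for that account; it says nothing about a home PC that never received the policy.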

    About the author: Brien M. Posey, MCSE, has previously received Microsoft's MVP award for Exchange Server, Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.

    All Rights Reserved, Copyright 2004 - 2009, TechTarget