Addressing Outlook Web App 2010 security concerns

Microsoft transformed Outlook Web App in Exchange Server 2010 by making it more user-friendly. For example, OWA now works more consistently with Web browsers outside the Microsoft universe. Users can check email at a glance using conversation threads and a universal view. And since OWA automatically suggests contacts as users begin typing in the To: field, they can compose messages faster. The company also improved OWA's search and search filtering capabilities.

These new features may entice more users to log onto Exchange 2010 remotely, making it even more important to ensure that OWA isn't used as a gateway for mischief on your network. Therefore, it's a good idea to create a buffer zone between your internal network and the Internet. OWA users will be accessing the system from various locations and from a variety of machines. Since you can't ensure the security of these machines, it’s best to put a protective layer between them and the network.

In earlier versions of Exchange, the buffer zone -- sometimes known as the demilitarized zone (DMZ) -- typically contained a copy of Exchange to massage incoming traffic from the Internet before it reached back-end servers. Exchange Server 2010 limits the server's role when it is installed in the DMZ. Microsoft made these changes for two reasons -- to address configuration mistakes customers were making and to boost security.

Microsoft learned that more customers used reverse proxy servers, such as Internet Security and Acceleration (ISA), to perform tasks previously assigned to client access servers in the DMZ. One such task is to re-authenticate traffic before it reaches back-end servers.

One reason reverse proxy servers are popular is that they are more secure than a client access server (CAS) installation in the DMZ. For example, in order to function properly, the CAS needs full access to all mailboxes and significant access rights to Active Directory. This configuration places a lot of privilege in a perimeter layer and should be avoided.

Additionally, because a CAS needs a lot of Exchange business logic to operate, placing it in the DMZ exposes that logic at the perimeter of your network and opens it up to hackers. Minimizing the amount of code and logic that’s exposed in the DMZ reduces the attack surface available to outside intruders.

Exchange servers expose more surface logic than reverse proxy servers, which are designed to withstand Internet attacks. Reverse proxy servers are placed at the perimeter of a network, offering better protection and more flexibility because they have more defense-in-depth features and deployment options.

Public access security in OWA 2010

It's important to differentiate how OWA behaves on a private computer versus a public computer. If you're concerned about OWA users polluting your organization's file system from a public computer, I recommend shutting off direct file access via public machines.

Opening documents in a Web browser is another security risk. This occurs when a user tries to open a document on a system that doesn't have the required application. Documents viewed in a Web browser are placed in the browser's cache folder. On a public computer, subsequent users can view those documents via the cache. Disabling WebView in OWA's public computer settings will prevent this.
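The two public-computer settings described above (direct file access and WebReady document viewing) can be applied and verified from the Exchange Management Shell. This is an added example, not code from the article; the server name CAS01 is a hypothetical placeholder.

```powershell
# Run in the Exchange Management Shell on an Exchange 2010 Client Access server.
# "CAS01" is a hypothetical server name used only for this example.
$ServerName = "CAS01"

# Locate the OWA virtual directory (normally "owa (Default Web Site)") on that server.
$owaVdir = Get-OwaVirtualDirectory -Server $ServerName |
    Where-Object { $_.Name -like "owa*" }

# Public-computer hardening:
#  - no direct file access, so attachments cannot be saved to the local disk
#  - no WebReady document viewing, so converted documents never land in the browser cache
# Private-computer settings are deliberately left unchanged, as the article describes.
$owaVdir | Set-OwaVirtualDirectory `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled $false

# Re-read the directory and show the public vs. private settings side by side.
$check = Get-OwaVirtualDirectory -Server $ServerName |
    Where-Object { $_.Name -like "owa*" }
$check | Select-Object Name,
    DirectFileAccessOnPublicComputersEnabled,
    DirectFileAccessOnPrivateComputersEnabled,
    WebReadyDocumentViewingOnPublicComputersEnabled,
    WebReadyDocumentViewingOnPrivateComputersEnabled |
    Format-List

# Flag anything that did not take effect (e.g. a replication or permission problem).
$problems = @()
if ($check.DirectFileAccessOnPublicComputersEnabled) {
    $problems += "Direct file access is still enabled for public computers"
}
if ($check.WebReadyDocumentViewingOnPublicComputersEnabled) {
    $problems += "WebReady document viewing is still enabled for public computers"
}

if ($problems.Count -eq 0) {
    Write-Output "OWA public-computer settings hardened on $ServerName"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run the same check periodically; a change to these settings on an Internet-facing CAS is worth alerting on.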

When controlling how OWA accesses files, remember that users aren't always cooperative. It doesn't take users long to figure out that they have more freedom if they tell the system they're working on a private computer -- whether they are or not. If this becomes an issue, you can resort to using third-party tools to fill the gaps.

Using Secure Sockets Layer (SSL) connections when accessing OWA via the Internet can also improve security. Without SSL, this communication would be transmitted as clear text that's easy for Net snoopers to obtain.

In most organizations, SSL isn't turned on by default. To turn it on, configure an SSL certificate on Exchange and enable it for Internet use. Once SSL is enabled, most OWA communication over the Internet is encrypted.
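Configuring and enabling a certificate for Internet-facing OWA, as an added example that is not part of the article. Host names and file paths are constructed placeholders; the step of submitting the request to a certificate authority happens outside the script.

```powershell
# Run in the Exchange Management Shell on the Internet-facing Exchange 2010 Client Access server.
# Host names and paths below are hypothetical placeholders for this example.
$ExternalHost = "mail.example.com"
$RequestFile  = "C:\certs\owa-request.req"
$IssuedCert   = "C:\certs\owa-cert.cer"

# 1. Generate a certificate request for the public OWA name and submit $RequestFile to your CA.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$ExternalHost" `
    -DomainName $ExternalHost, "autodiscover.example.com" `
    -PrivateKeyExportable $true
Set-Content -Path $RequestFile -Value $request

# 2. After the CA returns the signed certificate, import it and bind it to IIS,
#    which is the service OWA (and the other web-based client protocols) run under.
$cert = Import-ExchangeCertificate `
    -FileData ([Byte[]](Get-Content -Path $IssuedCert -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 3. Publish OWA under the HTTPS name so clients are directed to the encrypted endpoint.
Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
    Where-Object { $_.Name -like "owa*" } |
    Set-OwaVirtualDirectory -ExternalUrl "https://$ExternalHost/owa"

# 4. Verify: the certificate bound to IIS must cover the public name and must not be expired.
$bound = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$problems = @()
if ($bound.Services -notmatch "IIS") {
    $problems += "Certificate is not enabled for IIS"
}
if ($bound.CertificateDomains -notcontains $ExternalHost) {
    $problems += "Certificate does not cover $ExternalHost"
}
if ($bound.NotAfter -le (Get-Date)) {
    $problems += "Certificate expired on $($bound.NotAfter)"
}

if ($problems.Count -eq 0) {
    Write-Output "OWA is published over HTTPS with a valid certificate for $ExternalHost"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```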

ABOUT THE AUTHOR:
John P. Mello has served as journalist, managing editor and freelancer at media enterprises including The Boston Globe, CFO Magazine, PC World, Harvard Management Update and the State House News Service.

This was first published in March 2011
