How to configure attachment blocking in Outlook Web Access

Outlook Web Access (OWA) is configured "out of the box" to block certain kinds of email attachments. Like the full version of Microsoft Outlook, this attachment blocking works on two tiers.

The first tier of attachment blocking prohibits OWA access to the file entirely; the second tier prohibits the attached file from being accessed unless it's first saved to the client's hard drive or accessible network drive.

    Requires Free Membership to View

The first-tier blocks the usual suspects -- e.g., .EXE, .COM and .BAT file extensions. But it is possible for a file to be registered in both tiers at once by default (e.g., .COM). This means that if a file is removed from the first tier, it'll still be blocked by the second tier, which increases user protection.

The list of files in tier 1 is in the registry under: HKLM\System\CurrentControlSet\Services\MSExchangeWeb\OWA\Level1FileTypes as a REG_SZ entry.

Tier 2 files are in: HKLM\System\CurrentControlSet\Services\MSExchangeWeb\OWA\Level2FileTypes.

In each case, the file lists are stored as a simple comma-separated string and can be edited as needed.

More on Outlook Web Access:
Exchange Admin 101: Attachment blocking

Top 5 OWA tips of 2006

FAQ: Outlook Web Access

OWA Administration Guide
Unless you have a specific reason for unblocking a particular email attachment type, it's best to leave the lists as they are. But it can be useful to know where the lists are in case you need to add a new attachment type to OWA's attachment-blocking lists.

Note that you can always work around this restriction by compressing the file as a .ZIP archive (either with or without password protection). Most clients -- even those without a third-party .ZIP extraction tool handy -- can work with .ZIP files.

About the author: Serdar Yegulalp is editor of Windows Insight, a newsletter devoted to hints, tips, tricks, news and goodies for all flavors of Windows users.


I make it a point to block all email file attachments that can be used to send anything harmful. This especially includes .ZIP files. I get more .ZIP file viruses than any other format these days. Our antivirus (CA E-Trust) strips out all specified email attachments and removes macros from Microsoft Office documents.

Currently, I allow most media file types up to a certain size. I will restrict them only if there is a danger from a new media exploit, such as the one that affected images on unpatched machines a while back.

I ask people to use WinRAR to compress and send me a file or ask them to rename the .ZIP extension to .ZIT. This ensures that email file attachments can't be opened unintentionally. We have not had a virus released in our organization since we have had external email access (1998 on Exchange 5).

It does annoy some people to have to go through a few extra steps to send us a file. But in the end it is worth it to have some peace of mind.
—Mike M.

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you have a useful Exchange Server or Microsoft Outlook tip, timesaver or workaround to share? Submit it to SearchExchange.com. If we publish it, we'll send you a nifty thank-you gift.

This was first published in March 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.