One of the most important decisions regarding Outlook Web Access (OWA) in Exchange Server 2007 is how to handle file attachments. Users may access OWA from public computers. If you allow them to open file attachments, information contained in those files potentially could be left behind in the computer's
You don't have to block users entirely from opening file attachments with OWA; often there are legitimate reasons to do so. OWA offers five different settings to allowing or prevent users from opening attachments:
- Allow users to open file attachments that consist of approved file types. For example, you might allow users to open Microsoft Word documents. In such cases, an attachment would be opened using an application that has registered the attachment's file type. This means that if a user tried to open a Microsoft Word document, then that application would be used to open the document. This might sound trivial, but using an associated application to open a file type is an important distinction.
- Allow users to open approved file types, but require them to save attachments to a disk before opening them. The main advantage of this technique is that it makes it more difficult for users to open file attachments on public computers. Keep in mind that users technically aren't forbidden from opening file attachments on public computers.
This technique can also be used to reduce the chances that a user will accidentally execute malicious code. For example, if you have developers in your company that write HTML code, then you may not be able to block HTML or HTM file extensions. You can, however, require that users save HTML files to prevent them from accidentally executing malicious HTML code by clicking on those attachments.
- Prevent users from opening attachments that are unknown file types to help prevent the spread of email viruses.
- Although it's more of a convenience feature than a security feature, you can require users to view attachments in a separate browser window. Users don't need an installed application to access files that an application creates. For example, if a user needed to open a Microsoft Word document from a public computer that didn't have Microsoft Word or the Microsoft Word viewer installed, a Exchange 2007's built-in transcoder can render the document in HTML format and display it in a browser window.
There are two important aspects about this option.
- This presents a security risk because a copy of the document will be stored in the browser cache. While inconsequential on private computers, this can lead to disclosure of sensitive information on public computers.
- The feature doesn't work immediately because Exchange Server 2007 isn't equipped with the required document transcoders. In this case, you can open HTML and PDF files as well as legacy Microsoft Office documents through a browser window. Required transcoders were included in Exchange Server 2007 Service Pack 1 (SP1).
Configure OWA file-attachment security settings
Exchange Server 2007 makes a distinction between public and private computer use. The OWA sign-on screen contains options that let users specify whether they're using a public or a private computer. Exchange allows you to configure separate file access limitations based on the type of computer being used.
It is assumed that private computers are more secure than public computers; many companies give users a higher level of file access when they use a private computer. But Exchange Server doesn't detect whether or not a user is accessing OWA on a public computer.
If you give users different levels of access to attachments based on whether or not they're using a public computer, users could circumvent your security measures by selecting the private computer option from the OWA sign-on screen.
To configure OWA file-attachment security:
- Open the Exchange Management Console and navigate through the console tree to: Server Configuration -> Client Access.
- Select the server that you want to configure from the console's top pane, and then select the OWA option from the bottom pane, as shown in Figure 17.
- Right click on OWA (Default Web Site), and choose Properties from the menu. Your computer will display the OWA properties sheet, which contains separate tabs: Public Computer File Access and Private Computer File Access. These two tabs are identical, but allow you to configure OWA's behavior, depending on whether a user is accessing a public or private computer (Figure 18).
- Direct file access is enabled by default, but I recommend configuring various options in this setting as well. To do so, click Configure to view the screen shown in Figure 19.
You can control which file attachment types users can and cannot access through OWA.
- The Always Allow option lets you inform Exchange Server 2007 which file types users must access.
- The Block option prevents users from opening potentially malicious file types. This option also lets you specify which file types must be saved to a disk before opening.
There is no way to populate the Allow, Block and Force Save lists with every file type. But you can use the Unknown Files option to choose how OWA should behave if someone receives an unspecified attachment type. Public computer and Private computer options both default to a forced save of unknown file types. I recommend blocking access to unknown file types altogether.
In the Direct File Access settings, the Always Allow, Always Block and Force Save lists are pre-populated with Microsoft's recommendations. If your goal is to strictly control OWA file access, you should go through these lists and make required changes. For example, Microsoft allows users to open AVI files in OWA. While there is nothing malicious about an AVI file, users may not need to play video files. Therefore, you may want to add this file type to the blocked list.
TUTORIAL: Customizing Outlook Web Access in Exchange Server 2007
Part 1: Modifying the look of OWA in Exchange Server 2007
Part 2: Using cascading style sheets to change a color in OWA
Part 3: How to handle file attachment access in OWA
Part 4: Control how users access files with WebReady Document Viewing
Part 5: Enable user-level segmentation to control OWA components
|ABOUT THE AUTHOR:|
Brien M. Posey, MCSE|
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
This was first published in April 2008