In Outlook Web Access, direct file access can pose the greatest security risk. This feature allows users to access file servers and SharePoint document libraries directly through OWA. The biggest problem is that there's no way to know from where a user is accessing OWA.
For example, users can access OWA from a computer located in a hotel lobby. Imagine that this computer runs a default configuration and is badly infected with malware. Accessing files through OWA on this computer would be a huge risk and could possibly expose the user's files to the outside world.
This scenario makes me want to disable the direct file access feature. However, there likely are users in your organization that will always need access to the direct file access feature, so completely disabling direct file access isn't an option.
The solution is to create multiple instances of OWA. By doing so, you can assign users to a specific OWA instance and then provision that instance according to users' needs. This is the best way to grant users access to the required set of OWA features without giving them access to unnecessary files. One major benefit is that you don't have to deploy any additional client access servers.
Built-in OWA security measures
Although they won't completely address the aforementioned security issue, OWA has several built-in security features that can protect users' sessions. The OWA sign-on screen allows users to specify
The Public Computer option is selected by default. This way, if a user doesn't select the Private Computer option, they will sign onto OWA using a hardened profile that you can specifically tailor to insecure environments.
A second safeguard is that folders and libraries are treated as read-only when accessed through OWA. Users can save and modify a copy of a document -- unless you force them to use WebReady Document Viewing -- but they can't modify the original copy on the file server. This helps prevent viral infections.
Finally, because an administrator must specify which servers are accessible through OWA, you can explicitly block access to specific network locations.
About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional (MVP) award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.
Do you have comments on this tip? Let us know.
Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for SearchExchange.com.
This was first published in September 2009