Outlook Web Access (OWA) provides the interface for
users to access their mail across the Internet utilizing a web browser.
With the implementation of OWA 2003, Microsoft improved the features
and performance of the product until it was almost as powerful as the
actual Microsoft Outlook client.
With OWA
2007, Microsoft has continued this trend, providing an improved user
experience and enhanced security over previous versions.
Some of the security-related features that were included in OWA 2003, and remain in OWA 2007, include the following:
Stripping of web beacons, referrals, and other potentially harmful content from messages
Attachment blocking
OWA forms-based (cookie) authentication
Session inactivity timeout
OWA infrastructure using IPSec and Kerberos
Safe and block lists
In addition, Outlook Web Access 2007 provides features and improvements over OWA 2003. Some of these are listed here:
Improved logon screen—
In OWA 2003, there was the option to select a “private” logon, which
increased the session timeout significantly. However, it was easy to
forget to select this option when signing on. In OWA 2007, when you
connect from a trusted machine, your previous “private” selection (and
your username) is remembered on subsequent connections.
Junk email management—
OWA 2007 has improved the capabilities of the junk email filter by
allowing users to manage their junk email settings from within OWA.
Protection from harmful content—
If an OWA 2007 user clicks a link that is embedded in an email message,
and the link uses a protocol that is not recognized by OWA, the link is
blocked, and the user receives a warning stating “Outlook Web Access
has disabled this link for your protection.”
Supported Authentication Methods
Client
Access servers in Exchange Server 2007 support more authentication
methods than Exchange Server 2003 front-end (OWA) servers did.
The following types of authentication are allowed:
Standard— Standard authentication methods include Integrated Windows authentication, Digest authentication, and Basic authentication.
Forms-based authentication—
Using forms-based authentication creates a logon page for OWA.
Forms-based authentication uses cookies to store user logon credentials
and password information in an encrypted state.
Microsoft Internet Security and Acceleration (ISA) Server forms-based authentication—
By using ISA Server, administrators can securely publish OWA servers by
using Mail server publishing rules. ISA Server also allows
administrators to configure forms-based authentication and control
email attachment availability.
Smart card and certificate authentication—
Certificates can reside on either a client computer or on a smart card.
Certificate authentication uses the Extensible Authentication Protocol
(EAP) and Transport Layer Security (TLS), providing mutual
authentication in which both the client and the server prove their
identities to each other.
Table 1
shows a comparison of authentication methods along with the security
level provided relative to password transmission and client
requirements.
Table 1. Authentication Methods for OWA Logon Options
Authentication Method | Security Level Provided | How Passwords Are Sent | Client Requirements
---|---|---|---
Basic authentication | Low (unless Secure Sockets Layer [SSL] is enabled) | Base 64-encoded clear text. | All browsers support Basic authentication.
Digest authentication | Medium | Hashed by using MD5. | Microsoft Internet Explorer 5 or later versions.
Integrated Windows authentication | Low (unless SSL is enabled) | Hashed when Integrated Windows authentication is used; Kerberos ticket when Kerberos is used. Integrated Windows authentication includes the Kerberos and NTLM authentication methods. | Internet Explorer 2.0 or later versions for Integrated Windows authentication. Microsoft Windows 2000 Server or later versions with Internet Explorer 5 or later versions for Kerberos.
Forms-based authentication | High | Encrypts user authentication information and stores it in a cookie. Requires SSL to keep the cookie secure. | Internet Explorer.
Note
When
multiple methods of authentication are configured, Internet Information
Services (IIS) uses the most restrictive method first. IIS then
searches the list of available authentication protocols (starting with
the most restrictive), until an authentication method that is supported
by both the client and the server is found.
Disabling Web Beacons for Outlook Web Access
Web beaconing is a method used to
retrieve valid email addresses and recipient information. Web beaconing
is often used by unscrupulous advertisers and spammers to improve the
accuracy and effectiveness of their spamming campaigns.
Exchange Server 2007 allows the disabling of web beacons for OWA users by utilizing one of two methods:
Users can enable or disable web beacon content filtering from within OWA.
Administrators
can use the Exchange Management Shell to define the type of filtering
that is used for web beacon content and enforce it for all users.
By default, web beacons are disabled for OWA users. To change the default setting in OWA:
1. Access OWA from a web browser.
2. Click Options.
3. Under Security, clear the Block External Content in HTML E-Mail Messages check box.
To use the Exchange Management Shell to configure web beacon filtering settings, perform the following command from the shell:
Set-OwaVirtualDirectory -identity "Owa (Default Web Site)" -FilterWebBeaconsAndHtmlForms ForceFilter
This command configures the filtering of web beacon content in the OWA
virtual directory named Owa in the default IIS website. Possible values
for the FilterWebBeaconsAndHtmlForms setting are as follows:
UserFilterChoice— Prompts the user to allow or block web beacons
ForceFilter— Blocks all web beacons
DisableFilter— Allows web beacons
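The following audit script is an added example, not code from the book or from Microsoft. It assumes the Exchange Management Shell on Exchange Server 2007, and that Get-OwaVirtualDirectory exposes the authentication settings (BasicAuthentication, DigestAuthentication, WindowsAuthentication, FormsAuthentication), ExternalUrl and FilterWebBeaconsAndHtmlForms as properties matching the Set-OwaVirtualDirectory parameters; it reports, per OWA virtual directory, the methods from Table 1 that are enabled and the web beacon filter value, flags Basic or Integrated Windows authentication on a directory whose published URL is not HTTPS, and with -Enforce applies the ForceFilter setting shown above.

```powershell
# Added audit script (not from the book): review authentication methods and
# web beacon filtering on every OWA virtual directory in the organization.
# Run from the Exchange Management Shell; pass -Enforce to apply ForceFilter.
param(
    [switch]$Enforce
)

foreach ($v in Get-OwaVirtualDirectory) {
    # Collect the enabled methods using the boolean properties assumed to
    # mirror the Set-OwaVirtualDirectory authentication parameters.
    $enabled = @()
    if ($v.BasicAuthentication)   { $enabled += 'Basic' }
    if ($v.DigestAuthentication)  { $enabled += 'Digest' }
    if ($v.WindowsAuthentication) { $enabled += 'IntegratedWindows' }
    if ($v.FormsAuthentication)   { $enabled += 'Forms' }

    # Table 1 rates Basic and Integrated Windows as "Low" unless SSL is in
    # use, so flag them when the published URL (assumed property ExternalUrl,
    # which may be empty) does not start with https://.
    $url = [string]$v.ExternalUrl
    $warning = ''
    if (($enabled -contains 'Basic' -or $enabled -contains 'IntegratedWindows') -and
        -not $url.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
        $warning = '  <- verify SSL is required on this site'
    }

    Write-Host ('{0}: auth={1}; beacons={2}{3}' -f $v.Identity,
        ($enabled -join ','), $v.FilterWebBeaconsAndHtmlForms, $warning)

    # Same cmdlet the text shows, applied only where filtering is not enforced.
    if ($Enforce -and $v.FilterWebBeaconsAndHtmlForms -ne 'ForceFilter') {
        Set-OwaVirtualDirectory -Identity $v.Identity -FilterWebBeaconsAndHtmlForms ForceFilter
        Write-Host ('  set {0} to ForceFilter' -f $v.Identity)
    }
}
```

Run it once without -Enforce to review the report, then again with -Enforce after confirming which directories should change.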
Using Safe and Block Lists
OWA
2007 users can now manage their junk email settings from within OWA.
Users can enable or disable junk email filtering, create and maintain
Safe Senders, Blocked Senders, and Safe Recipient lists, enter email
domains or Simple Mail Transfer Protocol (SMTP) addresses, and elect to
trust email from their contacts.
Note
The
option to “always trust contacts” does not function if the user has
more than 1,024 contacts. Although this limitation will not be reached
for most users, those with an exceptionally large number of contacts
should be aware of the limitation.
To
access the Junk E-Mail settings in OWA, select Options from the
upper-right corner of the screen, and then select Junk E-Mail on the
left side of the page.