IT tutorials
 
Applications Server
 

Securing an Exchange Server 2007 Environment : Securing Outlook Web Access

10/24/2014 3:37:37 AM
- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire

Outlook Web Access (OWA) provides the interface for users to access their mail across the Internet utilizing a web browser. With the implementation of OWA 2003, Microsoft improved the features and performance of the product until it was almost as powerful as the actual Microsoft Outlook client.

With OWA 2007, Microsoft has continued this trend, providing an improved user experience and enhanced security over previous versions.

Some of the security-related features that were included in OWA 2003, and remain in OWA 2007, include the following:

  • Stripping of web beacons, referrals, and other potentially harmful content from messages

  • Attachment blocking

  • OWA forms-based (cookie) authentication

  • Session inactivity timeout

  • OWA infrastructure using IPSec and Kerberos

  • Safe and block lists

In addition, Outlook Web Access 2007 provides features and improvements over OWA 2003. Some of these are listed here:

  • Improved logon screen— In OWA 2003, there was the option to select a “private” logon, which increased the session timeout significantly. However, it was easy to forget to select this option when signing on. In OWA 2007, when you connect from a trusted machine, your previous “private” selection (and your username) is remembered on subsequent connections.

  • Junk email management— OWA 2007 has improved the capabilities of the junk email filter by allowing users to manage their junk email settings from within OWA.

  • Protection from harmful content— If an OWA 2007 user clicks a link that is embedded in an email message, and the link uses a protocol that is not recognized by OWA, the link is blocked, and the user receives a warning stating “Outlook Web Access has disabled this link for your protection.”

Supported Authentication Methods

Client Access servers in Exchange Server 2007 support more authentication methods than Exchange Server 2003 front-end (OWA) servers did.

The following types of authentication are allowed:

  • Standard— Standard authentication methods include Integrated Windows authentication, Digest authentication, and Basic authentication.

  • Forms-based authentication— Using forms-based authentication creates a logon page for OWA. Forms-based authentication uses cookies to store user logon credentials and password information in an encrypted state.

  • Microsoft Internet Security and Acceleration (ISA) Server forms-based authentication— By using ISA Server, administrators can securely publish OWA servers by using Mail server publishing rules. ISA Server also allows administrators to configure forms-based authentication and control email attachment availability.

  • Smart card and certificate authentication— Certificates can reside on either a client computer or on a smart card. By utilizing certificate authentication, Extensible Authentication Protocol (EAP) and Transport Layer Security (TLS) protocols are used, providing a two-way authentication method where both the client and server prove their identities to each other.

Table 1 shows a comparison of authentication methods along with the security level provided relative to password transmission and client requirements.

Table 1. Authentication Methods for OWA Logon Options
Authentication MethodSecurity Level ProvidedHow Passwords Are SentClient Requirements
Basic authenticationLow (unless Secure Sockets Layer [SSL] is enabled)Base 64-encoded clear text.All browsers support Basic authentication.
Digest authenticationMediumHashed by using MD5.Microsoft Internet Explorer 5 or later versions.
Integrated Windows authenticationLow (unless SSL is enabled)Hashed when Integrated Windows authentication is used; Kerberos ticket when Kerberos is used. Integrated Windows authentication includes the Kerberos and NTLM authentication methods.Internet Explorer 2.0 or later versions for Integrated Windows authentication. Microsoft Windows 2000 Server or later versions with Internet Explorer 5 or later versions for Kerberos.
Forms-based authenticationHighEncrypts user authentication information and stores it in a cookie. Requires SSL to keep the cookie secure.Internet Explorer.

Note

When multiple methods of authentication are configured, Internet Information Services (IIS) uses the most restrictive method first. IIS then searches the list of available authentication protocols (starting with the most restrictive), until an authentication method that is supported by both the client and the server is found.


Disabling Web Beacons for Outlook Web Access

Web beaconing is a method used to retrieve valid email addresses and recipient information. Web beaconing is often used by unscrupulous advertisers and spammers to improve the accuracy and effectiveness of their spamming campaigns.

Exchange Server 2007 allows the disabling of web beacons for OWA users by utilizing one of two methods:

  • Users can enable or disable web beacon content filtering from within OWA.

  • Administrators can use the Exchange Management Shell to define the type of filtering that is used for web beacon content and enforce it for all users.

By default, web beacons are disabled for OWA users. To change the default setting in OWA:

1.
Access OWA from a web browser.

2.
Click Options.

3.
Under Security, clear the Block External Content in HTML E-Mail Messages check box.

To use the Exchange Management Shell to configure web beacon filtering settings, perform the following command from the shell:

Set-OwaVirtualDirectory -identity "Owa (Default Web Site)" -FilterWebBeaconsAndHtmlForms ForceFilter


This command configures the filtration of web beacon content in the Outlook virtual directory named OWA in the default IIS website. Possible values for the FilterWebBeaconsandHtmlforms setting are as follows:

  • UserFilterChoice— Prompts the user to allow or block web beacons

  • ForceFilter— Blocks all web beacons

  • DisableFilter— Allows web beacons

Using Safe and Block Lists

OWA 2007 users can now manage their junk email settings from within OWA. Users can enable or disable junk email filtering, create and maintain Safe Senders, Blocked Senders, and Safe Recipient lists, enter email domains or Simple Mail Transfer Protocol (SMTP) addresses, and elect to trust email from their contacts.

Note

The option to “always trust contacts” does not function if the user has more than 1,024 contacts. Although this limitation will not be reached for most users, those with an exceptionally large number of contacts should be aware of the limitation.


To access the Junk E-Mail settings in OWA, select Options from the upper-right corner of the screen, and then select Junk E-Mail on the left side of the page.

 
Others
 
- Securing an Exchange Server 2007 Environment : Protecting Against Spam (part 2) - Filtering Junk Mail
- Securing an Exchange Server 2007 Environment : Protecting Against Spam (part 2) - Filtering Junk Mail
- Securing an Exchange Server 2007 Environment : Protecting Against Spam (part 1) - Protecting Against Web Beaconing
- Securing an Exchange Server 2007 Environment : Securing Outlook 2007 (part 2) - Encrypting Communications Between Outlook and Exchange , Blocking Attachments
- Securing an Exchange Server 2007 Environment : Securing Outlook 2007 (part 1) - Outlook Anywhere
- Securing an Exchange Server 2007 Environment : Securing Your Windows Environment (part 3) - Keeping Up with Security Patches and Updates
- Securing an Exchange Server 2007 Environment : Securing Your Windows Environment (part 2) - Utilizing Security Templates
- Securing an Exchange Server 2007 Environment : Securing Your Windows Environment (part 1) - Windows Server 2003 Security Improvements , Windows Vista Security Improvements
- Securing an Exchange Server 2007 Environment : Client-Level Secured Messaging - Exchange Server 2007 Client-Level Security Enhancements
- Microsoft Exchange Server 2010 Requirements : Additional Requirements
 
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
programming4us programming4us
 
Popular tags
 
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS