August 29, 2006 12:00 AM

Better OWA Attachment Security

Remote users love OWA. You'll love these tips that limit the risks.
Windows IT Pro
InstantDoc ID #93000

To set the way OWA handles Free-Docs, perform these steps:

  1. Log on to your OWA server with an account that has Windows administrative privileges.
  2. Open a registry editor (regedit.exe).
  3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA.
  4. Right-click HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA and select New, DWORD Value. Name the new value EnableFreeDocs.
  5. Double-click the new value, and in the Edit DWORD Value dialog box, enter the desired value.
  6. Click OK.

Controlling Access to Attachments Via Front-End Servers
Blocking certain types of attachments or documents is useful in itself, but sometimes you want to keep people from accessing attachments depending on where the person is, not just what the file type is. This concern is due to the nature of how OWA works. Outlook is typically installed on a machine in an environment in which the user is presumed to be an honest member of the company, and therefore it's reasonable to assume that the machine is under the user's control and is in a place where it's safe for the user to open sensitive attachments. OWA, however, is designed to be used from almost any modern Web browser—even browsers running on machines that aren't under the user's control and aren't necessarily safe. OWA 2003 addresses this problem in a couple of ways, such as its provision for automatically ending users' sessions after an administrator-specified time period. (You can set separate timeouts for public and trusted computers.) OWA 2003 also lets you restrict which servers users can use to access attachments, to help reduce the risk that users will open sensitive attachments on untrusted machines. For example, you probably wouldn't block Microsoft Word documents for all users, but you might want to prevent OWA users from accessing Word documents from outside the corporate network. OWA 2003 offers two interlocking controls that let you do this fairly easily.

First, the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA\DisableAttachments subkey lets you control whether attachments are open, blocked, or open only for users who are connecting directly to a back-end server. When you create this entry, you can assign one of three values:

  • A value of 0 tells OWA to allow unrestricted attachment access. This is OWA's default behavior.
  • A value of 1 forces OWA to block access to all attachments. This is pretty draconian and probably not appropriate for most environments.
  • A value of 2 allows attachment access only for users who connect directly to the back-end mailbox server. If you're using a front-end/back-end topology, this effectively restricts attachment access to users inside your firewall (or those that can establish sessions directly to their mailbox servers).

To apply this setting, perform these steps:

  1. Log on to your OWA server with an account that has Windows administrative privileges.
  2. Open a registry editor (regedit.exe).
  3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA.
  4. Right-click HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA and select New, DWORD Value. Name the new value DisableAttachments.
  5. Double-click the new value, and in the Edit DWORD Value dialog box, enter the desired value (e.g., use a value of 2 to block outside attachment access).
  6. Click OK.
  7. Stop and restart the World Wide Web Publishing service. (You can quickly do this from the command line by using the net stop w3svc and net start w3svc commands.)

Additionally, you can use the AcceptedAttachmentFrontEnds value (of type REG_SZ) under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA subkey to allow users who connect to specified front-end servers to access attachments. Any request that comes from a server whose host header matches the name of a server on the AcceptedAttachmentFrontEnds list will be accepted. (Use commas to separate the entries on the accepted server list.) This setting takes effect only if the DisableAttachments value is set to 2.

Note that the Level 1 and Level 2 block lists take precedence over DisableAttachments. If you specify that a particular file type should be blocked, it will be blocked for all users, no matter what DisableAttachments is set to.
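The two registry procedures above (EnableFreeDocs and DisableAttachments) plus the AcceptedAttachmentFrontEnds list, combined into one script with a read-back audit. This is an added example, not code from the article or from Microsoft; the value names, types and meanings are the article's, while the function names and the front-end host names are assumptions constructed for the example.

```powershell
# Added example: set and audit the OWA 2003 attachment-control values described in the
# article. Run in an elevated PowerShell session on the OWA server.
$OwaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA'

function Set-OwaAttachmentPolicy {
    param(
        [ValidateSet(0, 1, 2)] [int] $DisableAttachments = 2,   # 0 = open, 1 = block all, 2 = back-end only
        [string[]] $AcceptedFrontEnds = @(),                   # host headers of trusted front-end servers
        [int] $EnableFreeDocs                                  # optional; Free-Docs handling from the first procedure
    )
    if (-not (Test-Path $OwaKey)) { New-Item -Path $OwaKey -Force | Out-Null }

    New-ItemProperty -Path $OwaKey -Name 'DisableAttachments' -PropertyType DWord `
        -Value $DisableAttachments -Force | Out-Null

    if ($AcceptedFrontEnds.Count -gt 0) {
        # REG_SZ, comma-separated, as the article specifies; OWA only honours it when DisableAttachments = 2
        New-ItemProperty -Path $OwaKey -Name 'AcceptedAttachmentFrontEnds' -PropertyType String `
            -Value ($AcceptedFrontEnds -join ',') -Force | Out-Null
    }
    if ($PSBoundParameters.ContainsKey('EnableFreeDocs')) {
        New-ItemProperty -Path $OwaKey -Name 'EnableFreeDocs' -PropertyType DWord `
            -Value $EnableFreeDocs -Force | Out-Null
    }
    # Step 7 of the article: the setting is picked up when the World Wide Web Publishing service restarts
    Restart-Service -Name W3SVC -Force
}

function Get-OwaAttachmentPolicy {
    # Reads the values back and states the effective attachment policy in plain words
    $p = Get-ItemProperty -Path $OwaKey -ErrorAction SilentlyContinue
    $mode = switch ($p.DisableAttachments) {
        1       { 'blocked for all users' }
        2       { 'allowed only via back-end or accepted front-end servers' }
        default { 'unrestricted (OWA default)' }
    }
    [pscustomobject]@{
        DisableAttachments          = $p.DisableAttachments
        EffectivePolicy             = $mode
        AcceptedAttachmentFrontEnds = if ($p.DisableAttachments -eq 2) { $p.AcceptedAttachmentFrontEnds } else { '(ignored unless DisableAttachments = 2)' }
        EnableFreeDocs              = $p.EnableFreeDocs
    }
}

# Usage with constructed host names: restrict attachments to the internal front-ends, then audit
Set-OwaAttachmentPolicy -DisableAttachments 2 -AcceptedFrontEnds 'owa-fe1.corp.example', 'owa-fe2.corp.example'
Get-OwaAttachmentPolicy
```

The audit output is the quickest way to confirm the precedence rule stated above: a file type on the Level 1 or Level 2 block list stays blocked whatever the policy line reports.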

OWA 2007 Attachment-Control Features
Microsoft has added two significant new attachment-control features in the Exchange 2007 version of OWA. The first, OWA Document Access, allows the OWA server to translate links to internal Windows SharePoint Services Web sites for use by Internet clients. This gives OWA users read-only access to administrator-specified SharePoint sites—provided the users have access with their normal Windows accounts; Document Access uses the user's credentials to request access. This SharePoint functionality reduces the need to send attachments via email in the first place.

The second feature, WebReady Document Viewing, is an HTML transcoder that renders some Office document types (e.g., Word, PowerPoint, Excel) and PDF files as HTML pages. This feature prevents users from modifying an attachment's content, and it means that there's no longer an easy way for users to save an intact document file to an untrusted machine. Look for more coverage of both of these features in future issues.

Technical Solutions to Behavioral Problems
Controlling access to attachments is part of a strong security posture, and OWA offers some security features that can help reduce the risk that a user will accidentally leave copies of sensitive attachments on untrusted machines or that an attachment containing malicious content will cause damage to your network. However, these features aren't foolproof. For example, a sufficiently determined user can simply rename a file before sending it to evade the file-type blocking restrictions.

If your email users frequently exchange or send sensitive documents, you need to couple the technical measures discussed here with user education that helps them understand what the security measures are for and why they're implemented. Then you need to design a security policy that specifies proper attachment-handling procedures. OWA's attachment-management features will help make that policy a reality.

ADDITIONAL OWA RESOURCES

Windows IT Pro Resources
"Exchange Server 2003 OWA Overview"
InstantDoc ID 39790

"OWA Attachment Security"
InstantDoc ID 41265

"Setting Up Load-Balanced OWA Servers with Front-End SSL Accelerators"
InstantDoc ID 47789

"WebDAV for Remote Access"
InstantDoc ID 49847

Microsoft Resources
"Outlook Web Access Features in Exchange Server 2003"
http://www.microsoft.com/exchange/evaluation/features/owa_features.mspx

"Outlook Web Access-Configure Attachment Blocking"
http://support.microsoft.com/?kbid=555001

Comments
  • PAUL
    Sep 08, 2006

    You could probably do this by customizing OWA to remove the attachment button, but off the top of my head that's the only way I can think of to do this, and of course Microsoft won't support that approach.

  • Paulo
    Aug 31, 2006

    I would like to know if I can block users from attaching items in new messages written in OWA.
    Since I have an E-mail gateway that filters inbound attachments, OWA is bypassing my rules.
