Minimize remote and mobile Outlook Web Access (OWA) security risks

Malware isn't a direct threat to Exchange. The real threat is the potential disclosure of sensitive data. Malware methods such as keystroke loggers or other mechanisms attempt to relay details of an infected user's online activity to the virus' creator. This means that any user's sent or opened OWA email can be viewed by the malware creator.

More Outlook Web Access security resources: How to improve Outlook Web Access (OWA) security Enhance OWA logon security using Microsoft ISA Server

The million-dollar question is: What can you do to minimize the risks? Many companies forbid OWA use from computers that are not secure. The real solution is to control malware; however, this is easier said than done.

Internet Explorer (IE) can be infected far too easily. Alternative browsers such as Firefox are less prone to malware infection than Internet Explorer, but may give users a false sense of security.

Here are recommendations for securing Outlook Web Access for mobile and remote users:

• Limit OWA access only to those users who have a legitimate business need for it (i.e., mobile and remote users). Taking OWA away will probably upset some users, but it is a big step toward improving your organization's security.
• Install Virtual PC 2007 onto each laptop and create a dedicated virtual operating system (OS) for the sole purpose of providing a secure OWA environment. That way, even if the host operating system's copy of Internet Explorer becomes infected, the virtual OS should remain unaffected.

  You can't expect mobile users to access OWA only from the confines of a virtual OS, so you need to take some additional security steps to make this type of setup work properly:

  • Run Windows Vista as the host operating system. Windows Vista has drawn a lot of criticism for various reasons, but there is no denying that Internet Explorer 7 is much less prone to malware when run on Vista than when it's run on Windows XP.
  • Add your OWA server URL to the Restricted Sites zone of the host operating system's browser. While this won't stop users from accessing OWA from the host copy of Internet Explorer, it should prevent them from logging in.

• Create strict group policies to lock down the guest operating system. It's possible to create a group policy that hides the Windows Start menu and all of the various Windows options. You can configure this so that Internet Explorer opens when a user logs onto the guest operating system. It then connects the user to the OWA server directly. You can also use IE-related group policy settings to completely lock down the browser.

  Group policy settings for locking down Internet Explorer are found in the Group Policy Object Editor under Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer and under User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer.

It is important to remember that if you implement a dedicated virtual environment, it will only secure Outlook Web Access against the unintentional disclosure of information on an "assigned" PC. If a mobile worker uses a home PC instead of their laptop, it can completely undermine everything that you've done. You could hide the OWA URL; however IE7 requires that a URL be shown for all websites (there is a way to get around this requirement, though). An alternative option is to eliminate Outlook Web Access and require mobile and remote users to use Microsoft Outlook with RPC over HTTP.

About the author: Brien M. Posey, MCSE, has previously received Microsoft's MVP award for Exchange Server, Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for SearchExchange.com.

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Outlook Web Access Can OWA 5.5 users access email from Exchange Server 2003? OWA Light vs. Exchange ActiveSync on Windows Mobile devices Create a secure Microsoft Outlook Web Access (OWA) redirect page Why does a security alert pop up when accessing Outlook Web Access? Troubleshooting slow Outlook Web Access (OWA) performance Revised Outlook out-of-office (OOF) messages don't update in OWA Use the OWA Admin tool to 'segment' Outlook Web Access 2003 features Repairing damaged OWA virtual directories in Exchange Server 2003 Customizing an Outlook Web Access 2003 email signature Outlook Web Access limitations using Exchange Server public folders User Authentication for Microsoft Outlook and OWA Create a secure Microsoft Outlook Web Access (OWA) redirect page Why does a security alert pop up when accessing Outlook Web Access? OWA won't load after applying Exchange 2007 SP1 security patch How to improve Outlook Web Access (OWA) security Alleviate Outlook Web Access (OWA) email attachment security issues How to customize OWA authentication logon in Exchange Server 2003 Automated redirects to OWA directories may fail when SSL is enforced Configure Windows Mobile devices to local wipe after failed logons How to set up an SSL certificate to encrypt OWA and ActiveSync traffic Error: 'The name of the security certificate is invalid or does not match the name of the site' Antivirus Software and Virus Protection Microsoft Exchange Server security dos and don'ts How effective is tracking the IP address of an email hacker? Secure Edge Transport servers using the Security Configuration Wizard The six-layered secret of effective Exchange Server email filtering Microsoft Outlook and Exchange Server 2003 Email Security Guide How to install and configure an Edge Transport server for Exchange 2007 Process, compress and block Microsoft Outlook email attachments How to configure attachment blocking in Outlook Web Access Beware of bare linefeeds in Exchange Server email Dell, Symantec simplify Secure Exchange for SMBs RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Vouch by Reference (VBR)  (SearchExchange.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.