Recipe 8.4. Configuring Attachment Blocking for OWA 2003 Problem You want to restrict OWA 2003 users' ability to open attachments. Solution Using a graphical user interface Log on to your Exchange Front-End server. Open the Registry Editor (regedit.exe). Select the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSEx-changeWeb\OWA registry key. Choose New DWORD Value from the Edit menu; name the new value DisableAttachments. Double-click DisableAttachments and set the value as appropriate:
- 0 (the default)
-
Makes attachments available, subject to the file-type blocking described in the Discussion section
- 1
-
Blocks access to all attachments from within OWA 2003. Outlook, IMAP, and POP users can access attachments normally
- 2
-
Allows attachment access for only those users who connect to back-end Exchange servers or to the specified front-end servers only
If you want to allow access to attachments from one or more front-end servers, do the following on your front-end servers: Select the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSEx-changeWeb\OWA registry key. Choose New String Value from the Edit menu; name the new value AcceptedAttachmentFrontEnds. Double-click AcceptedAttachmentFrontEnds and enter the names of the front-end servers through which you want to allow users to access attachments. For multiple servers, separate the server names with spaces. Using a command-line interface The following command sets the DisableAttachments value: > reg add HKLM\System\currentcontrolset\services\MSExchangeWeb\OWA /v DisableAttachments /t REG_DWORD /d <value> where <value> is a value from the list in step 5. Using VBScript ' This code enables attachment blocking on an OWA 2003 server, ' allowing access only to users who connect to one of the specified FE servers ' ------ SCRIPT CONFIGURATION ------ strOWA = "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeWeb\OWA\" strAllowedFEs = "<FE Servers>" e.g., "BATMAN SUPERMAN" ' ------ END CONFIGURATION --------- Set objWSH = wscript.CreateObject("WScript.Shell") objWSH.RegWrite strOWA & "DisableAttachments", 2, "REG_DWORD" WScript.echo "DisableAttachments set to disallow access except through FEs" objWSH.RegWrite strOWA & "AcceptedAttachmentFrontEnds", strAllowedFEs, "REG_SZ" Wscript.Echo "Set attachment front ends to " & strAllowedFEs Discussion OWA 2003 adds attachment blocking that works very much like the Outlook equivalent described in Recipe 8.2. OWA 2003 gives you three modes of attachment blocking. By default, attachments are allowed, but they're filtered. Attachments whose extensions appear on the Level1FileTypes registry value under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeWeb\OWA key are blocked, while those whose extensions fall into the Level2FileTypes list can be saved but not opened directly. Although these lists start off with the same contents described in Tables Table 8-1 and Table 8-2, you can change them by editing the registry values, and those changes will affect only OWA 2003 users. If you create the DisableAttachments value and set its value to 1, OWA users can't access any attachments, period. If you create DisableAttachments and set its value to 2, OWA users who connect to a back-end server can get attachments (again subject to file-extension filtering). You can optionally create the AcceptedAttachmentFrontEnds value and use it to specify a set of front-end servers from which users can access attachments; this is useful if you want to allow some users, but not others, to access attachments through OWA. See Also Recipe 8.2 for blocking attachments in Outlook; Chapter 3 of the Managing Client Access to Exchange Server 2003 Guide (Microsoft) |