Understanding OWA Security Features


Outlook Web Access has several enhancements for security, including support for S/MIME attachments, spam beacon blocking, attachment blocking, cookie authentication, and clearing user credentials during the logoff process.

S/MIME: Sending and Receiving Digitally Signed and Encrypted Messages

OWA 2003 now supports S/MIME functionality, giving you the ability to send and receive digitally signed and encrypted messages. However, an ActiveX control must be loaded on each client. To download the ActiveX component manually, go to the OWA Options page. Configuration and loading of the S/MIME functionality was covered in the section "Email Security," earlier in the chapter.

Understanding Spam Beacon Blocking

OWA 2003 provides additional security against spam. If configured, OWA prevents spam beacons from functioning by blocking links to external content on the Internet from being accessed from OWA. This strengthens OWA's antispam protection by removing the spammer's ability to hide beacons in spam messages. Those beacons automatically contact the spammers when the email messages are opened, letting the spammers know they have reached a live email address. By blocking this functionality, one more method of finding live addresses is eliminated from the spammer's arsenal.
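The blocking idea described above, as an added Python example that is not from the book and is not how OWA itself is implemented: it rewrites an HTML message body so that nothing is fetched from the Internet merely by opening the message. The names `block_beacons`, `BeaconBlocker` and `AUTO_FETCH` and the sample message are constructed for illustration; the sketch covers tag attributes only (not CSS `url()` values) and assumes clickable links are left in place because they do not fire on open.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs a mail client fetches automatically when rendering.
AUTO_FETCH = {("img", "src"), ("input", "src"), ("iframe", "src"), ("link", "href"),
              ("body", "background"), ("table", "background"), ("td", "background")}

def is_external(url):
    """True for http(s) and protocol-relative URLs; cid: inline parts stay local."""
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    return scheme in ("http", "https") or (not scheme and url.startswith("//"))

class BeaconBlocker(HTMLParser):
    """Re-emits the message, dropping attributes that would trigger a remote fetch."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. as written
        self.out, self.blocked = [], []

    def _emit_tag(self, tag, attrs, close=""):
        kept = []
        for name, value in attrs:
            if value and (tag, name) in AUTO_FETCH and is_external(value):
                self.blocked.append(value)  # record it for the "content blocked" notice
                continue
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join([tag] + kept) + close + ">")

    def handle_starttag(self, tag, attrs): self._emit_tag(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit_tag(tag, attrs, " /")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def block_beacons(html_body):
    """Return (sanitized_html, list_of_blocked_urls). Comments are dropped."""
    parser = BeaconBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample: an inline logo, a 1x1 tracking image, and an ordinary link.
SAMPLE = ('<p>Hello &amp; welcome</p><img src="cid:logo@example.invalid">'
          '<img src="http://tracker.example.invalid/open.gif?id=user%40example.invalid"'
          ' width="1" height="1"><a href="http://shop.example.invalid/">offer</a>')

if __name__ == "__main__":
    cleaned, blocked = block_beacons(SAMPLE)
    print(cleaned)
    print("blocked:", blocked)
```

The per-recipient identifier in the tracking image's query string is what tells the sender which address opened the message; once the `src` is gone, no request is ever made.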

Understanding Attachment Blocking

OWA also provides configurable functionality to block Internet attachments, such as links to Web sites, music, and other Internet technologies available only outside the firewall (on the Internet). These options can be configured only by administrators, and not from the OWA client. Users are sent a message notifying them that the attachment is blocked.

Understanding Cookie Authentication Timeout and Timed Logoff

OWA 2003 uses cookies to hold the user authentication information. When a user logs out of OWA 2003, the cookie automatically expires, so a hacker can't use the cookie to gain authentication. Additionally, the cookie is configured to automatically expire after 20 minutes of inactivity in OWA if the user specified a private computer, or 10 minutes if the user specified a shared or public computer.

After timed logoff has occurred and a user tries to reaccess OWA, he has to reenter user credentials.

The amount of time to wait before automatic logoff is configurable by editing the Registry on the front-end Exchange server.

Clearing User Credentials at Logoff

For users who access OWA 2003 via Internet Explorer 6.0 SP1 or greater and Forms Based Authentication, the user's logon credentials cache automatically clears when the user logs off from OWA 2003. It is no longer necessary to close the browser window to clear the cache. For users accessing OWA via other Internet browsers or via OWA servers that aren't configured to use Forms Based Authentication, users must still close the browser window to clear the cache and will be prompted to do so.



Microsoft Exchange Server 2003 Unleashed
Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
EAN: 2147483647
Year: 2003
Pages: 393
Authors: Rand Morimoto
