What are some of the OWA security implications and how can I fix them?

There are several ways to secure OWA. Microsoft's recommended approach is a cookie-based solution called Exchange Forms-based authentication, which ships with Exchange Server 2003. For added security, make sure that users connect to OWA via SSL only.

The article below from MSExchange.org has some more information on securing OWA. http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html  

Some additional security implications include:

  • Attachment security – opening and saving attachments may result in a copy of the file being left behind in the Temporary Internet Files folder on the client machine, where it is available for the next user to copy, print and email. Printing files can result in a hardcopy being left behind on a public printer or desk.

    Solution: You can block users from accessing attachments, or look for a third party that converts attachments into safe HTML pages.
  • Session inactivity – users who are not active in OWA should be timed out so that they do not unknowingly leave an active session behind.

    Solution: Exchange forms-based authentication has public and private timeout values that are enabled by default.
  • Navigation protection – if a user does not log off and simply enters a new URL in the address bar, the next user of that computer can click the Back button to get into the previous user's OWA session, with no need for credentials.

    Solution: ISA Forms-based authentication offers navigation protection.
  • Maximum session time – there is no maximum session time, so if someone hijacks a session they can keep it active indefinitely without re-authenticating.

    Solution: RSA SecurID offers a maximum session time.
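
The session-inactivity and maximum-session-time points above can be illustrated with a small model. The following is an added example, not Exchange or any vendor's code: it models a server-side session store with separate public and private inactivity timeouts and an optional absolute lifetime, and shows that a hijacked cookie which is touched regularly never expires under an inactivity timeout alone. The timeout values are constructed for illustration and are not Exchange's defaults.

```python
from dataclasses import dataclass

# Constructed policy values for this example (not Exchange 2003's own defaults).
PUBLIC_INACTIVITY = 15 * 60          # shared/public computer: short idle timeout
PRIVATE_INACTIVITY = 24 * 60 * 60    # private/trusted computer: long idle timeout
MAX_SESSION_LIFETIME = 8 * 60 * 60   # absolute cap, regardless of activity


@dataclass
class Session:
    user: str
    public: bool      # True if the user chose the "public computer" option at logon
    created: int      # logon time, seconds
    last_seen: int    # time of the last served request, seconds


class SessionStore:
    def __init__(self, enforce_max_lifetime: bool):
        self.sessions: dict[str, Session] = {}
        self.enforce_max_lifetime = enforce_max_lifetime

    def login(self, cookie: str, user: str, public: bool, now: int) -> None:
        self.sessions[cookie] = Session(user, public, now, now)

    def logoff(self, cookie: str) -> None:
        # Explicit logoff invalidates the cookie server-side, so a replayed
        # cookie (e.g. via the browser's Back button) is refused.
        self.sessions.pop(cookie, None)

    def request(self, cookie: str, now: int) -> bool:
        """Return True if the request is served, False if the session is expired or unknown."""
        s = self.sessions.get(cookie)
        if s is None:
            return False
        idle_limit = PUBLIC_INACTIVITY if s.public else PRIVATE_INACTIVITY
        if now - s.last_seen > idle_limit:
            self.sessions.pop(cookie)          # idle too long
            return False
        if self.enforce_max_lifetime and now - s.created > MAX_SESSION_LIFETIME:
            self.sessions.pop(cookie)          # lifetime cap reached
            return False
        s.last_seen = now
        return True


def hijacked_session_survives(enforce_max_lifetime: bool) -> bool:
    """Model a stolen public-computer cookie being replayed every 10 minutes for a day."""
    store = SessionStore(enforce_max_lifetime)
    store.login("cookie-1", "alice", public=True, now=0)
    t = 0
    while t < 24 * 60 * 60:
        t += 10 * 60
        if not store.request("cookie-1", t):
            return False
    return True
```

With only inactivity timeouts the replayed cookie is served for the whole day; with the absolute lifetime it is refused after eight hours.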

There is a third party, Messageware, that offers OWA security and enhancement solutions.  It would be a good idea to check with them as well.