Outlook Web App (OWA) provides the interface for users to access their mail across the Internet using a web browser. Over the years, Microsoft improved the OWA client until it was almost as powerful as the actual Microsoft Outlook client.
With OWA 2010, Microsoft has continued this trend, providing an improved user experience and enhanced security over previous versions.
Some of the security-related features in OWA include the following:
Stripping of web beacons, referrals, and other potentially harmful content from messages
Attachment blocking
OWA forms-based (cookie) authentication
Session inactivity timeout
OWA infrastructure using IPSec and Kerberos
Safe and block lists
Improved logon screen— In OWA 2010, when you connect from a trusted machine, your previous “private” selection (and your username) is remembered on subsequent connections.
Junk email management— OWA 2010 has improved the capabilities of the junk email filter by allowing users to manage their junk email settings from within OWA.
Protection from harmful content— If an OWA 2010 user clicks a link that is embedded in an email message, and the link uses a protocol that is not recognized by OWA, the link is blocked, and the user receives a warning stating “Outlook Web App has disabled this link for your protection.”
Supported Authentication Methods
Client access servers in Exchange Server 2010 support more authentication methods than Exchange Server 2003 front-end (OWA) servers did.
The following types of authentication are allowed:
Standard— Standard authentication methods include Integrated Windows authentication, Digest authentication, and Basic authentication.
Forms-based authentication— Using forms-based authentication creates a logon page for OWA. Forms-based authentication uses cookies to store user logon credentials and password information in an encrypted state.
Microsoft Internet Security and Acceleration (ISA) Server forms-based authentication— By using ISA Server, administrators can securely publish OWA servers by using Mail server publishing rules. ISA Server also allows administrators to configure forms-based authentication and control email attachment availability.
Smart card and certificate authentication— Certificates can reside on either a client computer or on a smart card. By utilizing certificate authentication, the Extensible Authentication Protocol (EAP) and Transport Layer Security (TLS) protocols are used, providing a two-way authentication method where both the client and server prove their identities to each other.
Table 1 shows a comparison of authentication methods along with the security level provided relative to password transmission and client requirements.
Table 1. Authentication Methods for OWA Logon Options
Authentication Method | Security Level Provided | How Passwords Are Sent | Client Requirements
---|---|---|---
Basic authentication | Low (unless Secure Sockets Layer [SSL] is enabled) | Base 64-encoded clear text. | All browsers support Basic authentication.
Digest authentication | Medium | Hashed by using MD5. | Microsoft Internet Explorer 5 or later versions.
Integrated Windows authentication | Low (unless SSL is enabled) | Hashed when Integrated Windows authentication is used; Kerberos ticket when Kerberos is used. Integrated Windows authentication includes the Kerberos and NTLM authentication methods. | Internet Explorer 2.0 or later versions for Integrated Windows authentication. Microsoft Windows 2000 Server or later versions with Internet Explorer 5 or later versions for Kerberos.
Forms-based authentication | High | Encrypts user authentication information and stores it in a cookie. Requires SSL to keep the cookie secure. | Forms-based authentication is now supported in Internet Explorer, Mozilla Firefox, Apple’s Safari, and other browsers.
Note
When multiple methods of authentication are configured, Internet Information Services (IIS) uses the most restrictive method first. IIS then searches the list of available authentication protocols (starting with the most restrictive) until an authentication method that is supported by both the client and the server is found.
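The following Exchange Management Shell script is an added example, not code from the book or from Microsoft. It reports which of the Table 1 methods each OWA virtual directory accepts, flags directories where password protection depends on SSL that is not configured, and then enforces the “High” option (forms-based authentication) while turning off Digest and Integrated Windows. It assumes the Exchange 2010 Management Shell; the cmdlets and the BasicAuthentication, DigestAuthentication, WindowsAuthentication, FormsAuthentication and InternalUrl properties are the real ones, and the SSL check uses the scheme of InternalUrl as a proxy for “SSL is enabled” (an assumption of this example; check the IIS binding as well).

```powershell
# Added example (not from the book): audit and harden OWA authentication.
# Assumes the Exchange 2010 Management Shell (PowerShell 2.0 syntax).

# 1. Audit: one object per OWA virtual directory.
$report = foreach ($vdir in Get-OwaVirtualDirectory) {
    # Treat an https InternalUrl as "SSL is enabled" (assumption of this example).
    $ssl = $false
    if ($vdir.InternalUrl) { $ssl = ($vdir.InternalUrl.Scheme -eq 'https') }

    # Map the configuration onto the Table 1 security levels.
    if (-not $ssl -and ($vdir.BasicAuthentication -or $vdir.WindowsAuthentication)) {
        $finding = 'Low: Basic/Integrated Windows without SSL'
    } elseif (-not $ssl -and $vdir.FormsAuthentication) {
        $finding = 'Forms-based cookie requires SSL'
    } else {
        $finding = 'OK'
    }

    New-Object PSObject -Property @{
        Server   = $vdir.Server
        Identity = $vdir.Identity
        Basic    = $vdir.BasicAuthentication
        Digest   = $vdir.DigestAuthentication
        Windows  = $vdir.WindowsAuthentication
        Forms    = $vdir.FormsAuthentication
        Https    = $ssl
        Finding  = $finding
    }
}
$report | Format-Table Server, Identity, Basic, Digest, Windows, Forms, Https, Finding -AutoSize

# 2. Harden: forms-based authentication on, Digest and Integrated Windows off.
#    Basic is left unchanged. -WhatIf shows what would change; remove it to apply.
Get-OwaVirtualDirectory |
    Set-OwaVirtualDirectory -FormsAuthentication $true `
        -DigestAuthentication $false -WindowsAuthentication $false -WhatIf

# 3. After applying, IIS must be restarted on each Client Access server for
#    authentication changes to take effect:  iisreset /noforce
```

Run step 1 on its own first; the Finding column is the only thing that needs a decision, and the Https column tells you whether a “Low” rating in the table would actually apply to that directory.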
Disabling Web Beacons for Outlook Web App
Web beaconing is a method used to retrieve valid email addresses and recipient information. Web beaconing is often used by unscrupulous advertisers and spammers to improve the accuracy and effectiveness of their spamming campaigns.
Exchange Server 2010 allows the disabling of web beacons for OWA. Administrators can use the Exchange Management Shell to define the type of filtering that is used for web beacon content and enforce it for all users.
To use the Exchange Management Shell to configure web beacon filtering settings, perform the following command from the shell:
Set-OwaVirtualDirectory -identity "Owa (Default Web Site)" -FilterWebBeaconsAndHtmlForms ForceFilter
This command configures the filtering of web beacon content in the OWA virtual directory named Owa in the default IIS website. Possible values for the FilterWebBeaconsAndHtmlForms setting are as follows:
UserFilterChoice— Prompts the user to allow or block web beacons
ForceFilter— Blocks all web beacons
DisableFilter— Allows web beacons
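The single command above sets one virtual directory on one server. The script below is an added example (not from the book) that audits every OWA virtual directory in the organization, enforces ForceFilter only where it is not already set, and verifies the result. It assumes the Exchange 2010 Management Shell; Get-OwaVirtualDirectory, Set-OwaVirtualDirectory and the FilterWebBeaconsAndHtmlForms parameter are the real ones from this section, and the server name CAS01 is a placeholder.

```powershell
# Added example (not from the book): organization-wide web beacon filtering.
# Assumes the Exchange 2010 Management Shell.

# Audit: current setting on every OWA virtual directory
Get-OwaVirtualDirectory |
    Select-Object Server, Identity, FilterWebBeaconsAndHtmlForms |
    Format-Table -AutoSize

# Select only the directories that still allow beacons (DisableFilter) or
# leave the decision to the user (UserFilterChoice)
$lax = Get-OwaVirtualDirectory |
    Where-Object { $_.FilterWebBeaconsAndHtmlForms -ne 'ForceFilter' }

# Enforce on those directories. -WhatIf previews the change; remove it to apply.
$lax | Set-OwaVirtualDirectory -FilterWebBeaconsAndHtmlForms ForceFilter -WhatIf

# Verify: this should produce no output once every directory is ForceFilter
Get-OwaVirtualDirectory |
    Where-Object { $_.FilterWebBeaconsAndHtmlForms -ne 'ForceFilter' }

# Single-server form of the same change (CAS01 is a placeholder server name)
Set-OwaVirtualDirectory -Identity "CAS01\Owa (Default Web Site)" `
    -FilterWebBeaconsAndHtmlForms ForceFilter
```

Scoping the Set to the directories that need it keeps the change log small and makes the verification step meaningful: an empty result from the final Where-Object is the evidence that the policy is enforced for all users.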
Using Safe and Block Lists
OWA 2010 users can now manage their junk email settings from within OWA. Users can enable or disable junk email filtering, create and maintain Safe Senders, Blocked Senders, and Safe Recipients lists, enter email domains or Simple Mail Transfer Protocol (SMTP) addresses, and elect to trust email from their contacts.
Note
The option to “always trust contacts” does not function if the user has more than 1,024 contacts. Although this limitation will not be reached for most users, those with an exceptionally large number of contacts should be aware of the limitation.
To access the Junk E-Mail settings in OWA, select Options from the upper-right corner of the screen, and then select Junk E-Mail on the left side of the page.
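Users change these settings in the OWA Options page, but an administrator can read and set the same safe and block lists from the shell. The script below is an added example (not from the book or from Microsoft) that reports each mailbox's junk email configuration, finds mailboxes that have “trust contacts” enabled but exceed the 1,024-contact limit from the note above, and shows how an administrator adds a blocked sender domain. It assumes the Get-/Set-MailboxJunkEmailConfiguration cmdlets, which this example takes to be available in Exchange 2010 SP1 and later, and Get-MailboxFolderStatistics; the domain example.net is a constructed sample value.

```powershell
# Added example (not from the book): safe and block lists from the shell.
# Assumes the Exchange 2010 SP1+ Management Shell.

# 1. Report the junk email configuration for every user mailbox
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Get-MailboxJunkEmailConfiguration |
    Select-Object Identity, Enabled, ContactsTrusted,
        @{ Name = 'SafeSenders';    Expression = { $_.TrustedSendersAndDomains.Count } },
        @{ Name = 'BlockedSenders'; Expression = { $_.BlockedSendersAndDomains.Count } } |
    Format-Table -AutoSize

# 2. Find mailboxes where "always trust contacts" is on but cannot work
#    because the Contacts folder holds more than 1,024 items.
$limit = 1024
$affected = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $junk = Get-MailboxJunkEmailConfiguration -Identity $mbx.Identity
    if (-not $junk.ContactsTrusted) { continue }

    # Default Contacts folder only (FolderType 'Contacts'), not sub-folders
    $contacts = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope Contacts |
        Where-Object { $_.FolderType -eq 'Contacts' }
    if ($contacts -and $contacts.ItemsInFolder -gt $limit) {
        New-Object PSObject -Property @{
            Mailbox  = $mbx.Identity
            Contacts = $contacts.ItemsInFolder
        }
    }
}
$affected | Format-Table Mailbox, Contacts -AutoSize

# 3. Administrator-side change: add a domain to one user's Blocked Senders list
#    (example.net is a constructed sample value; the mailbox identity is a placeholder)
Set-MailboxJunkEmailConfiguration -Identity "user@contoso.example" `
    -BlockedSendersAndDomains @{ Add = "example.net" }
```

Step 2 is the check a help desk would want before telling a user why “trust contacts” appears to do nothing; the @{ Add = ... } syntax in step 3 appends to the multivalued list instead of replacing what the user has already entered in OWA.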