As someone who spends a lot of time traveling, I have always thought that OWA was pretty much the greatest thing since sliced bread. In the hands of a user though, OWA can present a serious security risk. You just never know when a user could potentially disclose sensitive information by opening a file attachment from a public computer or from a computer that is infected with malware. Fortunately, Exchange Server 2007 makes it easy to control when and how a user is allowed to open e-mail attachments. In this article, I will show you how.
Your Options for Blocking Attachments
When it comes to blocking attachments through OWA, you have five options. Your first option is to allow users to open attachments that have a known file type, using the application that is associated with that file type. An example of this would be using Microsoft Word to open a .DOC file.
Your second option is to force users to save certain types of attachments to disk before they are allowed to open them. The reason why this option exists is because some users are in the habit of using public kiosks to check their messages. When a user opens an attachment directly through OWA, the attachment is first copied to the machine’s hard disk prior to being open. This means that even after the user logs out, a copy of the file may remain on the machine. Administrators sometimes require attachments to be saved to disk prior to being opened as a way of preventing users from opening potentially sensitive attachments on public kiosks.
The third option for controlling attachments through OWA is to simply block unknown attachment types so that users can not open them. This prevents a user from accidentally opening a malicious file.
Our fourth option for controlling the way that users open attachments through OWA is to force users to open attachments in a browser window, rather than using the application that is associated with the attachment. When Microsoft created Exchange Server 2007, the introduced a new feature called Web Ready Document Viewing. The basic idea behind this feature is that common document types such as Microsoft Office documents and PDF files can be rendered in HTML format and displayed in a browser window rather than having to be opened by the application that is traditionally associated with the file type.
While I’m on the subject of Web Ready Document Viewing, I want to quickly mention that at the time that Exchange Server 2007 was released, Microsoft Office 2007 was not yet complete. As such, the Web Ready Document Viewing feature cannot natively open Microsoft Office 2007 documents. This issue was however addressed in Exchange Server 2007 SP1.
Your fifth option for controlling the opening of attachments through OWA doesn’t so much have to do with attachments themselves as it does with file shares. As you might have heard, one of the mobility features introduced in Exchange Server 2007 is the ability to allow mobile users to open files that are located on Windows file shares or in SharePoint document libraries. It should therefore come as no surprise that one of the content restriction features that OWA features is the ability to prevent access to file shares or SharePoint document libraries.
To control the way that users are allowed to interact with attachments through OWA, go to your Client Access Server and open the Exchange Management Console, and navigate through the console tree to Server Configuration | Client Access. Next, select the OWA (Default Web Site) listing from the console’s lower, middle pane, and then click the Properties link found in the Actions pane. When you do, Windows will display the OWA (Default Web Site) Properties sheet.
One of the first things that you may notice about this properties sheet is that there are two nearly identical tabs labeled Public Computer File Access, and Private Computer File Access. The presumption is that an administrator can set less restrictive settings if a user is logged on from a private computer. Keep in mind though, that it is ultimately up to the user to tell OWA (at sign in) whether they are using a public or a private computer. Because there is nothing stopping a user from lying to OWA about whether a computer is private or not, I recommend using identical settings for both public and private computers. You can see what this properties sheet looks like in Figure A.
Figure A You can control file access through the OWA (Default Web Site) Properties sheet.
In this article, I have explained that there are a lot of different options available to you if you want to control user’s access to files or to file attachments through OWA. In Part 2, I will conclude this series by explaining what the various options do.
Got a question? Post it on our Exchange Server Forums!