Outlook Web App

Outlook Web App (OWA) is the webmail interface for Microsoft Exchange Server 5.0 and later, and is installed as part of an Exchange installation.  OWA makes it possible for users to work with their e-mail messages, calendar entries, contact lists and tasks (OWA 2010) with nothing more than a supported Web browser and an Internet connection.

OWA in Exchange 2010 offers usability almost on par with that of Outlook 2010, including advanced capabilities such as the ability to print and share calendars, conversation view, and no longer having to page through multiple screens.  With most organizations loath to disable it, it is more important than ever that administrators maximize the security of their Outlook Web App installation.

Understanding Outlook Web Access Login Options

Users logging into OWA 2010 (or OWA 2007) are presented with the option to select the Light version of OWA by ticking the “Outlook Web Access Light” checkbox, or to opt for the Premium version.  There are in fact many differences between the Light version and the Premium one, with features such as drag-and-drop, conversation view and right-click context menus reserved for the Premium version.

More pertinent, though, is the security option on the login page, in the form of “This is a public or shared computer” and “This is a private computer.”  Selecting the former results in OWA adopting a more restrictive stance, which includes timing out the session after a period of inactivity.  This defaults to 15 minutes, a huge contrast with the default session timeout of 12 hours if “This is a private computer” is selected.  As you can imagine, employees who access OWA from a non-secure environment should be advised to select the appropriate option.

Enable SSL with a Digital Certificate

Security professionals will tell you that unencrypted (HTTP) web connections not piped through a VPN or another encrypted channel are essentially clear-text transmissions, which can be disastrous if intercepted.  Given that employees are most likely accessing OWA when out of the office, using public Wi-Fi networks or other locations with unsecured Internet connectivity, it makes sense to ensure that encryption is enabled in the form of SSL (HTTPS).

A self-signed digital certificate is enough to enable encryption, but given the hassle of configuring and installing your own certificate anyway, it is highly recommended that businesses go one step further and pay the fees to acquire a digital certificate from a trusted certificate authority (CA).  Unlike a self-signed certificate, a CA-issued certificate gives users a way to verify the server's identity and so offers some protection against man-in-the-middle attacks.

Redirecting to HTTPS

Imagine going through the various administrative and configuration hoops to acquire and install an SSL certificate, and even training your users to verify that an SSL connection is not spoofed, only to have them circumvent all these measures by connecting via unsecured HTTP.

One simple way to seamlessly redirect users to the secure HTTPS login in Exchange 2003 and earlier is to use a simple ASP script similar to the one below and configure it as the default page of the web site.

<%
' Redirect plain-HTTP requests to the HTTPS OWA URL on the same host
If Request.ServerVariables("HTTPS") = "off" Then
    Response.Redirect "https://" & Request.ServerVariables("SERVER_NAME") & "/owa"
End If
%>

Microsoft Support has put together an article that describes this process in more detail.  Unfortunately the above step no longer works on Exchange 2010, though Brian Desmond has an updated solution that uses the HTTP Redirection feature in IIS to achieve the same result on Exchange 2010.
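The IIS-based approach for Exchange 2010, scripted as an added example (this is not code from the article or from Brian Desmond's post): it enables the HTTP Redirection feature on the Default Web Site, then switches the inherited redirect back off on each Exchange virtual directory so that Autodiscover, EWS, ActiveSync and OWA itself keep working. It assumes IIS 7 or 7.5 with the HTTP Redirection role service installed, an elevated PowerShell session, and uses mail.example.com as a placeholder host name.

```powershell
# Added example, not the article's own code. Assumes the WebAdministration module
# (IIS 7/7.5) and the HTTP Redirection role service are installed.
Import-Module WebAdministration

$site   = 'IIS:\Sites\Default Web Site'
$owaUrl = 'https://mail.example.com/owa'   # placeholder: your external OWA URL

# 1. The site root must accept plain HTTP, or the redirect never gets a chance to run.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'None'

# 2. Redirect requests for the site root (childOnly) to the HTTPS OWA URL with a 302.
$redir = 'system.webServer/httpRedirect'
Set-WebConfigurationProperty -PSPath $site -Filter $redir -Name enabled            -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $redir -Name destination        -Value $owaUrl
Set-WebConfigurationProperty -PSPath $site -Filter $redir -Name childOnly          -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $redir -Name httpResponseStatus -Value 'Found'

# 3. The redirect is inherited by every virtual directory under the site; turn it off
#    there, otherwise /owa, /ews, /autodiscover and friends loop back to the redirect.
$vdirs = 'aspnet_client','Autodiscover','ecp','EWS','Microsoft-Server-ActiveSync',
         'OAB','owa','PowerShell','Rpc'
foreach ($v in $vdirs) {
    if (Test-Path "$site\$v") {
        Set-WebConfigurationProperty -PSPath "$site\$v" -Filter $redir -Name enabled -Value $false
    }
}

# 4. Checks: the root should redirect, and every Exchange vdir must still require SSL
#    (the point of the exercise is to force HTTPS, not to relax it).
Get-WebConfiguration -PSPath $site -Filter $redir | Format-List enabled, destination, childOnly
foreach ($v in $vdirs) {
    if (Test-Path "$site\$v") {
        $ssl = (Get-WebConfiguration -PSPath "$site\$v" -Filter 'system.webServer/security/access').sslFlags
        "{0,-30} sslFlags = {1}" -f $v, $ssl
    }
}
```

After running it, a request to http://mail.example.com/ should return 302 with a Location header pointing at the OWA URL, and any vdir reporting sslFlags of None should have Require SSL re-enabled in IIS Manager before going live.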

Monitor multiple failed OWA logon attempts

Contrary to what happens in the movies, most attackers resort to mundane methods of breaking into computer systems, such as simply guessing passwords.  It is therefore extremely useful for administrators to periodically check for excessive bad logon attempts in order to detect brute-force attacks against an Exchange Server installation.

Accessing these statistics requires sifting through the log files generated by Exchange, which is possible using a Microsoft tool called Log Parser, designed to provide universal query access to text-based data on Windows.  This includes your typical log files, CSV files, the Event Log, the Registry and Active Directory, all of which can be queried using a simple SQL-like syntax.  Administrators not keen on rolling up their sleeves over a command line interface will probably want to check out the free Log Parser Lizard, a popular GUI for Log Parser that manages queries and exports the results to Excel and charts.

On the other hand, command line ninjas will appreciate the option of writing a PowerShell script to count the number of bad logon attempts over a fixed time period.  I shall be writing more about PowerShell for Exchange in a separate article.
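A PowerShell script of the kind just described, added here as an example and not taken from the article: it counts failed logons on the Client Access server over a look-back window, groups them by source address and flags addresses over a threshold. It assumes Windows Server 2008 or later (where a failed logon is Security event 4625), failure auditing enabled for the Logon category, PowerShell 3.0 or later, and an elevated session; note that 4625 covers all logon failures on the box, not only OWA, so correlate flagged addresses with the IIS logs before acting.

```powershell
# Added example, not the article's own code. Counts Security event 4625 (failed logon)
# per source IP and reports the distinct accounts tried from each address.
function Get-FailedOwaLogons {
    param(
        [int]$Hours     = 1,    # look-back window
        [int]$Threshold = 10    # failures from one address that warrant a closer look
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    $records = foreach ($e in $events) {
        # The EventData fields are easiest to read from the XML form of the record.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            SourceIp  = $d['IpAddress']
            LogonType = $d['LogonType']   # 8 (NetworkCleartext) is typical of IIS basic/forms auth
            Status    = $d['Status']      # 0xC000006D = unknown user name or bad password
        }
    }

    # One row per source address, most failures first. A single address hammering one
    # account is classic brute force; one address touching many accounts is spraying.
    $records | Group-Object SourceIp | ForEach-Object {
        $accounts = $_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique
        [pscustomobject]@{
            SourceIp   = $_.Name
            Failures   = $_.Count
            Accounts   = $accounts.Count
            Sample     = ($accounts | Select-Object -First 5) -join ', '
            Suspicious = ($_.Count -ge $Threshold)
        }
    } | Sort-Object Failures -Descending
}

# Example run: the last 24 hours, flagging any address with ten or more failures.
Get-FailedOwaLogons -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Schedule it with Task Scheduler and pipe the result to Export-Csv or Send-MailMessage to turn the periodic check the article recommends into a standing report.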

Defending against keystroke loggers

The greatest weakness of OWA, in my mind, is probably its vulnerability to keystroke loggers.  For administrators not familiar with the term, a keystroke logger is software (or hardware) designed to surreptitiously capture and retain everything entered by means of the keyboard.  Workstations rigged with such malware or hardware give attackers access to all data that is typed in, including passwords.

There is really no effective way of combating keystroke loggers residing on shared computers such as in an Internet café, though mitigation strategies exist.

  1. Disable OWA entirely: Given the popularity of OWA, be warned that this is a move that management is unlikely to accede to.
  2. Expire passwords frequently: Doing this incurs no direct costs and can help limit the damage when passwords are stolen, since a captured password stops working sooner.  It may, however, result in users writing down their passwords.
  3. Implement two-factor authentication: A number of third-party commercial solutions exist for OWA, for companies serious about security.  A captured password alone is then not enough to log on.

Another option for secure mobile access to Exchange is to use Exchange ActiveSync on tablets or smartphones.
