Better OWA Attachment Security
Remote users love OWA. You'll love these tips that limit the risks.
August 28, 2006
Microsoft Outlook WebAccess (OWA) is auseful tool for givingremote or mobile users accessto their Outlook mailboxes.Although OWA lacks some ofOutlook's features, the overalluser experience is similar tothat of Outlook and is a reasonable alternative. However, someof the functionality that makesOWA useful and convenientalso raises some security concerns—among them fearsabout attachment safety, eitherfrom sensitive information getting into the wrong hands orfrom malicious content that canharm a user's PC or the network. But rather than denyusers the ability to use OWA toremotely access their mailboxes, you can take some stepsto help secure OWA attachments and reduce the securityrisks involved. You can also planahead to take advantage ofsome new attachment-controlfeatures that Microsoft hasincluded in Exchange Server2007.
OWA Attachment Handling
When an OWA user receives anemail message containing anattachment, the user can perform one of three actions:
From within the browser, the user can right-click and save the attachment. This behavior is purely a function of the browser and has nothing to do with OWA.
From within the browser, the user clicks the attachment link, and the browser displays a dialog box that asks whether the user wants to save or open the file. If he or she chooses to save it, the browser saves the file—again without OWA being involved.
The user chooses to open the document, in which case, OWA sends an HTTP header to the browser indicating that the document expired the previous day. This causes the browser to not cache the document, although it might write the document to a temporary file area on the hard disk.
Note that in the first two cases,OWA has no control over whathappens to the file. If the userchooses to save the file, thebrowser will simply ignore the"don't cache this" header. Evenif you manually add the Cache-control: no-cache header to theExchange virtual directory,users will still be able to saveattachments. To amend this behavior, you can take advantage of OWA 2003's attachment-controlfeatures to prevent users from beingable to open the attachments. To bespecific, with OWA you can
customize the list of file types that are completely blocked and those that can be opened only after saving to disk. This capability parallels the controls you get in Outlook when you install the Outlook Security Features Administrator Package.
control whether users can access documents saved directly in public folders.
restrict which servers users can use to access attachments.
These controls help prevent usersfrom opening malicious attachments,and they give you a degree of controlover where users can open attachments that might contain sensitive orproprietary data.
Blocking AttachmentsDepending on File Type
The first line of attachment control isrestricting the types of files that userscan open directly from the email message. This capability came aboutbecause Outlook users have shown adistressing tendency to open malwareprograms disguised as legitimateattachments. By making some filetypes unavailable in Outlook andrequiring users to save other files todisk before opening them, the Outlook development team successfullyblocked several potential attack vectors. OWA implements these samecontrols.
Attachment types that are completely unavailable are known as Level1 file types; attachment types thatusers can save to disk but not directlyopen are called Level 2 file types. Youcan use a registry setting to controlwhich file types are in each category.By adding the Level1FileTypes andLevel2FileTypes values (of type REG_SZ) under the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeWebOWAregistry subkey and setting the valueof each to a comma-delimited list ofthe attachment types you want in thatcategory, you can force OWA to blockcertain file types or force users to savethem to disk first. For example, if youwant to specify Perl (.pl) scripts as aLevel 2 file type, perform these steps:
Log on to your OWA server with an account that has Windows administrative privileges.
Open a registry editor (regedit.exe).
Navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControl SetServicesMSExchangeWebOWA.
Double-click the Level2FileTypes entry.
When the Edit String dialog box ap- pears, scroll to the end of the string and add, "pl" (without the quotes). Click OK.
You can also customize theLevel1MIMETypes and Level2MIMETypes, which instruct the OWA serverto block attachments according to theMIME type of the file delivered by theserver. This feature is useful if yourusers frequently work with messagesthat contain links to content thatdoesn't contain extensions (e.g., Macintosh-format files on a Windows fileserver) because you can block theMIME type that corresponds to thefile content no matter what the actualfile extension might be. It also helpsprotect you against situations inwhich the extension of an attachmentdoesn't match the true MIME type;malware payloads sent via email oftencontain misleading extension information that attempts to fool users andantivirus software. To customize theMIME types used for filtering, use thesteps outlined for customizing theLevel2FileTypes value, except you'llmodify the appropriate Level1MIMETypes and Level2MIMETypes values.
Controlling FreeDoc Access
Public folders can contain many different data types. After Exchange 2000Server shipped, the fact that publicfolders supported direct access viaWWW Distributed Authoring and Versioning (WebDAV) led many organizations to store documents directly inpublic folders—not as attachments toposts in those folders, but as raw documents. Microsoft calls these documents FreeDocs, and they raise asecurity problem. FreeDocs can haveembedded macro code that will execute in the local security context of thebrowser when someone opens thedocument. Exchange Server 2003blocks FreeDoc access from OWA outof the box. You can override thisbehavior by adding a new REG_DWORD value named EnableFreeDocs under the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeWebOWA,then customizing its value. You can setthe value to
0 to block all FreeDoc access from within OWA (OWA's default behavior). However, this setting doesn't stop Microsoft Office users (or others using WebDAV–capable applications) from creating and opening FreeDocs.
1 to block FreeDoc access from front-end servers but allow access via WebDAV and via back-end servers.
2 to allow FreeDoc access from back-end servers and from front-end servers whose names appear in the AcceptedAttachmentFront Ends value. You specify the set of allowable front-end servers by creating or adding to a comma-delimited list that includes the Fully Qualified Domain Name (FQDN) of each server. The list should go in a REG_SZ value named HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeWebOWAAcceptedAttachmentFrontEnds.
To set the way OWA handles Free-Docs, perform these steps:
Log on to your OWA server with an account that has Windows administrative privileges.
Open a registry editor (regedit.exe).
Navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControl SetServicesMSExchangeWebOWA.
Right-click HKEY_LOCAL_MACHINESYSTEMCurrentControl SetServicesMSExchangeWebOWA and select New, DWORD Value. Name the new value EnableFreeDocs.
Double-click the new value, and in the Edit DWORD Value dialog box, enter the desired value.
Click OK.
Controlling Access toAttachments Via Front-EndServers
Blocking certain types of attachmentsor documents is useful in itself, butsometimes you want to keep peoplefrom accessing attachments depending on where the person is, not justwhat the file type is. This concern isdue to the nature of how OWA works.Outlook is typically installed on amachine in an environment in whichthe user is presumed to be an honestmember of the company, and therefore it's reasonable to assume that themachine is under the user's controland is in a place where it's safe for theuser to open sensitive attachments.OWA, however, is designed to be usedfrom most any modern Webbrowser—even browsers running onmachines that aren't under the user'scontrol and aren't necessarily safe.OWA 2003 addresses this problem ina couple of ways, such as its provisionfor automatically ending users' sessions after an administrator-specifiedtime period. (You can set separatetimes for public and trusted computers.) OWA 2003 also lets you restrictwhich servers users can use to accessattachments to help reduce the riskthat users will open sensitive attachments on untrusted machines. Forexample, you probably wouldn't blockMicrosoft Word documents for allusers, but you might want to preventOWA users from accessing Word documents from outside the corporatenetwork. OWA 2003 offers two interlocking controls that let you do thisfairly easily.
First, the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeWebOWADisableAttachments subkey lets you controlwhether attachments are open,blocked, or open only for users whoare connecting directly to a back-endserver. When you create this entry, youcan assign one of three values:
A value of 0 tells OWA to allow unrestricted attachment access. This is OWA's default behavior.
A value of 1 forces OWA to block access to all attachments. This is pretty draconian and probably not appropriate for most environments.
A value of 2 allows attachment access for users who connect directly to the back-end mailbox server. If you're using a front-end/ back-end topology, this effectively restricts attachment access to users inside your firewall (or those that can establish sessions directly to their mailbox servers).
To apply this setting, perform thesesteps:
Log on to your OWA server with an account that has Windows administrative privileges.
Open a registry editor (regedit.exe).
Navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControl SetServicesMSExchangeWebOWA.
Right-click HKEY_LOCAL_MACHINESYSTEMCurrentControl SetServicesMSExchangeWebOWA and select New, DWORD Value. Name the new value DisableAttachments.
Double-click the new value, and in the Edit DWORD Value dialog box, enter the desired value (e.g., use a value of 2 to block outside attachment access).
Click OK.
Stop and restart the World Wide Web Publishing service. (You can quickly do this from the command line by using the net stop w3svc and net start w3svc commands.)
Additionally, you can use the AcceptedAttachmentFrontEnds value (of typeREG_SZ) under the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeWebOWAsubkey to allow users who connect tospecified front-end servers to accessattachments. Any request that comesfrom a server whose host headermatches the name of a server on theAcceptedAttachmentFrontEnds listwill be accepted. (Use commas to separate the entries on the acceptedserver list.) This setting takes effectonly if the DisableAttachments valueis set to 2.
Note that the Level 1 and Level 2block lists take precedence over DisableAttachments. If you specify that aparticular file type should be blocked,it will be blocked for all users, no matter what DisableAttachments is set to.
OWA 2007 Attachment-ControlFeatures
Microsoft has added two significantnew attachment-control features inthe Exchange 2007 version of OWA.The first, OWA Document Access,allows the OWA server to translatelinks to internal Windows SharePointServices Web sites for use by Internetclients. This gives OWA users read-only access to administrator-specifiedSharePoint sites—provided the usershave access with their normal Windows accounts; Document Accessuses the user's credentials to requestaccess. This SharePoint functionalityreduces the need to send attachmentsvia email in the first place.
The second feature, WebReadyDocument Viewing, is an HTMLtranscoder that renders some Officedocument types (e.g., Word, PowerPoint, Excel) and PDF files as HTMLpages. This feature prevents usersfrom modifying an attachment's content, and it means that there's nolonger an easy way for users to save anintact document file to an untrustedmachine. Look for more coverage ofboth of these features in future issues.
Technical Solutions toBehavioral Problems
Controlling access to attachments ispart of a strong security posture, andOWA offers some security features thatcan help reduce the risk that a userwill accidentally leave copies of sensitiveattachments on untrusted machinesor that an attachment containingmalicious content will cause damageto your network. However, these features aren't foolproof. For example, asufficiently determined user can simply rename a file before sending it toevade the file-type blocking restrictions.
If your email users frequentlyexchange or send sensitive documents, you need to couple the technical measures discussed here withuser education that helps themunderstand what the security measures are for and why they're implemented. Then you need to design asecurity policy that specifies properattachment-handling procedures.OWA's attachment-management features will help make that policy a reality.
ADDITIONAL OWA RESOURCES Windows IT Pro Resources "Exchange Server 2003 OWA Overview"InstantDoc ID 39790 "OWA Attachment Security"InstantDoc ID 41265 "Setting Up Load-Balanced OWA Servers with Front-End SSL Accelerators" InstantDoc ID 47789 "WebDAV for Remote Access"InstantDoc ID 49847 Microsoft Resources"Outlook Web Access Features in Exchange Server 2003"http://www.microsoft.com/exchange/evaluation/features/owa_features.mspx "Outlook Web Access-Configure Attachment Blocking" http://support.microsoft.com/?kbid=555001 |
About the Author
You May Also Like