Better OWA Attachment Security

Microsoft Outlook WebAccess (OWA) is auseful tool for givingremote or mobile users accessto their Outlook mailboxes.Although OWA lacks some ofOutlook's features, the overalluser experience is similar tothat of Outlook and is a reasonable alternative. However, someof the functionality that makesOWA useful and convenientalso raises some security concerns—among them fearsabout attachment safety, eitherfrom sensitive information getting into the wrong hands orfrom malicious content that canharm a user's PC or the network. But rather than denyusers the ability to use OWA toremotely access their mailboxes, you can take some stepsto help secure OWA attachments and reduce the securityrisks involved. You can also planahead to take advantage ofsome new attachment-controlfeatures that Microsoft hasincluded in Exchange Server2007.

OWA Attachment Handling
When an OWA user receives anemail message containing anattachment, the user can perform one of three actions:

Note that in the first two cases,OWA has no control over whathappens to the file. If the userchooses to save the file, thebrowser will simply ignore the"don't cache this" header. Evenif you manually add the Cache-control: no-cache header to theExchange virtual directory,users will still be able to saveattachments. To amend this behavior, you can take advantage of OWA 2003's attachment-controlfeatures to prevent users from beingable to open the attachments. To bespecific, with OWA you can

These controls help prevent usersfrom opening malicious attachments,and they give you a degree of controlover where users can open attachments that might contain sensitive orproprietary data.

Blocking AttachmentsDepending on File Type
The first line of attachment control isrestricting the types of files that userscan open directly from the email message. This capability came aboutbecause Outlook users have shown adistressing tendency to open malwareprograms disguised as legitimateattachments. By making some filetypes unavailable in Outlook andrequiring users to save other files todisk before opening them, the Outlook development team successfullyblocked several potential attack vectors. OWA implements these samecontrols.

Attachment types that are completely unavailable are known as Level1 file types; attachment types thatusers can save to disk but not directlyopen are called Level 2 file types. Youcan use a registry setting to controlwhich file types are in each category.By adding the Level1FileTypes andLevel2FileTypes values (of type REG_SZ) under the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeWebOWAregistry subkey and setting the valueof each to a comma-delimited list ofthe attachment types you want in thatcategory, you can force OWA to blockcertain file types or force users to savethem to disk first. For example, if youwant to specify Perl (.pl) scripts as aLevel 2 file type, perform these steps:

You can also customize theLevel1MIMETypes and Level2MIMETypes, which instruct the OWA serverto block attachments according to theMIME type of the file delivered by theserver. This feature is useful if yourusers frequently work with messagesthat contain links to content thatdoesn't contain extensions (e.g., Macintosh-format files on a Windows fileserver) because you can block theMIME type that corresponds to thefile content no matter what the actualfile extension might be. It also helpsprotect you against situations inwhich the extension of an attachmentdoesn't match the true MIME type;malware payloads sent via email oftencontain misleading extension information that attempts to fool users andantivirus software. To customize theMIME types used for filtering, use thesteps outlined for customizing theLevel2FileTypes value, except you'llmodify the appropriate Level1MIMETypes and Level2MIMETypes values.

Controlling FreeDoc Access
Public folders can contain many different data types. After Exchange 2000Server shipped, the fact that publicfolders supported direct access viaWWW Distributed Authoring and Versioning (WebDAV) led many organizations to store documents directly inpublic folders—not as attachments toposts in those folders, but as raw documents. Microsoft calls these documents FreeDocs, and they raise asecurity problem. FreeDocs can haveembedded macro code that will execute in the local security context of thebrowser when someone opens thedocument. Exchange Server 2003blocks FreeDoc access from OWA outof the box. You can override thisbehavior by adding a new REG_DWORD value named EnableFreeDocs under the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeWebOWA,then customizing its value. You can setthe value to

To set the way OWA handles Free-Docs, perform these steps:

Controlling Access toAttachments Via Front-EndServers
Blocking certain types of attachmentsor documents is useful in itself, butsometimes you want to keep peoplefrom accessing attachments depending on where the person is, not justwhat the file type is. This concern isdue to the nature of how OWA works.Outlook is typically installed on amachine in an environment in whichthe user is presumed to be an honestmember of the company, and therefore it's reasonable to assume that themachine is under the user's controland is in a place where it's safe for theuser to open sensitive attachments.OWA, however, is designed to be usedfrom most any modern Webbrowser—even browsers running onmachines that aren't under the user'scontrol and aren't necessarily safe.OWA 2003 addresses this problem ina couple of ways, such as its provisionfor automatically ending users' sessions after an administrator-specifiedtime period. (You can set separatetimes for public and trusted computers.) OWA 2003 also lets you restrictwhich servers users can use to accessattachments to help reduce the riskthat users will open sensitive attachments on untrusted machines. Forexample, you probably wouldn't blockMicrosoft Word documents for allusers, but you might want to preventOWA users from accessing Word documents from outside the corporatenetwork. OWA 2003 offers two interlocking controls that let you do thisfairly easily.

First, the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeWebOWADisableAttachments subkey lets you controlwhether attachments are open,blocked, or open only for users whoare connecting directly to a back-endserver. When you create this entry, youcan assign one of three values:

To apply this setting, perform thesesteps:

Additionally, you can use the AcceptedAttachmentFrontEnds value (of typeREG_SZ) under the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeWebOWAsubkey to allow users who connect tospecified front-end servers to accessattachments. Any request that comesfrom a server whose host headermatches the name of a server on theAcceptedAttachmentFrontEnds listwill be accepted. (Use commas to separate the entries on the acceptedserver list.) This setting takes effectonly if the DisableAttachments valueis set to 2.

Note that the Level 1 and Level 2block lists take precedence over DisableAttachments. If you specify that aparticular file type should be blocked,it will be blocked for all users, no matter what DisableAttachments is set to.

OWA 2007 Attachment-ControlFeatures
Microsoft has added two significantnew attachment-control features inthe Exchange 2007 version of OWA.The first, OWA Document Access,allows the OWA server to translatelinks to internal Windows SharePointServices Web sites for use by Internetclients. This gives OWA users read-only access to administrator-specifiedSharePoint sites—provided the usershave access with their normal Windows accounts; Document Accessuses the user's credentials to requestaccess. This SharePoint functionalityreduces the need to send attachmentsvia email in the first place.

The second feature, WebReadyDocument Viewing, is an HTMLtranscoder that renders some Officedocument types (e.g., Word, PowerPoint, Excel) and PDF files as HTMLpages. This feature prevents usersfrom modifying an attachment's content, and it means that there's nolonger an easy way for users to save anintact document file to an untrustedmachine. Look for more coverage ofboth of these features in future issues.

Technical Solutions toBehavioral Problems
Controlling access to attachments ispart of a strong security posture, andOWA offers some security features thatcan help reduce the risk that a userwill accidentally leave copies of sensitiveattachments on untrusted machinesor that an attachment containingmalicious content will cause damageto your network. However, these features aren't foolproof. For example, asufficiently determined user can simply rename a file before sending it toevade the file-type blocking restrictions.

If your email users frequentlyexchange or send sensitive documents, you need to couple the technical measures discussed here withuser education that helps themunderstand what the security measures are for and why they're implemented. Then you need to design asecurity policy that specifies properattachment-handling procedures.OWA's attachment-management features will help make that policy a reality.