OWA Security Risks Often Overlooked
OWA can be a great tool for remote email access, but it can also put company information at risk if users and IT pros aren't aware of the dangers it can present.
October 4, 2007
More and more companies are having to deal with remote workers, whether because of satellite offices, telecommuters, employees who travel, or employees simply putting in extra hours from home. And these workers require and expect easy access to their email Inboxes, no matter where they are. For organizations that use Microsoft Exchange Server, Outlook Web Access (OWA) is an easy alternative to VPN for accessing email remotely. It provides access to email from any Web browser.
One of the biggest concerns IT pros face with an OWA implementation is security. Even though most of these companies use ISA Server and other technologies such as RSA encryption and forms-based authentication (FBA), OWA still presents vulnerabilities that these technologies don't address. I recently talked with representatives from Messageware to learn more about the various threats that OWA users face.
OWA vulnerabilities fall into two main categories: Email attachments that might contain confidential information can be read, copied, and printed by people not authorized to open them, and OWA accounts can be accessed by unauthorized users. According to Messageware founder and President Mark Rotman, when someone opens an email attachment when using OWA, it remains in the browser's cache. When the user leaves his or her computer, the document is left behind on the computer and is available to anyone who logs in next, even after the original user has logged off from the OWA session.
The other vulnerability is a navigation-related threat. If an OWA user walks away from his or her computer without closing the Web browser, the user's OWA session is left exposed; the next person to use the computer can simply hit the back button or check the history to get back to the user's OWA session without entering any credentials.
Authentication or security products such as ISA, RSA, or FBA secure the infrastructure and perimeter of networks, but they don't address specifically a Web mail application. "Organizations spend a lot of money and effort on securing access points, the point at which passwords or tokens are collected," said Rotman, "and that security is circumvented when a user navigates away from the OWA page to check something on Google while at Starbucks and then walks away. That session is left active for an extended period of time." Think about all the types of company information that users' Inboxes contain, and you begin to see the magnitude of the problem.
Rotman added that with ISA and FBA, there's still a 15-20 minute timeout period that leaves the computer exposed when a user walks away. In addition, an FBA screen has buttons that ask users whether this is a public computer or a private computer. "Users quickly realize that policies are less stringent if they click private," he said. "So many users just always click private. That can circumvent the 20-minute timeout. That takes security out of the IT department and places it into the hands of users."
Messageware seeks to put OWA security back into the IT department and has developed several products that help to do that. Two of them, AttachView and NavGuard, as their names hint, solve the specific problems discussed. With AttachView, the file open button is disabled by default and attachments are not automatically cached; they are opened in a secure Web view. Administrators can configure which users or computers can open attachments and under what circumstances. The NavGuard product detects when a user navigates away from an active OWA session, and prompts the user to either log off or return to the session. You can read more about these and other OWA-related products at the company's Web site.
About the Author
You May Also Like