Problem solve Get help with specific problems with your technologies, process and projects.

Enhance OWA logon security using Microsoft ISA Server

Learn how to enhance Outlook Web Access logon security using Microsoft ISA Server to prevent users from accessing other users' Exchange 2003 mailboxes..

I have one Exchange server and one Microsoft ISA server. Outlook Web Access (OWA) is published through the ISA server. When anybody tries to access OWA, it prompts for username and password, and then you can log on. However, after logging on you can input any username in the address bar and that user's Exchange mailbox will open. I'm using a Secure Sockets Layer (SSL) certificate (e.g., https://mail.abc.com/exchange/Username), so I'm stumped as to why this isn't secure.

The default security model in Exchange Server 2003 prevents all user accounts from being able to open more than their own mailbox. A change to the default security settings is the only way this could happen.

For example, if you were to follow the steps in the Microsoft article, "How to assign service account access to all mailboxes in Exchange Server 2003," an account could be given access to all mailboxes. If you are logging on using such an account, then it might be possible to do what you have described without being prompted for a separate set of credentials.

You'll want to look at enabling forms-based authentication (FBA) on the ISA server. This will enhance the security for each logon. It will also force each session to log on with a new set of credentials.

For step-by-step instructions on configuring the listener for FBA, take a look at Outlook Web Access Server Publishing Walk-through Procedure 4: "Secure Outlook Web Access through the listener."

Do you have comments on this Ask the Expert Q&A? Let us know.

Related information from SearchExchange.com:

  • Tip: Protecting Outlook Web Access from keystroke loggers
  • Expert Advice: Securing Exchange mailboxes from internal attacks
  • Administration Guide: Outlook Web Access security
  • Reference Center: ISA server tips and resources
  • Dig Deeper on Exchange Server setup and troubleshooting

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.