Secure OWA to minimize your risks

There are a number of actions to take to implement OWA security, including obvious ones like creating strong password policies. Admins should also consider using other popular countermeasures to lessen risks.

Richard Luckett

Learn IT Solution Group LLC
Published: 18 Jul 2014

I'm trying to convince my boss that our organization can provide email access over the Internet without security...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

threats. I plan to use Outlook Web App -- what are the risks and countermeasures of doing so? And what can I do to secure OWA in this situation?

Of all the clients I've supported, only a few opted to completely disable Outlook Web App (OWA) externally for security reasons. Not to discourage you, but my attempts to convince them otherwise in those instances did little to change their minds. When there are across-the-board security policies prohibiting Web-based access to internal data sources, it may already be a done deal. Based on your question, I sense you're part of such an organization that would be willing to disable OWA for security reasons.

Does this mean organizations that choose to externally implement OWA are oblivious to the potential security risk? Not necessarily. Most organizations want to implement OWA on the basis that it's a business requirement to facilitate communications, but also to do all they can to secure the connections. In many cases, it comes down to the benefits of OWA outweighing the risks.

I've seen organizations use a number of measures to secure OWA. Outside of obvious actions such as having stronger password policies, here are some common countermeasures for OWA risks.

Standard countermeasure	Risk
Secure Sockets Layer (SSL) encryption	HTML data is transmitted in clear text. A man-in-the-middle attack could read the content of messages.
Forms-based authentication (FBA)	Windows Integrated Authentication (NT Lan Manager/Kerberos) will store credentials at the session layer. Credentials can persist until the browser's action is terminated. FBA stores credentials as a cookie that has a timer expiry and can be deleted independently of the session. FBA uses basic authentication but requires SSL to encrypt credentials that are entered.
Dedicated servers for Client Access Server role (Exchange 2007 to Exchange 2013)	Internet-facing servers with the CAS role are more prone to attacks. Isolating the CAS role from the mailbox role's data can create an additional layer of protection.
Reverse proxies	Domain-joined machines that allow direct connections from the Internet, even via firewalls, are prone to attacks. Publishing Web applications like OWA to a reverse proxy allows external connections to occur on a non-domain joined proxy within a DMZ network.
Segmentation	Some OWA features could be considered a security/policy risk, like allowing the changing passwords via OWA. It's possible to disable OWA features that end users see either at the virtual directory level or by using an Outlook Web App Mailbox Policy.

Some advanced countermeasures to secure OWA that you could also consider include:

Two-factor authentication – Requires more than just a password, often described as "something you have and something you know"
One-time password - Unlike a static password, a one-time password changes each time the user logs in
S/MIME – Secure MIME extensions are used to provide non-repudiation and email item level encryption
Active Directory Rights Management Service (AD RMS) – Protects email by allowing the owner to apply rights management policies that stay with the file regardless of where it goes

About the author:
Richard Luckett is a consultant and instructor specializing in messaging and unified communications. He's been a certified professional with Microsoft since 1996 and has 20 years of experience in the public and private sectors. He's a Microsoft Certified Trainer with more than 15 years of training experience with the Microsoft product line and received the Exchange MVP award in 2006, 2007 and 2008. He's also an expert in deploying and integrating Exchange Server and Lync Server. He leads the Microsoft training and consulting practice at LITSG.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Windows Server experts

View all Windows Server questions and answers

Resolve an Outlook outage when using Office 365

Microsoft Outlook on the web (formerly Outlook Web App, OWA)

How do you fix Outlook display issues?

Configuration caveats when enabling Outlook offline

Office 2016 features update the mail client for more collaboration

IBM Domino goes to the enterprise social but will anyone ask it to dance?

Office 365 to get feature priority over on-premises Exchange

Microsoft to 'Clutter' Office 365 users with OWA upgrade

Microsoft Outlook on the web (formerly Outlook Web App, OWA)

Office 2016 features update the mail client for more collaboration

Better email collaboration with Exchange 2016

A first look at Modern Authentication for Outlook

Office 365 advantages, disadvantages and surprises

Exchange mobile device management poses challenges to administrators

New technology competes to become email replacement

Is the Microsoft cloud first policy floating or failing?

Configuration caveats when enabling Outlook offline

Outlook on the Web rebranded: new tools organize email

How to fix the five most common Outlook errors

Is a single Office 365 tenant better than using multiple tenants?

Resolve an Outlook outage when using Office 365

How do you fix Outlook display issues?

Configuration caveats when enabling Outlook offline

Exchange mobile device management poses challenges to administrators

Please create a username to comment.

How to implement GPUs for high-performance computing

7 HPC workload virtualization best practices

Micro VMs bridge the gap between full VMs and containers

Top 5 nontechnical skills for cloud computing success

Build cloud economics expertise in-house

Early Oracle Cloud Infrastructure customers take its measure

SQL Server database design best practices and tips for DBAs

SQL Server in Azure database choices and what they offer users

Using a LEFT OUTER JOIN vs. RIGHT OUTER JOIN in SQL

DaaS may encourage organizations to adopt Macs and Chromebooks

Zoho adds new Zoho One features, management application

4 steps to check application compatibility with Windows 10

Navigate Office 365 licensing issues with VDI

St. John's Health modernizes with digital workplace technology

How to use Samsung DeX for remote desktop clients

Dig Deeper on Outlook management

Related Q&A from Richard Luckett

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.