Manage Learn to apply best practices and optimize your operations.

How to configure attachment blocking in Outlook Web Access contributor Serdar Yegulalp explains how to edit the registry to customize what email attachment file extensions are automatically blocked by Outlook Web Access.

Outlook Web Access (OWA) is configured "out of the box" to block certain kinds of email attachments. Like the full...

version of Microsoft Outlook, this attachment blocking works on two tiers.

The first tier of attachment blocking prohibits OWA access to the file entirely; the second tier prohibits the attached file from being accessed unless it's first saved to the client's hard drive or accessible network drive.

The first-tier blocks the usual suspects -- e.g., .EXE, .COM and .BAT file extensions. But it is possible for a file to be registered in both tiers at once by default (e.g., .COM). This means that if a file is removed from the first tier, it'll still be blocked by the second tier, which increases user protection.

The list of files in tier 1 is in the registry under: HKLM\System\CurrentControlSet\Services\MSExchangeWeb\OWA\Level1FileTypes as a REG_SZ entry.

Tier 2 files are in: HKLM\System\CurrentControlSet\Services\MSExchangeWeb\OWA\Level2FileTypes.

In each case, the file lists are stored as a simple comma-separated string and can be edited as needed.

More on this topic

  • Exchange Admin 101: Attachment blocking
  • Top 5 OWA tips of 2006
  • FAQ: Outlook Web Access
  • OWA Administration Guide

Unless you have a specific reason for unblocking a particular email attachment type, it's best to leave the lists as they are. But it can be useful to know where the lists are in case you need to add a new attachment type to OWA's attachment-blocking lists.

Note that you can always work around this restriction by compressing the file as a .ZIP archive (either with or without password protection). Most clients -- even those without a third-party .ZIP extraction tool handy -- can work with .ZIP files.

About the author: Serdar Yegulalp is editor of Windows Insight, a newsletter devoted to hints, tips, tricks, news and goodies for all flavors of Windows users.


I make it a point to block all email file attachments that can be used to send anything harmful. This especially includes .ZIP files. I get more .ZIP file viruses than any other format these days. Our antivirus (CA E-Trust) strips out all specified email attachments and removes macros from Microsoft Office documents.

Currently, I allow most media file types up to a certain size. I will restrict them only if there is a danger from a new media exploit, such as the one that affected images on unpatched machines a while back.

I ask people to use WinRAR to compress and send me a file or ask them to rename the .ZIP extension to .ZIT. This ensures that email file attachments can't be opened unintentionally. We have not had a virus released in our organization since we have had external email access (1998 on Exchange 5).

It does annoy some people to have to go through a few extra steps to send us a file. But in the end it is worth it to have some peace of mind.
—Mike M.

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you have a useful Exchange Server or Microsoft Outlook tip, timesaver or workaround to share? Submit it to If we publish it, we'll send you a nifty thank-you gift.

Dig Deeper on Outlook management