
Minimize remote and mobile Outlook Web Access (OWA) security risks

Get tips on securing Outlook Web Access (OWA) for mobile users such as setting up a dedicated virtual OS and creating strict group policies to lock down IE.

Outlook Web Access (OWA) is one of the biggest security threats to Microsoft Exchange Server. Although OWA itself is fairly secure if properly implemented, user PCs accessing Outlook Web Access, such as home PCs, can be more susceptible to malware.

Malware isn't a direct threat to Exchange. The real threat is the potential disclosure of sensitive data. Malware such as keystroke loggers and similar mechanisms attempts to relay details of an infected user's online activity to the malware's creator. This means that any email an infected user sends or opens in OWA can be viewed by the malware creator.

The million-dollar question is: What can you do to minimize the risks? Many companies forbid OWA use from computers that are not secure. The real solution is to control malware; however, this is easier said than done.

Internet Explorer (IE) can be infected far too easily. Alternative browsers such as Firefox are less prone to malware infection than Internet Explorer, but may give users a false sense of security.

Here are recommendations for securing Outlook Web Access for mobile and remote users:

  • Limit OWA access only to those users who have a legitimate business need for it (i.e., mobile and remote users). Taking OWA away will probably upset some users, but it is a big step toward improving your organization's security.
  • Install Virtual PC 2007 onto each laptop and create a dedicated virtual operating system (OS) for the sole purpose of providing a secure OWA environment. That way, even if the host operating system's copy of Internet Explorer becomes infected, the virtual OS should remain unaffected.

    You can't expect mobile users to access OWA only from the confines of a virtual OS, so you need to take some additional security steps to make this type of setup work properly:

    • Run Windows Vista as the host operating system. Windows Vista has drawn a lot of criticism for various reasons, but there is no denying that Internet Explorer 7 is much less prone to malware when run on Vista than when it's run on Windows XP.
    • Add your OWA server URL to the Restricted Sites zone of the host operating system's browser. While this won't stop users from accessing OWA from the host copy of Internet Explorer, it should prevent them from logging in.
  • Create strict group policies to lock down the guest operating system. It's possible to create a group policy that hides the Windows Start menu and all of the various Windows options. You can configure this so that Internet Explorer opens when a user logs onto the guest operating system. It then connects the user to the OWA server directly. You can also use IE-related group policy settings to completely lock down the browser.

    Group policy settings for locking down Internet Explorer are found in the Group Policy Object Editor under Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer and under User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer.
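The Restricted Sites step above can be scripted on the host operating system. The following PowerShell is an added example, not part of the original tip: it writes the registry values behind the "Site to Zone Assignment List" policy, and it assumes an elevated prompt and uses `https://owa.example.com` as a placeholder for your OWA server URL.

```powershell
# Added example: map the OWA URL to the Restricted Sites zone on the HOST OS.
# Assumption: https://owa.example.com is a placeholder, not a real server.
param(
    [string]$OwaUrl = 'https://owa.example.com',
    [switch]$Remove   # undo the mapping instead of creating it
)

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneMapKey = Join-Path $policyRoot 'ZoneMapKey'
$restricted = '4'   # 0 My Computer, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted

# Accept only an absolute http(s) URL and reduce it to scheme://host,
# so a pasted logon path or query string does not end up in the zone list.
$uri = $null
$ok  = [Uri]::TryCreate($OwaUrl, [UriKind]::Absolute, [ref]$uri)
if (-not $ok -or $uri.Scheme -notmatch '^https?$') {
    throw "Not an absolute http(s) URL: $OwaUrl"
}
$entry = '{0}://{1}' -f $uri.Scheme, $uri.Host

if ($Remove) {
    if (Test-Path $zoneMapKey) {
        Remove-ItemProperty -Path $zoneMapKey -Name $entry -ErrorAction SilentlyContinue
    }
    Write-Output "Removed zone mapping for $entry (if it existed)"
    return
}

if (-not (Test-Path $zoneMapKey)) {
    New-Item -Path $zoneMapKey -Force | Out-Null
}

# Each site is a REG_SZ value: name = site, data = zone number.
New-ItemProperty -Path $zoneMapKey -Name $entry -Value $restricted `
    -PropertyType String -Force | Out-Null
# Flag that the policy sets alongside the list.
New-ItemProperty -Path $policyRoot -Name 'ListBox_Support_ZoneMapKey' -Value 1 `
    -PropertyType DWord -Force | Out-Null

# Read the value back and fail loudly if it did not stick.
$actual = Get-ItemProperty -Path $zoneMapKey -Name $entry |
    Select-Object -ExpandProperty $entry
if ($actual -ne $restricted) {
    throw "Zone mapping for $entry is '$actual', expected '$restricted'"
}
Write-Output "$entry is mapped to zone $actual (Restricted Sites)"
```

Run it only on the host; the guest operating system must keep normal access to the OWA URL.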

It is important to remember that if you implement a dedicated virtual environment, it will only secure Outlook Web Access against the unintentional disclosure of information on an "assigned" PC. If a mobile worker uses a home PC instead of their laptop, it can completely undermine everything that you've done. You could hide the OWA URL; however, IE7 requires that a URL be shown for all websites (there is a way to get around this requirement, though). An alternative option is to eliminate Outlook Web Access and require mobile and remote users to use Microsoft Outlook with RPC over HTTP.

About the author:
Brien M. Posey, MCSE, has previously received Microsoft's MVP award for Exchange Server, Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at
