In Exchange Server 2007 and Exchange 2010, OWA automatically filters message attachments that appear to be HTML when they’re saved through the OWA interface. This prevents users from accessing harmful content or content that can waste bandwidth.
Unfortunately, the filtering process doesn’t just remove potentially malicious HTML; it can also mangle the message’s formatting or its contents entirely. This has been a widely discussed problem since the days of Exchange Server 2003. While this isn’t a problem for users who can access the full version of Outlook, it’s a big issue for OWA-reliant users.
In Exchange Server 2007 SP1, Microsoft added a setting to OWA that saves HTML attachments without filtering them first. To add this setting, you must edit the web.config file for your OWA instance. On your OWA server, the file is usually found in \Program Files\Microsoft\Exchange Server\ClientAccess\Owa. Open it and add the following code to the <appSettings> section of the file:
<add key = "BypassOwaHTMLAttachmentFiltering" value="true" />
If there is no <appSettings> section, you can add it by placing <appSettings> and </appSettings> before and after the above code. The changes should take effect immediately.
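The following is an added example, not code from the original article or from Microsoft. It reports whether the bypass key is present in web.config and writes it idempotently, covering the missing <appSettings> case described above. The function names are hypothetical, PowerShell 2.0 or later is assumed, and the value "true" in any letter case is assumed to mean the filter is bypassed.

```powershell
# Added example; function names are hypothetical. Assumes PowerShell 2.0+ and that
# OWA reads the value "true" (any letter case) as "filtering bypassed".
$KeyName  = 'BypassOwaHTMLAttachmentFiltering'
$AddXPath = "/*[local-name()='configuration']/*[local-name()='appSettings']/*[local-name()='add']"

function Get-OwaHtmlFilterBypass {
    param([Parameter(Mandatory=$true)][string]$Path)   # full path to OWA's web.config
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path -LiteralPath $Path).ProviderPath)
    # -eq on strings ignores case, so a differently cased key is still found.
    $hits = @($xml.SelectNodes($AddXPath) | Where-Object { $_.GetAttribute('key') -eq $KeyName })
    $on   = @($hits | Where-Object { $_.GetAttribute('value') -eq 'true' })
    New-Object PSObject -Property @{
        Path          = $Path
        Entries       = $hits.Count          # more than 1 means a duplicated key
        Values        = @($hits | ForEach-Object { $_.GetAttribute('value') })
        BypassEnabled = ($on.Count -gt 0)    # any "true" entry is reported
    }
}

function Set-OwaHtmlFilterBypass {
    # $Enabled defaults to $false, which leaves the attachment filter switched on.
    param([Parameter(Mandatory=$true)][string]$Path, [bool]$Enabled = $false)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    Copy-Item -LiteralPath $full -Destination "$full.bak" -Force   # rollback copy
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($full)
    $root = $xml.DocumentElement
    $app  = $root.SelectSingleNode("*[local-name()='appSettings']")
    if ($null -eq $app) {                    # no <appSettings> section yet
        $app = $root.AppendChild($xml.CreateElement('appSettings', $root.NamespaceURI))
    }
    $adds = @($app.SelectNodes("*[local-name()='add']") |
              Where-Object { $_.GetAttribute('key') -eq $KeyName })
    if ($adds.Count -eq 0) {
        $node = $app.AppendChild($xml.CreateElement('add', $root.NamespaceURI))
        $node.SetAttribute('key', $KeyName)
    } else {
        $node = $adds[0]
        # Keep the first entry and drop duplicates so the setting is unambiguous.
        $adds | Select-Object -Skip 1 | ForEach-Object { [void]$app.RemoveChild($_) }
    }
    $node.SetAttribute('value', $Enabled.ToString().ToLower())
    $xml.Save($full)
    Get-OwaHtmlFilterBypass -Path $full      # report the resulting state
}
# Usage (placeholder path): Get-OwaHtmlFilterBypass -Path '<OWA folder>\web.config'
```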
You’ll also need to edit the Force Save list in the Direct File Access Setting of the Exchange Management Console (EMC). This allows you to whitelist one or more file types that can be saved directly from OWA. To do so, follow these steps:
1. In the EMC, go to Server Configuration -> Client Access -> Outlook Web Access -> Properties.
2. Choose either Public or Private Computer File Access, depending on the type of client access you want to allow. For example, select Private if you don’t want people saving HTML attachments at a shared computer like a Web kiosk.
3. Select Enable direct file access and then click Customize.
4. Select Force Save, then in the “Enter the file extensions you want to force save” dialog box, add the file extension(s) you want to save (.HTML, .HTM, .XHTML, etc.) and click Add. You must add file extensions individually.
5. Click OK.
Allowing users access to HTML attachments is useful in a few ways:
1. It lets tech-savvy users, who aren’t likely to download a virus or large documents, open all attachments.
2. If you’re using a third-party inbound filtering system that cuts down on the amount of HTML material entering users’ inboxes, you don’t have to apply additional filtering levels to attachments.
3. It allows you to test your own email campaign and see how the results render in OWA with filtering turned on and off.
An interesting wrinkle on this topic was posted by a blogger at the Intrepidus Group, a provider of mobile application and device security services. The author found what appeared to be a way to manually bypass the OWA filter by padding out the first 1,000 or so characters of the attachment with spaces. This situation was unusual because he’s a security consultant who needed to send an attachment that the recipient’s computer might perceive as a security threat.
Another workaround is to attach the results as a password-protected archive. Unfortunately, this becomes problematic for users who can’t install software on their machines and don’t already have an archive reader that understands these types of files.