Every time I am away from the office and want to check my e-mail, I use Outlook Web Access (OWA). I can go to an Internet kiosk or some other sort of facility where public computers connect to the Internet, to get my mail.
Your users undoubtedly do the same thing when they are on the road. While it is a great convenience for them to be able to get their e-mail when they are away from the home office, there are certain precautions they should take on a regular basis.
One piece of advice you should give them: make sure they clear any history, including cookies, that they created as they wended their way to the OWA site and logged in. When you go to OWA, you leave a trail a mile wide that anyone can follow into the e-mail system.
For example, if I check my e-mail at a computer show and don't clear the browser, then the next person can find out where I've been simply by checking the history. And if my credentials (username, password) were stored in the browser, then the way into the e-mail system is open. If I walk away from the computer without closing the session, the whole e-mail system is wide open again.
You should train your users to always clear the browser history completely before leaving the computer they used to access OWA, and always close the session before leaving as well.
Microsoft's Exchange Server 2003 Administration Guide, available for download, explains that you can set up a login page for OWA in Exchange 2003 that stores all the user's credentials in a cookie, and that cookie will be cleared when the browser is closed, or after a period of inactivity.
You can configure the time-out value to reduce the chance that a user who is happily working on his e-mail at a public terminal meets an acquaintance, gets distracted, and leaves the terminal still logged on to OWA. The default value is 15 minutes: after 15 minutes of inactivity, the cookie times out and access is denied. You can make it shorter, and I'd recommend that you do. But for the timeout to happen, the user has to select the Public or Shared Computer option when he logs in. So again, education for users is paramount.
To set up the login page, you first have to enable forms-based authentication, and then modify the registry on the Exchange front-end server. The Administration Guide contains detailed instructions for accomplishing these tasks.
David Gabel has been testing and writing about computers for more than 25 years.