
How to handle file attachment access in OWA

Set email attachment rules in Outlook Web Access to enhance OWA security on public computers and protect systems from malicious files or viruses.

One of the most important decisions regarding Outlook Web Access (OWA) in Exchange Server 2007 is how to handle file attachments. Users may access OWA from public computers. If you allow them to open file attachments, information contained in those files potentially could be left behind in the computer's pagefile, or in the browser cache. You may want to reconsider giving users the ability to open file attachments to avoid exposure to email viruses.

You don't have to block users entirely from opening file attachments with OWA; often there are legitimate reasons to do so. OWA offers five different settings for allowing or preventing users from opening attachments:

  1. Allow users to open file attachments that consist of approved file types. For example, you might allow users to open Microsoft Word documents. In such cases, an attachment would be opened using an application that has registered the attachment's file type. This means that if a user tried to open a Microsoft Word document, then that application would be used to open the document. This might sound trivial, but using an associated application to open a file type is an important distinction.
  2. Allow users to open approved file types, but require them to save attachments to a disk before opening them. The main advantage of this technique is that it makes it more difficult for users to open file attachments on public computers. Keep in mind that users technically aren't forbidden from opening file attachments on public computers.

    This technique can also be used to reduce the chances that a user will accidentally execute malicious code. For example, if you have developers in your company that write HTML code, then you may not be able to block HTML or HTM file extensions. You can, however, require that users save HTML files to prevent them from accidentally executing malicious HTML code by clicking on those attachments.

  3. Prevent users from opening attachments that are unknown file types to help prevent the spread of email viruses.
  4. Although it's more of a convenience feature than a security feature, you can require users to view attachments in a separate browser window. Users don't need an installed application to access files that an application creates. For example, if a user needed to open a Microsoft Word document from a public computer that didn't have Microsoft Word or the Microsoft Word viewer installed, Exchange 2007's built-in transcoder can render the document in HTML format and display it in a browser window.

    There are two important aspects about this option.

    • This presents a security risk because a copy of the document will be stored in the browser cache. While inconsequential on private computers, this can lead to disclosure of sensitive information on public computers.
    • The feature doesn't work immediately because Exchange Server 2007 isn't equipped with the required document transcoders. In this case, you can open HTML and PDF files as well as legacy Microsoft Office documents through a browser window. Required transcoders were included in Exchange Server 2007 Service Pack 1 (SP1).

  5. Allow users to access the contents of Microsoft Windows file shares or SharePoint Server shares directly.

Configure OWA file-attachment security settings

Exchange Server 2007 makes a distinction between public and private computer use. The OWA sign-on screen contains options that let users specify whether they're using a public or a private computer. Exchange allows you to configure separate file access limitations based on the type of computer being used.

It is assumed that private computers are more secure than public computers; many companies give users a higher level of file access when they use a private computer. But Exchange Server doesn't detect whether or not a user is accessing OWA on a public computer.

If you give users different levels of access to attachments based on whether or not they're using a public computer, users could circumvent your security measures by selecting the private computer option from the OWA sign-on screen.

To configure OWA file-attachment security:

  1. Open the Exchange Management Console and navigate through the console tree to: Server Configuration -> Client Access.
  2. Select the server that you want to configure from the console's top pane, and then select the OWA option from the bottom pane, as shown in Figure 17.

    Figure 17. To set up OWA's file-attachment security, select the server you want to configure, and then the OWA option.

  3. Right-click on OWA (Default Web Site), and choose Properties from the menu. Your computer will display the OWA properties sheet, which contains separate tabs: Public Computer File Access and Private Computer File Access. These two tabs are identical, but they allow you to configure OWA's behavior depending on whether a user is accessing OWA from a public or private computer (Figure 18).

    Figure 18. Public Computer File Access and Private Computer File Access tabs are identical.

  4. Direct file access is enabled by default, but I recommend configuring various options in this setting as well. To do so, click Configure to view the screen shown in Figure 19.

    Figure 19. You can customize several direct file access settings.

You can control which file attachment types users can and cannot access through OWA.

  • The Always Allow option lets you inform Exchange Server 2007 which file types users must access.

  • The Block option prevents users from opening potentially malicious file types. This option also lets you specify which file types must be saved to a disk before opening.

There is no way to populate the Allow, Block and Force Save lists with every file type. But you can use the Unknown Files option to choose how OWA should behave if someone receives an unspecified attachment type. Public computer and Private computer options both default to a forced save of unknown file types. I recommend blocking access to unknown file types altogether.

In the Direct File Access settings, the Always Allow, Always Block and Force Save lists are pre-populated with Microsoft's recommendations. If your goal is to strictly control OWA file access, you should go through these lists and make required changes. For example, Microsoft allows users to open AVI files in OWA. While there is nothing malicious about an AVI file, users may not need to play video files. Therefore, you may want to add this file type to the blocked list.
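The same review and changes can be scripted from the Exchange Management Shell. The following is an added example, not part of the original article: it assumes a placeholder server name EXCH01 and the default virtual directory name, and it applies the two recommendations above (block unknown file types, move AVI to the blocked list).

```powershell
# Added example for the Exchange Management Shell on Exchange Server 2007.
# Assumptions: EXCH01 is a placeholder server name; the virtual directory
# uses the default name "owa (Default Web Site)".
$identity = 'EXCH01\owa (Default Web Site)'
$ext      = '.avi'   # file type to move to the blocked list

# 1. Record the current direct file access settings before changing them.
$vdir = Get-OwaVirtualDirectory -Identity $identity
$vdir | Format-List Name,
    DirectFileAccessOnPublicComputersEnabled,
    DirectFileAccessOnPrivateComputersEnabled,
    ActionForUnknownFileAndMIMETypes

# 2. Build the new lists. The extension is removed from the Allow and
#    Force Save lists as well, because an entry left on the Allow list
#    takes precedence over the same entry on the Block list.
$allowed = @($vdir.AllowedFileTypes   | Where-Object { $_ -ne $ext })
$forced  = @($vdir.ForceSaveFileTypes | Where-Object { $_ -ne $ext })
$blocked = @($vdir.BlockedFileTypes)
if ($blocked -notcontains $ext) { $blocked += $ext }

# 3. Apply the lists and block unknown file types instead of the default
#    forced save. Add -WhatIf to preview the change without committing it.
Set-OwaVirtualDirectory -Identity $identity `
    -ActionForUnknownFileAndMIMETypes Block `
    -AllowedFileTypes $allowed `
    -ForceSaveFileTypes $forced `
    -BlockedFileTypes $blocked

# 4. Read the settings back and confirm the result.
$after = Get-OwaVirtualDirectory -Identity $identity
if (@($after.AllowedFileTypes) -contains $ext) {
    Write-Warning "$ext is still on the Allow list"
}
if (@($after.BlockedFileTypes) -notcontains $ext) {
    Write-Warning "$ext is missing from the Block list"
}
if ("$($after.ActionForUnknownFileAndMIMETypes)" -ne 'Block') {
    Write-Warning 'Unknown file types are not blocked'
}
```

The MIME-type lists (AllowedMimeTypes, BlockedMimeTypes, ForceSaveMimeTypes) are separate properties that this script does not touch, so review them alongside the extension lists.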

TUTORIAL: Customizing Outlook Web Access in Exchange Server 2007

 Home: Introduction
 Part 1: Modifying the look of OWA in Exchange Server 2007
 Part 2: Using cascading style sheets to change a color in OWA
 Part 3: How to handle file attachment access in OWA
 Part 4: Control how users access files with WebReady Document Viewing
 Part 5: Enable user-level segmentation to control OWA components

Brien M. Posey, MCSE
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at
