Understanding Security for Outlook Web Access

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Microsoft Outlook Web Access for Microsoft Exchange Server 2007 offers a variety of security features that you can configure to suit your organization's security requirements. Because Outlook Web Access may be used to provide users access to their mailboxes from workstations that are not secure, security is a priority. By default, when you install the Client Access server role on an Exchange 2007 server, Outlook Web Access is configured to use Secure Sockets Layer (SSL) and forms-based authentication.

Authentication

Client Access servers in Exchange 2007 support more authentication methods than front-end servers in Microsoft Exchange Server 2003. You can configure the following types of authentication methods on the Exchange 2007 Client Access server:

  • Standard authentication methods such as the following:

    • Basic authentication

    • Integrated Windows authentication

    • Digest authentication

  • Forms-based authentication

For more information about authentication methods for Outlook Web Access, see Configuring Authentication for Outlook Web Access.

Segmentation

Segmentation lets you enable and disable features that are available to users in Exchange 2007 Outlook Web Access. By default, any mail-enabled user in your Exchange 2007 organization can access their mailbox by using Outlook Web Access. Depending on the needs of your organization, you can use segmentation to configure the following for user access:

  • Restrict access to Outlook Web Access for specific users.

  • Control access to certain Outlook Web Access features for specific users.

  • Disable an Outlook Web Access feature completely.

For more information about segmentation in Outlook Web Access, see Configuring Segmentation for Outlook Web Access.

Web Beacons

A Web beacon is a file object, such as a transparent graphic or an image, which is put on a Web site or in an e-mail message. Web beacons are typically used together with HTML cookies to monitor user behavior on a Web site or to validate a recipient's e-mail address when an e-mail that contains a Web beacon is opened.

Note

By default, Outlook Web Access disables all potential Web beacon content in e-mail messages.

For more information about how to deal with Web beacons in Outlook Web Access, see Configuring Web Beacon and HTML Form Filtering in Outlook Web Access.
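The idea behind that default, as an added example that is not code from Exchange or from this page: a Python filter that re-serializes an HTML message body and drops element attributes that would make the client fetch a remote resource as soon as the message is opened. The attribute list, the names BeaconFilter and filter_beacons, and the sample body are assumptions made for illustration; the filter covers element attributes only and does not reproduce the rule set Outlook Web Access uses.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed rule set for illustration; not OWA's documented filter list.
FETCH_ATTRS = {"src", "background", "poster"}   # fetched as soon as the body renders
REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)
CSS_REMOTE = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)

class BeaconFilter(HTMLParser):
    """Re-serializes an HTML body, dropping attributes that auto-fetch remote content."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], []

    def _emit(self, tag, attrs, close=""):
        kept = []
        for name, value in attrs:
            value = value or ""
            if name in FETCH_ATTRS and REMOTE.match(value):
                self.blocked.append((tag, name, value.strip()))
            elif name == "style" and CSS_REMOTE.search(value):
                self.blocked += [(tag, name, u) for u in CSS_REMOTE.findall(value)]
            else:
                kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}{close}>")

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " /")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def filter_beacons(html_body):
    """Return (filtered_html, blocked); blocked lists (tag, attribute, url)."""
    f = BeaconFilter()
    f.feed(html_body)
    f.close()
    return "".join(f.out), f.blocked

# Constructed sample body: CSS beacon, tracking pixel, inline cid: image, normal link.
SAMPLE = ('<p style="background:url(https://t.example/bg.gif)">Hello</p>'
          '<img src="https://t.example/o.gif?rcpt=42" width="1" height="1">'
          '<img src="cid:logo@local"><a href="https://example.com/">site</a>')

if __name__ == "__main__":
    print(filter_beacons(SAMPLE))
```

The inline cid: image and the ordinary link survive because neither causes a remote request when the message is merely opened; the returned blocked list is what a client would use to tell the user that content was withheld.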

File and Data Access

There are a variety of features that enable users to access files and data in Outlook Web Access. Each of these features includes options for controlling access to files and data from Outlook Web Access.

WebReady Document Viewing

Microsoft Exchange Server 2007 includes a new feature named WebReady Document Viewing. WebReady Document Viewing lets users view common file types in the Outlook Web Access Web browser without having the applications that are associated with those file types installed on the computer they are using. Allowing files that are accessed through Outlook Web Access to be viewed only by using WebReady Document Viewing protects against the potential security risk that is caused when files that are opened from within Outlook Web Access are cached on the client computer. For more information about how to configure file and data access for Outlook Web Access, see Configuring File and Data Access for Outlook Web Access.

Direct File Access

Direct file access enables users to open attached files directly from inside Outlook Web Access. You can also configure how users interact with files by using the Allow, Block, or Force Save options for direct file access in the Exchange Management Console. This means that you can specify the types of files that users can access. More importantly, you can specify which types of files are prohibited.

For more information about how to configure file and data access for Outlook Web Access, see Configuring File and Data Access for Outlook Web Access.

Windows SharePoint Services and Windows File Share Integration

By using Outlook Web Access, users can access remote files that are stored on Windows SharePoint Services and Windows file share (also known as UNC) servers. You can configure how users interact with files on these servers by using the Allow and Block options in the Exchange Management Console. This means that you can specify which servers your users can access. You can also specify the behavior for Windows SharePoint Services and Windows file share servers that have not been specifically allowed or blocked when users try to access them by using Outlook Web Access.

For more information about how to configure file and data access for Outlook Web Access, see Configuring File and Data Access for Outlook Web Access.

Secure Sockets Layer

SSL is a method for securing communications between a client and a server. For a computer that is running Exchange 2007 that has the Client Access server role installed, SSL is used to help secure communications between the server and the clients. Clients include mobile devices, computers inside an organization's network, and computers outside an organization's network. This includes clients with and without virtual private network (VPN) connections.

For more information about SSL, see the following topics: