Outlook Web Access (OWA) is a terrific tool for giving users remote access to their mailboxes. However, when users open attachments from computers that you don't control, they run the risk of accidentally disclosing sensitive information. You should teach OWA users not to open OWA attachments on public machines, but just in case users open attachments despite your warnings, OWA 2003 includes several security features to help mitigate the risk.

First, be aware that if a user saves an attachment (by using either the Save Target As or Save option), OWA has no way to override or control the action, which is browser-based. But when a user simply opens an attachment, OWA emits an expiration header with the previous day's date. This header prevents the browser from permanently caching the document.
However, depending on the attachment's content type, the browser might need to write the attachment to disk so that a helper application can open it. To help counteract this problem, Microsoft has added some OWA features that provide server-side blocking of attachments. For example, the DisableAttachments REG_DWORD value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA registry subkey lets you control attachment access in three ways:
- When you set the value to 0 (which is the default), all users can access all attachments.
- When you set the value to 1, OWA blocks all access to all attachments.
- When you set the value to 2, OWA blocks attachment access for sessions that originate on a front-end server but permits access for users who connect directly to the mailbox server. This option lets you give attachment access to users on your network while blocking access for Internet users.
If you want to permit access from some, but not all, front-end servers, set DisableAttachments to 2, then create a new REG_SZ value (under the same subkey) named AcceptedAttachmentFrontEnds. Specify a comma-delimited list of front-end server host names. Users who connect to those servers will be able to access attachments through OWA.

Of course, OWA 2003 also implements the same kind of attachment-blocking code that's in Outlook 2000 Service Release 1a (SR1a) and later to block the same list of Level 1 and Level 2 file attachments that the desktop version of Outlook blocks. OWA blocks these attachments before applying the DisableAttachments value, so an attachment of a blocked file type won't be available under any circumstances.
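
The DisableAttachments and AcceptedAttachmentFrontEnds settings described above can be audited and applied from PowerShell; the script below is an added example, not code from the article or from Microsoft. The function names and the host names fe01.example.com and fe02.example.com are assumptions, as are the choices to stop if the subkey is absent and to delete the front-end list when none is supplied.

```powershell
# Added example, not from the article. Function and host names are assumptions.
$OwaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA'

function Get-OwaAttachmentPolicy {
    # A missing DisableAttachments value means the default, 0.
    $p = Get-ItemProperty -Path $OwaKey -ErrorAction SilentlyContinue
    $mode = 0
    if ($p -and $null -ne $p.DisableAttachments) { $mode = [int]$p.DisableAttachments }
    $meaning = switch ($mode) {
        0 { 'All users can access all attachments (default)' }
        1 { 'All access to all attachments is blocked' }
        2 { 'Blocked through front-end servers, allowed direct to the mailbox server' }
        default { 'Value not described in the article' }
    }
    $frontEnds = @()
    if ($p -and $p.AcceptedAttachmentFrontEnds) {
        $frontEnds = @($p.AcceptedAttachmentFrontEnds -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    New-Object PSObject -Property @{
        DisableAttachments = $mode; Meaning = $meaning; AcceptedFrontEnds = $frontEnds }
}

function Set-OwaAttachmentPolicy {
    param(
        [Parameter(Mandatory = $true)][ValidateRange(0, 2)][int]$Mode,
        [string[]]$AcceptedFrontEnds = @()
    )
    # The article describes the front-end list only together with value 2.
    if ($AcceptedFrontEnds.Count -gt 0 -and $Mode -ne 2) {
        throw 'AcceptedAttachmentFrontEnds requires DisableAttachments = 2.'
    }
    if (-not (Test-Path $OwaKey)) { throw "Registry subkey not found: $OwaKey" }
    New-ItemProperty -Path $OwaKey -Name DisableAttachments `
        -PropertyType DWord -Value $Mode -Force | Out-Null
    if ($AcceptedFrontEnds.Count -gt 0) {
        # REG_SZ, comma-delimited list of front-end server host names.
        New-ItemProperty -Path $OwaKey -Name AcceptedAttachmentFrontEnds `
            -PropertyType String -Value ($AcceptedFrontEnds -join ',') -Force | Out-Null
    } else {
        # Assumption: remove a stale list so no front-end keeps an exception.
        Remove-ItemProperty -Path $OwaKey -Name AcceptedAttachmentFrontEnds `
            -ErrorAction SilentlyContinue
    }
    Get-OwaAttachmentPolicy   # return the resulting state for review
}

# Usage (placeholder host names):
# Set-OwaAttachmentPolicy -Mode 2 -AcceptedFrontEnds 'fe01.example.com','fe02.example.com'
```

Run Get-OwaAttachmentPolicy first to record the existing state; neither setting changes the Level 1 and Level 2 file-type blocking, which OWA applies before DisableAttachments.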