We're investigating an advanced authentication solution for Microsoft Outlook Web Access (OWA) in a Microsoft Exchange 2000 Server environment. Most of our OWA users are roaming and access their mailbox from an Internet kiosk. What solution would you recommend?
A: Consider integrating an RSA Security's RSA SecurID–based authentication solution with OWA. Because RSA SecurID authentication provides strong authentication without the need for extra client software or hardware (although users must have their own card or key fob to access the server), it has an advantage over smart card–based authentication solutions and is ideal for kiosk environments. RSA SecurID uses two authentication factors: a personalized PIN and a RSA SecurID token code that the RSA SecurID card or key fob generates (the token code changes every 60 seconds).
To set up RSA SecurID for use with OWA, you need to install the RSA ACE/Agent for Windows software on your OWA front-end Microsoft IIS Web server. The ACE/Agent software contains the Web Access Authentication (Server) component, which intercepts attempts to access an IIS Web site (in this case, the OWA Web site) and enforces RSA SecurID authentication before a user can access the site. This solution also requires an operational RSA SecurID authentication server known as the RSA ACE/Server. Be aware that using RSA SecurID authentication doesn't eliminate the need for users to perform a basic authentication sequence before accessing their Exchange mailbox. Therefore, users must get through the RSA SecurID challenge-response first, then provide their basic authentication credentials to the Windows 2000 authentication authority.
To make this solution more secure, I suggest setting up a Secure Sockets Layer (SSL) tunnel between the user’s browser and the OWA Web server to secure the transport of RSA SecurID and basic authentication credentials across the HTTP connection. Besides data confidentiality protection, the SSL connection also provides server-side authentication. The Web browser and server put the SSL tunnel in place before the RSA SecurID and basic authentication exchanges take place so that it can secure the transport of both types of credentials.
You might also consider investing in software that provides secure and automatic OWA logoff functionality—a feature that is, by default, not available in OWA. This extra precaution will automatically log off a user from OWA after a certain period of time (as determined by the administrator) and delete the user’s basic authentication credentials from the kiosk's cache. One software package that provides this functionality is Messageware’s SecureLogoff for Outlook Web Access 2000.