Secure Outlook Web Access
If you use Outlook Web Access in your organization, review both attachment blocking on the Exchange servers and the Internet Explorer security zone configuration on the client computers.
Attachment Blocking in Outlook Web Access
Exchange 2000 Service Pack 2 (SP2) added to Outlook Web Access the ability to block attachments by file type and by Multipurpose Internet Mail Extensions (MIME) type. Attachment blocking is enabled by default in Outlook Web Access 2003 and in Outlook Web Access for Exchange 2000. With the default configuration, users can still send attachments of any type, but attachments of dangerous types, such as .exe, .bat, and .vbs files, cannot be opened or saved from Outlook Web Access; the attachment stays in the message, and only Outlook Web Access refuses to hand it to the browser. The default block list in Outlook Web Access is the default Level 1 list used by Outlook 2003, plus XML files and specific MIME types. Blocking by MIME type complements the extension check: the declared content type of an attachment is controlled by the sender, and a browser may act on it regardless of the file name.
Attachment blocking in Outlook Web Access is configured in the registry of each Exchange server that serves Outlook Web Access. Because it is a per-server setting, deploy it through a Group Policy object (GPO) or another configuration management tool so that every server enforces the same list; a single server left at a stale list undoes the control for the users who land on it.
If you allow access to mailboxes from the Internet through Outlook Web Access, you may not have administrative control of the computers that access mail, such as home computers or public kiosks, and an attachment saved to such a computer leaves your control entirely. In that case you can set a registry key on the Internet-facing Exchange front-end servers so that Outlook Web Access blocks all attachments for mailboxes accessed through those servers, while users who connect through your internal servers can still work with attachments.
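The per-server registry configuration and the block-all switch described above, as an added PowerShell example that is not part of the original guide or of Exchange's own tooling. The key path and the value names Level1FileTypes, Level1MIMETypes and DisableAttachments (0 = allow, 1 = block all) are my reading of Knowledge Base article 830827, and the Required* baseline lists are constructed for the example; verify both against the article and against your Outlook Level 1 list before relying on them:

```powershell
# Added example (not from the original page): audit and, optionally, tighten
# Outlook Web Access attachment blocking on an Exchange 2003 server.
#
# Assumptions, labelled as such: the key path and the value names
# Level1FileTypes, Level1MIMETypes and DisableAttachments (0 = allow,
# 1 = block all attachments) are taken from my reading of KB 830827; confirm
# them against the article before use. The Required* lists are constructed
# for this example; your real baseline is the Outlook 2003 Level 1 list plus
# the XML and MIME additions the guide describes. Run elevated on the server.

$OwaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA'
$RequiredFileTypes = @('exe', 'bat', 'cmd', 'com', 'scr', 'pif', 'vbs', 'vbe',
                       'js', 'jse', 'wsf', 'wsh', 'hta', 'xml')
$RequiredMimeTypes = @('application/hta', 'text/javascript')   # constructed

function ConvertFrom-OwaTypeList {
    # Each list is stored as one string. Split on comma or semicolon, trim,
    # drop a leading dot and lower-case, so comparison ignores order and case.
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    return @($Value -split '[,;]' |
             ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } |
             Where-Object { $_ })
}

function Get-OwaAttachmentPolicy {
    # Absent values mean the server is running the built-in defaults, which
    # cannot be read back from the registry; KeyPresent tells you which case.
    $props = Get-ItemProperty -Path $OwaKey -ErrorAction SilentlyContinue
    $mode  = 0
    if ($null -ne $props.DisableAttachments) { $mode = [int]$props.DisableAttachments }
    [pscustomobject]@{
        KeyPresent         = $null -ne $props
        FileTypes          = @(ConvertFrom-OwaTypeList $props.Level1FileTypes)
        MimeTypes          = @(ConvertFrom-OwaTypeList $props.Level1MIMETypes)
        DisableAttachments = $mode
    }
}

function Test-OwaAttachmentPolicy {
    # Required types that are not in the configured lists. With KeyPresent = $false
    # this is the list you would need to write explicitly, not proof of exposure.
    param($Policy = (Get-OwaAttachmentPolicy))
    $missingFiles = @($RequiredFileTypes | Where-Object { $Policy.FileTypes -notcontains $_ })
    $missingMimes = @($RequiredMimeTypes | Where-Object { $Policy.MimeTypes -notcontains $_ })
    [pscustomobject]@{
        KeyPresent       = $Policy.KeyPresent
        BlocksAll        = $Policy.DisableAttachments -eq 1
        Compliant        = ($missingFiles.Count -eq 0) -and ($missingMimes.Count -eq 0)
        MissingFileTypes = $missingFiles
        MissingMimeTypes = $missingMimes
    }
}

function Set-OwaAttachmentBlocking {
    # Merges the required types into whatever is already configured (never
    # shrinks the list) and, for Internet-facing front-end servers, sets the
    # block-all switch. Supports -WhatIf so you can preview the change.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$BlockAllAttachments)
    $current = Get-OwaAttachmentPolicy
    $files = @(@($current.FileTypes) + $RequiredFileTypes | Sort-Object -Unique) -join ','
    $mimes = @(@($current.MimeTypes) + $RequiredMimeTypes | Sort-Object -Unique) -join ','
    if ($PSCmdlet.ShouldProcess($OwaKey, 'write Level1FileTypes and Level1MIMETypes')) {
        if (-not (Test-Path $OwaKey)) { New-Item -Path $OwaKey -Force | Out-Null }
        Set-ItemProperty -Path $OwaKey -Name Level1FileTypes -Value $files -Type String
        Set-ItemProperty -Path $OwaKey -Name Level1MIMETypes -Value $mimes -Type String
    }
    if ($BlockAllAttachments -and $PSCmdlet.ShouldProcess($OwaKey, 'set DisableAttachments = 1')) {
        Set-ItemProperty -Path $OwaKey -Name DisableAttachments -Value 1 -Type DWord
    }
}

# Report first; apply only after reviewing the report.
Test-OwaAttachmentPolicy | Format-List
# Set-OwaAttachmentBlocking -WhatIf                         # internal servers
# Set-OwaAttachmentBlocking -BlockAllAttachments -WhatIf    # Internet-facing front-ends
```

Run the audit on every server that serves Outlook Web Access, not just one, because the setting is per server; the -BlockAllAttachments switch belongs only on the front-end servers that Internet clients reach.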
Internet Explorer Security Zone Configuration
Because Outlook Web Access is an application that runs in Internet Explorer, the configuration of Internet Explorer is part of the defense against viruses. Configure the Internet Explorer security zones to be as restrictive as your clients' functional requirements allow. At a minimum, deploy Internet Explorer 6.0 SP1 in its default configuration, which sets the Internet zone to the Medium security level and the Local intranet zone to Medium-Low. Check which zone your Outlook Web Access URL falls into: an internal server name is usually classified as Local intranet, whereas an Internet-facing address lands in the Internet zone unless you add it to Trusted sites, and the zone determines which settings apply to the application.
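An added PowerShell example, not from the original guide, that audits the zone levels named above on a client computer and shows which zone a given Outlook Web Access host name resolves to. The zone numbers, the CurrentLevel encoding, the action value 1400 for Active scripting and the ZoneMap layout are the Internet Explorer registry encoding as I know it, and $OwaHost is a hypothetical name; verify the encoding against the Internet Explorer Administration Kit documentation before using the script as a compliance check:

```powershell
# Added example (not from the original page): audit the Internet Explorer
# security zone configuration this guide calls for and show which zone the
# Outlook Web Access URL will be evaluated in.
#
# Assumptions, labelled as such: zone numbers (1 = Local intranet, 2 = Trusted
# sites, 3 = Internet, 4 = Restricted sites), the CurrentLevel encoding
# (0x10000 Low, 0x10500 Medium-Low, 0x11000 Medium, 0x11500 Medium-High,
# 0x12000 High) and action 1400 = Active scripting (0 enable, 1 prompt,
# 3 disable) are the registry encoding of IE zones as I know it; verify them
# against the IEAK documentation. $OwaHost is a hypothetical name.

$OwaHost     = 'owa.example.com'
$IEBase      = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneNames   = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$LevelNames  = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium';
                  0x11500 = 'Medium-High'; 0x12000 = 'High' }
$ScriptNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
# Minimum acceptable CurrentLevel per zone: the IE 6.0 SP1 defaults the guide names.
$Baseline    = @{ 3 = 0x11000; 1 = 0x10500 }

function Get-IEZoneKey {
    # When Security_HKLM_only = 1 ("use only machine settings"), zone policy is
    # read from HKLM and per-user values in HKCU are ignored; audit the hive IE uses.
    param([int]$Zone)
    $hklmOnly = (Get-ItemProperty "HKLM:\$IEBase" -ErrorAction SilentlyContinue).Security_HKLM_only
    $hive = if ($hklmOnly -eq 1) { 'HKLM:' } else { 'HKCU:' }
    return "$hive\$IEBase\Zones\$Zone"
}

function Test-IEZoneLevels {
    # One row per audited zone. A higher CurrentLevel is more restrictive, so the
    # check is "at least the baseline". Active scripting disabled (1400 = 3) in the
    # zone that serves OWA would break the application rather than harden it.
    foreach ($zone in ($Baseline.Keys | Sort-Object)) {
        $props = Get-ItemProperty (Get-IEZoneKey $zone) -ErrorAction SilentlyContinue
        $level = [int]$props.CurrentLevel
        $name  = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] } else { 'custom 0x{0:X}' -f $level }
        $scr   = $props.'1400'
        $scrName = if ($null -eq $scr) { 'not set' } else { $ScriptNames[[int]$scr] }
        [pscustomobject]@{
            Zone            = $ZoneNames[$zone]
            Level           = $name
            MeetsBaseline   = $level -ge $Baseline[$zone]
            ActiveScripting = $scrName
        }
    }
}

function Get-IEZoneForHost {
    # Simplified zone resolution: an explicit ZoneMap\Domains entry wins; otherwise
    # a dotted name is treated as Internet and an undotted (NetBIOS-style) name as
    # Local intranet. Real IE also consults the proxy bypass list and site-to-zone
    # policy, so treat an "Internet" answer here as "check further", not as final.
    param([string]$HostName)
    $labels = $HostName.Split('.')
    if ($labels.Count -ge 2) {
        $domain = ($labels[-2..-1]) -join '.'
        $sub    = if ($labels.Count -gt 2) { ($labels[0..($labels.Count - 3)]) -join '.' } else { $null }
        foreach ($hive in 'HKCU:', 'HKLM:') {
            $key = "$hive\$IEBase\ZoneMap\Domains\$domain"
            if ($sub) { $key = "$key\$sub" }
            $entry = Get-ItemProperty $key -ErrorAction SilentlyContinue
            foreach ($scheme in 'https', 'http', '*') {
                if ($null -ne $entry.$scheme) { return $ZoneNames[[int]$entry.$scheme] }
            }
        }
        return $ZoneNames[3]
    }
    return $ZoneNames[1]
}

Test-IEZoneLevels | Format-Table -AutoSize
"OWA host $OwaHost resolves to zone: $(Get-IEZoneForHost $OwaHost)"
```

If the Outlook Web Access host resolves to the Internet zone and you want Trusted-sites settings for it, add the site through site-to-zone assignment in Group Policy rather than per user, so the standardized configuration recommended below stays standardized.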
Outlook Web Access, with or without the S/MIME control, was designed and engineered with strict attention to Web-based vulnerabilities such as cross-site scripting, IFRAME manipulation, and other known malicious uses of HTML. Specifically, Outlook Web Access renders only known-safe HTML elements, attributes, and style information and strips everything else. Because this is an allow list of safe constructs rather than a deny list of known-bad ones, it also blocks malicious uses of HTML that were not known when the filter was written.
Running Outlook Web Access with the S/MIME control also adds a layer of protection around message attachments. Attachments downloaded through the S/MIME control are deleted more thoroughly than attachments downloaded without it: the memory address space is zeroed, or nulled, after deletion. The Exchange 2003 SP1 version of the Outlook Web Access S/MIME control setup is a Microsoft Windows Installer (.msi) file, so it can be deployed through Microsoft Systems Management Server (SMS) or another enterprise software distribution tool.
Note
Because the S/MIME control is an installable component (an ActiveX control), it may not be practical or possible to run it in every deployment scenario, such as public kiosks and other cases where the client computer is not centrally managed.
It is recommended that you run Outlook Web Access with the S/MIME control. The S/MIME control runs only on Internet Explorer 6 or later on Windows 2000 or later; it does not run on other Web browsers or on earlier operating systems, so clients outside that set fall back to Outlook Web Access without the control. As noted earlier in this guide, update management for all software in your organization is an extremely important part of the fight against viruses and worms. Internet Explorer updates are delivered through Windows Update, so keeping Windows up to date also keeps Internet Explorer up to date.
Recommendations
Deploy the Exchange 2003 version of Outlook Web Access and the latest version of Internet Explorer.
The default file and MIME-type block list is likely sufficient for your organization. However, review, update, and deploy the blocked file and MIME types for Outlook Web Access if you have types to add. Keep the file types blocked in Outlook Web Access consistent with those blocked in Outlook; otherwise an attachment that one client blocks can simply be opened in the other.
Where you cannot control the computers that access Outlook Web Access from the Internet, consider blocking all attachments on the front-end servers those computers use.
Define the correct level of security for Internet Explorer in your organization, and deploy a standardized configuration to the desktops.
Deploy the Outlook Web Access S/MIME control to all clients that access mail through Outlook Web Access, even if your organization does not use S/MIME, for the attachment handling it provides.
Resources
For more information about deploying and upgrading to Exchange 2003 and Outlook Web Access, see the Exchange Server 2003 Deployment Guide.
For more information about deploying Internet Explorer, see the "Microsoft Internet Explorer 6.0 Administration Kit Service Pack 1" Web site, and then click "Redistributing Internet Explorer."
For more information about reviewing and updating blocked file and MIME types in Outlook Web Access, see the Exchange 2003 Security Hardening Guide.
For more information about blocking all attachments from front-end server connections in Outlook Web Access, see Microsoft Knowledge Base article 830827, "How to manage Outlook Web Access features in Exchange Server 2003."
For more information about understanding, configuring, and deploying security zones in Internet Explorer, see the "Microsoft Internet Explorer 6.0 Administration Kit Service Pack 1" Web site, and then click "Security."