Security Risks and Considerations with Outlook Web Access

If you’re a regular reader on our blog or website, you know that one of our mantras is “Make the user stop and think”. It’s behind so much of what we do at Titus – gently reminding users before they inadvertently disclose sensitive information to the wrong people.

So a recent Carnegie Mellon University research study about consumer behavior really piqued my interest. In the study, the researchers attempt to understand how consumers decide to reveal sensitive information online. The results are a bit surprising. It turns out that users are most likely to reveal sensitive information on websites that look informal, even unprofessional. Strangely, when users are asked sensitive questions on a website of this type, they see the questions as less intrusive than if they were on a more formal website.

This, of course, plays into the hands of phishing scams and the like. And it also explains why users are more likely to reveal personal information on informal social networking sites, like Facebook (which, interestingly enough, provides research funding to one of the authors of this study).

There was, however, one part of the study that did not surprise me. The researchers found that if users are prompted to consider privacy considerations before they are asked for sensitive information, they are less likely to reveal the information – regardless of whether the interface is formal or informal.

This study validates why so many of our customers at Titus use our products: users are much less likely to reveal sensitive information when they are prompted to stop and think about what they sending and who they are sending it to. This is particularly important when sharing information through informal methods, such as email. And it’s even more important when users are in an informal environment, such as using Outlook Web Access (OWA) to check email at a public kiosk or on a laptop in a public location.

Which brings me to today’s blog topic: Risks and Security Considerations with Outlook Web Access. In this two-part blog series, I’ll cover some of the security risks that all organizations should consider when configuring OWA. Some of these are technical issues, while others are more about user education. In the second blog entry, I’ll show how Titus Message Classification for OWA helps with some of these issues, especially with user education and behavior.

Outlook Web Access Security Risks
As most readers know, Outlook Web Access enables users to access their Microsoft Exchange Server mailbox from a web browser. It’s used primarily for remote access when not connected to Outlook, although some organizations have deployed it as their primary email client. With OWA, users can check their email from any location with an internet connection, including home computers and public kiosks shared by multiple users.

This “anytime, anywhere” capability of OWA obviously introduces numerous security risks for organizations. These risks can be broken down into three main categories:

  • Risks associated with authentication
  • Risks associated with attachments
  • Risks associated with user behavior when working in informal environments

Let’s take a look at each of these categories.

Risks Associated with Authentication
OWA provides several different methods for authenticating to Exchange, ranging from basic username and password, to forms-based authentication. Forms-based authentication is more secure because it stores the username and password in a cookie, which is deleted when the user logs out or after a certain amount of time has passed. However, if the user does not log out or close the browser, another user can access the cached credentials until the session times out. To help address this problem, organizations can lower the timeout value for client computers not owned by the organization (i.e. “public” computers).

Another risk with authentication is the possibility of password attacks. As described in this article, it’s actually not that difficult to determine the usernames and likely passwords of an organization’s OWA users. Simply download documents off the organization’s website, look for usernames in the metadata, and then create a password list based on minimal research about the company (business name, local sports teams, addresses, etc.) Then use a brute-force script to run your password attack. The moral of the story? Force your users to select strong passwords.

Risks Associated with Attachments
Attachments are one of the biggest security risks with OWA. Many users do not realize that when they view an attachment through OWA, they are creating a local copy in their Temporary Internet Files. This copy can be viewed by anyone who has access to the computer, which is a big concern especially with public computers.

There are several ways that Exchange administrators can limit the risk:

  • Control the types of attachments that can be downloaded through OWA
  • Use the WebReady Document Reading feature introduced in OWA 2007
  • Turn off the ability to access Windows File Shares and Windows SharePoint Services
  • Use Microsoft Active Directory Rights Management Services (introduced in OWA 2010)

The first three options are configured through the OWA Properties dialog in Exchange, as shown below.

Figure 1: File Access settings for private computers (the same options appear under the Public tab)

The Direct File Access option enables administrators to control the type of attachments that users can download in OWA. Within this section, administrators can define the attachment file types that are allowed and not allowed. For example, users can be blocked from downloading executable files (.exe), but not Word documents (.doc, .docx). The drawback with this option is that it’s “all or nothing” – users can either download Word documents (for example) or they can’t. And if they can, it means those Word documents are going to stay in the Temporary Internet Files folder until they’re manually deleted.

A more secure option is to use WebReady Document Viewing. This feature converts documents to HTML and displays the information in a browser window without launching the associated application. It’s more secure than downloading an attachment, because the information is encrypted (assuming you’re using SSL) and the page is not stored in the browser cache (assuming you’re using default Internet Explorer settings for encrypted files).

The drawback with WebReady Document Viewing is that it supports a limited number of file types. The feature, which was introduced in Exchange 2007, originally supported only 5 file types. Exchange 2007 SP1 increased the number to 10.

Another security option to consider is turning off file access to remote file servers, specifically Windows File Shares and Windows SharePoint Services. Exchange administrators should be aware that these options are enabled by default, so if file server access is a concern, make sure to turn these two options off.

For organizations that want to add an extra layer of security to their email, Outlook Web Access 2010 now provides native support for Microsoft Active Directory Rights Management Services (AD RMS). AD RMS is an Information Rights Management solution. This means that users can now compose, read, and reply to rights-protected email natively in OWA. The latest version also supports the use of AD RMS with Office file attachments, including attached Word, Excel, and PowerPoint files. Of the options listed above, AD RMS provides the most security for attachments in OWA, although it does work only with a limited set of file types.

One final feature I’d like to mention, even though it’s not really related to file attachments, is OWA Segmentation. This feature lets administrators block access to specific OWA features for some or all users. For example, if you’d prefer to not let your users access Public folders over OWA, you can block that.

Risks Associated with User Behavior in Informal Environments

The previous two sections were mostly about addressing technical security issues with Outlook Web Access. But what about the user side – that part of human nature that makes users disclose sensitive information in environments where they should know better? As noted in the study described at the beginning of this blog entry, the more informal the environment, the more likely users are to disclose sensitive information. And what’s more informal than sending email from your browser while working from home or on the road? Even the title of the study – “Strangers on a Plane: Context-Dependent Willingness to Divulge Sensitive Information” – reflects this reality.

Just like on a plane, users are more likely to lower their guard when surrounded by anonymous people in an informal environment. How many times have you watched someone work on sensitive documents in plain view of the people around them in an airport or hotel lounge? How about the quick OWA emails you fire off while checking your email at an off-site meeting? Are you more concerned with answering as many emails as you can during your break than you are with the security risks of what you’re sending?

As the Carnegie Mellon researchers found, if you can just alert users to security risks before they send that information, they will be much less willing to disclose sensitive data. An up-front warning is the solution to the problem of users revealing too much information in situations that they perceive as informal.  And fortunately, there are some simple, low cost ways to do this in Outlook Web Access. That is the topic of my next blog post, which I will post next week.

Tags: , , , ,

Leave a Reply