A lot of companies use an OWA session security solution such as OWA Forms-based authentication, ISA Forms-based authentication, RSA SecurID, Messageware TimeGuard, or SafeWord from Secure Computing. These solutions all have an inactivity timeout feature which logs users off OWA after an extended period of inactivity. Note that working on a new message is not seen as activity by OWA -- you have to be moving in the main OWA frame to be active.
Note: In a front-end / back-end environment, segmentation settings must be made on the back-end server.
For additional information about the segmentation attributes, refer to Microsoft's article: https://support.microsoft.com/kb/833340.
Pasting images into messages is not an OWA feature. There are two workarounds to getting images into your message:
There is a Microsoft knowledgebase article, available below, which explains how to paste an image into the OWA signature. The workaround does not always seem to work and is not supported by Microsoft as an official solution.
How to get an image into the signature file in OWA
A Microsoft knowledgebase article suggests that there are two ways to change the OWA 2000 logon page;
For details on these configuration options, refer to https://support.microsoft.com/?kbid=321832
OWA on Mac browsers may cache OWA content since the last refresh. As a result, new mail arriving in the Inbox may not show the content in the preview pane until the Inbox is refreshed.
For more information refer to https://support.microsoft.com/kb/322217/en-us
When viewing an OWA attachment on a client machine, a copy gets saved in the cache of that machine. If this computer is shared or a public terminal (such as a kiosk or library machine), the attachment can be viewed, copied and saved by unauthorized users.
There are third party add-ons, such as Messageware AttachView (www.messageware.com), which offer secure web access to OWA attachments by converting attachment files into secure web pages for over 300 file formats, providing secure access to attachments without the need of the application on the local computer.
When users log in to OWA they may see the content of the last accessed folder as their Inbox content, which may cause confusion. A workaround allows the Inbox folder to be set as the last accessed folder for all connections.
For more information refer to https://support.microsoft.com/kb/817203/en-us
To set OWA as the default mail client, you need to use a third party add-on, such as ActiveSend from Messageware (www.messageware.com). ActiveSend gives users the ability to set OWA as the default email client within desktop applications, enabling the SendTo and MailTo functions and hyperlinks in web pages.
The Microsoft article below describes how to permit OWA users to search address books based on multiple organizational units or specific address lists, rather than being restricted to just their organizational unit or one address list.
For more information refer to https://support.microsoft.com/kb/817218/en-us
To access Public Folders on Exchange 5.5, a Connection Agreement must be made with the Exchange 2000 computer and the Exchange Server 5.5 public folders must be replicated to the Exchange 2000 computer.
For more information refer to https://support.microsoft.com/kb/292019/en-us
Write mailbox folder access is not supported in OWA. Instead, full mailbox access must be given to a user to access and manage content in other users' mailboxes.
For more information refer to https://support.microsoft.com/kb/811646/en-us.
Using ADSIEdit, administrators can edit the msExchQueryBaseDN attribute to restrict users to viewing either:
a) A limited Global Address List that consists of users in the same Active Directory Organizational Unit; or
b) A custom Exchange Address List.
To make this configuration change, refer to https://support.microsoft.com/?kbid=272197
To set up OWA to accept UPN login names, the Exchange, Exchweb/bin and Public virtual directories must be configured to use Basic Authentication and the default domain must be configured to be "\", no quotes.
To step through the configuration, refer to https://support.microsoft.com/?kbid=267906.
In OWA 2000, users can download a Multimedia Control from the OWA Options page allowing them to insert audio and video content into messages. Some administrators may decide to disable access to multimedia files to prevent high use of server resources.
To disable the multimedia button in the OWA Options page, open the registry editor (regedit) and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB. Create a key named DisableMultimedia and set the value to 1. Care should always be taken when making edits in the system registry.
For more information on this and other OWA registry keys, refer to https://support.microsoft.com/?kbid=311342.
The reminder polling occurs every 9 minutes by default. To change this value, open the registry editor (regedit) and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA. The key name is ReminderPollingInterval. Care should always be taken when making edits in the system registry.
For more information on this and other OWA registry keys, refer to https://support.microsoft.com/?kbid=311342.
The new mail notification polling occurs every 2 minutes by default. To change this value, open the registry editor (regedit) and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA. The key name is NewMailNotificationInterval. Care should always be taken when making edits in the system registry.
For more information on this and other OWA registry keys, refer to https://support.microsoft.com/?kbid=311342.
On a front-end server running Exchange Server 2003 or 2000, users are not logged off correctly, either due to a permission issue on the Logoff.asp page or because /exchweb/bin is configured for Integrated Windows Authentication instead of Basic.
For more details and for the instructions on how to correct these configuration issues, refer to https://support.microsoft.com/?kbid=927907.
The change password feature is not enabled by default in OWA 2000 because it is a feature of IIS, not Exchange 2000 Server. The IISADMPWD virtual directory must be created in IIS under the OWA website and the Change Password button must then be enabled from within the registry.
For more information refer to https://support.microsoft.com/?kbid=297121.
Additional login prompts are usually the result of a mismatch of IIS Authentication settings. The authentication settings for the Exchange, Public, and Exchweb\bin virtual directories must match to ensure users do not get additional login prompts.
It is best to check the Exchange and Public Authentication settings from the Exchange System Manager (ESM) and then compare them to the settings in the IIS Manager. This order is important since the ESM settings overwrite the IIS settings for the Exchange and Public virtual directories.
Compare the IIS authentication settings for the Exchange, Public, and Exchweb\bin virtual directories in Exchange System Manager (ESM) and the Internet Information Services Manager (IIS).
Refer to the summary tables of IIS authentication settings below.
Native OWA virtual directory authentication settings
| Authentication | Exchange | Public | Exchweb\bin |
|---|---|---|---|
| Basic | Basic | Basic | Basic |
| Integrated | Basic and Integrated | Basic and Integrated | Basic and Integrated |
| Exchange FBA | Basic | Basic | Basic |
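An added example (not from the original page or from Microsoft) that checks observed IIS authentication settings for the three virtual directories against the summary table above and flags any mismatch. The `AuthFlags` values in `$sample` are constructed, and the function names and the metabase path in the comment (site ID 1) are assumptions.

```powershell
# IIS metabase AuthFlags bits: Anonymous = 1, Basic = 2, Integrated Windows = 4.
$AuthBits = @{ Anonymous = 1; Basic = 2; Integrated = 4 }

# Expected methods per deployment type, copied from the summary table.
$Expected = @{
    'Basic'        = 'Basic'
    'Integrated'   = 'Basic and Integrated'
    'Exchange FBA' = 'Basic'
}

function ConvertFrom-AuthFlags([int]$Flags) {
    # Decode the bitmask into method names, in a fixed order.
    $names = @('Anonymous', 'Basic', 'Integrated' |
        Where-Object { $Flags -band $AuthBits[$_] })
    if ($names.Count -eq 0) { return 'None' }
    return ($names -join ' and ')
}

function Test-OwaAuth([string]$Mode, [hashtable]$Observed) {
    # Emit one result object per virtual directory (hypothetical helper).
    foreach ($vdir in 'Exchange', 'Public', 'Exchweb\bin') {
        $have = ConvertFrom-AuthFlags ($Observed[$vdir])
        New-Object PSObject -Property @{
            VirtualDirectory = $vdir
            Expected         = $Expected[$Mode]
            Observed         = $have
            Match            = ($have -eq $Expected[$Mode])
        }
    }
}

# Constructed sample: Exchweb\bin left on Integrated only while the others use Basic.
# On a live server the value could be read per directory with, for example,
# ([ADSI]'IIS://localhost/W3SVC/1/ROOT/Exchange').AuthFlags (site ID 1 is an assumption).
$sample = @{ 'Exchange' = 2; 'Public' = 2; 'Exchweb\bin' = 4 }

Test-OwaAuth -Mode 'Basic' -Observed $sample |
    Format-Table VirtualDirectory, Expected, Observed, Match -AutoSize
```

Because the ESM settings overwrite the IIS settings for the Exchange and Public virtual directories, a mismatch reported on those two should be corrected in ESM rather than in IIS Manager.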
ISAServer.org
This article, by ISA Firewall specialist Thomas Shinder, explains that earlier versions of ISA Firewall (2000 and 2004) included navigation protection. Navigation protection ensures that if a user goes to another website, such as Google, without logging off OWA, ISA automatically logs the user off. With navigation protection, administrators can rest assured that users are not leaving active OWA sessions behind.
ISA Firewall 2006 no longer includes navigation protection. This is explained in more detail in an ISA Security report published by Messageware Incorporated (ISA Security Report: OWA Security Issues Undetected by ISA Server) referenced in Thomas Shinder's article.
SearchExchange.com
The article gives an overview of an OWA attachment solution called AttachView by Messageware, which lets users safely view a wide array of attachments without ever downloading the file to the local computer. AttachView offers users secure access to attachments via an enhanced viewing window with features such as: view Microsoft Word Track Changes revisions, a hyperlinked table of contents, printer-friendly version, rotate and zoom buttons.
Administrators can set rules giving users access to open, save and print attachments based on criteria such as IP address, username, hostname and whether they are connecting from a corporate device.
To view the full article, go to https://searchexchange.techtarget.com/tip/0,289483,sid43_gci1310616,00.html
MSExchange.org
This article walks step by step through the process of securing OWA 2000 using SSL. It includes helpful screenshots and links to more articles on OWA 2000.