OWA has some security issues that should worry Exchange Administrators:  First, an OWA user’s cached credentials can easily be used to gain unauthorized access to Exchange; and second, because an OWA session does not time out if the user forgets to logout and close the browser window, an intruder can gain access to Exchange simply by browsing to the open OWA session.

Most organizations know to use SSL to encrypt data transferred to and from the OWA client and the Exchange server, thus making it impossible to snoop the contents of a user’s email. What most organizations do not know, however, is SSL will not prevent an intruder from gaining access to Exchange via an OWA session, even if SSL is used in conjunction with other security products such as a firewall. This is because OWA relies on the Web browser for credentials, which are cached. 

SessionGuard monitors authentication and prevents cached credentials from being used for authentication. By blocking and clearing cached credentials, SessionGuard forces OWA users to enter their User IDs and passwords to access the Exchange server. If users are using OWA over Internet Explorer (either Windows or Macintosh), they will enter their User IDs and Passwords once. If users are using another type of browser, such as Netscape Communicator or Mozilla, they will be required to authenticate and then verify their IDs and passwords. If a browser has its default setting of ‘Enable session cookies’ (which are stored in memory and not on the hard drive) disabled, SessionGuard will redirect users to an error page advising them that OWA is only accessible if session cookies are enabled. 

In short, SessionGuard eliminates the security risk of users unwittingly exposing Exchange to unauthorized access by blocking and clearing cached credentials and by allowing an Administrator to define a session time out.  

Copyright © 2001 Messageware Incorporated.  All rights reserved.