Think enabling OWA for a few users is safe?

Think Outlook Web Access is secure since you only have it enabled for the users that keep strong passwords?

Think again.

There's this little thing called WebDAV. It's how Entourage connects to Exchange, and it is used by the AJAX in OWA. Now, it is true that OWA will say "Microsoft Outlook Web Access is currently disabled for user X" if you try to access OWA through your web browser directly. However, the actual underlying WebDAV methods aren't similarly restricted. Even if a user has OWA specifically disabled, they can still connect remotely using Entourage/WebDAV!

So, as long as you have OWA published, you're only as secure as your weakest password. You can't stop employees from connecting remotely, and you can't stop hackers from accessing mailboxes with weak passwords. And if you haven't disabled the new "Remote File Access" feature of Exchange 2007, now would be a good time. Your company-wide shares can be viewed if just one user has a weak password.

Bottom line: If you have been relying upon mailbox-level OWA control to protect those users who refuse to remember long passwords - you're in trouble.

Note: I called Microsoft Support to confirm this behavior, and their tests had the same results - disabling OWA access doesn't affect remote WebDAV/Entourage access.
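To see whether this is already happening on a published server, the IIS logs can be checked for successful WebDAV requests made by mailboxes that have OWA disabled. The following is an added example, not code from the original post. It assumes W3C extended logging with the fields shown, that mailboxes are served under the `/exchange/` virtual directory, and that you supply the set of OWA-disabled account names yourself; the log lines are constructed.

```python
from collections import Counter

# RFC 4918 WebDAV verbs plus the Exchange WebDAV extensions (SEARCH, batch verbs, etc.).
WEBDAV_METHODS = {
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "SEARCH", "BPROPFIND", "BPROPPATCH", "BCOPY", "BMOVE", "BDELETE",
    "SUBSCRIBE", "POLL",
}

# Constructed sample log (documentation IP ranges, made-up accounts).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2008-03-01 02:11:40 GET /exchange/alice/ CONTOSO\\alice 203.0.113.7 Mozilla/4.0 200
2008-03-01 02:12:02 PROPFIND /exchange/bob/Inbox/ CONTOSO\\bob 203.0.113.9 Entourage/12.0 207
2008-03-01 02:12:05 SEARCH /exchange/bob/Inbox/ CONTOSO\\bob 203.0.113.9 Entourage/12.0 207
2008-03-01 02:13:00 PROPFIND /exchange/carol/ - 198.51.100.4 - 401
2008-03-01 02:14:00 PROPFIND /exchange/alice/ CONTOSO\\alice 203.0.113.7 Mozilla/4.0 207
"""

def normalize_user(raw):
    # Strip a DOMAIN\ prefix or an @domain suffix and lowercase the account name.
    return raw.split("\\")[-1].split("@")[0].lower()

def webdav_by_owa_disabled(log_text, owa_disabled, vdir="/exchange/"):
    """Count successful WebDAV requests per (user, client IP) for accounts
    whose OWA access is disabled. Column order is read from the #Fields line."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        user = normalize_user(row.get("cs-username", "-"))
        if (row.get("cs-method", "").upper() in WEBDAV_METHODS
                and row.get("cs-uri-stem", "").lower().startswith(vdir)
                and row.get("sc-status", "").startswith("2")  # 2xx, e.g. 207 Multi-Status
                and user in owa_disabled):
            hits[(user, row.get("c-ip", "-"))] += 1
    return dict(hits)

if __name__ == "__main__":
    for (user, ip), n in webdav_by_owa_disabled(SAMPLE_LOG, {"bob"}).items():
        print(f"{user}: {n} successful WebDAV requests from {ip} despite OWA being disabled")
```

Any hit means the mailbox-level OWA setting is not what is keeping that account off the internet-facing server.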

About Nathanael

Nathanael Jones is a software engineer, father, consultant, and computer linguist with unreasonably high expectations of inanimate objects. He refines .NET, ruby, and javascript libraries full-time at Imazen, but can often be found on stack overflow or participating in W3C community groups.
