One thing for sure that all users have to know is to make sure they close the browser window besides just logging off. Most do not, even though a setting will tell the user to close the browser window. So maybe a product like Messageware would be OK. Also, I would install some type of SSL security if OWA is going to be a major access point. Also, if there are going to be many users using this type of access, a Front-end/Backend solution is in order.

----- Original Message -----
From: "Martin, Jon" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Thursday, December 12, 2002 1:50 PM
Subject: RE: Securing the OWA Kiosk

> On the common practice follow-up question, I should have been a bit more
> concise by indicating that my question relates to users who are connecting
> to our corporate email system via the Internet, not internal users.
>
> Jon
>
> -----Original Message-----
> From: Martin, Jon
> Sent: Thursday, December 12, 2002 10:38 AM
> To: Exchange Discussions
> Subject: RE: Securing the OWA Kiosk
>
> Mark,
>
> Thanks - interesting audit. If we decide to go forward with allowing non-VPN
> clients access to Outlook we will take a closer look at the product. Is
> anyone aware of similar products?
>
> A question for the group on a related topic: is it common practice to allow
> non-VPN clients to access Outlook via OWA, or do most companies require at
> least a VPN connection?
>
> Jon
>
> -----Original Message-----
> From: Mark Rotman [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 12, 2002 9:52 AM
> To: Exchange Discussions
> Subject: RE: Securing the OWA Kiosk
>
> Jon,
>
> You could have a look at this OWA audit for some more details. Be aware that
> the document is useful, but the issues in it (as well as your #1) are
> handled by Messageware's SecureLogoff product.
>
> http://www.messageware.net/audits/owa.html
>
> -----Original Message-----
> From: Martin, Jon [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 11, 2002 3:22 PM
> To: Exchange Discussions
> Subject: Securing the OWA Kiosk
>
> How are folks handling the following potential security risks using OWA from
> unsecured workstations, such as a kiosk or library environment?
>
> 1. Cached web pages, etc. on the workstation. User walks away without
> closing the browser, the next user has access to the previous user's email.
>
> 2. Stealth keyboard capture program grabs userids and passwords.
>
> It seems like there is a common train of thought about remote OWA that 'It
> is only email, what is the worst that could happen?' My take is someone who
> has unauthorized access to email can potentially:
>
> - Get people fired;
> - Get people arrested;
> - Get companies/people sued;
> - Cost companies/people money.
>
> Thanks . . .
>
> Jon Martin
> Systems Programmer
> East Bay Municipal Utility District (EBMUD)
> Oakland, CA
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]

