The Account lockout duration, Account lockout threshold and Reset account lockout counter after settings are configured in the Default Domain Policy. They define what happens when a user attempts to log on to the domain with an incorrect password multiple times. A failed logon to OWA also increments the user's bad password count (the badPwdCount attribute), so repeated bad passwords entered through OWA will eventually lock the user out of the domain until the lockout expires or is reset.
Important consideration: an attacker who obtains valid usernames can use the same mechanism to lock users out of the network deliberately, since no correct password is needed to drive the counter up to the threshold. The defaults and recommended values of these Default Domain settings are as follows:
| Setting | Description | Default | Recommended |
|---|---|---|---|
| Account lockout duration | The number of minutes a locked-out account remains unavailable before the user can attempt to log on again. A value of 0 keeps the account locked until an administrator unlocks it; such a configuration will likely increase the number of calls the help desk receives to unlock accounts locked by mistake. | Windows Server 2008: Not Defined; Windows Server 2003: Not Defined | Windows Server 2008: 15 minutes; Windows Server 2003: 0 |
| Account lockout threshold | The number of failed logon attempts before a lockout occurs. A value of 0 means accounts are never locked out. | Windows Server 2008: 0; Windows Server 2003: 0 | Windows Server 2008: 50 invalid logon attempts; Windows Server 2003: 20 invalid logon attempts |
| Reset account lockout counter after | The number of minutes after a failed logon before the bad password counter (badPwdCount) is reset to zero. | Windows Server 2008: Not Defined; Windows Server 2003: Not Defined | Windows Server 2008: 15 minutes; Windows Server 2003: 30 minutes |
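As an added illustration (example code written for this page, not Microsoft's or Messageware's), the following Python model shows how the three settings interact and why the attacker consideration above matters: with the Windows Server 2003 recommended values an attacker who knows a username can lock it out with 20 bad passwords, while an attacker who stays one guess below the threshold in every reset window is never locked out at all. The model is deliberately simplified: it ignores replication of the count to the PDC emulator and Windows' exemption of the previous two passwords from the counter, times are whole minutes, and the account names and passwords are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    """The three Default Domain Policy settings above (values in minutes)."""
    threshold: int    # Account lockout threshold; 0 = never lock out
    reset_after: int  # Reset account lockout counter after
    duration: int     # Account lockout duration; 0 = locked until an admin unlocks


@dataclass
class Account:
    password: str
    bad_pwd_count: int = 0           # mirrors the AD badPwdCount attribute
    last_bad: Optional[int] = None   # minute of the most recent failed attempt
    locked_at: Optional[int] = None  # minute the lockout started, if locked


class Domain:
    """Simplified model of a domain controller applying the lockout policy."""

    def __init__(self, policy: LockoutPolicy, accounts: Dict[str, Account]):
        self.policy = policy
        self.accounts = accounts

    def _locked(self, acct: Account, now: int) -> bool:
        if acct.locked_at is None:
            return False
        if self.policy.duration == 0:
            return True                      # stays locked until admin_unlock()
        if now - acct.locked_at < self.policy.duration:
            return True
        acct.locked_at = None                # duration elapsed: automatic unlock
        acct.bad_pwd_count = 0
        return False

    def logon(self, user: str, password: str, now: int) -> str:
        """Return OK, BAD_PASSWORD or LOCKED_OUT for one logon attempt."""
        acct = self.accounts[user]
        if self._locked(acct, now):
            return "LOCKED_OUT"              # even the correct password is refused
        if acct.last_bad is not None and now - acct.last_bad >= self.policy.reset_after:
            acct.bad_pwd_count = 0           # observation window expired
        if password == acct.password:
            acct.bad_pwd_count = 0
            return "OK"
        acct.bad_pwd_count += 1
        acct.last_bad = now
        if self.policy.threshold and acct.bad_pwd_count >= self.policy.threshold:
            acct.locked_at = now
            return "LOCKED_OUT"
        return "BAD_PASSWORD"

    def admin_unlock(self, user: str) -> None:
        acct = self.accounts[user]
        acct.locked_at = None
        acct.bad_pwd_count = 0


def safe_guesses_per_window(policy: LockoutPolicy) -> Optional[int]:
    """Guesses per user an attacker can make inside one reset window without
    causing a lockout; None means unbounded (threshold 0, the default)."""
    return None if policy.threshold == 0 else policy.threshold - 1


def demo_attacker_lockout() -> Dict[str, str]:
    """Server 2003 recommended values: threshold 20, reset 30, duration 0.
    The attacker needs only the username; the real user is then locked out."""
    dom = Domain(LockoutPolicy(threshold=20, reset_after=30, duration=0),
                 {"alice": Account(password="S3cret!")})
    for i in range(20):
        dom.logon("alice", "wrong-%d" % i, now=0)
    victim = dom.logon("alice", "S3cret!", now=5)   # correct password, still refused
    dom.admin_unlock("alice")                        # duration 0: help desk must unlock
    return {"victim": victim, "after_unlock": dom.logon("alice", "S3cret!", now=6)}


def demo_window_reset() -> int:
    """Staying below the threshold in each reset window never triggers a lockout."""
    dom = Domain(LockoutPolicy(threshold=20, reset_after=30, duration=0),
                 {"bob": Account(password="hunter2")})
    lockouts = 0
    for window in range(4):                          # 4 x 19 = 76 guesses in 2 hours
        for _ in range(19):
            if dom.logon("bob", "guess", now=window * 30) == "LOCKED_OUT":
                lockouts += 1
    return lockouts


def demo_auto_unlock() -> Dict[str, str]:
    """Server 2008 recommended values: threshold 50, reset 15, duration 15."""
    dom = Domain(LockoutPolicy(50, 15, 15), {"carol": Account(password="pw")})
    for _ in range(50):
        dom.logon("carol", "x", now=0)
    return {"t10": dom.logon("carol", "pw", now=10),   # still inside the 15 minutes
            "t15": dom.logon("carol", "pw", now=15)}   # lockout expired, logon succeeds
```

The `safe_guesses_per_window` figure is the one to keep in mind when choosing the threshold: a higher threshold reduces accidental and malicious lockouts but widens the budget an attacker gets for guessing per user per window, so the threshold and the reset window should be chosen together with the monitoring of failed logons.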
When configuring per-user segmentation, selected OWA features are enabled or disabled for specific users. Per-user segmentation requires the Active Directory user object to be modified using ADSI Edit. To configure per-user segmentation, refer to Microsoft's article below.
How to modify the appearance and the functionality of Outlook Web Access by using the segmentation feature in Exchange 2003
https://support.microsoft.com/kb/833340
Note: In a front-end / back-end environment, segmentation settings must be made on the back-end server.
For additional information about the segmentation attributes, refer to the same Microsoft article: https://support.microsoft.com/kb/833340.
Setting Up Outlook 2003 Cached Exchange Mode Accounts
https://office.microsoft.com/en-us/ork2003/HA011402591033.aspx
If you are interested in giving users access to shared calendars from within OWA, as they have in Outlook, a company called Messageware offers shared calendaring for OWA.
Pasting images into messages is not an OWA feature. There are two workarounds to getting images into your message:
There is a thread on the Microsoft TechNet forums, linked below, which explains how to paste an image into the OWA signature. The workaround does not always work and is not supported by Microsoft as an official solution.
How to get an image into the signature file in OWA
https://social.technet.microsoft.com/forums/en-US/exchangesvrclients/thread/1bb882b3-03dc-4085-ae06-a787fd76fd39/
When a user opens an attachment rather than saving it to a chosen location, the browser writes it to the Temporary Internet Files folder on the local computer. The user is not told this, so confidential documents are left behind on shared or public computers where unauthorized people could retrieve them.
There are a few ways Administrators can secure attachments for all:
Disable access to all attachments
Although not practical, it is the safest way to make sure that attachments are never left behind.
Force Save for all file types
This is a good option if your company is okay with users saving files to local machine and possibly forgetting to permanently delete them. Another problem is that the save menu also has an open option!
Get third-party help
Messageware (www.messageware.com) offers a product called AttachView which gives administrators a wide variety of configuration options for securing attachments. Because AttachView supports viewing over 300 file types as safe HTML pages, it makes it feasible to turn off the open and save attachment options for users who are not in the office or on corporate devices.
The Exchange Forms Based Authentication login page settings are contained in the logon.asp page. The steps below describe how to remove the Public and Private options from the OWA login page. The difference between choosing Public and Private is the inactivity timeout configuration; removing this option will apply the Public timeout value for all users.
This is what the login page will look like after following the steps below:
To remove the Public and Private options,
For more information on customizing the login page, refer to the following Microsoft article: Customizing the Outlook Web Access Logon Page.
For information on customizing the inactivity timeout options, refer to Tweaking Outlook Web Access timeout options.
The Exchange Forms Based Authentication login page settings are contained in the logon.asp page. The steps below describe how to remove the option to choose a Premium or Basic experience from the OWA login page. This is what the login option will look like after following the steps below:
To remove the Premium and Basic options,
There are several ways to secure OWA. Microsoft's recommended approach is a cookie-based solution, Exchange Forms-based authentication (FBA), which ships with Exchange Server 2003. FBA requires SSL on the OWA site; for added security make sure that users can connect to OWA over SSL only.
The article below from MSExchange.org has some more information on securing OWA. https://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html
Some additional security implications include:
There is a third party, Messageware, that offers OWA security and enhancement solutions. It would be a good idea to check with them as well.
You will need to speak to your Exchange Administrator about setting up a VPN or RPC over HTTP connection for you. Refer to the Microsoft knowledgebase article below for more information.
The Outlook Web Access client does not provide a way to backup email folders; you will need to use Microsoft Outlook or Microsoft Outlook Express to create a PST / Data file that will be saved to your computer.
If you are working from a remote location your Exchange Administrator will need to provide you access to your mailbox via a VPN connection or RPC over HTTP. Once you set up your account using Microsoft Outlook, you can refer to the link below for more information on how to create an Outlook Personal Folder (.pst).
How to create a .pst file in Outlook 2003
Note: If you are using Microsoft Outlook 2007, use the File\Data File Management option. Once the PST is created, you can set up an Outlook connection for your other email account and open the PST file. You can then simply drag the mail items out of the PST and into your mailbox.
Spell check options are set in the OWA Options page. Scroll down to the Spelling Options and put a check mark beside Always check spelling before sending.
The loading message can occur in a front-end back-end OWA environment when a service pack or update is applied on the back-end before it is applied on the front-end, refer to https://support.microsoft.com/kb/910119/en-us for details. Any OWA updates must first be applied on the front-end server to ensure compatibility with the back-end server.
If no updates were applied and you are experiencing this issue, refer to https://support.microsoft.com/kb/280823/en-us for more troubleshooting tips.
Microsoft has corrected an issue where the OWA forms-based filter leaked handles. For more information and to download the hotfix refer to https://support.microsoft.com/kb/897717/en-us
To set OWA as the default mail client, which lets you send messages from within Microsoft Office, respond via MailTo links on websites and send attachments by right-clicking on files on the desktop, you need to use a third party add-on, such as ActiveSend from Messageware (www.messageware.com)
ActiveSend also includes the ability to save an encrypted username and password, and toggle between mail accounts so you can change the default email from OWA to Outlook, for example, if you are using a notebook both in and out of the office.
The error message is the result of the Microsoft Exchange Information Store service not starting because Oledb32.dll was not updated by the Windows upgrade. You can obtain the correct version of this file either from another installation of Windows Server 2003 or by installing Windows Server 2003 on another partition and copying the file over.
For more information, refer to https://support.microsoft.com/kb/837285/en-us
Microsoft ISA Forms-based authentication (FBA) provides users with two login options, "Public or shared computer" and "Private computer", as shown below:
Administrators can configure longer session inactivity timeouts for Private connections (e.g. laptop or home) and shorter ones for Public connections (e.g. airport kiosk, customer site). This ensures that if the OWA session is left open by accident, it will safely be logged off after a configured period of time, minimizing the risk that an unauthorized user will gain access to an active session.
The risk with this scenario is that companies have to rely on user education to ensure users choose the correct login option rather than the one that is more convenient for them. There are security products available from a third party, Messageware (www.messageware.com), that allow the Exchange administrator to configure security policies by user, group, IP address or corporate device.
When a user composes a message in OWA, the font looks homogenous but after sending the message the recipient sees the first paragraph in one font face and the remaining in another. This occurs because the sender's Internet Explorer browser setting is configured to use the default Internet Explorer font face. In OWA, the email editor only puts font tags around the first paragraph and the rest of the message uses the default Internet Explorer font face. Recipients with a different Internet Explorer default font will therefore see a different font being used after the first paragraph.
To ensure the font tags are applied to messages composed in OWA, set the Internet Explorer font face to another font than the default. For more information refer to https://support.microsoft.com/kb/817314/en-us
In environments where OWA is not installed on the Default Web Site, either the Davex.dll file or the Exprox.dll file intercepts the request and causes a 404 error. To correct this issue, you must remove the inherited file mappings from the IISADMPWD virtual directory properties.
For instructions on how to make this configuration change, refer to https://support.microsoft.com/kb/328242/en-us
In OWA 2003 the new mail notification briefly appears in the bottom right-hand corner of the screen and then disappears.
There is a third-party product called Plus Pack from Messageware (www.messageware.com) which will keep the new mail notification on the screen until the user chooses to open or ignore the message.
The OWA Web Administration tool is a small MSI for setting OWA options remotely through a browser; it can be downloaded from the Microsoft Download Center and is installed on an Exchange 2003 server. To run the install, double-click the unzipped file. Once installed, use the following URL to access the administrative options: https://Servername/OWAAdmin
For more information, refer to https://download.microsoft.com/download/7/9/a/79a3c251-2ca1-44e3-865b-44488f97ad55/readme.htm
By default, the OWA 2003 new mail notification polls every 2 minutes and the reminder notification polls every 9 minutes. There are no user options for customizing the new mail polling interval without a third-party add-on, such as Plus Pack from Messageware (www.messageware.com).
Embedded messages sent by Outlook users cannot be opened in OWA when connecting via SSL. To access an embedded message, either ask the sender to resend it as a regular attachment or disable the "Do not save encrypted pages to disk" option in Internet Explorer. Note that disabling that option lets the browser cache content received over SSL on the local disk, which reintroduces the attachment-caching exposure described above; prefer the resend workaround on shared or public computers.
For more information refer to https://support.microsoft.com/kb/820845/en-us
This issue is likely caused by a misconfigured authentication setting on the Exchweb\bin folder in IIS. On a front-end server the Exchange, Public and Exchweb\bin virtual directories should be configured for Basic authentication (not Integrated Windows authentication). A mismatch between them can cause multiple login prompts.
For more information refer to https://support.microsoft.com/kb/325906/en-us
The OWA spell check searches a default dictionary which cannot be updated by the user.
To add a legal dictionary, a third-party add-on is required such as the one from Messageware (www.messageware.com). The Messageware Plus Pack includes Medical, Legal and Corporate dictionaries and allows users to add common terms, such as their last name to their personal roaming dictionary.
The OWA address book does not show additional Personal Contact folders. You can access the folders by navigating through the folder tree.
There is a third party add-on from Messageware (www.messageware.com) which lets users add custom Personal Contact folders to their OWA address book. Additionally, the Messageware address book lets users add Public Folder address lists and displays all Exchange Address Lists created server-side.
The OWA Find Names address book is not customizable and users will always see the Personal Contacts folder after the Global Address Book.
There is a third party add-on from Messageware (www.messageware.com) which gives users the ability to configure their OWA Address Book to display their personal contact list above the Global Address List.
The first time a user logs on to OWA, the names of the Inbox, Calendar, Contacts and other default folders are localized using the browser's "Accept-Language" header. For example, if the browser language is German the first time the user logs on to OWA, the default folder names will be in German even if the browser language is changed in future sessions. The language can be hard-coded on the server side by creating an ISAPI filter in IIS. The filter intercepts all requests and rewrites the "Accept-Language" value before Exchange receives it.
For more details on this configuration refer to https://support.microsoft.com/kb/310599/en-us.
Users on Internet Explorer 5.0 may get a message asking them to set their time zone if the local machine and the OWA time zone settings differ. To correct the "Please use the Options shortcut to set your current local time zone" error, upgrade the browser to Internet Explorer 6.0, since 5.0 cannot differentiate between time zone offsets. For more information refer to https://support.microsoft.com/kb/255457/en-us.
The Find Names address book dialog does not display Personal Distribution lists. (Refer to https://support.microsoft.com/kb/820280/en-us for details).
There is a third party add-on from Messageware (www.messageware.com) which gives users the ability to see personal and corporate distribution lists, Public Folder contact lists, as well as custom Exchange Address Lists.
If you are running Exchange 2003 SP2 on Windows 2003 SP1, an image file can be added to the OWA signature after the S/MIME control is installed on the client machine. Refer to the following Microsoft TechNet forum thread for details: https://social.technet.microsoft.com/Forums/en-US/exchangesvrclients/thread/1bb882b3-03dc-4085-ae06-a787fd76fd39/
A thesaurus is not available as a feature in Outlook Web Access 2000 or 2003. You require a third-party product called Messageware Plus Pack (www.messageware.com) to add a thesaurus to OWA for your users.
Outlook Web Access does not give users the ability to mark appointments as private. Appointments marked as Private in Outlook, however, do appear as private appointments when viewed in OWA.
To mark an appointment or Meeting request as Private using OWA you would need to get a third-party add-on, such as the Plus Pack from Messageware Incorporated (www.messageware.com) which adds a private checkbox at the bottom of appointment, meeting request and contact forms.
Some companies choose to block attachment access for all OWA users, but this is not practical for most companies. If you cannot disable attachment access, there is a third-party add-on called AttachView (www.messageware.com) which gives users the ability to view attachments in OWA without caching them on the client machine. AttachView secures attachments in email messages, contact folders, calendar appointments and public folders.
The error may occur when the help files are not copied to the Systemroot\Program Files\Exchsrvr\Exchweb\Help folder during installation. To resolve this issue, copy the help files from the Exchange Server 2003 CD (SETUP\I386\EXCHANGE\EXCHWEB\HELP) to the corresponding folder on the server.
For more information refer to https://support.microsoft.com/kb/555265/en-us
The below Microsoft Article explains that S/MIME installs a component which is restricted by Windows XP SP2. Microsoft has created a correction which can be downloaded via the following article: https://support.microsoft.com/kb/883543/en-us
The below Microsoft article explains that the issue may be related to using SSL, using Gzip compression or using Netscape Navigator 6.x or Netscape Navigator 7.x.
For more information refer to https://support.microsoft.com/kb/822584/en-us
The below Microsoft article explains that when using validation methods such as RSA SecurID with the OWA Forms-based Authentication, users do not receive the OWA logon form.
For more information and to find out how to correct this issue, refer to https://support.microsoft.com/kb/935206/en-us
The below Microsoft article explains how to correct the following errors when connecting to the root of OWA and the requests are automatically redirect users to the Exchange folder:
The below Microsoft article explains that ISA 2004's RADIUS authentication cannot be used when OWA Forms-Based Authentication is used on the published site.
For more information refer to https://support.microsoft.com/kb/884560/en-us
On a front-end server running Exchange Server 2000 or 2003, users are not logged off correctly when there is a permission problem on the Logoff.asp page or when /exchweb/bin is configured for Integrated Windows Authentication instead of Basic. For details and instructions on correcting these configuration issues, refer to https://support.microsoft.com/?kbid=927907.
If you are using Microsoft ISA 2004 or ISA 2006 to publish OWA you can set up Forms-based Authentication (FBA) to configure different attachment access for Public and Private connections. If you are not using ISA, you will need to look at a third-party add-on such as Messageware AttachView (www.messageware.com). AttachView gives Exchange Administrators the ability to customize security settings by IP address, user groups, or corporate device recognition, controlling the user's ability to view, open, print and save documents.
When the S/MIME control is not installed, the Forms-based Authentication logoff program in ISA 2004 causes 2 unnecessary HTTP POST requests to run, slowing down the user's logoff process. This Microsoft article provides information on how to correct this issue.
For more information refer to https://support.microsoft.com/kb/920139/en-us
The below Microsoft article explains that dialog text sizes are predefined. The settings can be overridden by checking "Ignore font sizes specified on Web pages" under Internet Explorer's Accessibility options.
For more information refer to https://support.microsoft.com/kb/818483/en-us
The below Microsoft article explains that folder-level write access to another user's mailbox is not supported in OWA. Instead, full mailbox access must be granted to a user to access and manage content in other users' mailboxes.
For more information refer to https://support.microsoft.com/kb/811646/en-us
The below Microsoft knowledgebase article provides information on how to Install Windows Server 2003 Certification Authority, request a Certificate, install the OWA S/MIME Control and Test Encryption and Signing.
For more information refer to https://support.microsoft.com/kb/823568/en-us
Outlook Web Access users who access their mail on Vista clients get a Red X in the compose message form body. To resolve this issue, apply the below Microsoft updates on the Exchange server/s:
KB 912945: Internet Explorer ActiveX update - Changes the way in which Internet Explorer handles some Web pages that use ActiveX controls and Java applets.
KB 911829: You receive an error message when you try to perform any editing tasks, or you must click to enable the compose frame in Outlook Web Access - Enables a new editor for Internet Explorer. The new editor uses an Internet Explorer "iframe" instead of an ActiveX control.
Note: Applying the hotfixes causes a focus issue in the compose message form; pressing the space bar in the message body brings up the Address Book since the focus is on the "To.." button. For a free correction and details, refer to the following knowledgebase article by Messageware Incorporated: Pressing the space bar in the compose message window brings up the Address book.
Additional login prompts are usually the result of a mismatch of IIS Authentication settings. The authentication settings for the Exchange, Public, and Exchweb\bin virtual directories must match to ensure users do not get additional login prompts.
It is best to check the Exchange and Public Authentication settings from the Exchange System Manager (ESM) and then compare them to the settings in the IIS Manager. This order is important since the ESM settings overwrite the IIS settings for the Exchange and Public virtual directories.
Compare the IIS authentication settings for the Exchange, Public, and Exchweb\bin virtual directories in Exchange System Manager (ESM) and the Internet Information Services Manager (IIS).
Refer to the summary tables of IIS authentication settings below.
Native OWA virtual directory authentication settings
| Authentication | Exchange | Public | Exchweb\bin |
|---|---|---|---|
| Basic | Basic | Basic | Basic |
| Integrated | Basic and Integrated | Basic and Integrated | Basic and Integrated |
| Exchange FBA | Basic | Basic | Basic |
Based on a Microsoft knowledgebase article, there are several causes for receiving a HTTP 500 Internal Server Error. Some situations in which you might receive the error message are as follows:
For more information and steps on how to resolve this error, refer to https://support.microsoft.com/?kbid=894965.
ISAServer.org
This article, by ISA Firewall specialist Thomas Shinder, explains that earlier versions of ISA Firewall (2000 and 2004) included navigation protection. Navigation protection ensures that if a user goes to another website, such as Google, without logging off OWA, ISA automatically logs the user off. With navigation protection, administrators can rest assured that users are not leaving active OWA sessions behind.
ISA Firewall 2006 no longer includes navigation protection. This is explained in more detail in an ISA Security report published by Messageware Incorporated (ISA Security Report: OWA Security Issues Undetected by ISA Server) referenced in Thomas Shinder's article.
To read the full article, go to:
Microsoft Exchange Team
The article points out 11 time-saving features available in Outlook and Outlook Web Access. The features discussed include:
To view the full article, go to https://msexchangeteam.com/archive/2005/10/27/413172.aspx
SearchExchange.com
The article gives an overview of an OWA attachment solution called AttachView by Messageware, which lets users safely view a wide array of attachments without ever downloading the file to the local computer. AttachView offers users secure access to attachments via an enhanced viewing window with features such as: view Microsoft Word Track Changes revisions, a hyperlinked table of contents, printer-friendly version, rotate and zoom buttons.
Administrators can set rules that allow users to open, save and print attachments based on criteria such as IP address, username, hostname and whether they are connecting from a corporate device.
To view the full article, go to https://searchexchange.techtarget.com/tip/0,289483,sid43_gci1310616,00.html
Messageware
Many companies who have Microsoft Exchange with the update Q911829 (released in March and April, 2006) installed and are using Outlook Web Access have been experiencing a problem addressing messages. In some environments, when the spacebar is pressed after addressing a message the address dialog box re-appears and in some cases, while typing the message body, entering a space suddenly activates the addressing dialog box.
Upon hearing about this problem from Exchange administrators who were concerned about the productivity of their users, Messageware researched the problem, found the cause, and has released a free fix. This patch is now available to companies and Exchange administrators who are running any version of Exchange or OWA. It can be downloaded at https://www.messageware.com/downloads/fixQ911829.php.
The Microsoft Exchange Team Blog
January 28, 2008 - This article describes how to alleviate problems encountered with OWA calendar delegates in Exchange 2003 when Exchange 2003 SP2 has been installed.
Source: Messageware Incorporated
July 19, 2007, Toronto, Canada - Microsoft Office Outlook Web Access (OWA) is the corporate web mail solution of choice for the overwhelming majority of companies today and most of these companies secure their OWA environment with a Microsoft Internet Security & Acceleration (ISA) firewall server. A new white paper released today by Messageware (www.messageware.com), the world's leading provider of enterprise productivity and security solutions for Microsoft Office Outlook Web Access, highlights often overlooked security risks for organizations running OWA with ISA Server. In addition, it offers effective solutions for securing OWA against those risks.
Download the white paper at https://messageware.com/OWA-white-papers/white_papers.php.
Source: Petri IT Knowledgebase
This article steps through the benefits of installing the S/MIME control on a client machine. The S/MIME control adds drag-and-drop message and attachment capability and enables users to read and send encrypted and signed messages.