Re: Securing OWA on public computers.
I'd thought that the context of the group would preclude understanding of my message
as a lamer question about "Where is the "Clean the cache" button located?".
The question was really about securing corporate OWA deployment from the
point of view of security consultant.
I'm looking to mitigate risks associated with standard (not hostile) public
computers and normal users using them, users who never clean the cache themselves
after use.
Sure, a keylogger, forensic drive recovery etc. will obtain data, but this is
beyond my risk range.
I know it's easy to say - "Don't use it", but reality is different.
Back to the problem. While connecting through HTTPS most browsers don't
cache HTML, but cache attachments when they open.
Solutions I see by now are:
1. Block attachments in OWA access (almost business prohibitable)
2. Convert attachment on server to HTML. In such case the risk of attachment
disclosure will be downgraded to message text disclosure.
While it's possible for me to code this (for major types of attachment) I'd
like to know if any existing package provides this functionality.
3. Client side scripting to force on attachment click: Download file to disk
a: only and open file from there.
Drawbacks are obvious, and it's not clear how to code it, at least for IE and
Netscape.
4. Some way to call into object model to clean cache on exit - I do have
hope that users will close open windows :)
5. Legal disclaimers to transfer risk.
Any better ideas?
Regards
----- Original Message -----
From: "3APA3A" <3APA3A@SECURITY.NNOV.RU>
To: "Alex T." <agtads@hotmail.com>
Sent: Sunday, November 10, 2002 7:46 AM
Subject: Re: Securing OWA on public computers.
> Dear Alex T.,
>
> try not to open attachment in Internet Explorer, because in this case
> attachment is saved in cache. Instead save attachment to secured
> location and open it from this location.
>
> --Thursday, November 7, 2002, 11:09:11 PM, you wrote to bugtraq@securityfocus.com:
>
> AT> I've noticed that when accessing Outlook web access (through https) and
> AT> opening word attachment the attachment remain in cache.
present
> AT> security risk.
Received on Sun Nov 10 10:52:44 2002