
Can OWA Cache-Control be forced to use "no-store HTTP 1.1 directive"?

  • Thursday, July 30, 2009 10:35 PM

    Hi everyone,

    Please see the link below which mentions "Sensitive information that is viewed during an Outlook Web Access session may be stored to disk"

     http://www.kb.cert.org/vuls/id/829876 (Microsoft Outlook Web Access may not use correct HTTP directive)

    I did some searches but couldn't find any solution.

    Does anyone know if a solution which will force OWA to use "no-store HTTP 1.1 directive" exists or not and, if yes, what the impact of changing "no-cache" to "no-store" would be on Exchange users?

    Could anyone please let me know?

    Thanks in advance,

    Eric

All Replies

  • Thursday, July 30, 2009 11:27 PM
    Hi Eric,

    I had a check regarding the "no-store HTTP 1.1 directive" and found the details on the following link:
    https://www.auscert.org.au/render.html?it=9268

    It seems that they are comparing Basic Authentication with FBA. The cookies that are created on the client machine can be configured to be deleted from the client machine when FBA is enabled.

    Have a check on the following article:
    http://mcpmag.com/articles/2006/06/26/securing-owa-with-formsbased-authentication.aspx
    Harpreet Singh Khandiyal (http://support.microsoft.com/kb/555375)
  • Friday, July 31, 2009 5:22 PM
    Thank you very much Harpreet.

    Please see http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1 and http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2

    I believe the "no-cache" and "no-store" directives are related to all files, including cookies, during the OWA sessions. If this is right, securing-owa-with-FBA does not solve my problem.

    Thanks,

    Eric
  • Monday, August 03, 2009 7:30 AM
    Moderator

    Hi,


    Based on our research, it should not be a security vulnerability (meaning there is no exploitation of the OS or application).


    Essentially, the file being cached is being placed in the IE temp folder so it’s only available to an Admin and the current user.


    The issues or the security threat posed can come if the device is not being appropriately secured (for example, an Internet cafe scenario).


    Regards,

    Xiu


  • Tuesday, August 04, 2009 4:19 PM

    Thank you very much Xiu.

    I agree with you.

    But the issue is that my users do use machines in public places, such as a university library, logging on with the default local user account of these machines. The "no-cache" setting will put sensitive information in this account's IE temp folder, where it could be exposed to other users.

    I think the "no-store" setting will be more proper if users choose "This is a public or shared computer" option when using OWA.

    Is it possible to make this change?  Please let me know.

    Thanks again,

    Eric
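The distinction Eric draws from RFC 2616 (section 14.9.1 `no-cache` versus 14.9.2 `no-store`), and the shared-computer exposure he describes in his last post, can be checked mechanically against the headers a browser actually receives. The following Python script is an added example for this thread; it is not code from Microsoft, Exchange or OWA. Its response headers and `/owa/...` paths are constructed samples rather than captured traffic, and the `sensitive_prefixes` default is an assumption about which URLs carry message content.

```python
"""Classify HTTP/1.1 Cache-Control directives per RFC 2616 section 14.9.

Added example for this thread; not part of OWA, IIS or any Microsoft tool.
All response headers and paths below are constructed samples.
"""
from typing import Dict, List, Tuple


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control header into {directive: argument-or-""}.

    Directive names are case-insensitive (RFC 2616 14.9); quoted arguments
    such as private="Set-Cookie" are returned with the quotes stripped.
    """
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def storage_verdict(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason): may a browser keep this response on disk?

    no-store  : the client MUST NOT store any part of the response (14.9.2).
    no-cache  : the client may store it but must revalidate before reuse
                (14.9.1); the body can still be written to the cache folder.
    private   : only shared caches are excluded; a browser cache may store it.
    otherwise : an ordinary cacheable response.
    """
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc:
        return "not-stored", "Cache-Control: no-store forbids any storage"
    if "no-cache" in cc:
        return "stored-revalidate", "no-cache only forces revalidation; body may reach disk"
    if "private" in cc:
        return "stored-private", "private excludes shared caches only"
    if "no-cache" in headers.get("Pragma", "").lower():
        return "stored-revalidate", "Pragma: no-cache is an HTTP/1.0 hint equivalent to no-cache"
    return "stored", "no directive restricts caching"


# Constructed sample responses (path, headers); not real OWA output.
SAMPLE_RESPONSES: List[Tuple[str, Dict[str, str]]] = [
    ("/owa/attachment.ashx?id=1",
     {"Cache-Control": "no-cache", "Content-Type": "application/pdf"}),
    ("/owa/themes/logo.gif",
     {"Cache-Control": "public, max-age=86400"}),
    ("/owa/?ae=Item&t=IPM.Note",
     {"Cache-Control": "no-store, no-cache", "Pragma": "no-cache"}),
    ("/owa/ev.owa",
     {"Cache-Control": "private", "Pragma": "no-cache"}),
]


def find_disk_exposure(responses, sensitive_prefixes=("/owa/attachment", "/owa/?")):
    """Flag sensitive paths whose headers still allow on-disk storage.

    sensitive_prefixes is an assumed list of URL prefixes that carry message
    bodies or attachments; adjust it to the deployment being reviewed.
    """
    findings = []
    for path, headers in responses:
        if not path.startswith(sensitive_prefixes):
            continue
        verdict, reason = storage_verdict(headers)
        if verdict != "not-stored":
            findings.append((path, verdict, reason))
    return findings


if __name__ == "__main__":
    for path, verdict, reason in find_disk_exposure(SAMPLE_RESPONSES):
        print(f"{path}: {verdict} ({reason})")
```

Running it over the samples flags only the attachment response: its `no-cache` header forces revalidation on reuse but does not stop the browser from writing the PDF into the current user's temporary files, which is exactly the shared-machine risk Eric describes. The same check can be pointed at headers captured from a real session to see which responses already carry `no-store` and which do not.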