Enabling Password Change via OWA
We have looked at allowing users to change their password through OWA's 'Change Password' option. Currently users have access to OWA via any internet-accessible system; VPN connectivity is not required. What I am wondering is what security concerns I should be considering before implementing this change. What additional risks are we looking at by enabling this feature? Currently running Exch 2003. Any advice/experiences would be appreciated.
February 20th, 2008 4:52pm

Users are already entering a domain password to access OWA in the first place, so I don't see much, if any, additional risk other than any vulnerabilities that could be found in the WebDAV components of the change password function.
February 20th, 2008 9:35pm

I think there should not be any additional risk in using OWA to change passwords, if you have no concerns about connecting to OWA directly from the internet to check mail. However, please remember to allow only SSL connections for changing passwords, by changing the "passwordchangeflags". That would not allow the password to be disclosed to a network sniffer. Note http://support.microsoft.com/kb/297121

Regards,
Billy
February 21st, 2008 6:22pm

This topic is archived. No further replies will be accepted.
