OWA security vulnerability on public computers
I have a security concern with OWA in Exchange 2010. With the advent of tabbed browsing and all of the major web browsers supporting tabs, a security issue has appeared. When users at a public kiosk access OWA they log off of the session, in most cases within a web browser tab. Exchange 2010 and 2010 SP1 both exhibit this odd behavior... I log off and close the tab for my OWA session. Next I walk away leaving the web browser open, but my OWA tab closed. Now someone else walks up to the computer and opens a new tab. They type in the OWA URL and uh oh, they can see my mailbox! Has anyone seen where Microsoft has released a KB for this security vulnerability? Because we use UAG 2010, internal OWA users are using basic authentication. Has anyone using FBA seen this issue? Strange, Jon
February 1st, 2011 4:03pm

When you log off as mentioned I'm not able to reproduce it, but when I only close the tab I get the same behavior. Regards, Thomas Paetzold. Visit my blog on: http://susu42.wordpress.com
February 1st, 2011 4:06pm

This is what forms based authentication deals with. If you aren't using FBA then that is the problem. This has been an issue with all versions of Exchange when you don't use FBA. Nothing new here. So internally users should connect to an FBA-enabled web site. Externally you should be using FBA on the UAG server. Simon. Simon Butler, Exchange MVP Blog | Exchange Resources
February 1st, 2011 4:34pm

It's an IE problem/bug/feature: an encrypted cookie is created that's used to track user activity. When the user closes the Internet browser or clicks Sign Out to sign out of their Outlook Web App session, the cookie is cleared. But if they don't do either one of those, as your users are doing, then IE will keep that cookie intact and make it available for use. I have never seen it re-open a session when you click sign-out. DJ Grijalva | MCITP: EMA 2007/2010 | www.persistentcerebro.com
February 1st, 2011 4:46pm

Sembee, thanks for clarifying that for me. Since UAG does not support running FBA on my OWA Vdir and all internal users use the Client Access Servers configured with Basic Auth for UAG, would this not still qualify as a known vulnerability? Has anyone seen where MS has addressed handling internal OWA connections in a UAG supported environment?
February 2nd, 2011 8:26am

You are not going to get Microsoft writing about everything, and it could be argued that this isn't a security vulnerability. It is user stupidity. If you don't close down all browser sessions then the session remains active. As for a scenario for OWA use inside the TMG, I haven't seen Microsoft document that exact scenario either. Multiple web sites would be the usual route, and have the DNS resolve accordingly. Simon. Simon Butler, Exchange MVP Blog | Exchange Resources
February 2nd, 2011 1:10pm
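The three observations in this thread (Jon's: sign-out plus tab close under Basic auth still leaves the mailbox reachable; Thomas's: under FBA only closing the tab, not signing out, reproduces it; Simon's: FBA is what addresses it) all follow from one distinction: whether the server holds something it can revoke. The model below is an added example, not code from the thread, from Exchange or from Microsoft. It simulates browser-process state shared across tabs (cached Basic credentials and session cookies, both of which survive a tab close and are dropped only when the browser exits) against a forms-auth server with a revocable server-side session and a Basic-auth server that has nothing to revoke. The host name, user record and password are constructed values.

```python
import hashlib
import hmac
import secrets

HOST = "owa.example.test"  # constructed host name, not a real OWA endpoint

# Constructed credential store: username -> (salt, PBKDF2-SHA256 hash).
_SALT = b"constructed-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


USERS = {"jon": (_SALT, _hash("correct horse", _SALT))}


def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)


class FormsAuthServer:
    """Forms-based auth: login issues a random cookie tracked server-side.
    Sign-out deletes that record, so a replayed cookie is rejected even if
    the browser still has a copy of it."""

    def __init__(self):
        self._sessions = {}  # cookie value -> username

    def login(self, user, password):
        if not check_password(user, password):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = user
        return cookie

    def sign_out(self, cookie):
        self._sessions.pop(cookie, None)  # server-side revocation

    def mailbox(self, cookie):
        return self._sessions.get(cookie)  # None => access denied


class BasicAuthServer:
    """HTTP Basic: every request carries the credentials themselves; there is
    no server-side session, so a 'sign out' has nothing to revoke."""

    def sign_out(self, creds):
        return None  # nothing to revoke

    def mailbox(self, creds):
        if creds is None:
            return None
        user, password = creds
        return user if check_password(user, password) else None


class Browser:
    """Browser-process state shared by every tab. Closing a tab touches
    neither the session cookies nor the cached Basic credentials; only
    exiting the browser clears them (the behaviour described in the thread)."""

    def __init__(self):
        self.session_cookies = {}  # host -> cookie
        self.basic_creds = {}      # host -> (user, password)

    def close_tab(self):
        return None  # per-tab UI state only

    def close_browser(self):
        self.session_cookies.clear()
        self.basic_creds.clear()


def next_user_sees_mailbox(mode, first_user_signs_out, closes_browser):
    """Replay the kiosk scenario: first user authenticates, optionally signs
    out, closes the tab, optionally the whole browser; then a second user
    opens a new tab and requests the mailbox URL. Returns True if the second
    user gets the first user's mailbox."""
    browser = Browser()
    if mode == "fba":
        server = FormsAuthServer()
        browser.session_cookies[HOST] = server.login("jon", "correct horse")
        if first_user_signs_out:
            server.sign_out(browser.session_cookies[HOST])
    elif mode == "basic":
        server = BasicAuthServer()
        browser.basic_creds[HOST] = ("jon", "correct horse")  # cached by the browser
        if first_user_signs_out:
            server.sign_out(browser.basic_creds[HOST])
    else:
        raise ValueError("mode must be 'fba' or 'basic'")

    browser.close_tab()
    if closes_browser:
        browser.close_browser()

    # New tab, same process: the browser attaches whatever it still holds.
    if mode == "fba":
        return server.mailbox(browser.session_cookies.get(HOST)) is not None
    return server.mailbox(browser.basic_creds.get(HOST)) is not None
```

Running the four combinations reproduces the thread: Basic auth with sign-out and tab close still exposes the mailbox because the browser re-sends the cached credentials and the server cannot refuse them; FBA with sign-out does not, because the server-side session is gone regardless of what the browser kept; FBA with only a tab close does, which is Thomas's observation; and exiting the browser closes the hole in both modes. The practical check on a real deployment is the same shape: after a sign-out, replay the captured cookie or credentials from a fresh tab and confirm the server answers with a login page rather than the mailbox.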

