
I've got a new installation of Exchange 2013 (on Server 2008 R2) and I've come across an issue that I'd like to get some feedback on. My users often receive emails with .html files on them and they are forced to save the .html file to the desktop and then manually open it up. Back in the Exchange 2007 days, all that needed to happen was that the users had to log into OWA using the private computer option. I understand that OWA 2013 assumes that you are using this option, but my users are still being prompted to save to disk.

Error: This type of attachment must be saved to disk. Right-click the link, and then click 'Save target as...' to save the attachment.

Does anyone know how I can get it so that my users can have direct access into the .html file?

Thank you.

2 Answers


It's also the case in Exchange 2010. While I can't comment on the actual logic behind it being configured this way by default, my assumption would be that it's to prevent a breach in security either on the local client or on the server which will be rendering the page.

Anyway, it's probably worth checking the configuration settings of the OWA Mailbox Policy; Get-OwaMailboxPolicy and Set-OwaMailboxPolicy will help you out with that. Check the settings of DirectFileAccessOnPrivateComputersEnabled, ForceSaveAttachmentFilteringEnabled, ForceSaveFileTypes and ForceSaveMimeTypes.

chunkyb2002
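
A read-only audit of the four settings named in the answer above, as an added example that is not part of the original answers. It is meant for the Exchange Management Shell; the function name Test-OwaHtmlForceSave and the expected entries (.htm, .html, text/html) are assumptions chosen for illustration.

```powershell
# Added example (not from the original thread). Read-only: it changes no policy.
# Reports, per OWA mailbox policy, the settings named in the answer and whether
# HTML attachments are still on the force-save lists.

# Assumption: the HTML-related entries we expect to remain force-saved.
$htmlExtensions = '.htm', '.html'
$htmlMimeTypes  = @('text/html')

function Test-OwaHtmlForceSave {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Policy
    )
    process {
        # -notcontains is case-insensitive, so '.HTML' in a policy still matches.
        $missingExt  = @($htmlExtensions | Where-Object { $Policy.ForceSaveFileTypes -notcontains $_ })
        $missingMime = @($htmlMimeTypes  | Where-Object { $Policy.ForceSaveMimeTypes -notcontains $_ })

        [pscustomobject]@{
            Policy                     = $Policy.Name
            DirectFileAccessPrivate    = $Policy.DirectFileAccessOnPrivateComputersEnabled
            ForceSaveFilteringEnabled  = $Policy.ForceSaveAttachmentFilteringEnabled
            MissingForceSaveExtensions = $missingExt -join ', '
            MissingForceSaveMimeTypes  = $missingMime -join ', '
            # True only when every expected HTML entry is on both force-save lists.
            HtmlOnForceSaveLists       = ($missingExt.Count -eq 0) -and ($missingMime.Count -eq 0)
        }
    }
}

# Audit every policy; a row with HtmlOnForceSaveLists = False deserves review.
Get-OwaMailboxPolicy | Test-OwaHtmlForceSave | Format-Table -AutoSize
```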

This is probably related to the fact that direct "execution" of the file may offer several ways to be affected by serious security vulnerabilities.

A sender may send some special contents that could result in information disclosure. Even if this is embedded in an iframe on OWA (which can limit contents to some sort of sandbox).

You may disable this via OWA configuration - I just advise not to do this. Seriously, it's not worth the risk.

Daniel Nachtrub