Limit access to Office Web Apps Server (OWAS)

By | July 15, 2013

When deploying an Office Web Apps Server (WAC/OWAS) the default allow list contains no domains, meaning OWAS will allow file requests to hosts in any domain.


This could allow unauthorized use of your server/farm if the Office Web Apps Server is accessible from the Internet (deployed in DMZ or Reverse Proxy to Internal). An external party could define the Office Web Apps Server pointing to your OWAS URL and start using your server for their workloads.


To lock down Office Web Apps Server, use the “new-officewebappshost” Cmdlet ( ) and set the domain parameter.


Any external party trying to leverage your Office Web Apps Server will get a server connectivity issue error.

4 thoughts on “Limit access to Office Web Apps Server (OWAS)

  1. Pingback: Limit access to Office Web Apps Server (OWAS) | D(one) IT | JC's Blog-O-Gibberish

    1. MLamontagne

      In my testing, federated contacts (Lync or Lync Web App) and guests (Lync Web App) are able to present and view content via a restricted OWAS. The Lync Front End is involved during the upload/removal of content, this is where the allow list is is being checked. If a third party tried pointing their Lync topology, Sharepoint or Exchange to this OWAS url it wouldn’t match the allow list and would be blocked.

  2. Pingback: The UC Architects » Episode 32: Special Guest Jamie Stark of Microsoft

Leave a Comment