July 15, 2013
When you deploy an Office Web Apps Server (WAC/OWAS), the default allow list contains no domains, which means OWAS will allow file requests to hosts in any domain.
This could allow unauthorized use of your server or farm if the Office Web Apps Server is accessible from the Internet (deployed in a DMZ, or published through a reverse proxy to the internal network). An external party could configure their own deployment to point to your OWAS URL and start using your server for their workloads.
To lock down Office Web Apps Server, use the “New-OfficeWebAppsHost” cmdlet (http://technet.microsoft.com/en-us/library/jj219459.aspx) and set the -Domain parameter to each domain whose hosts should be allowed.
Any external party trying to leverage your Office Web Apps Server will get a server connectivity issue error.
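The lock-down described above can be scripted so it is repeatable across farms. The following is an added example, not code from the original post: the domain names are constructed placeholders, and the `allowList` property read from `Get-OfficeWebAppsHost` is an assumption about the cmdlet's output object.

```powershell
# Added example: reconcile the OWAS allow list against an approved set of domains.
# Run in an elevated PowerShell session on a server that is part of the farm.
Import-Module OfficeWebApps

# Constructed placeholder domains; replace with the domains of your own hosts.
$approved = @('contoso.com', 'corp.contoso.com')

# Assumption: the current entries are exposed in an 'allowList' property.
# Null entries are filtered out so an empty list yields an empty array.
$current = @((Get-OfficeWebAppsHost).allowList | Where-Object { $_ })

if ($current.Count -eq 0) {
    # This is the default state the post warns about.
    Write-Warning 'Allow list is empty: file requests to hosts in any domain are allowed.'
}

# Add every approved domain that is not yet on the allow list.
foreach ($domain in $approved) {
    if ($current -notcontains $domain) {
        Write-Output "Adding $domain to the allow list"
        New-OfficeWebAppsHost -Domain $domain
    }
}

# Report entries that are on the allow list but not in the approved set.
$unexpected = @($current | Where-Object { $approved -notcontains $_ })
foreach ($domain in $unexpected) {
    Write-Warning "Unapproved domain on allow list: $domain"
    # After review, remove it with:
    # Remove-OfficeWebAppsHost -Domain $domain
}

# Show the resulting allow list for verification.
Get-OfficeWebAppsHost
```

Removal is left commented out so that an unexpected entry is reviewed before it is dropped from a production farm.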