Exchange 5.5 SP4 with OWA

We have SSL (128 bit encryption) running on our OWA server which sits in a DMZ exposed to the Internet.

I, as the Exchange Administrator, would like our OWA users to be able to change their NT password using the functionality built in to OWA.

Our security staff says that to do so is to expose a security hole (access to the IIS server change NT password function).

Anyone out there have experience with this type of situation that they'd care to share?

Many thanks in advance!