The Outlook E-mail Security Update, which disables many Outlook features that allow viruses to spread quickly, takes a unique approach to customization. Administrators can add or remove restrictions for particular users through a custom form they publish to an Exchange Server public folder and an entry in the user's Windows Registry that tells Outlook to look in that folder for either default or individual security settings. These settings affect both Outlook 2002 and systems with Outlook 98 or 2000 where the separate update or a service pack was applied.
The customized settings work even for a user working offline with an .ost file. However, because the settings depend on an Exchange Server public folder, you can't customize the settings for a standalone user or for a user who has a Personal Folders file or some other information store, rather than an Exchange mailbox, as the default information store.
You need to follow all the steps below to set up the server form, configure the client, and set security options.
The Admpack.exe download from the Office Resource Kit is the latest version. The kit, a self-extracting file, contains the Outlooksecurity.oft form template, a Readme file, and helper components. For versions localized into languages other than English, see Microsoft Office XP Resource Kit - Localized Tools. If you need the Outlook 2000 Outlk9.adm policy file, get the older version from the Microsoft Office 2000 Resource Kit.
You can use this kit to administer the security update for all versions of Outlook. With Outlook 2002, it also lets administrators use Exchange 2000 security groups to specify the members of a security group and allow "trusted" Outlook 2002 COM add-ins to run without triggering the object model guard prompts. However, trusting a COM add-in suppresses only the Outlook object model guard prompts; the add-in will still generate prompts for CDO methods and properties unless the security group allows those. Only Outlook 2002 supports trusted COM add-ins. Also see:
- Microsoft Office XP Resource Kit - Customizing the Outlook Security Features Administrative Package
After you download Admpack.exe, follow these steps to create the necessary public folder and install the form:
1. Run Admpack.exe.
2. Click Yes to accept the license agreement.
3. Specify the system folder in which you want to place the extracted files, then click OK.
4. Create a public folder called Outlook Security Settings as a top-level folder (i.e., in the root of the All Public Folders hierarchy). You must use this folder name and location for Outlook 98 and 2000. If you want separate settings for Outlook 2002 and previous versions, you can also create a folder named Outlook 10 Security Settings.
5. In the system folder from Step 3, double-click Outlooksecurity.oft to open the template file.
6. In the Select Folder dialog box, choose the Outlook Security Settings folder you created in Step 4.
7. When the form opens, choose Tools | Forms | Publish Form to publish the form in the Outlook Security Settings folder. Give it the name Outlook Security Form. Close the form you opened from the .oft file.
8. Right-click the Outlook Security Settings folder, then choose Properties.
9. Under When posting from this folder, use, choose Outlook Security Form.
10. On the Permissions tab on the folder's Properties dialog box, set the permissions on the folder so that the Default user has the Reviewer role. Give the Editor role only to people who administer Outlook security settings.
11. Click OK to save the folder settings.
For German-language instructions, see Tipp 0009 Office XP und die Sicherheit.
Users won't use the settings in the Outlook Security Settings folder unless you make a change to their Windows Registry. The Registry setting is a new DWORD value named CheckAdminSettings, which you must create under the HKEY_CURRENT_USER\Software\Policies\Microsoft\Security key.
If the CheckAdminSettings value is present and set to 0, or if it isn't present, Outlook will use the full locked-down settings of the Outlook E-mail Security Update. If the value is set to 1, Outlook will look in the Outlook Security Settings public folder both for a new set of default settings and for exception group settings for the current user. For Outlook 2002, setting the value to 2 causes Outlook to look in the Outlook 10 Security Settings public folder. (Note that the Outlook 2000 readme.txt file contains incorrect information about how the key works. The MSKB article OL2000: Administrator Information About the Outlook E-mail Security Update has the correct details.)
How you implement the Registry entry depends on the operating system and whether you've implemented system policies. Section 2.4 of the Readme.txt file included with the Outlook 2000 version of admpack.exe contains details for rolling out the Registry change using the Outlk9.adm policy file. Microsoft has not provided a new policy file for Outlook 98. For Outlook 2002, the necessary policy is included in the Custom Installation Wizard.
If a user is online but can't connect to the public folder containing the security settings, the full locked-down settings of the Outlook E-mail Security Update will apply.
If the user is using an offline folders .ost file and works offline at least some of the time, make sure the user synchronizes twice before going offline. The first sync will create the local replica of the Outlook Security Settings folder. The second sync will populate it with the individual settings items.
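One way to check and set the CheckAdminSettings value for the logged-on user, as an added PowerShell example that is not from the original article or the Admpack kit. The function names are hypothetical; the key path, value name and the meanings of 0, 1 and 2 are the ones given above. Because the key is under HKEY_CURRENT_USER, the script has to run in the user's own session.

```powershell
# Added example, not part of Admpack. Key path and value name come from the article.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Security'
$ValueName = 'CheckAdminSettings'

function Get-OutlookAdminSettingsMode {
    # Read the DWORD; $null means the key or the value does not exist.
    $value = $null
    if (Test-Path -Path $PolicyKey) {
        $props = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $props) { $value = $props.$ValueName }
    }
    # Map the value to the behaviour the article describes.
    if ($null -eq $value -or $value -eq 0) {
        $source = 'Built-in locked-down settings (no public folder lookup)'
    } elseif ($value -eq 1) {
        $source = 'Public folder "Outlook Security Settings"'
    } elseif ($value -eq 2) {
        $source = 'Public folder "Outlook 10 Security Settings" (Outlook 2002)'
    } else {
        $source = 'Value not described in the article; review this profile'
    }
    [pscustomobject]@{ User = $env:USERNAME; Value = $value; SettingsSource = $source }
}

function Set-OutlookAdminSettingsMode {
    # Hypothetical helper: only the three values the article documents are accepted.
    param([Parameter(Mandatory)][ValidateRange(0, 2)][int]$Mode)
    # The Policies\Microsoft\Security key may not exist on a fresh profile.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # -Force overwrites an existing value so the call is repeatable.
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value $Mode -Force | Out-Null
    Get-OutlookAdminSettingsMode
}

# Report the current state without changing anything.
Get-OutlookAdminSettingsMode | Format-List
# To point this user at the public folder settings: Set-OutlookAdminSettingsMode -Mode 1
```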
Setting Default Security Options
You can use the security form on any system, no matter whether that system has the Outlook E-mail Security Update. The first thing you'll probably want to do is establish the default security settings for everyone in the organization.
In the Outlook Security Settings folder, click New to bring up a new item using the Outlook Security Form. Select the Default Security Settings for All Users option. You can't change the Security Group Name. The item has the default options for the Outlook E-mail Security Update already set on the two pages of the form. For an explanation of each setting, see the Readme.txt file that you extracted when you ran the Admpack.exe download file.
Create only one Default Security Settings item in the Outlook Security Settings folder. If more than one item with default settings is present, Outlook clients will use the settings from the most recently saved item.
Granting Security Overrides
You can make the security settings for an individual or group of users either more or less restrictive than the default settings. To override the default settings, follow these steps:
- Create a new item in the Outlook Security Settings folder.
- On the Outlook Security form's Outlook Security Settings tab, select the Security Settings for Exception Group.
- Provide a Security Group Name.
- In the Members box, enter the names, separated by semicolons, of individual users to which this group of settings will apply. The form doesn't provide a button to let you pick names from the Global Address List (GAL); you must enter them yourself. (TIP: You can use the To button on a regular Outlook message item to help you select the names, then copy and paste into the security form item.)
- Press Ctrl+K to resolve the names. If any name remains without an underline, that means Outlook couldn't match the name against a valid address book entry. Check your spelling, then press Ctrl+K to try again to resolve.
- Select your options on the two pages of the form. Refer to the Readme.txt file for details about each setting.
- Close the item, and choose Yes when Outlook asks whether you want to save changes.
IMPORTANT: Take care that each user is a member of only one Outlook security group -- in other words, that the user appears on only one item in the Outlook Security Settings folder. If a user is included in more than one group, the most recently saved set of security settings prevails, and Outlook ignores any others. The Outlook E-mail Security Update won't check to see whether the user is listed in additional Outlook security groups.
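A check for the two "most recently saved item wins" rules above (more than one default item, and users listed in more than one exception group), as an added PowerShell example that is not part of the original article or the Admpack kit. The item list is constructed sample data with hypothetical property names, and matching members by display name is an assumption.

```powershell
# Constructed sample: one object per item in the Outlook Security Settings folder.
# Property names are hypothetical stand-ins, not the form's real field names.
# "Raj Patel" is deliberately listed on two exception items.
$items = @(
    [pscustomobject]@{ GroupName = 'Default Security Settings'; IsDefault = $true;  Members = ''; Saved = [datetime]'2002-03-01' }
    [pscustomobject]@{ GroupName = 'Default Security Settings'; IsDefault = $true;  Members = ''; Saved = [datetime]'2002-05-20' }
    [pscustomobject]@{ GroupName = 'CRM add-in users';  IsDefault = $false; Members = 'Ann Lee; Raj Patel'; Saved = [datetime]'2002-04-02' }
    [pscustomobject]@{ GroupName = 'Fax gateway users'; IsDefault = $false; Members = 'raj patel;Mia Cho;'; Saved = [datetime]'2002-06-11' }
)

function Get-DefaultItemReport {
    param([Parameter(Mandatory)][object[]]$Items)
    # Clients use only the most recently saved default item.
    $defaults = @($Items | Where-Object { $_.IsDefault } | Sort-Object -Property Saved -Descending)
    $applied = $null
    if ($defaults.Count -gt 0) { $applied = $defaults[0].Saved }
    [pscustomobject]@{ DefaultItems = $defaults.Count; AppliedItemSaved = $applied }
}

function Get-MemberConflict {
    param([Parameter(Mandatory)][object[]]$Items)
    # Expand each exception item into one row per semicolon-separated member.
    $rows = foreach ($item in ($Items | Where-Object { -not $_.IsDefault })) {
        foreach ($name in ($item.Members -split ';')) {
            $name = $name.Trim()
            if ($name) {
                [pscustomobject]@{ User = $name.ToLowerInvariant(); GroupName = $item.GroupName; Saved = $item.Saved }
            }
        }
    }
    # A user on more than one item gets the most recently saved one; the rest are ignored.
    $rows | Group-Object -Property User | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $ordered = @($_.Group | Sort-Object -Property Saved -Descending)
        [pscustomobject]@{
            User    = $_.Name
            Applied = $ordered[0].GroupName
            Ignored = ($ordered | Select-Object -Skip 1 | ForEach-Object { $_.GroupName }) -join '; '
        }
    }
}

Get-DefaultItemReport -Items $items | Format-List
Get-MemberConflict -Items $items | Format-Table -AutoSize
```

Any row returned by the conflict check is a user whose effective settings come from a different item than one of their listed groups suggests, which is worth resolving before relying on the more restrictive group.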
In Outlook 2002 and later, you can also use the security form to "trust" Outlook COM add-ins (but not external applications or form code). What is actually trusted is the Application object passed by the add-in's OnConnection event handler. All other Outlook objects need to be derived from this trusted object. Note that CDO is not trusted in this scenario.
If your main goal is to administer attachment security and allow either broader or narrower access to particular types of files, then it's not too difficult to set up those options on the first page of the form.
Where it gets more complex is with automation security -- allowing access to parts of the object model that the patch restricts. Here, the same strategies you applied to make sure that all applications would work when the clock ticked over to the year 2000 will serve you well with this update. For a thorough analysis, you need:
- An inventory of all commercial, custom in-house, and ad hoc add-ons for Outlook in use in your organization
- A list of everyone using each application
For each application, you need to analyze what object model features (the ones listed on the second page of the form) it uses. For each object model feature, you might want to automatically allow access or force the user to respond to a prompt.
If you have just one Outlook-related application, you can create a single exception group whose members consist of that application's users and whose Programmatic Settings tab reflects your object model analysis of the application.
This analysis becomes more complicated when users need to access more than one Outlook-related application and those programs use different levels of the object model. Because the Outlook E-mail Security Update looks only at the most recent security group settings, no easy answer exists other than painstaking work to test and double-check the settings.
Or, you could just take the easiest path and grant access to all automation features as part of the default security form.
The custom form turns off toolbars when it opens, but it doesn't restore them when it closes. You'll need to use the View | Toolbars command to turn your toolbars back on.
If users have delivery set to Personal Folders .pst files instead of their Exchange mailboxes, the administrative options won't work. Microsoft has a fix for this issue. See OL2000 Changes to the E-Mail Security Patch Do Not Apply When Messages Are Delivered to a PST File.
When the Outlook E-mail Security Update was originally released, Microsoft warned that the administrative options would not scale well, which made many companies anxious about deploying the security settings folder. It turns out that the impact is minimal. The article Performance Implications of Outlook Security Settings in the Public Folder says that Outlook takes 16 extra remote procedure calls at startup to use the security settings information. If you have more than one public folder server, you will probably want to replicate the Outlook Security Settings folder to all servers, to minimize the impact of many Outlook clients starting up at once and all connecting to the same folder.
If you remove a file type from Level 1, it defaults to the Level 2 behavior, which requires the user to save the file to disk before opening it. If you want users to be able to open the file directly from the mail message, you must remove the file type from both Level 1 and Level 2. Note, also, that if you allow Outlook 2002 users to unblock file types with their local registry and the user has unblocked a file type that you have removed from Level 2, the user will be able to open the file directly from Outlook, without first saving to disk.
You can use a distribution list (DL) to simplify setting up the members for a security override item only if you are using Outlook 2002 as the client and Exchange 2000 as the server. In other scenarios, the Outlook E-mail Security Update doesn't parse the membership of DLs. Therefore, you must enter each individual user name.
Several of the options on the second page of the form refer to Collaboration Data Objects (CDO) and Simple Messaging API (MAPI). External programs can use either of these programming interfaces instead of the Outlook object model to automate messaging functions. The Outlook E-mail Security Update restricts access to Simple MAPI functions, but not to CDO. The CDO settings apply to systems updated with the separate.
The Outlook E-mail Security Update supports offline users by creating a hidden folder in the Favorites hierarchy and automatically synchronizing it with the entries in the Outlook Security Settings folder. To initialize the security settings, after you create the Outlook Security Settings folder, each user needs to synchronize twice with the server (once to create the folder, the second time to synchronize its contents). Unlike setting up other public folders for offline access, the user doesn't need to connect online with the server, just synchronize twice.
The administrative options are also available on HP OpenMail for clients and servers running post-August 2000 updates, but only work with Outlook 98 and 2000, not Outlook 2002. See.