• Outlook User
  • New Outlook app
  • Outlook.com
  • Outlook Mac
  • Outlook & iCloud
  • Developer
  • Microsoft 365 Admin
    • Common Problems
    • Microsoft 365
    • Outlook BCM
    • Utilities & Addins

Administrative Options for the E-mail Security Update

Slipstick Systems

› Outlook › Administrative Options for the E-mail Security Update

Last reviewed on February 15, 2021     No Comments

This content has been archived. It may no longer be relevant.

The Outlook E-mail Security Update, which disables many Outlook features that allow viruses to spread quickly, takes a unique approach to customization. Administrators can add or remove restrictions for particular users through a custom form they publish to an Exchange Server public folder and an entry in the user's Windows Registry that tells Outlook to look in that folder for either default or individual security settings. These settings affect both Outlook 2002 and systems with Outlook 98 or 2000 where the separate update or a service pack was applied.

Change Outlook 2007 or Outlook 2010’s Programmatic Access Options

The customized settings work even for a user working offline with an .ost file. However, because the settings depend on an Exchange Server public folder, you can't customize the settings for a standalone user or for a user who has a Personal Folders file or some other information store, rather than an Exchange mailbox, as the default information store.

You need to follow all the steps below to set up the server form, configure the client, and set security options.

Server Setup | Client Setup | Setting Default Security Options | Granting Security Overrides
Problems | Notes | More Information

Server Setup

The Admpack.exe download from the Office Resource Kit is the latest version. The kit, a self-extracting file, contains the Outlooksecurity.oft form template, a Readme file, and helper components. For versions localized into languages other than English, see Microsoft Office XP Resource Kit - Localized Tools. If you need the Outlook 2000 Outlk9.adm policy file, get the older version from the Microsoft Office 2000 Resource Kit.

You can use this kit to administer the security update for all versions of Outlook, but when running on 2002, it allows administrators to use Exchange 2000 security groups to specify the members of a security group and also allow "trusted" Outlook 2002 COM addins to run without triggering the prompts for the object model guard. However, trusting a COM addin suppresses only the Outlook object model guard prompts; it will still generate prompts for CDO methods and properties, unless the security group allows those, and only Outlook 2002 supports trusted COM addins. Also see:

  • Microsoft Office XP Resource Kit - Customizing the Outlook Security Features Administrative Package

After you download Admpack.exe, follow these steps to create the necessary public folder and install the form:

  1. Run Admpack.exe.
  2. Click Yes to accept the license agreement.
  3. Specify the system folder in which you want to place the extracted files, then click OK.
  4. Create a public folder called Outlook Security Settings as a top-level folder (i.e., in the root of the All Public Folders hierarchy). You must use this folder name and location for Outlook 98 and 2000. If you want separate settings for Outlook 2002 and previous versions, you can also create a folder named Outlook 10 Security Settings.
  5. In the system folder from Step 3, double-click Outlooksecurity.oft to open the template file.
  6. In the Select Folder dialog box, choose the Outlook Security Settings folder you created in Step 4.
  7. When the form opens, choose Tools| Forms | Publish Form to publish the form in the Outlook Security Settings folder. Give it the name Outlook Security Form. Close the form you opened from the .oft file.
  8. Right-click the Outlook Security Settings folder, then choose Properties.
  9. Under When posting from this folder, use, choose Outlook Security Form.
  10. On the Permissions tab on the folder's Properties dialog box, set the permissions on the folder so that the Default user has the Reviewer role. Give the Editor role only to people who administer Outlook security settings.
  11. Click OK to save the folder settings.

For German-language instructions, see Tipp 0009 Office XP und die Sicherheit.

Client Setup

Users won't use the settings in the Outlook Security Settings folder unless you make a change to their Windows Registry. The Registry setting is a new DWORD value named CheckAdminSettings, which you must create in HKEY_CURRENT_USER\Software\Policies\Microsoft\Security

If the CheckAdminSettings value is present and set to 0, or if it isn't present, Outlook will use the full locked-down settings of the Outlook E-mail Security Update. If the value is set to 1, Outlook will look in the Outlook Security Settings public folder both for a new set of default settings and for exception group settings for the current user. For Outlook 2002, setting the value to 2 causes Outlook to look in the Outlook 10 Security Settings public folder. (Note that the Outlook 2000 readme.txt file contains incorrect information about how the key works. The MSKB article OL2000: Administrator Information About the Outlook E-mail Security Update has the correct details.)

How you implement the Registry entry depends on the operating system and whether you've implemented system policies. Section 2.4 of the Readme.txt file included with the Outlook 2000 version of admpack.exe contains details for rolling out the Registry change using the Outlk9.adm policy file. Microsoft has not provided a new policy file for Outlook 98. For Outlook 2002, the necessary policy is included in the Custom Installation Wizard.

If a user is online but can't connect to the public folder containing the security settings, the full locked-down settings of the Outlook E-mail Security Update will apply.

If the user is using an offline folders .ost file and works offline at least some of the time, make sure the user synchronizes twice before going offline. The first sync will create the local replica of the Outlook Security Settings folder. The second sync will populate it with the individual settings items.

Setting Default Security Options

You can use the security form on any system, no matter whether that system has the Outlook E-mail Security Update. The first thing you'll probably want to do is establish the default security settings for everyone in the organization.

In the Outlook Security Settings folder, click New to bring up a new item using the Outlook Security Form. Select the Default Security Settings for All Users option. You can't change the Security Group Name. The item has the default options for the Outlook E-mail Security Update already set on the two pages of the form. For an explanation of each setting, see the Readme.txt file that you extracted when you ran the Admpack.exe download file.

Create only one Default Security Settings item in the Outlook Security Settings folder. If more than one item with default settings is present, Outlook clients will use the settings from the most recently saved item.

Granting Security Overrides

You can make the security settings for an individual or group of users either more or less restrictive than the default settings. To override the default settings, follow these steps:

  1. Create a new item in the Outlook Security Settings folder.
  2. On the Outlook Security form's Outlook Security Settings tab, select the Security Settings for Exception Group.
  3. Provide a Security Group Name.
  4. In the Members box, enter the names, separated by semicolons, of individual users to which this group of settings will apply. The form doesn't provide a button to let you pick names from the Global Address List (GAL); you must enter them yourself. (TIP: You can use the To button on a regular Outlook message item to help you select the names, then copy and paste into the security form item.
  5. Press Ctrl+K to resolve the names. If any name remains without an underline, that means Outlook couldn't match the name against a valid address book entry. Check your spelling, then press Ctrl+K to try again to resolve.
  6. Select your options on the two pages of the form. Refer to the Readme.txt file for details about each setting.
  7. Close the item, and choose Yes when Outlook asks whether you want to save changes.

IMPORTANT: Take care that each user is a member of only one Outlook security group -- in other words, that the user appears on only one item in the Outlook Security Settings folder. If a user is included in more than one group, the most recently saved set of security settings prevails, and Outlook ignores any others. The Outlook E-mail Security Update won't check to see whether the user is listed in additional Outlook security groups.

In Outlook 2002 and later, you can also use the security form to "trust" Outlook COM add-ins (but not external applications or form code). What is actually trusted is the Application object passed by the add-in's OnConnection event handler. All other Outlook objects need to be derived from this trusted object. Note that CDO is not trusted in this scenario.

Strategy

If your main goal is to administer attachment security and allow either broader or narrower access to particular types of files, then it's not too difficult to set up those options on the first page of the form.

Where it gets more complex is with automation security -- allowing access to parts of the object model that the patch restricts. Here, the same strategies you applied to make sure that all applications would work when the clock ticked over to the year 2000 will serve you well with this update. For a thorough analysis, you need

  • An inventory of all commercial, custom in-house, and ad hoc add-ons for Outlook in use in your organization
  • A list of everyone using each application

For each application, you need to analyze what object model features (the ones listed on the second page of the form) it uses. For each object model feature, you might want to automatically allow access or force the user to respond to a prompt.

If you have just one Outlook-related application, you can create a single exception group whose members consist of that application's users and whose Programmatic Settings tab reflects your object model analysis of the application.

This analysis becomes more complicated when users need to access more than one Outlook-related application and those programs use different levels of the object model. Because the Outlook E-mail Security Update looks only at the most recent security group settings, no easy answer exists other than painstaking work to test and double-check the settings.

Or, you could just take the easiest path and grant access to all automation features as part of the default security form.

Problems

The custom form turns off toolbars when it opens, but it doesn't restore them when it closes. You'll need to use the View | Toolbars command to turn your toolbars back on.

If users have delivery set to Personal Folders .pst files instead of their Exchange mailboxes, the administrative options won't work. Microsoft has a fix for this issue. See OL2000 Changes to the E-Mail Security Patch Do Not Apply When Messages Are Delivered to a PST File.

Notes

When the Outlook Email Security Update was originally released, Microsoft warned that the administrative options would not scale well, thus making many companies anxious about deploying the security settings folder. It turns out that the impact is minimal. The article Performance Implications of Outlook Security Settings in the Public Folder says that Outlook takes 16 extra remote procedure calls at startup to use the security settings information. If you have more than one public folder server, you will probably want to replicate the Outlook Security Settings folder to all servers, to minimize the impact of many Outlook clients starting up at once and all connecting to the same folder.

If you remove a file type from Level 1, it defaults to the Level 2 behavior, which requires the user to save the file to disk before opening it. If you want users to be able to open the file directly from the mail message, you must remove the file type from both Level 1 and Level 2. Note, also, that if you allow Outlook 2002 users to unblock file types with their local registry and the user has unblocked a file type that you have removed from Level 2, the user will be able to open the file directly from Outlook, without first saving to disk.

You can use a distribution list (DL) to simplify setting up the members for a security override item only if you are using Outlook 2002 as the client and Exchange 2000 as the server. In other scenarios, the Outlook E-mail Security Update doesn't parse the membership of DLs. Therefore, you must enter each individual user name.

Several of the options on the second page of the form refer to Collaboration Data Objects (CDO) and Simple Messaging API (MAPI). External programs can use either of these programming interfaces instead of the Outlook object model to automate messaging functions. The Outlook E-mail Security Update restricts access to Simple MAPI functions, but not to CDO. The CDO settings apply to systems updated with the separate CDO Security Update.

The Outlook E-mail Security Update supports offline users by creating a hidden folder in the Favorites hierarchy and automatically synchronizing it with the entries in the Outlook Security Settings folder. To initialize the security settings, after you create the Outlook Security Settings folder, each user needs to synchronize twice with the server (once to create the folder, the second time to synchronize its contents). Unlike setting up other public folders for offline access, the user doesn't need to connect online with the server, just synchronize twice.

The administrative options are also available on HP OpenMail for clients and servers running post-August 2000 updates, but only work with Outlook 98 and 2000, not Outlook 2002. See Outlook 98-2000 E-Mail Security Update & OpenMail MAPI [100-1575].

More Information

  • Outlook Email Security Update
  • Protecting Outlook against Viruses
  • OL2002 Administrator Information About E-Mail Security Features
  • OL2002 Access to Address Book by Using Outlook Object Model Does Not Honor Outlook Security Settings if Outlook is Not Running
Administrative Options for the E-mail Security Update was last modified: February 15th, 2021 by Diane Poremsky

Related Posts:

  • Outlook Email Security Update
  • Opening .exe Attachments and Outlook E-mail Security
  • Encryption and Message Security Tools
  • Sharing with Exchange Public and Mailbox Folders

About Diane Poremsky

A Microsoft Outlook Most Valuable Professional (MVP) since 1999, Diane is the author of several books, including Outlook 2013 Absolute Beginners Book. She also created video training CDs and online training classes for Microsoft Outlook. You can find her helping people online in Outlook Forums as well as in the Microsoft Answers and TechNet forums.

Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments

Visit Slipstick Forums.
What's New at Slipstick.com

Latest EMO: Vol. 28 Issue 27

Support Services

Do you need help setting up Outlook, moving your email to a new computer, migrating or configuring Office 365, or just need some one-on-one assistance?

Subscribe to Exchange Messaging Outlook






Our Sponsors

CompanionLink
ReliefJet
  • Popular
  • Latest
  • Week Month All
  • Outlook: Web Bugs & Blocked HTML Images
  • How to Remove the Primary Account from Outlook
  • Adjusting Outlook's Zoom Setting in Email
  • Move an Outlook Personal Folders .pst File
  • Save Sent Items in Shared Mailbox Sent Items folder
  • This operation has been cancelled due to restrictions
  • Remove a password from an Outlook *.pst File
  • Outlook Auto Account Setup: Encrypted Connection not available
  • Use PowerShell to get a list of Distribution Group members
  • Create rules that apply to an entire domain
  • How to Block Foreign Spam
  • Automatically Open New Outlook when Windows boots
  • Block External Content in New Outlook
  • Save Messages in New Outlook
  • Send Individual Messages when Sending Bulk Email
  • Centrally managed signatures in Office 365?
  • Create a rule to delete spam with no sender address
  • Open Outlook Folders using PowerShell or VBScript
  • Cannot add Recipients in To, CC, BCC fields on MacOS
  • Change Appointment Reminder Sounds
Ajax spinner

Newest Code Samples

Delete Old Calendar Events using VBA

Use PowerShell or VBA to get Outlook folder creation date

Rename Outlook Attachments

Format Images in Outlook Email

Set Outlook Online or Offline using VBScript or PowerShell

List snoozed reminders and snooze-times

Search your Contacts using PowerShell

Filter mail when you are not the only recipient

Add Contact Information to a Task

Process Mail that was Auto Forwarded by a Rule

Recent Bugs List

Microsoft keeps a running list of issues affecting recently released updates at Fixes or workarounds for recent issues in Outlook for Windows.

Outlook for Mac Recent issues: Fixes or workarounds for recent issues in Outlook for Mac

Office Update History

Update history for supported Office versions is at Update history for Office

Outlook Suggestions and Feedback

Outlook Feedback covers Outlook as an email client, including Outlook Android, iOS, Mac, and Windows clients, as well as the browser extension (PWA) and Outlook on the web.

Use Outlook.com Feedback for suggestions or feedback about Outlook.com accounts.

Other Microsoft 365 applications and services




Windows 10 Issues

  • iCloud, Outlook 2016, and Windows 10
  • Outlook Links Won’t Open In Windows 10
  • Outlook can’t send mail in Windows 10: error Ox800CCC13
  • Missing Outlook data files after upgrading Windows?

Outlook Top Issues

  • The Windows Store Outlook App
  • The Signature or Stationery and Fonts button doesn’t work
  • Outlook’s New Account Setup Wizard
  • Outlook 2016: No BCM
  • Exchange Account Set-up Missing in Outlook 2016

Repair PST

Convert an OST to PST

Repair damaged PST file

Repair large PST File

Remove password from PST

Merge Two Data Files

Sync & Share Outlook Data

  • Share Calendar & Contacts
  • Synchronize two computers
  • Sync Calendar and Contacts Using Outlook.com
  • Sync Outlook & Android Devices
  • Sync Google Calendar with Outlook
  • Access Folders in Other Users Mailboxes

Contact Tools

Data Entry and Updating

Duplicate Checkers

Phone Number Updates

Contact Management Tools

Diane Poremsky [Outlook MVP]

Make a donation

Mail Tools

Sending and Retrieval Tools

Mass Mail Tools

Compose Tools

Duplicate Remover Tools

Mail Tools for Outlook

Online Services

Calendar Tools

Schedule Management

Calendar Printing Tools

Calendar Reminder Tools

Calendar Dates & Data

Time and Billing Tools

Meeting Productivity Tools

Duplicate Remover Tools

Productivity

Productivity Tools

Automatic Message Processing Tools

Special Function Automatic Processing Tools

Housekeeping and Message Management

Task Tools

Project and Business Management Tools

Choosing the Folder to Save a Sent Message In

Run Rules on messages after reading

Help & Suggestions

Submit Outlook Feature Requests

Slipstick Support Services

Buy Microsoft 365 Office Software and Services

Visit Slipstick Forums.

What's New at Slipstick.com

Home | Outlook User | Exchange Administrator | Office 365 | Outlook.com | Outlook Developer
Outlook for Mac | Common Problems | Utilities & Addins | Tutorials
Outlook & iCloud Issues | Outlook Apps
EMO Archives | About Slipstick | Slipstick Forums
Submit New or Updated Outlook and Exchange Server Utilities

Send comments using our Feedback page
Copyright © 2023 Slipstick Systems. All rights reserved.
Slipstick Systems is not affiliated with Microsoft Corporation.

wpDiscuz

Sign up for Exchange Messaging Outlook

Our weekly Outlook & Exchange newsletter (bi-weekly during the summer)






Please note: If you subscribed to Exchange Messaging Outlook before August 2019, please re-subscribe.

Never see this message again.

You are going to send email to

Move Comment