Following a number of bad virus attacks propagated by Outlook 98 and 2000, Microsoft added email security features. The earliest updates locked Outlook down so much that I called it the HELL patch as it made automating Outlook very difficult. As time progressed so did the security, giving Outlook 2007 and up end-users (or administrators) better control the security. Users can modify the list of blocked attachments and loosen security using Group Policy or registry edits.
It is difficult to open program files in Outlook -- including VBScript .vbs files like those that spread viruses and is aimed at making it more difficult for a virus to use Outlook to transmit itself via e-mail. In some cases, a user may need to authorize access by outside programs, such as bulk mail applications.
Microsoft has provided two ways to customize the security settings:
- In Microsoft Exchange Server environments, administrators can customize the security settings by installing a special Outlook custom form in a public folder and configuring security options for individuals and groups.
- End users can allow access to particular file attachment types that the security features normally block, using the steps at "Opening .exe Attachments and Outlook E-mail Security" However, administrators can block this customization with the new security form for Outlook 2002.
- Administrative Options for the Microsoft Outlook E-mail Security Patch
- End users can allow access to particular file attachment types that the security features normally block.
- OL2000: Information About the Outlook E-mail Security Update
Outlook cannot open or save the files listed below if they are attached to an Outlook message. The attachments will still be in the messages, and other programs or Outlook add-ins may be able to access them, but they will be invisible to Outlook itself.
In addition to these "Level 1" attachments, as Microsoft calls them, there is a "Level 2" list, which warns users when they try to open a file attached to a message. End users can demote a file type from Level 1 to Level 2. Only administrators in an Exchange Server environment can customize the Level 2 list.
There are many ways to open these "dangerous" files. See "Opening .exe Attachments and Outlook E-mail Security"
Users will also see a warning if they try to send an e-mail message that contains any Level 1 file attachment. However, the attachment is not actually stripped. If the receiving user is not running Outlook or has the attachment extension unblocked, they will see the attachment as they normally do.
If you try to forward a message containing one of these files, even if Outlook has been customized to consider it as a Level 2 attachment (save before opening), Outlook strips the attachment from the forwarded copy.
It's recommended you use a file sharing service to share files, rather than sending them by email and paste the URL into the message body, While it's not safer than sending an attachment, as clicking a link to a document containing a virus or an exploit will still infect you, but users will see the link and, hopefully, think a little before clicking on it.
TIP: If you need to send a file from this list and want to avoid problems with recipients who may have installed the patch, you can simply change the file name before attaching the file -- for example, rename an .exe file to a .ex_ file -- and include instructions on how to save it and rename it in the body of your message.
Or use a zip utility to compress the file. Many Compression Tools are available to work automatically from within Outlook, though probably not all will be able to grab the .exe file, given the security surrounding attachments.
Note: the following list may not be complete, as Microsoft occasionally adds new extensions to the list.
|File extension||File type|
|.ade||Microsoft Access project extension|
|.adp||Microsoft Access project|
|.app||Microsoft Visual FoxPro application (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3)|
|.asp||Active server page. (Blocked in Outlook 2002 SP3 and higher)|
|.asx||Windows Media Audio or Video shortcut (blocked only in Outlook 2002 builds earlier than 10.0.3005.x)|
|.bas||Visual Basic class module|
|.cer||(blocked only in Outlook 2003 and later)|
|.chm||Compiled HTML Help file|
|.cmd||Windows NT Command script|
|.cpl||Control Panel extension|
|.csh||KornShell script file (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3 and later)|
|.fxp||Microsoft Visual FoxPro compiled program (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3 and later)|
|.ins||Internet Naming Service|
|.isp||Internet Communication settings|
|.js||JScript Script file|
|.jse||Jscript Encoded Script file|
|.ksh||KornShell script file (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3 and later)|
|.mda||Microsoft Access add-in program (blocked only in Outlook 2002 and a patched version of Outlook 2000)|
|.mdb||Microsoft Access program|
|.mdt||Microsoft Access workgroup information (blocked only in Outlook 2002 SP-1 and Outlook 2000 SP-3 and later)|
|.mdw||Microsoft Access workgroup information (blocked only in Outlook 2002 SP-1 and Outlook 2000 SP-3 and later)|
|.mde||Microsoft Access MDE database|
|.mdz||Microsoft Access wizard program (blocked only in Outlook 2002 and a patched version of Outlook 2000)|
|.msc||Microsoft Common Console document|
|.msi||Windows Installer package|
|.msp||Windows Installer patch|
|.mst||Visual Test source files|
|.ops||Office XP settings (blocked only in Outlook 2002 SP-1 and and Outlook 2000 SP-3 later)|
|.pcd||Photo CD image|
|.pif||Shortcut to MS-DOS program|
|.prf||Microsoft Outlook profile settings (blocked only in Outlook 2002)|
|.prg||Microsoft Visual FoxPro program (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3)|
|.pst||Microsoft Outlook Personal Folders file (blocked only in Outlook 2000 SP-3)|
|.scf||Windows Explorer command (blocked only in Outlook 2002)|
|.sct||Windows Script Component|
|.shb||Shell Scrap Object|
|.shs||Shell Scrap Object|
|.tmp||Temporary file. (Blocked in Outlook 2002 SP3 and higher)|
|.vbe||VBScript encoded script file|
|.vbs||Visual Basic Script file|
|.vsmacros||Visual Studio .NET macro project file. (Blocked in Outlook 2002 SP3 and higher)|
|.vss||Visio shapes and Visio stencils (Blocked in Outlook 2002 SP3 and higher)|
|.vst||Visio template (Blocked in Outlook 2002 SP3 and higher)|
|.vsw||Visio workspace (Blocked in Outlook 2002 SP3 and higher)|
|.ws||Windows script file (Blocked in Outlook 2002 SP3 and higher)|
|.wsc||Windows Script Component|
|.wsf||Windows Script file|
|.wsh||Windows Script Host Settings file|
A "properly written" add-in should not trigger the security warnings in Outlook 2007 and newer versions, but you can use a registry to prevent the dialog.
If you don’t find Office and the following keys under Microsoft, you can add the keys manually in the same order and then continue from Step 3.
Press Windows Key + R to open the Run command. Type regedit and press Enter to open the Registry Editor.
- Navigate to HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\nn.0\Outlook\Security, where nn is your version of Outlook. If this key does not exist, you need to create it. For many users, this means creating each level from Microsoft down to Security.
- Right click on Security and choose New, DWORD. Name it PromptSimpleMAPISend (copy and paste works well as this DWORD is case sensitive).
- Right click on PromptSimpleMAPISend and choose Modify.
- Enter a value of 2.
- Restart Outlook. (You may need to restart the computer.)
Object Model Guard
The "object model guard" feature of the patch imposes two extreme restrictions on automating Outlook from add-ins that use either the Outlook object model or Simple MAPI:
- If an add-in tries to send an Outlook message, the user gets a notification pop-up and must explicitly authorize or deny each attempt to send. The user must wait 5 seconds before the Yes button becomes available to click.
- If an add-in tries to access address information in an Outlook item or the address book or to save an Outlook item as a file, the user gets a notification pop-up and can deny access, authorize a one-time access or extend access for a period of several minutes. PDA sync utilities are an example of the kind of application that will be affected by this restriction.
The object model guard applies even if your code is digitally signed or running from a published Outlook form. The only way to turn it off is via the administrative options. Because of these restrictions, some Outlook features become virtually unusable, because of the number of times the user has to confirm the dialog boxes:
- Sequential routing from Word
- Mail merge to e-mail in Word
- Automated mailing programs that use the Outlook Send method
To avoid the prompts in applications that you develop, you can use one of these programming interfaces:
Extended MAPI Language for programming Outlook/Exchange with C++ or Delphi only.
Outlook Redemption Provides a COM interface to Outlook objects that avoids the "object model guard" of the Outlook E-mail Security Update and exposes properties and methods not available through the Outlook model, such as sender address and Internet message headers. Several security features protect it from being used by malicious programs to send Outlook mail. For the redistributable version, it adds a Profman.dll component with the ability to enumerate, add, delete, and modify Outlook profiles using VB or VBScript.
Visit Outlookcode.com for more information on programming issues.
Also see Reinforcing Dialog-Based Security, a paper by two U.S. Air Force Academy professors that demonstrates how to get around the object model guard prompts using VBScript code and the SendKeys method to, in effect, click the buttons on the prompts. For utilities that takes a similar approach, see the tools listed below.
Automation Security Tools
Outlook Forms Security
With the patch applied, script on unpublished or one-off Outlook forms will not run. Users will no longer see an Enable/Disable Macros prompt.
You should never check the Send form definition with item box on the Properties page of a message form, since this will cause the form to one-off. Instead, you should make sure that the recipient has access to the published form.
Outlook Security Zone
Outlook runs in the Restricted Sites security zone and disables scripting for the Restricted Sites zone. For more information, see Internet Explorer security zones registry entries for advanced users
The main problem is, of course, that users decide they need the blocked attachments after they've applied the patch. See Opening .exe Attachments with the Microsoft Outlook E-mail Security Patch.
- Administrative Options for the Microsoft Outlook E-mail Security Patch
- Protecting Microsoft Outlook against Viruses
- Attachment Security Update for Microsoft Outlook
- Administrator information about the Outlook E-mail Security update: June 7, 2000
- Administrator information about the Outlook e-mail security update