Locking Down Outlook Object Model Security, Part 2

This is the second part of a guest commentary about the effect of the Outlook E-mail Security Update on the Outlook development environment. Several readers responded to my opinion in last week's Commentary that " . . . the default should be to distrust (and block) all programmatic access to the methods and properties that the object model guard blocks in the Outlook E-mail Security Update. The warning dialog box shouldn’t appear, and all programmatic address access or sending should fail silently." Interestingly enough, many readers' unhappiness with the Outlook E-mail Security Update relates to the Attachment Security component rather than the Object Model Guard.

Despite the continued spread of the SirCam worm (see http://www.windowsITsecurity.com/Panda/Index.cfm?FuseAction=Virus&VirusID=1104 ), many correspondents were disturbed that they can't open .exe attachments in Outlook with the Outlook E-mail Security Update installed! Those who need to circulate .exe attachments can try the following options:

  • Zip the .exe before you send it. Outlook treats .zip files as normal attachments that you can open and extract to local or network storage. WinZip (http://winzip.com) can zip and email .exe files from the Explorer shortcut menu. ZipOut (http://www.microeye.com/zipout) checks the Level 1 file list and automatically inserts a Level 1 warning message into the .zip file as you send it. (Level 1 files are potentially harmful attachments that the Outlook E-mail Security Update blocks.) Needless to say, you should open .exe files only from well-known sources, and only after you've scanned them with your antivirus software.
  • Use the Administrative form (see http://www.microsoft.com/office/ork/xp/appndx/appa11.htm for details) to modify the settings for the default security group or an exception security group so that Outlook removes .exe files from the Level 1 list. I strongly recommend against using this solution for the default security group because it leaves a gaping hole for email worms and viruses that propagate by using .exe files.
  • Use one of the solutions listed at http://www.slipstick.com/outlook/esecup/getexe.htm to set the Level1Remove registry value (the Level 1 Remove key), then list in it the extensions you want removed from the Level 1 list. This option is available only to Outlook 2002 users.
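Because the Level1Remove approach silently re-enables attachment types per user, an administrator will want a way to see who has used it. The following PowerShell audit script is an added example, not part of the original column; it assumes Outlook 2002 (the Office 10.0 registry path) and that Level1Remove holds a semicolon-separated list of extensions.

```powershell
# Added example (not from the original column): report which Level 1 attachment
# types a user has unblocked through the Level1Remove registry value.
# Assumes Outlook 2002 (Office 10.0); change $SecurityKey for another version.
$SecurityKey = 'HKCU:\Software\Microsoft\Office\10.0\Outlook\Security'

# Executable types that email worms such as SirCam depend on. This short list is
# the example author's own selection for flagging, not the official Level 1 list.
$HighRisk = @('exe', 'com', 'bat', 'cmd', 'pif', 'scr', 'vbs', 'js')

function Get-UnblockedLevel1Extensions {
    param([string]$KeyPath = $SecurityKey)
    if (-not (Test-Path $KeyPath)) { return @() }
    $raw = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).Level1Remove
    if (-not $raw) { return @() }
    # Entries are separated by semicolons and may be written with or without a
    # leading dot, so normalise them before comparing.
    $list = $raw -split ';' |
        ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } |
        Where-Object { $_ -ne '' }
    return @($list)
}

function Test-Level1Policy {
    param([string]$KeyPath = $SecurityKey)
    $unblocked = @(Get-UnblockedLevel1Extensions -KeyPath $KeyPath)
    $risky = @($unblocked | Where-Object { $HighRisk -contains $_ })
    New-Object PSObject -Property @{
        Unblocked = $unblocked
        HighRisk  = $risky
        Compliant = ($risky.Count -eq 0)
    }
}

$result = Test-Level1Policy
if ($result.Unblocked.Count -eq 0) {
    Write-Output 'No Level 1 attachment types have been unblocked for this profile.'
} else {
    Write-Output ('Unblocked Level 1 extensions: ' + ($result.Unblocked -join ', '))
}
if (-not $result.Compliant) {
    Write-Warning ('Executable types unblocked: ' + ($result.HighRisk -join ', ') +
                   '. This reopens the .exe worm vector that the Security Update closes.')
}
```

Run it under the user's own account (the value lives in HKCU), or point -KeyPath at a loaded user hive when auditing profiles centrally.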

If you use the Outlook E-mail Security Update, do you take advantage of the Administrative form to deploy default or custom programmatic security settings in your organization? In addition to the well-known problems with PDA synchronization, has the Outlook Object Model Guard disrupted any of your existing applications?

Outlook 2002 will ease your pain if you use the Trusted COM Add-ins feature of the Administrative form. Here’s how it works: You can "trust" a COM Add-in by adding it to the list of Trusted COM Add-ins, thus giving it unrestricted access to the entire Outlook Object Model, including properties and methods typically blocked by the Outlook Object Model Guard.

Be aware that you must use an Exchange Server mailbox to deploy Trusted COM Add-ins. If you use a Personal Folders (.pst) file for mail delivery, you can't use the trust mechanism for COM Add-ins.

If you have existing Outlook forms applications that make blocked Object Model calls, you must consider the costs and benefits of rewriting VBScript behind forms to take advantage of trusted COM Add-ins. Although rewriting this code can be an expensive proposition for companies that have deployed Outlook forms applications, your Trusted COM Add-in can expose public properties and methods that give your forms code trusted (unblocked) access to the Outlook Object Model.

Unfortunately, the trust mechanism works only for Outlook 2002. If you’re developing for Outlook 2000 and want to access blocked methods and properties of the Outlook Object Model, or of Collaboration Data Objects (CDO), which has no trust mechanism in any version of Outlook, consider a third-party alternative such as Redemption.

Let me know what you think of these alternatives, and how you plan to deploy them in your organization.
