
Exchange & Outlook UPDATE, Outlook Edition--Outlook 2007 Security and Privacy--September 29, 2006

----| Exchange & Outlook UPDATE--Outlook Edition |----

*Commentary: Outlook 2007 Security and Privacy
*From the Community: Deleting the Hidden Delegate Rule in Outlook
*New and Improved: Send Email from Within Microsoft Office Applications



Try Symantec Backup Exec 10d for Windows

Making Information Work for SMBs

Clean Up Your Company's Email Act: Using Filters to Block Threats


Sponsor: Symantec

Try Symantec Backup Exec 10d for Windows
Symantec Backup Exec(TM) 10d for Windows Servers is designed for disk, delivering reliable, faster, and more efficient true continuous data protection for Windows servers. Backup Exec 10d revolutionizes data protection by eliminating backup windows and introducing the industry's first web-based file retrieval. Combined with its existing family of high performance agents and options to Microsoft Exchange, SQL, SharePoint Portal Server, and other database application data, as well as Linux/UNIX server data and desktops and laptops, Backup Exec 10d delivers the only comprehensive disk and tape based solution. Download the trialware now to see how fast and flexible this solution is.


***COMMENTARY: Outlook 2007 Security and Privacy
by Sue Mosher, News Editor, [email protected]

As I discussed in my column last month ("Outlook 2007: HTML Forms Are 'Out;' CSS Is 'In'"), one significant change in Microsoft Office Outlook 2007 is that scripts in HTML-formatted messages can't run at all. That's just one of many improvements in Outlook 2007 to make it more secure. With a more stable 2007 Microsoft Office system Beta 2 Technical Refresh (B2TR) now available, I thought this would be a good time to review Outlook 2007's security and privacy improvements.

Let's start with programmatic access and those intrusive security prompts that users see when external applications try to automate Outlook. By default, those won't appear in Outlook 2007 if the user is running an up-to-date antivirus application on Windows Vista or Windows XP. That's a big gain for corporations with older, in-house applications that would be expensive to rewrite to use Outlook automation techniques that avoid security prompts. Furthermore, the programmatic access settings that formerly worked only in the Outlook Security Settings public folder can be managed in Outlook 2007 through a Group Policy Object (GPO), so that they can apply even in organizations that don't use Exchange Server for mail.

Another security setting that might affect existing custom applications is that Outlook 2007, by default, doesn't display folder home pages for folders other than the user's default information store and the Public Folders hierarchy. A folder home page is a Web page associated with a folder. Like any Web page, it can run code, but because it's running inside Outlook, it isn't blocked from performing Outlook automation as an external Web site page opened in Microsoft Internet Explorer would be. If a folder home page in another folder is essential to an organization, an administrator can change this behavior by using a GPO. After adding the Outlk12.adm administrative template (see URL below for the template download), go to User Configuration, Administrative Templates, Microsoft Office Outlook 2007, Tools | Options..., Other, Advanced and look for a setting named Do not allow folders in non-default stores to be set as folder home pages.

Outlook 2007 includes improved protection against spam and phishing, plus a more prominent warning on suspected phishing messages. Recognizing that users often need to send legitimate messages that might look like spam to some email clients, Microsoft has added a new Email Postmark feature to Outlook. When the user sends a message with spamlike characteristics, Outlook solves a computationally costly puzzle, hashes the solution, and puts information about the puzzle and solution into two fields in the message's SMTP header. The recipient of the message sees nothing special about the message, but if the receiving mail client is Outlook 2007, it can use the contents of those fields to determine that the message is valid and not junk. The sender won't notice the slight delay on an individual message, but Microsoft contends that the computational cost of the Email Postmark feature makes it impractical for spammers to take advantage of it.
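To make the Email Postmark idea concrete, here is an added example (not Outlook code, and not the format Outlook 2007 actually writes into the SMTP header) of a hashcash-style proof of work: the sender burns CPU finding a nonce whose hash has a required number of leading zero bits, records the puzzle parameters and the solution in two headers, and the recipient checks the stamp with a single hash. The puzzle is bound to a digest of the sender, recipient, subject and body, so a stamp cannot be lifted off one message and reused on bulk mail. The `X-Example-Postmark-*` header names, the stamp layout and the sample message are all constructed for this illustration.

```python
"""Hashcash-style postmark: costly to produce, cheap to verify (example code)."""
import copy
import hashlib
import itertools
from email.message import EmailMessage

# Hypothetical header names chosen for this example; not Outlook's real fields.
PUZZLE_HEADER = "X-Example-Postmark-Puzzle"
SOLUTION_HEADER = "X-Example-Postmark-Solution"


def message_digest(msg: EmailMessage) -> str:
    """Hash the fields the puzzle is bound to, so a solution cannot be reused on
    a different message: a bulk sender would have to solve one puzzle per mail."""
    parts = [
        (msg["From"] or "").strip().lower(),
        (msg["To"] or "").strip().lower(),
        (msg["Subject"] or "").strip(),
        msg.get_content(),
    ]
    return hashlib.sha256("\n".join(parts).encode("utf-8")).hexdigest()


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash output."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + (8 - byte.bit_length())
        bits += 8
    return bits


def puzzle_hash(digest_hex: str, difficulty: int, nonce: int) -> bytes:
    return hashlib.sha256(f"{digest_hex}:{difficulty}:{nonce}".encode()).digest()


def solve_puzzle(digest_hex: str, difficulty: int) -> int:
    """Sender side: brute force, roughly 2**difficulty hash evaluations."""
    for nonce in itertools.count():
        if leading_zero_bits(puzzle_hash(digest_hex, difficulty, nonce)) >= difficulty:
            return nonce


def stamp(msg: EmailMessage, difficulty: int = 12) -> EmailMessage:
    """Sender side: solve the puzzle and record puzzle and solution as headers."""
    digest_hex = message_digest(msg)
    nonce = solve_puzzle(digest_hex, difficulty)
    del msg[PUZZLE_HEADER]
    del msg[SOLUTION_HEADER]
    msg[PUZZLE_HEADER] = f"alg=sha256; bits={difficulty}; digest={digest_hex}"
    msg[SOLUTION_HEADER] = f"nonce={nonce}"
    return msg


def verify(msg: EmailMessage, min_difficulty: int = 12) -> bool:
    """Recipient side: one hash. Rejects a missing or malformed stamp, a stamp
    taken from another message (digest mismatch), too little work, or a bad nonce."""
    puzzle, solution = msg[PUZZLE_HEADER], msg[SOLUTION_HEADER]
    if not puzzle or not solution:
        return False
    try:
        fields = dict(p.strip().split("=", 1) for p in puzzle.split(";"))
        difficulty = int(fields["bits"])
        nonce = int(solution.split("=", 1)[1])
    except (KeyError, IndexError, ValueError):
        return False
    if fields.get("alg") != "sha256" or difficulty < min_difficulty:
        return False
    if fields.get("digest") != message_digest(msg):
        return False  # content changed after stamping, or stamp copied from elsewhere
    return leading_zero_bits(puzzle_hash(fields["digest"], difficulty, nonce)) >= difficulty


def demo() -> dict:
    """Stamp a constructed message, then verify it genuine, tampered and unstamped."""
    msg = EmailMessage()  # constructed sample, not a real message
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Limited time offer"
    msg.set_content("Hi Bob, this is a legitimate message that merely looks spammy.\n")

    unstamped = copy.deepcopy(msg)
    stamped = stamp(msg, difficulty=12)
    tampered = copy.deepcopy(stamped)
    tampered.set_content("Completely different body reusing the same stamp.\n")

    return {
        "genuine": verify(stamped),
        "tampered_body": verify(tampered),
        "no_stamp": verify(unstamped),
        "work_too_low": verify(stamped, min_difficulty=16),
    }


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the whole point: `stamp` loops thousands of times, `verify` hashes twice (once over the message, once over the candidate). Raising `bits` by one doubles the sender's cost while leaving the recipient's cost unchanged, which is why a per-message stamp is cheap for an individual but expensive at bulk-sender volumes.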

Outlook 2007 plugs a number of potential privacy leaks that were present in earlier versions. Like Outlook 2003, the new version blocks images and other external content in HTML messages that could be used with so-called Web bugs to reveal information about the user. But it expands this feature to give the user a new option to block external content not just on reading a message but also during reply, forward, and print operations.

In earlier versions, a user could add a vCard .vcf file to any Outlook email signature, but it was all too easy for Exchange users to unwittingly include in that vCard personal information stored in the Global Address List (GAL). Outlook 2007 eliminates that possibility. The only type of vCard .vcf file that can be included with a signature is one created with the new Electronic Business Card feature. To create an Electronic Business Card, the user must specify exactly what information to include. Therefore, there's no risk of information leaking out from the GAL.

Another area where privacy is tightened is around free/busy information. This might be the ultimate feature for secretive bosses! In earlier versions of Outlook, users either saw free/busy information for other users or, if they had Reviewer access to other users' Calendar folders, the details of appointments in the other users' calendars. The only way to block a person from seeing any free/busy information for a user was to stop publishing free/busy information for that user completely. When used with Exchange 2007, Outlook 2007 expands the free/busy permission options to offer new options for "None" and "Free/Busy time, subject, and location." Thus, the secretive boss could set four different levels of free/busy access for four different sets of people in the organization: no access as the default; full details (i.e., Reviewer access) for the boss's assistant; for peers, free/busy time, subject, and location; and for direct reports, free/busy time only.

A good way to get to know some of the new settings in Outlook 2007 is to download the administrative template .adm files for B2TR and add them to Group Policy Editor (GPE) so that you can then browse through the available options. One welcome change in the Outlk12.adm file is the addition of explanatory text for most policy settings.

Administrators have long asked for an option to completely disable the Outlook reading pane (even though it hasn't been a source of vulnerability for years). Outlook 2007 has this option, although it's a little hard to find in GPE. After you add the Outlk12.adm administrative template, look under User Configuration, Administrative Templates, Microsoft Office Outlook 2007, Tools | Options..., Other for an option named Do not display the reading pane.

One final security note: What about the Vector Markup Language vulnerability reported last week by Sunbelt Software? According to Sunbelt, Outlook 2007 B2TR is not vulnerable to this exploit.

Office 2007 Beta 2

2007 Microsoft Office system Beta 2 Technical Refresh

2007 Office System Beta 2 Technical Refresh Administrative Templates (ADM)


Sponsor: EMC

Making Information Work for SMBs
Help your small- or medium-sized business protect one of its most valuable assets--business information. Easily store, manage, protect and share information with hardware designed with the needs of your business in mind. Manage IT without the large staff and extensive training--learn how today!


***From the Community

Deleting the Hidden Delegate Rule in Outlook
Are your former delegates still receiving meeting requests that are sent to you? The Microsoft Exchange Server MAPI Editor can help you fix the problem.

Have a question? Got answers? Join your peers in the Exchange and Outlook discussion forums:
Current Threads:
OWA in SBS 2003
Enable response in Outlook 2002
ActiveX in body of message

Don't forget to sound off in our Instant Poll. This month's question is "In a typical work week, how much time do you spend managing SharePoint?"

~~~~ Hot Spot: ~~~~

Clean Up Your Company's Email Act: Using Filters to Block Threats
Do you want to block unwanted or undesirable email? Download this free whitepaper to learn how to manage the content of information crossing your network.


by Blake Eno, [email protected]

Send Email From Within Microsoft Office Applications
DS Development announced updates to its email productivity software, Bells and Whistles for Outlook 3.0. The product helps you quickly reply to emails by automatically inserting personalized email reply greetings, email templates, signatures, or side email notes. You can configure Bells and Whistles for predefined reply message formats or specify email addresses for the automatic CC, BCC, Forward, or Reply-to features that will be applied to every outgoing email. Bells and Whistles now provides advanced automatic reply greetings, attachment archiving, full HTML support for email templates, and more than 30 predefined email templates. An electronic-only version of Bells and Whistles costs $29.95. Site licenses are also available.

------ Wanted: your reviews of products you've tested and used in production. Share your experiences and ratings of products to "[email protected]" and get a Best Buy gift certificate.


These Windows-related events, papers, and resources will help you keep your knowledge and skills up to date and help you deploy, secure, and maintain the latest Exchange- and Windows-related technologies. For more Exchange-related resources, visit

Exchange & Office 2007 Roadshow Coming to EMEA!
Get the facts about deploying Exchange and Office 2007! You'll come away with a clear understanding of how to implement a best-practices migration to Exchange Server 2007 and how you and your end users can get the most out of Office 2007, and you'll learn more about Windows Vista.

Enterprises on average store identity information in 63 places. Learn about provisioning, synchronization, single sign-on, identity and access management, LDAP, and directory interop solutions from independent expert Gil Kirkpatrick at TechX World in Washington DC, Chicago, Dallas, and San Francisco next month. Three other content tracks cover OS interoperability, data integration/interoperability, and virtualization.

Whether you're an outsourced IT provider, part of an in-house IT service staff, or simply provide remote support, this can't-miss Web seminar will help you discover how the right technologies can expand your services. You'll learn how to tap into a $30 billion market for IT services and expand your geographic reach. Live Web seminar: Tuesday, October 17

Dramatically simplify Exchange troubleshooting with an in-depth look at built-in troubleshooting tools and third-party applications. Join us as we analyze a typical troubleshooting process, address the problems faced while using standard tools, and learn how automated troubleshooting can address these challenges. View this free Web seminar now!

Mark Joseph Edwards discusses emerging spyware threats, including rootkits, keyloggers, and distribution methods. On-demand Web seminar



Branch offices need flexibility and autonomy in implementing IT solutions; corporate requirements require centralized management, security, and compliance initiatives. Learn to resolve these conflicts and reduce your operational costs for branch offices with limited IT resources. Download the free white paper today!



Special Invitation for VIP Access
Become a VIP subscriber and get continuous, inside access to ALL the content published in Windows IT Pro, SQL Server Magazine, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters. Subscribe now and SAVE $100:

Get the Windows IT Pro Utility Kit FREE
SAVE up to $30 on Windows IT Pro and get an exclusive Windows IT Pro Utility Kit CD FREE with your paid order! You'll also get unlimited access to the entire online article archive, which houses more than 9000 helpful Windows IT articles. This is a limited-time offer, so order now:

~~~~ Contact Us ~~~~

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring UPDATE -- [email protected]


This email newsletter is brought to you by Exchange & Outlook Administrator, the leading publication for IT professionals managing, securing, optimizing, and migrating Exchange and Outlook. Subscribe today!

View the Windows IT Pro Privacy policy at

Windows IT Pro a division of Penton Media Inc.
221 East 29th Street, Loveland, CO 80538,
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All Rights Reserved.
