In last month's column, I reviewed the many different security settings and patches for Outlook. This time, I take a closer look at the administrative options for the new Outlook E-mail Security Update, which restricts access to certain types of files attached to email messages and to features that other applications use to automate Outlook. As I wrote last month, I recommend that you delay installing this update until you work out the administrative details for your organization. Please refer to last month's column for caveats about the patch and for references for more information.
How do I control the settings for the update?
The Outlook E-mail Security Update takes a unique approach to customization. Administrators add or remove restrictions for particular users through a custom form they publish to an Exchange Server public folder and an entry in the user's Windows Registry that tells Outlook to look in that folder for either default or individual security settings.
The customized settings work even for a user working offline with an .ost file. However, because the settings depend on an Exchange Server public folder, you can't customize the settings for a standalone user or for a user who has a Personal Folders file, rather than an Exchange mailbox, as the default Information Store (IS).
How do I install the security settings form?
Download admpack.exe from http://www.microsoft.com/office/ork/2000/appndx/toolbox.htm#secupd. This self-extracting file contains the outlooksecurity.oft form template, a readme.txt file, and a system policy file for Outlook 2000. After you download admpack.exe, follow these steps:
1. Run admpack.exe.
2. Click Yes to accept the license agreement.
3. Specify the system folder in which you want to place the extracted files, then click OK.
4. Create a public folder called Outlook Security Settings as a top-level folder (i.e., in the root of the All Public Folders hierarchy). You must use this folder name and location.
5. In the system folder from Step 3, double-click outlooksecurity.oft to open the template file.
6. In the Select Folder dialog box, choose the Outlook Security Settings folder you created in Step 4.
7. When the form opens, choose Tools, Forms, Publish Form to publish the form in the Outlook Security Settings folder. Give it the name Outlook Security Form. Close the form you opened from the .oft file.
8. Right-click the Outlook Security Settings folder, then choose Properties.
9. Under When posting from this folder, use, choose Outlook Security Form.
10. On the Permissions tab on the folder's Properties dialog box, set the permissions on the folder so that the Default user has the Reviewer role. Give the Editor role to people who administer Outlook security settings.
11. Click OK to save the folder settings.
How do I use the form to customize the security settings?
You can perform two operations with the Outlook Security Form:
- Change the default security settings for everyone in the organization.
- Override the default settings for specific groups of users.
In either case, users won't use the settings in the Outlook Security Settings folder unless you make a change to their Windows Registry, as I describe later. You can use the security form on any system, even if that system doesn't have the Outlook E-mail Security Update.
How do I change the default settings?
In the Outlook Security Settings folder, click New to bring up a new item using the Outlook Security Form. Select the Default Security Settings for All Users option. You can't change the Security Group Name.
The item opens with the default options for the Outlook E-mail Security Update already set. Figure 1 and Figure 2 show the default settings for the Outlook Security Form. For an explanation of each setting, see the readme.txt file that you extracted when you ran the admpack.exe download file.
Note that several of the options in Figure 2 refer to Collaboration Data Objects (CDO) and Simple Messaging API (MAPI). External programs can use either of these programming interfaces instead of the Outlook object model to automate messaging functions. The Outlook E-mail Security Update restricts access to Simple MAPI functions, but not to CDO. The CDO settings apply to systems updated with the separate CDO Security Update from http://officeupdate.microsoft.com/2000/downloaddetails/cdo2k.htm.
Create only one Default Security Settings item in the Outlook Security Settings folder. If more than one item with default settings is present, Outlook clients will use the settings from the most recently saved item.
How do I override the default security settings?
You can make the security settings for an individual or group of users either more or less restrictive than the default settings. To override the default settings, follow these steps:
1. Create a new item in the Outlook Security Settings folder.
2. On the Outlook Security Form's Outlook Security Settings tab, which Figure 1 shows, select the Security Settings for Exception Group option.
3. Provide a Security Group Name.
4. In the Members text box, enter the names, separated by semicolons, of individual users to which this group of settings will apply. The form doesn't provide a button to let you pick names from the Global Address List (GAL); you must enter them yourself.
5. Press Ctrl+K to resolve the names. If any name remains without an underline, that means Outlook couldn't resolve the name. Check your spelling, then press Ctrl+K to try again to resolve.
6. Select your options on the two pages of the form. Refer to the readme.txt file for details about each setting.
7. Close the form, and choose Yes when Outlook asks whether you want to save changes.
You can't use a distribution list (DL) to simplify setting up the members in Step 4. The Outlook E-mail Security Update doesn't parse the membership of DLs. Therefore, you must enter each individual username.
Also, you must take care that each user is a member of only one Outlook security group—in other words, the user appears on only one item in the Outlook Security Settings folder. If a user is included in more than one group, the most recently saved set of security settings prevails, and Outlook ignores any others. The Outlook E-mail Security Update won't check to see whether the user is listed in additional Outlook security groups.
How do I set up a user to use the Outlook Security Settings folder?
The Registry setting is a new DWORD value named CheckAdminSettings, which you must create in the HKEY_CURRENT_USER\Software\Policies\Microsoft key. If the value is present and set to zero, or if it isn't present, Outlook will use the full locked-down settings of the Outlook E-mail Security Update. If you set the value to any number other than zero, Outlook will look in the Outlook Security Settings public folder both for a new set of default settings and for exception group settings for the current user. (Note that the readme.txt file contains incorrect information about how the key works. The Microsoft article "OL2000: Administrator Information About the Outlook E-mail Security Update" at http://support.microsoft.com/support/kb/articles/q263/2/97.asp has the correct details.)
How you implement the Registry entry depends on the OS and whether you've implemented system policies. Section 2.4 of the readme.txt file included with admpack.exe contains details for rolling out the Registry change to Outlook 2000 by using the outlk9.adm policy file, which is also part of admpack.exe. At the time of publication, Microsoft had not provided a new policy file for Outlook 98.
Do the security settings work for offline users?
The Outlook E-mail Security Update supports offline users by creating a hidden folder in the Favorites hierarchy and automatically synchronizing it with the entries in the Outlook Security Settings folder. To initialize the security settings, after you create the Outlook Security Settings folder, each user needs to synchronize twice with the server. Unlike setting up other public folders for offline access, the user doesn't need to connect online with the server, just synchronize.
What happens if the Outlook Security Settings public folder isn't available?
If a user is online but can't connect to the public folder containing the security settings, the full locked-down settings of the Outlook E-mail Security Update will apply.
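The rules described above (the CheckAdminSettings value, the most-recently-saved rule for default and exception-group items, and the locked-down fallback when the folder can't be reached) can be modeled and audited as follows. This is an added example, not code from Microsoft or from the original column; the item field names, the sample data, the case-insensitive display-name matching, and the fallback to built-in settings when no default item exists are assumptions.

```python
from collections import defaultdict

LOCKED_DOWN = "built-in locked-down settings"

# Constructed sample: items as an administrator might list them from the
# Outlook Security Settings folder (field names are hypothetical).
ITEMS = [
    {"name": "Default", "kind": "default", "members": "", "saved": "2000-07-01T09:00"},
    {"name": "Default (copy)", "kind": "default", "members": "", "saved": "2000-07-03T14:30"},
    {"name": "CRM add-in users", "kind": "exception",
     "members": "Ann Lee; Bob Ray", "saved": "2000-07-02T10:00"},
    {"name": "Fax tool users", "kind": "exception",
     "members": "bob ray;Cy Dunn;", "saved": "2000-07-05T16:45"},
]

def members(item):
    """Split the semicolon-separated Members field (assumed case-insensitive)."""
    return {m.strip().lower() for m in item["members"].split(";") if m.strip()}

def newest(items):
    """The most recently saved item prevails (ISO timestamps sort as text)."""
    return max(items, key=lambda i: i["saved"], default=None)

def effective_item(user, check_admin_settings, folder_reachable, items):
    """Return the name of the settings item that applies to `user`."""
    # Value absent (None) or zero, or folder unreachable: full lockdown.
    if not check_admin_settings or not folder_reachable:
        return LOCKED_DOWN
    groups = [i for i in items
              if i["kind"] == "exception" and user.lower() in members(i)]
    chosen = newest(groups) or newest([i for i in items if i["kind"] == "default"])
    # Assumption: with no default item published, the built-in settings apply.
    return chosen["name"] if chosen else LOCKED_DOWN

def audit(items):
    """Report what the update never checks: users in several groups, extra defaults."""
    seen = defaultdict(list)
    for i in items:
        if i["kind"] == "exception":
            for m in members(i):
                seen[m].append(i["name"])
    dup_users = {u: sorted(g) for u, g in seen.items() if len(g) > 1}
    defaults = sorted(i["name"] for i in items if i["kind"] == "default")
    return dup_users, (defaults if len(defaults) > 1 else [])
```

Running `audit` before saving a new exception group shows which users would silently lose an earlier group's settings.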
What is the best way to build an Outlook E-mail Security Update strategy?
Remember Y2K? The same strategies you applied to make sure that all applications would work when the clock ticked over will serve you well with this update. For a thorough analysis, you need
- An inventory of all commercial, custom in-house, and ad hoc add-ons for Outlook in use in your organization
- A list of everyone using each application
For each application, you need to analyze what object model features it uses. For each object model feature, you might want to automatically allow access or force the user to respond to a prompt. If you have just one Outlook-related application, you can create a single exception group whose members consist of that application's users and whose Programmatic Settings tab reflects your object model analysis of the application.
This analysis becomes more complicated when users need to access more than one Outlook-related application and those programs use different levels of the object model. Because the Outlook E-mail Security Update looks only at the most recent security group settings, no easy answer exists other than painstaking work to test and double-check the settings.
Will this security customization method work for large numbers of users?
Probably not. Microsoft explicitly states, "Customized security settings are not designed to be deployed to a large number of users. For performance reasons, customized settings should be used only for the minimal number of accounts that require modifications to the default security settings." Because you can have only one Outlook Security Settings folder in the Public Folders hierarchy, you can implement security overrides only at the organization level, not by site or by server.
Why can't I see my toolbars after I use the Outlook Security Form?
The form turns off toolbars when it opens, but it doesn't restore them when it closes. You'll need to use the View, Toolbars command to turn your toolbars back on.
Does Microsoft provide any other tools or information to help deploy the Outlook E-mail Security Update?
For Outlook 2000, you can download an administrative update (o2ksec_a.exe) from http://www.microsoft.com/office/ork/2000/appndx/toolbox.htm#secupd and use it to update an administrative installation point. See the Microsoft article "Deploying the Outlook 98/2000 E-mail Security Update" (http://www.microsoft.com/office/ork/2000/journ/outsdep.htm) for more details. This article also has information about how to use the Outlook 98 Deployment Kit (ODK) to update an Outlook 98 administrative installation point.
If I receive an important .exe file in an email message, how can I get around the Outlook patch's blocking and open it?
Many people use self-extracting .exe files to send various types of documents. (For example, instead of sending a fax, I often use a free program that "prints" a document to a file and wraps it with a viewer in an .exe file, ready for me to email.) Even when you install the Outlook update and make these files invisible in Outlook, you can access them in several ways:
- Open the message with Outlook Web Access. OWA doesn't block access to attachments. (Perhaps OWA will be the next target for Microsoft's security-tightening effort.)
- Copy the message to an empty Outlook folder, then use Outlook Express to import the items in that folder. Outlook Express doesn't have a security patch like Outlook's ... yet.
- Use Chilton Preview from http://www.slipstick.com/addins/gallery/index.htm#preview. Chilton Preview is a free alternative preview pane that works with all versions of Outlook and lets you see and open all attachments.
- Use CaSaveAtt or ExLife from http://www.ornic.com/. CaSaveAtt is a custom action that works with the Outlook Rules Wizard. The action lets you create rules to save attachments to disk. With Outlook 2000, you can create a rule to save attachments, then run it on demand. (Earlier versions of Outlook don't support running rules on demand.) ExLife is a full Rules Wizard replacement that also lets you run rules on demand.
If I need to send .exe and other files that the Outlook patch might block, what can I do to make sure other people can open the files?
Probably the easiest step you can take is to send the file compressed inside a .zip attachment. The update doesn't block files that use the .zip extension, although some systems administrators might choose to use the Outlook Security Settings folder as previously described to impose a restriction on .zip files. Several applications can automatically compress attachments into a .zip file when you send an Outlook message. See http://www.slipstick.com/addins/compression.htm for a list of applications.
Another approach is simply to rename the file so that it uses a different file extension, such as .ex_ instead of .exe. In your cover note, instruct the recipient to save the file to disk, then rename and run it.