All Outlook 2010 Trust Center settings are not created equal

The Outlook 2010 Trust Center offers plenty of security settings to administrators. That doesn’t mean they’re all important though.

The Outlook 2010 Trust Center is a collection of settings designed to keep Microsoft Outlook 2010 secure and healthy.

And while Outlook security is important, there’s a fine line between security and usability. Let’s examine each of the Outlook 2010 Trust Center settings to determine those that are most important and those that might be overkill.

Accessing the Outlook Trust Center
If you’re unfamiliar with the Outlook 2010 Trust Center, you can access it by opening Outlook, then clicking the File menu, then Options. Next, click the Trust Center tab, followed by the Trust Center Settings link. These same settings can also be centrally controlled using the Office 2010 Group Policy Administrative Templates.

Outlook 2010 Trust Center’s Trusted Publishers tab
The Trusted Publishers tab contains the list of the trusted software vendors whose Outlook add-ons you currently employ (Figure 1). In my own organization, for example, I trust a publisher that offers a .pdf editor for Outlook. You can only add publishers to this list if they provide a valid digital certificate. You can also use the Trusted Publishers list to examine a trusted publisher or to remove it from the list.


Figure 1. The Trusted Publishers section tells Outlook which third-party add-ons you trust.

Outlook 2010 Trust Center’s Privacy Options tab
The Privacy Options tab controls how Outlook interacts with the Microsoft website (Figure 2). For example, there are options to connect to Office.com for updated content and to periodically download files to diagnose system problems. That said, the privacy settings here don’t really affect Outlook’s overall security and the settings you choose are a matter of personal preference.


Figure 2. The Outlook 2010 Trust Center’s privacy options aren’t of much concern.

The Outlook 2010 Trust Center’s Email Security tab
The E-Mail Security tab is divided into several different sections. The first handles encrypted email (Figure 3). However, unless your organization is in the habit of emailing sensitive information, you probably don’t have to worry about message encryption.


Figure 3. Use the Outlook Trust Center to control whether or not users encrypt email.

As you can see in Figure 3, the Encrypted E-mail section also contains a setting you can use to add a digital signature to outgoing messages. Adding a digital signature is smart because the signature can be used to verify the authenticity of the email.

For example, people have spoofed my email account in the past and sent nasty letters to my editors posing as me. If I had configured Outlook to use digital signatures, my editors would have known that messages not bearing my digital signature were likely fraudulent.

Just beneath the Encrypted E-mail section is a section for importing, exporting and publishing digital IDs. A digital ID is essentially the same thing as a certificate. Users must have a valid digital ID to encrypt email messages or append digital signatures to their messages.

The next section gives you the option to read all messages as plain text. You can configure this setting for regular mail as well as for digitally signed mail. Some organizations use this setting to prevent HTML-based exploits. However, the risk of such an exploit is low, and considering the number of organizations that send HTML-based email, you’re probably fine leaving this setting alone.

The last section controls whether or not to allow scripts in folders. There are separate settings for shared folders and public folders. Allowing scripts to remain in these folders poses a huge security risk, so be sure to disable this setting.

Outlook 2010 Trust Center’s Attachment Handling tab
The Attachment Handling tab controls how Outlook behaves when users receive messages containing attachments (Figure 4). The first option lets users modify an attachment, then reply to the original message with the modified attachment. The benefit of enabling this option usually outweighs any perceived security risks.


Figure 4. Attachment Handling in the Outlook 2010 Trust Center lets you configure how message attachments are handled.

The other option is to disable attachment previewing. However, rather than completely disabling attachment previews, it makes more sense to click on the Attachment and Document Previewers button and then disable any previewers that you deem a security risk. That said, I’ve never heard of a situation where previewing an attachment in Outlook 2010 caused a security problem.

Outlook 2010 Trust Center’s Automatic Downloads tab
The Automatic Downloads tab lets you control how Outlook downloads images (Figure 5). Some administrators disable automatic downloads completely in an effort to reduce spam, as some spammers embed images in email messages. When the message is opened, Outlook downloads the image from the spammer’s server. The spammer can use this attempted communication to verify that his message was both received and opened; this results in lots more spam.

Outlook automatically downloads images in messages from trusted sources by default. In most cases this behavior should be fine, but you do have the option to control which -- if any -- messages are permitted to automatically download images.


Figure 5. Control whether or not Outlook automatically downloads images with the Outlook Trust Center.

Outlook Trust Center’s Macro Settings tab
The Macro Settings tab lets you control how Outlook behaves if a user attempts to activate a macro (Figure 6). By default, the user receives a notification for signed macros, and all other macros are disabled. All macros should be disabled regardless of whether or not they are signed. The only exception is if you have a pressing business need for them.


Figure 6. It’s good practice to disable all macros through the Outlook 2010 Trust Center.

Outlook 2010 Trust Center’s Programmatic Activity tab
The Programmatic Activity tab controls how Outlook responds when it detects suspicious, automated activity (Figure 7). By default, Outlook generates a warning only if your antivirus software is inactive or outdated. But I think it’s better to always warn of suspicious activity unless you have an Outlook add-on that generates a lot of false positives.


Figure 7. Set up the Outlook 2010 Trust Center to warn you about suspicious programmatic activity.

Brien Posey is an eight-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a CIO at a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.
