Protecting Outlook 2010 with group policy security settings

Your Exchange servers may be secure, but neglecting to protect Outlook 2010 puts your company at risk. Learn some group policy security settings that prevent security disasters.

Although most Exchange Server administrators put a lot of effort into securing Exchange, many overlook Outlook security. Here’s a look at some security aspects to familiarize yourself with, as well as several settings you can use to protect Outlook 2010.

Centralized security
By default, Outlook maintains its security configuration locally. However, local configurations are ineffective in corporate environments because configuration changes must be applied manually. Thus, you’re better off centrally managing Outlook’s security. You have two options: You can use group policy settings, or store the security settings in designated public folders. Microsoft recommends using group policy settings as long as you don’t have any users on Outlook 2003 or earlier.

Group policy-based security
Active Directory does not contain any Outlook-related settings by default. To implement group policy settings for Outlook 2010 security, you must download the Office 2010 Administrative Template files and then add the templates to a domain controller’s central store.

There are two important things you should know about the Office 2010 Administrative Templates. First, the templates are version-specific. This means that if you still have users on Outlook 2007, any group policy settings implemented using the Office 2010 Administrative Templates won’t be applied to those users.

Similarly, there is a set of administrative templates for Office 2007. If you previously used the Office 2007 Administrative Templates to secure Outlook 2007, security settings will not be applied to Outlook 2010 users.

Outlook 2010 also ignores Outlook-related group policy settings by default. To change this behavior, first make sure the Office 2010 Administrative Templates are installed. Next, set the Outlook Security Mode group policy setting to the Use Outlook Security Group Policy option. This setting is found in the Group Policy Editor at User Configuration -> Policies -> Administrative Templates -> Microsoft Outlook 2010 -> Security -> Security Form Settings (Figure 1).


Figure 1. After downloading the Office 2010 administrative template, enable the Outlook Security Mode setting.

You can see a description of the setting option in Figure 2.


Figure 2. The Outlook Security Mode should be set to Use Outlook Security Group Policy.

Digital signatures
After installing the administrative templates, there are a number of security settings you can benefit from. For example, you can configure Outlook 2010 so that all outbound email messages are digitally signed. Digital signatures help prevent identity spoofing. To enable this setting, navigate through the Group Policy tree to User Configuration -> Policies -> Administrative Templates -> Microsoft Outlook 2010 -> Security -> Cryptography and enable the Sign All E-Mail Messages setting (Figure 3).


Figure 3. You can configure Outlook 2010 to require outbound email signatures.

In Figure 3, you can also see an Encrypt all e-mail messages setting. Because email messages are normally sent in clear text, encryption is a great way to ensure that a message intercepted in transit cannot be read.

Though these two group policy settings are fairly simple, they depend on an underlying public key infrastructure (PKI). Each user needs a public/private key pair bound to an X.509v3 certificate. These certificates can be generated by an enterprise certificate authority (CA) or acquired from a commercial CA. Office 2010 uses these certificates to create a digital identity for each user.
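Once the Security Mode, Sign All and Encrypt All settings have been deployed, it is worth verifying on a client that they actually arrived, since the version-specific templates described earlier can silently leave a user on local security. The following PowerShell audit script is an added example, not code from the article; it assumes that Outlook 2010 policies are written to HKCU:\Software\Policies\Microsoft\Office\14.0\Outlook\Security and that the value names AdminSecurityMode (3 = Use Outlook Security Group Policy), AlwaysSign and AlwaysEncrypt correspond to the three settings discussed above.

```powershell
# Added example (not from the article). Audits the Outlook 2010 security policy values
# that the group policy settings discussed above write to the user's registry.
# Assumed key and value names: 14.0 = Office 2010, 12.0 = Office 2007;
# AdminSecurityMode 3 = "Use Outlook Security Group Policy", AlwaysSign/AlwaysEncrypt 1 = enabled.
# Run as the user being checked, after 'gpupdate /force'.

$PolicyKey2010 = 'HKCU:\Software\Policies\Microsoft\Office\14.0\Outlook\Security'
$PolicyKey2007 = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Outlook\Security'

# Expected values for the three settings covered in the text
$Expected = @{
    AdminSecurityMode = 3   # Outlook Security Mode -> Use Outlook Security Group Policy
    AlwaysSign        = 1   # Sign all e-mail messages
    AlwaysEncrypt     = 1   # Encrypt all e-mail messages
}

function Get-OutlookSecurityPolicy {
    param([string]$Key = $PolicyKey2010)
    if (-not (Test-Path $Key)) {
        # No 2010 key: the Office 2010 templates never reached this user.
        # If only the 2007 key exists, the wrong template version is being applied.
        if (Test-Path $PolicyKey2007) {
            Write-Warning "Only Office 2007 policy values found; Outlook 2010 ignores them."
        }
        Write-Warning "Policy key $Key not found; Outlook is using its local security configuration."
        return $null
    }
    Get-ItemProperty -Path $Key
}

function Test-OutlookSecurityPolicy {
    param([hashtable]$Expected)
    $actual = Get-OutlookSecurityPolicy
    foreach ($name in $Expected.Keys) {
        # Read the value only if the property exists; missing values count as non-compliant
        $prop  = if ($actual) { $actual.PSObject.Properties[$name] } else { $null }
        $value = if ($prop) { $prop.Value } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $value
            Compliant = ($value -eq $Expected[$name])
        }
    }
}

Test-OutlookSecurityPolicy -Expected $Expected | Format-Table -AutoSize
```

A row with Compliant = False for AdminSecurityMode means Outlook will disregard every other Outlook policy on that client, regardless of what the GPO contains.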

Although users can create and store a digital ID locally on their desktop, it’s better to store digital IDs centrally in corporate environments. You have three options for storing digital IDs.

The recommended method is to store digital IDs in the global address list (GAL). Any certificates generated by an enterprise CA running Active Directory Certificate Services are automatically published to the GAL. You can also manually publish externally generated certificates to the GAL.

To publish digital IDs to the GAL through Outlook 2010, click the File tab, then Trust Center. Next, click the Trust Center Settings button, then E-Mail Security. There you’ll find a button that publishes digital IDs to your GAL (Figure 4).


Figure 4. You can publish a digital ID to the GAL directly through Outlook 2010.

Finally, you also have the option to either store certificates in an LDAP-based directory service or export the digital IDs and store them directly on your users’ desktops. I recommend publishing digital IDs to the GAL whenever possible.

Brien Posey is an eight-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.
