When Outlook starts up and logs on to an Exchange server, it looks for a registry key (shown later in Table 13-2) that tells it which version of a special public folder to look for. This folder can be named either Outlook Security Settings (which applies to Outlook 98 and Outlook 2000) or Outlook 10 Security Settings (which applies to Outlook 2002 and Outlook 2003). Based on what Outlook finds in the folder, it might use security settings that vary from the default. The contents of those public folders determine which settings Outlook uses; you post messages to the public folder using a special form.
Installing the Microsoft Outlook security package
The administrative tools for the Outlook Security Update consist of several files (including documentation) that are normally packaged as a single executable, Admpack.exe, which can be installed from the Office Resource Kit CD or the Office product CD. You can also download it from the Office Resource Kit Toolbox site. You should probably download it to ensure that you're getting the most current version.
The two administrative files that you will work with are the following:
To install the Outlook security package, run Admpack.exe. When you run Admpack, it installs the necessary files to a location you specify. However, you still have to use those files to implement the necessary security settings.
Installing the Trusted Code control for Microsoft Outlook
Outlook allows you to write add-ins that are loaded into Outlook's process space; these add-ins use COM to communicate back and forth with Outlook. Because these add-ins run in-process, it's not a good idea to run add-ins from untrusted sources. When you install the security package, you gain the ability to create a list of trusted add-ins that clients can run without being prompted by Outlook security, provided you install the Trusted Code control. You only need this on your administrative machines; end users don't need it (and, in fact, shouldn't have it). Because the Hashctl.dll file is already installed on your machine, the only thing you really need to do is to register it, although Microsoft recommends moving the Hashctl.dll file to the \System32 folder in your Windows directory. To register the dynamic-link library (DLL), use this command: regsvr32 hashctl.dll
Creating a public folder for Microsoft Outlook security settings
Before you can create any settings, much less apply them, you'll need to create a top-level public folder to host the settings. The name of the folder is critical because Outlook is hardwired to look in that folder. You have three choices: if you create a folder named Outlook 10 Security Settings, Outlook 2003 (and Outlook 2002) uses the settings there, but Outlook 2000 won't see them. If you name the folder Outlook Security Settings, Outlook 2000, Outlook 2002, and Outlook 2003 use the same settings. If you create both folders, each version uses its own folder (assuming that you've properly set the client-side registry key discussed later). Once you've created the folder (or folders), give all users Read access. Users who are allowed to change security settings should have permission to create, edit, and delete items in the folder. Once you've created the folder, you're ready to publish the template and create an instance of the form. Do the following:
- Start Outlook.
- Open the OutlookSecurity.oft file. Outlook will prompt you for a location to save the new item you're creating from the template. The new item is never actually saved, so it doesn't matter which folder you choose.
- While the template is open, use the Tools | Forms | Publish Form command. Give the form a meaningful name; if you're replacing the Outlook 2000–specific version of the form, give this form the same name as the old one. Make sure you specify the security settings public folder you created as the target location for the published form! Click Publish to publish the form.
- Close the Default Security Settings template window. When Outlook asks if you want to save changes, make sure you do not do so.
- Switch to the General tab of the public folder Properties dialog box, then use the When Posting To The Folder, Use drop-down list to specify the published form as the default.
- After Outlook installs the template, open the public folder, then create a new item—name it Default Security Settings. You'll customize the default security settings by editing this item, and create new settings for different groups by creating copies of that default item or by creating new, blank entries and customizing them.
Filling out the Microsoft Outlook form template tabs
The Outlook security form template has three tabs, each of which has its own set of controls that govern how Outlook's security features work, as follows:
- The Outlook Security Settings tab controls general settings that are applied to Outlook clients.
- The Programmatic Settings tab controls what happens when outside applications try to use certain Outlook methods and properties, including sending mail, and retrieving address information.
- The Trusted Code tab lets you specify which Outlook COM add-ins you want to allow users to run without security prompts; note that these settings don't apply to other Office applications.
Note: You cannot create or update the security settings template when you're using an Outlook profies that's set to use cached Exchange mode; Outlook will complain and tell you to switch to online mode when you attempt to save your updated form.
The Microsoft Outlook Security Settings tab
The Outlook Security Settings tab allows you to configure default settings that apply to all users. You can also apply settings to individual users or groups of users. The normal way to accomplish this is to create multiple post items using the form: one for the default settings you want to apply and one for each individual or group that needs special settings. When you use Microsoft Exchange 2000 Server or Exchange Server 2003, Outlook lets you specify Windows 2000 Server distribution groups to indicate who you want settings to apply to. If you're still hosting the folder on Microsoft Exchange 5.5, you must enter the name of each individual mailbox in the group, separated by semicolons, up to the hard-coded limit of 1000 names. The tab itself is shown in Figure 13-2. The controls at the very top control who this copy of the form applies to. By default, the Default Security Settings For All Users option is selected, meaning that these settings apply to all Outlook users on this Exchange server. If you want to apply these settings to a subset of your users, select the Security Settings For Exception Group option, then fill in the Security Group Name and Members fields. Here's what the rest of the form's controls do:
Figure 13-2 The Outlook Security Settings tab gives you control over how Outlook handles attachments.
- The Prompt User option causes Outlook to display a dialog box prompting the user to choose whether to allow access or not.
- The Automatically Approve option tells Outlook to allow all access without displaying a warning.
- The Automatically Deny option tells Outlook to deny all requests without asking.
The Microsoft Outlook Programmatic Settings tab
The Programmatic Settings tab, shown in Figure 13-3, features an impressive set of options. Fortunately, these break down into a fairly simple taxonomy; you use this form to specify which actions various types of code can take, according both to the requested action and the type of interface used to make the request. Applications, macros, add-ins, and other executables can use three different interfaces to request services from Outlook, as follows:
Figure 13-3 Control programs' access to the Outlook object model and address book with the Programmatic Settings tab.
Each potential action (sending items using CDO, looking up address book items with Simple MAPI, and so on) is independently controlled. When any third-party software on the client attempts to do something, the behavior you specify takes effect: the client either approves the request automatically (which is what happens in Outlook 2000 without the security update), automatically denies it, or prompts the user (the default behavior in Outlook with the security update).
The Microsoft Outlook Trusted Code tab
The Trusted Code tab is visually uninteresting, so I don't show it here. It contains a list box and two buttons: Add and Remove. You use the buttons to add or remove COM add-ins to the list; Outlook clients trust (that is, allow to run) any COM Outlook add-in on the list. However, remember that specifying an add-in on this tab doesn't make it run, nor does it install it on the client. Specifying an add- in here just means that the add-in has permission to call the Outlook object model without triggering the object model guards; add-ins that call CDO are still subject to the guards. There are a few nuances to using this tab. First of all, you can only specify Outlook add-ins, not, for example, a Microsoft Word add-in that happens to call Outlook object model functions. Second, if you later replace a trusted add-in with a newer version, you'll need to remove the old version from the list and add the new one, even if they have the same file name.
Deploying Microsoft Outlook security settings
After you configure the settings you want by creating items on the Exchange server, you still have to force Outlook to use those settings. To enable this behavior, you'll need to deploy a new registry key to the client computers; that's why this is best done during your initial rollout of Office or Outlook.
The simplest way to do this is to use the Custom Installation Wizard to include the registry key in a transform when you deploy the Office System. If you've already deployed Office, you can use the Custom Maintenance Wizard to add the registry key information to the client. However, neither of these methods is enforced, so clients can manually change their local settings. If you want the new registry key to be enforced, you'll need to deploy it with a system or group policy.
If you're managing your Office installation with policies, adding this behavior is simple. Just add the correct policy template (.adm file) so that your policy object includes the necessary key, then set the policy to apply to the target users. If you use the System Policy Editor provided with the Office Resource Kit Toolbox, the correct templates are already loaded. If you use the Active Directory Group Policy Object snap-in, you'll need to add the templates manually. The policy file automatically passes your customized security settings to client computers each time users log on to the system.
So, what's the magic key you have to modify? The registry value is a DWORD named CheckAdminSettings and located under HKEY_CURRENT_USER\Software\Policies\Microsoft\Security\. The value you put here determines where Outlook searches for security settings. Table 13-2 shows which values do what.
Note: You can't save this registry key to a file and mail it out because .reg files are blocked by the security update, and they're also blocked by the default Outlook settings that apply when no security settings are present on the server. Besides, the best way to ensure that users don't change these settings is to force their application using Group Policy Objects (GPOs), so that's what Microsoft recommends (although you can certainly add a .reg files that runs as part of a user logon script as an alternative).
Table 13-2: CheckAdminSettings Values
|Value||What Outlook 2003 Does|
|Key not present||Uses its default settings.|
|0||Uses its default settings.|
|1||Looks for settings in the Outlook Security Settings folder, applying them according to the defaults and specific users you've specified.|
|2||For Outlook 2002 and Outlook 2003 only: Looks for settings in the Outlook 10 Security Settings folder, ignoring any settings in the Outlook Security Settings folder. Use this value when you want Outlook 2002 or Outlook 2003 and Outlook 2000 to use different settings.|
|Anything else||Uses its default settings.|
8 tips in 8 minutes: A Microsoft Outlook email security tutorial
Tip 1: An overview of Microsoft Outlook email security features
Tip 2: Customizing the Microsoft Outlook Security Update
Tip 3: Customizing Outlook email security settings for end users
Tip 4: Setting up RPC over HTTP for Microsoft Outlook
Tip 5: Using S/MIME in Microsoft Outlook
Tip 6: Using Information Rights Management in Microsoft Outlook
Tip 7: Reaching into Microsoft Outlook's email security toolbox
Tip 8: Related resources on Microsoft Outlook email security
|This chapter is an excerpt from Secure Messaging with Microsoft Exchange 2003 by Paul Robichaux, copyright 2004, published by Microsoft Press.|