You can control many aspects of Microsoft Office Outlook 2003 cryptography features to help configure more secure messaging and message encryption for your organization’s needs. To help control these features, you specify settings in the Windows registry or through policies. For example, you can set a policy to require a security label on all outgoing mail or a policy to disable publishing to the Global Address List.
Note: A number of Outlook cryptography registry settings have an equivalent setting on the Security tab in the Options dialog box (Tools menu) or another user setting. However, setting the value in the user interface does not create or set the equivalent setting in the Windows registry. You can use the Windows registry to change these settings.
The settings described in this chapter are not related to virus prevention. Virus prevention settings include options for trusted code or changes to the default list of e-mail attachment types that cannot be received or opened by your users. To find out more about configuring virus prevention features, see Chapter 12, “Customizing Outlook 2003 to Help Prevent Viruses.”
Tip: You can use Group Policy to set security levels in Outlook. In Group Policy, set the Required Certificate Authority, Minimum encryption settings, S/MIME interoperability with external clients, and Outlook Rich Text in S/MIME messages policies under Microsoft Office Outlook 2003\Tools | Options\Security\Cryptography. For more information about using Group Policy to lock down Microsoft Office 2003 settings, see “Managing Users’ Configurations by Policy” in Chapter 18, “Updating Users’ Office 2003 Configurations.”
Some of the security policies listed in this chapter correspond to buttons or options on user interface dialogs. The lists that follow group those policies by the button or dialog they affect; a policy that affects more than one area appears in more than one list.
For information about setting the policies, see the sections that follow this one. The specific setting that is affected by a policy is included for many policies in the “Corresponding UI option” column of the tables of policy settings.
Policies that affect settings on the Tools | Options | Security dialog:
AlwaysEncrypt
AlwaysSign
ClearSign
RequestSecurityEnhancedReceipt
PublishtoGalDisabled
EnrollPageURL
Policies that affect settings on the Tools | Options | Security | Settings dialog:
FIPSMode
MinEncKey (restricts encryption algorithms available to users)
Policies that affect settings on the Tools | Options | Security | Settings | Security labels dialog:
ForceSecurityLabel
ForceSecurityLabelX
Policies that affect settings on the Options | Security | Settings dialog in a new e-mail message:
AlwaysEncrypt
AlwaysSign
ClearSign
RequestSecureReceipt
ForceSecurityLabel
ForceSecurityLabelX
Policies that affect the toolbar buttons for encrypting and signing e-mail messages:
AlwaysEncrypt
AlwaysSign
The following table lists the Windows registry settings in the Policies tree that you can configure for your custom installation. You add these value entries in the following subkey:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Outlook\Security
Value name | Value data (Data type) | Description | Corresponding UI option |
---|---|---|---|
AlwaysEncrypt | 0, 1 (DWORD) | When you set the value to 1, all outgoing messages are encrypted. Default is 0. | Encrypt contents check box |
AlwaysSign | 0, 1 (DWORD) | When you set the value to 1, all outgoing messages are signed. Default is 0. | Add digital signature check box |
ClearSign | 0, 1 (DWORD) | When you set the value to 1, Clear Signed is used for all outgoing messages. Default is 0. | Send clear text signed message check box |
RequestSecureReceipt | 0, 1 (DWORD) | When you set the value to 1, security-enhanced receipts are requested for all outgoing messages. Default is 0. | Request S/MIME receipt check box |
ForceSecurityLabel | 0, 1 (DWORD) | When you set this value to 1, a label is required on all outgoing messages. (Note that the registry setting does not specify which label.) Default is 0. | None |
ForceSecurityLabelX | ASN.1-encoded BLOB (Binary) | Specifies whether a user-defined security label must be present on all outgoing signed messages. The string can optionally include label, classification, and category. Default is no security label required. | None |
SigStatusNoCRL | 0, 1 (DWORD) | Set to 0 to treat a missing CRL during signature validation as a warning. Set to 1 to treat a missing CRL as an error. Default is 0. | None |
SigStatusNoTrustDecision | 0, 1, 2 (DWORD) | Set to 0 to allow a No Trust decision. Set to 1 to treat a No Trust decision as a warning. Set to 2 to treat a No Trust decision as an error. Default is 0. | None |
PromoteErrorsAsWarnings | 0, 1 (DWORD) | Set to 0 to report Error Level 2 conditions as errors. Set to 1 to report Error Level 2 conditions as warnings. Default is 0. | None |
PublishtoGalDisabled | 0, 1 (DWORD) | Set to 1 to disable the Publish to GAL button. Default is 0. | Publish to GAL button |
FIPSMode | 0, 1 (DWORD) | Set to 1 to put Outlook into FIPS 140-1 mode. Default is 0. | None |
WarnAboutInvalid | 0, 1, 2 (DWORD) | Set to 0 to display the Show and Ask check box (Secure E-mail Problem dialog box). Set to 1 to always show the dialog box. Set to 2 to never show the dialog box. Default is 2. | Secure E-mail Problem dialog box |
DisableContinueEncryption | 0, 1 (DWORD) | Set to 0 to show the Continue Encrypting button on the final Encryption Errors dialog box. | Continue Encrypting button on the final Encryption Errors dialog box. This dialog box appears when a user tries to send a message to someone who cannot receive encrypted messages. This policy disables the button that allows users to send the message regardless. (The recipient cannot open encrypted mail messages sent by overriding the error.) |
RespondtoReceiptRequest | 0, 1, 2, 3 (DWORD) | Set to 0 to always send a receipt response and prompt for a password, if needed. Set to 1 to prompt for a password when sending a receipt response. Set to 2 to never send a receipt response. Set to 3 to enforce sending a receipt response. Default is 0. | None |
NeedEncryptionString | String | Displays the specified string when the user tries unsuccessfully to open an encrypted message. Can provide information about where to enroll in security. The default string is used unless the value is set to another string. | Default string |
Options | 0, 1 (DWORD) | Set to 0 to show a warning dialog box when a user attempts to read a signed message with an invalid signature. Set to 1 to never show the warning. Default is 0. | None |
MinEncKey | 40, 64, 128, 168 (DWORD) | Set to the minimum key length, in bits, for an encrypted e-mail message. | None |
RequiredCA | String | Set to the name of the required certificate authority. When a value is set, Outlook does not allow users to sign mail with a certificate from a different CA. | None |
EnrollPageURL | String | URL for the default certificate authority (internal or external) from which you want your users to obtain new digital IDs. Note: set this value in the HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security subkey if you do not have administrator privileges on the user’s computer. | Get Digital ID button |
When you specify a value for PromoteErrorsAsWarnings, note that potential Error Level 2 conditions include the following:
Unknown Signature Algorithm
No Signing Certification Found
Bad Attribute Sets
No Issuer Certificate Found
No CRL Found
Out of Date CRL
Root Trust Problem
Out of Date CTL
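As an added example (not code from the Outlook Resource Kit), the following Python audit parses a `reg export` of the Policies subkey above and flags settings weaker than a sample hardened baseline, filling in the defaults the table states for values that are absent. The sample export and the CA name in it are constructed, and the baseline thresholds are this example's own choices.

```python
# Added example: audit a .reg export of the Outlook policy key against a hardened
# baseline. Not code from the Outlook Resource Kit; thresholds are this example's own.
import re

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Outlook\Security"

# Constructed sample in `reg export` shape; "Contoso Issuing CA" is a made-up placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Outlook\Security]
"AlwaysSign"=dword:00000001
"MinEncKey"=dword:00000028
"SigStatusNoCRL"=dword:00000000
"DisableContinueEncryption"=dword:00000000
"RequiredCA"="Contoso Issuing CA"
"""

# Defaults the policy table states, applied when a value is absent from the export.
TABLE_DEFAULTS = {"AlwaysSign": 0, "SigStatusNoCRL": 0, "SigStatusNoTrustDecision": 0,
                  "PromoteErrorsAsWarnings": 0, "DisableContinueEncryption": 0, "WarnAboutInvalid": 2, "FIPSMode": 0}

def parse_reg(text, key):
    """Return {name: value} for one key of a .reg export (dword -> int, string -> str)."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):  # a key header switches which key we are reading
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if in_key and m:
            name, dword, string = m.groups()
            values[name] = int(dword, 16) if dword is not None else string
    return values

def audit(values):
    """Return 'Name: reason' findings for every setting weaker than the baseline."""
    eff = {**TABLE_DEFAULTS, **values}  # effective settings once defaults are filled in
    min_key = eff.get("MinEncKey")      # the table states no default, so unset means none
    checks = [
        ("AlwaysSign", eff["AlwaysSign"] == 1, "outgoing mail is not forced to be signed"),
        ("MinEncKey", isinstance(min_key, int) and min_key >= 128, f"minimum key length is {min_key}"),
        ("SigStatusNoCRL", eff["SigStatusNoCRL"] == 1, "a missing CRL is only a warning"),
        ("SigStatusNoTrustDecision", eff["SigStatusNoTrustDecision"] == 2, "No Trust is not an error"),
        ("PromoteErrorsAsWarnings", eff["PromoteErrorsAsWarnings"] == 0, "Level 2 errors downgraded"),
        ("DisableContinueEncryption", eff["DisableContinueEncryption"] == 1, "Continue Encrypting allowed"),
        ("WarnAboutInvalid", eff["WarnAboutInvalid"] == 1, "problem dialog is not always shown"),
        ("FIPSMode", eff["FIPSMode"] == 1, "FIPS 140-1 mode is off"),
        ("RequiredCA", bool(eff.get("RequiredCA")), "no required CA: any CA's certificate may sign"),
    ]
    return [f"{name}: {why}" for name, ok, why in checks if not ok]
```

Run `audit(parse_reg(open("export.reg").read(), POLICY_KEY))` against a real export to list the deviations; an empty list means every checked value meets the baseline.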
When you specify a value for EnrollPageURL, use the following parameters to send information about the user to the enrollment Web page.
Parameter | Placeholder in URL string |
---|---|
User display name | %1 |
SMTP e-mail name | %2 |
User interface language ID | %3 |
For example, to send user information to the Microsoft enrollment Web page, set the EnrollPageURL entry to the following value, including the parameters:
www.microsoft.com/ie/certpage.htm?name=%1&email=%2&helplcid=%3
If the user’s name is Jeff Smith, his e-mail address is someone@example.com, and his user interface language ID is 1033, then the placeholders are resolved as follows:
www.microsoft.com/ie/certpage.htm?name=Jeff%20Smith&email=someone@example.com&helplcid=1033
The following table lists additional Windows registry settings that you can use for your custom configuration. These settings are contained in the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Cryptography\SMIME\SecurityPolicies\Default
Value name | Value data (Data type) | Description | Corresponding UI option |
---|---|---|---|
ShowWithMulti | 0, 1 (DWORD) | Set to 0 to attempt to display a message when the signature layer has different labels set in different signatures. Set to 1 to prevent display of the message. Default is 0. | None |
CertErrorWith | 0, 1, 2 (DWORD) | Set to 0 to process a message with a certificate error when the message has a label. Set to 1 to deny access to a message with a certificate error. Set to 2 to ignore the message label and grant access to the message. (The user still sees a certificate error.) Default is 0. | None |
The values below apply only to certificates issued by Key Management Service (KMS). The following table lists additional Windows registry settings that you can use for your custom configuration. These settings are contained in the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Defaults\Provider
Value name | Value data | Description | Corresponding UI option |
---|---|---|---|
MaxPWDTime | 0, number (DWORD) | Set to 0 to remove the user’s ability to save a password (the user is required to enter a password each time a key set is required). Set to a positive number to specify the maximum password time in minutes. Default is 999. | None |
DefPWDTime | Number (DWORD) | Set to the default value for the amount of time a password is saved. | None |