Setting Consistent Outlook Cryptography Options for an Organization


You can control many aspects of Microsoft Office Outlook 2003 cryptography features to help configure more secure messaging and message encryption for your organization’s needs. To help control these features, you specify settings in the Windows registry or through policies. For example, you can set a policy to require a security label on all outgoing mail or a policy to disable publishing to the Global Address List.

Note

A number of Outlook cryptography registry settings have an equivalent setting on the Security tab in the Options dialog box (Tools menu) or another user setting. However, setting the value in the user interface does not create or set the equivalent setting in the Windows registry. You can use the Windows registry to change these settings directly.

The settings described in this chapter are not related to virus prevention. Virus prevention settings include options for trusted code or changes to the default list of e-mail attachment types that cannot be received or opened by your users. To find out more about configuring virus prevention features, see Chapter 12, “Customizing Outlook 2003 to Help Prevent Viruses.”

Tip

You can use group policies to set security levels in Outlook. In Group Policy, set the Required Certificate Authority, Minimum encryption settings, S/MIME interoperability with external clients, and Outlook Rich Text in S/MIME messages policies under Microsoft Office Outlook 2003\Tools | Options\Security\Cryptography. For more information about using Group Policy to lock down Microsoft Office 2003 settings, see “Managing Users’ Configurations by Policy” in Chapter 18, “Updating Users’ Office 2003 Configurations.”

Corresponding user interface options for Outlook security policies

Some of the security policies listed in this chapter correspond to user interface buttons or settings on user interface dialogs. This section lists the policies that correspond to these buttons or to options on one or more of these dialogs, grouped by the user interface button or dialog. Some policies affect settings in more than one area and appear on multiple lists.

For information about setting the policies, see the sections that follow this one. The specific setting that is affected by a policy is included for many policies in the “Corresponding UI option” column of the tables of policy settings.

Policies that affect settings on the Tools | Options | Security dialog:

  • AlwaysEncrypt

  • AlwaysSign

  • ClearSign

  • RequestSecurityEnhancedReceipt

  • PublishtoGalDisabled

  • EnrollPageURL

Policies that affect settings on the Tools | Options | Security | Settings dialog:

  • FIPSMode

  • MinEncKey (restricts encryption algorithms available to users)

Policies that affect settings on the Tools | Options | Security | Settings | Security labels dialog:

  • ForceSecurityLabel

  • ForceSecurityLabelX

Policies that affect settings on the Options | Security | Settings dialog in a new e-mail message:

  • AlwaysEncrypt

  • AlwaysSign

  • ClearSign

  • RequestSecureReceipt

  • ForceSecurityLabel

  • ForceSecurityLabelX

Policies that affect the toolbar buttons for encrypting and signing e-mail messages:

  • AlwaysEncrypt

  • AlwaysSign

Outlook security policies

The following table lists the Windows registry settings in the Policies tree that you can configure for your custom installation. You add these value entries in the following subkey:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Outlook\Security

| Value name | Value data (Data type) | Description | Corresponding UI option |
| --- | --- | --- | --- |
| AlwaysEncrypt | 0, 1 (DWORD) | When you set the value to 1, all outgoing messages are encrypted. Default is 0. | Encrypt contents check box |
| AlwaysSign | 0, 1 (DWORD) | When you set the value to 1, all outgoing messages are signed. Default is 0. | Add digital signature check box |
| ClearSign | 0, 1 (DWORD) | When you set the value to 1, Clear Signed is used for all outgoing messages. Default is 0. | Send clear text signed message check box |
| RequestSecureReceipt | 0, 1 (DWORD) | When you set the value to 1, security-enhanced receipts are requested for all outgoing messages. Default is 0. | Request S/MIME receipt check box |
| ForceSecurityLabel | 0, 1 (DWORD) | When you set this value to 1, a label is required on all outgoing messages. (The registry setting does not specify which label.) Default is 0. | None |
| ForceSecurityLabelX | ASN encoded BLOB (Binary) | Specifies whether a user-defined security label must be present on all outgoing signed messages. The string can optionally include label, classification, and category. Default is no security label required. | None |
| SigStatusNoCRL | 0, 1 (DWORD) | Set to 0 to treat a missing CRL during signature validation as a warning. Set to 1 to treat a missing CRL as an error. Default is 0. | None |
| SigStatusNoTrustDecision | 0, 1, 2 (DWORD) | Set to 0 to allow a No Trust decision. Set to 1 to treat a No Trust decision as a warning. Set to 2 to treat a No Trust decision as an error. Default is 0. | None |
| PromoteErrorsAsWarnings | 0, 1 (DWORD) | Set to 0 to report Error Level 2 conditions as errors. Set to 1 to report Error Level 2 conditions as warnings. Default is 0. | None |
| PublishtoGalDisabled | 0, 1 (DWORD) | Set to 1 to disable the Publish to GAL button. Default is 0. | Publish to GAL button |
| FIPSMode | 0, 1 (DWORD) | Set to 1 to put Outlook into FIPS 140-1 mode. Default is 0. | None |
| WarnAboutInvalid | 0, 1, 2 (DWORD) | Set to 0 to display the Show and Ask check box in the Secure E-mail Problem dialog box. Set to 1 to always show the dialog box. Set to 2 to never show the dialog box. Default is 2. | Secure E-mail Problem dialog box |
| DisableContinueEncryption | 0, 1 (DWORD) | Set to 0 to show the Continue Encrypting button on the final Encryption Errors dialog box. Set to 1 to hide the button. Default is 0. | Continue Encrypting button on the final Encryption Errors dialog box. This dialog box appears when a user tries to send a message to someone who cannot receive encrypted messages. The policy disables the button that lets users send the message regardless. (The recipient cannot open encrypted mail messages sent by overriding the error.) |
| RespondtoReceiptRequest | 0, 1, 2, 3 (DWORD) | Set to 0 to always send a receipt response and prompt for a password, if needed. Set to 1 to prompt for a password when sending a receipt response. Set to 2 to never send a receipt response. Set to 3 to enforce sending a receipt response. Default is 0. | None |
| NeedEncryptionString | String | Displays the specified string when the user tries unsuccessfully to open an encrypted message. Can provide information about where to enroll in security. The default string is used unless the value is set to another string. | Default string |
| Options | 0, 1 (DWORD) | Set to 0 to show a warning dialog box when a user attempts to read a signed message with an invalid signature. Set to 1 to never show the warning. Default is 0. | None |
| MinEncKey | 40, 64, 128, 168 (DWORD) | Set to the minimum key length for an encrypted e-mail message. | None |
| RequiredCA | String | Set to the name of the required certificate authority. When a value is set, Outlook does not allow users to sign mail with a certificate from a different CA. | None |
| EnrollPageURL | String | URL for the default certificate authority (internal or external) from which you want your users to obtain new digital IDs. | Get Digital ID button |

Note (EnrollPageURL): Set the value in the HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security subkey if you do not have administrator privileges on the user’s computer.
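Because setting a value in the user interface does not write the policy entry, the only reliable way to confirm that these policies are in force on a workstation is to read the subkey back. The following Python is an added example, not part of the Resource Kit and not a Microsoft tool: it parses the text of a `reg export` of the policy subkey and compares the values against a small hardening baseline. The sample export, the baseline thresholds (signing forced, no override of encryption errors, a minimum key length of at least 128, a required CA) and the `.invalid` enrollment URL are all constructed for this example; the value names and their meanings are the ones in the table above.

```python
import re
from typing import Dict, List, Tuple, Union

# Constructed sample of what `reg export` of the policy subkey might produce on
# one workstation. The values are illustrative and not taken from a real system.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Outlook\Security]
"AlwaysSign"=dword:00000001
"AlwaysEncrypt"=dword:00000000
"MinEncKey"=dword:00000040
"PromoteErrorsAsWarnings"=dword:00000001
"DisableContinueEncryption"=dword:00000000
"RequiredCA"="Example Issuing CA"
"EnrollPageURL"="https://enroll.example.invalid/certpage.htm?name=%1&email=%2&helplcid=%3"
'''

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Outlook\Security"

_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')
_STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')

Values = Dict[str, Union[int, str]]


def parse_reg_export(text: str) -> Dict[str, Values]:
    """Parse REG_DWORD and REG_SZ entries from .reg export text into {subkey: {name: value}}.
    Other data types (for example the binary blob of ForceSecurityLabelX) are skipped.
    Subkey paths are lower-cased because registry paths are case-insensitive."""
    keys: Dict[str, Values] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)  # .reg stores DWORDs in hex
            continue
        m = _STRING_RE.match(line)
        if m:
            # .reg escapes backslashes and double quotes inside REG_SZ data
            keys[current][m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit_outlook_policy(values: Values) -> List[Tuple[str, str]]:
    """Compare one policy subkey against an example baseline (this example's own
    assumption, not a Microsoft recommendation). Each check uses the value semantics
    from the table above. Returns a sorted list of (value name, finding)."""
    findings: List[Tuple[str, str]] = []

    def expect(name: str, wanted: int, risk: str) -> None:
        actual = values.get(name)
        if actual != wanted:
            findings.append((name, f"expected {wanted}, found {actual!r}: {risk}"))

    expect("AlwaysSign", 1, "outgoing messages are not forced to be signed")
    expect("SigStatusNoCRL", 1, "a missing CRL during signature validation is only a warning")
    expect("PromoteErrorsAsWarnings", 0, "Error Level 2 conditions are reported as warnings")
    expect("DisableContinueEncryption", 1, "users can override encryption errors and send anyway")

    min_key = values.get("MinEncKey")
    if not isinstance(min_key, int) or min_key < 128:
        findings.append(("MinEncKey", f"found {min_key!r}: minimum encryption key length below 128"))
    if not values.get("RequiredCA"):
        findings.append(("RequiredCA", "no required CA, so a certificate from any CA can sign mail"))
    return sorted(findings)


def audit_reg_export(text: str) -> List[Tuple[str, str]]:
    """Parse an export and audit the Outlook policy subkey found in it (empty if absent)."""
    return audit_outlook_policy(parse_reg_export(text).get(POLICY_KEY.lower(), {}))


if __name__ == "__main__":
    for name, finding in audit_reg_export(SAMPLE_REG_EXPORT):
        print(f"{name}: {finding}")
```

An absent value is reported as a finding rather than silently treated as the default, because for every setting in the table the default is the weaker choice; the absence of `SigStatusNoCRL` in the sample is flagged for that reason.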

When you specify a value for PromoteErrorsAsWarnings, note that potential Error Level 2 conditions include the following:

  • Unknown Signature Algorithm

  • No Signing Certification Found

  • Bad Attribute Sets

  • No Issuer Certificate Found

  • No CRL Found

  • Out of Date CRL

  • Root Trust Problem

  • Out of Date CTL

When you specify a value for EnrollPageURL, use the following parameters to send information about the user to the enrollment Web page.

| Parameter | Placeholder in URL string |
| --- | --- |
| User display name | %1 |
| SMTP e-mail name | %2 |
| User interface language ID | %3 |

For example, to send user information to the Microsoft enrollment Web page, set the EnrollPageURL entry to the following value, including the parameters:

www.microsoft.com/ie/certpage.htm?name=%1&email=%2&helplcid=%3

If the user’s name is Jeff Smith, his e-mail address is someone@example.com, and his user interface language ID is 1033, then the placeholders are resolved as follows:

www.microsoft.com/ie/certpage.htm?name=Jeff%20Smith&email=someone@example.com&helplcid=1033
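The resolution above percent-encodes the space in the display name. The following Python is an added example, not from the Resource Kit, that carries the same substitution through for arbitrary input: it resolves the three placeholders in one pass and percent-encodes each value so that a display name containing characters such as `&`, `=` or `#` cannot spill into a second query parameter. The function name is this example's own; `@` is left unencoded so that the output matches the page's worked example.

```python
import re
from urllib.parse import quote

# The EnrollPageURL value shown on the page for the Microsoft enrollment page.
ENROLL_TEMPLATE = "www.microsoft.com/ie/certpage.htm?name=%1&email=%2&helplcid=%3"

_PLACEHOLDER_RE = re.compile(r"%[123]")


def expand_enroll_url(template: str, display_name: str, smtp_address: str, lcid: int) -> str:
    """Resolve %1 (user display name), %2 (SMTP e-mail name) and %3 (UI language ID).

    Each value is percent-encoded so that '&', '=', '#' or '%' inside a display
    name stays within its own query parameter. Substitution is a single regex pass:
    chained str.replace calls would wrongly re-match the '%2' inside the '%20'
    produced for a space in the display name."""
    values = {
        "%1": quote(display_name, safe=""),
        "%2": quote(smtp_address, safe="@"),
        "%3": str(int(lcid)),
    }
    return _PLACEHOLDER_RE.sub(lambda m: values[m.group(0)], template)


if __name__ == "__main__":
    # Reproduces the page's worked example: Jeff Smith, someone@example.com, LCID 1033
    print(expand_enroll_url(ENROLL_TEMPLATE, "Jeff Smith", "someone@example.com", 1033))
```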

Security policies for general cryptography

The following table lists additional Windows registry settings that you can use for your custom configuration. These settings are contained in the following subkey:

HKEY_CURRENT_USER\Software\Microsoft\Cryptography\SMIME\SecurityPolicies\Default

| Value name | Value data (Data type) | Description | Corresponding UI option |
| --- | --- | --- | --- |
| ShowWithMultiLabels | 0, 1 (DWORD) | Set to 0 to attempt to display a message when the signature layer has different labels set in different signatures. Set to 1 to prevent display of the message. Default is 0. | None |
| CertErrorWithLabel | 0, 1, 2 (DWORD) | Set to 0 to process a message with a certificate error when the message has a label. Set to 1 to deny access to a message with a certificate error. Set to 2 to ignore the message label and grant access to the message. (The user still sees a certificate error.) Default is 0. | None |

Security policies for KMS-issued certificates

The values below only apply to KMS-issued certificates. The following table lists additional Windows registry settings that you can use for your custom configuration. These settings are contained in the following subkey:

HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Defaults\Provider

| Value name | Value data (Data type) | Description | Corresponding UI option |
| --- | --- | --- | --- |
| MaxPWDTime | 0, number (DWORD) | Set to 0 to remove the user’s ability to save a password (the user is required to enter a password each time a key set is required). Set to a positive number to specify the maximum password time in minutes. Default is 999. | None |
| DefPWDTime | Number (DWORD) | Set to the default value for the amount of time a password is saved. | None |




Microsoft Office 2003 Resource Kit 2003
Microsoft Office 2003 Editions Resource Kit (Pro-Resource Kit)
ISBN: 0735618801
Year: 2004
Pages: 196
