Chapter 12: Customizing Outlook 2003 to Help Prevent Viruses

Download CD Content

Microsoft Office Outlook 2003 includes security-related features that help guard against viruses that are spread via attachments to e-mail messages, as well as from worm viruses that replicate through Microsoft Outlook. These security-related features are installed by default with Outlook 2003, which means that a standard installation will contain the locked-down settings established by the Outlook security template. However, you can customize these settings to meet the needs of your organization.

Configuring Outlook Security Features to Help Prevent Viruses

The Microsoft Outlook security model includes a number of features to help protect users against viruses and worms that can be propagated through e-mail messages. The security-related features include object model blocks (such as limiting automated address book access), access to attachments, and so on. Security-related features are included in the product, but they can be customized. Most of the features relating to security can be customized by using the Outlook security template.

You customize options in the Outlook security template, then publish a form in a special public folder on your Microsoft Exchange server. The form creates items in the public folder to represent the settings. When you publish the form, the items are updated with the new security settings. Then Outlook can be directed (by a registry key setting) to reference the settings stored there. The settings can only be updated by an authorized administrator.

The settings that can be configured by the template can help to provide a high level of security. However, the higher the level of security, the more limitations there are to functionality in Outlook. Restrictions enforced by the Outlook security form include limits to specific types of attachments, heightened default security settings, and controlled access to the Outlook automation code.

Requirements for customized security settings

As an administrator, you can use the template to customize the Outlook security settings to help meet your organization’s needs. For example, you can help to control the types of attached files blocked by Outlook, modify the Outlook object model security and warning levels, and specify user or group security levels. However, to customize these settings, your users must have the appropriate Outlook configuration.

To enable custom security settings, your users must be using Outlook with Microsoft Exchange Server and have their mail delivered by default to either their Exchange mailbox or an Offline Folder file (OST file). You cannot modify most of these settings if a user is using a local Personal Folders file (PST file) for a mailbox, or if your organization is using Outlook with a third-party e-mail service. (The exception is for attachment-blocking settings, which can be configured with a local PST file or when using a third-party e-mail service.)

Enabling customized security settings for users

When you create custom security settings for Outlook by using the Outlook security template, the settings are stored in messages in a top-level folder in the Public Folders tree. Users who need these settings must have a special registry key set on their computers for the settings to apply.

When the key is present, Outlook will look on the Exchange server for custom security settings to apply to a user. If these settings are found, they are applied. Otherwise, the default security settings in Outlook are used.

Users without the special key will have the default Outlook security settings that are in the product.

Note that in some cases, administrator-defined security settings may interact with security settings defined by the user. Specifically, users can customize attachment-blocking behavior, if their administrator has given permission.

Installing the files required to customize security settings

The files you need to configure the security settings and publish the form to enforce the settings are included in a self-extracting executable available from the Office 2003 Resource Kit. This executable, Admpack.exe, is included in the Office Resource Kit tools available from the Toolbox of the Office 2003 Resource Kit Web site at http://www.microsoft.com/office/ork/2003. It is not installed by default from the Office Resource Kit Setup program. The four administrative files are as follows:

• OutlookSecurity.oft

  An Outlook template that enables you to customize Outlook client security settings that are saved in a public folder on the Microsoft Exchange server. The OFT is the form that you publish into the special public folder that Outlook can be directed to reference for client security settings.

• Hashctl.dll and Comdlg32.ocx

  Two controls used by the form.

• Readme.doc

  A document that provides information on the values and settings available in the template and describes how to deploy the new settings on the Exchange server.

Customized security settings caveats

There are a couple caveats to keep in mind when deploying customized security settings for Microsoft Office Outlook 2003:

• Outlook must be restarted to get the customized settings.

  The first time a user starts Outlook after the customized security settings have been applied, the user will see default administrative settings and not the exception or default form that has been set. The user needs to close Outlook and then restart Outlook again to get the correct security settings and permissions.

• No customized settings are applied in PIM-only mode.

  In PIM (Personal Information Manager) mode, Outlook uses the default security settings. No administrator settings are looked for or used in this mode.

Resources and related information

For more information about how administrator settings work with user settings, see “Administrator-Controlled Settings vs. User-Controlled Settings” later in this chapter.