
Recipe 8.2. Configuring Attachment Blocking for Outlook

Problem

You want to control the attachment types available to Outlook users on your servers.

Solution

To change attachment blocking settings for Outlook on a single computer so that additional attachment types can be viewed, do the following:

  1. Quit Outlook 2003.

  2. Open the Registry Editor (regedit.exe).

  3. Navigate to the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\.

  4. If a subkey called Security exists, skip to step 7.

  5. If not, select the Outlook key and choose New → Key from the Edit menu; name the new key Security.

  6. Select the Security key, then choose New → String Value from the Edit menu.

  7. Name the string value Level1Remove.

  8. Right-click the Level1Remove value and choose Modify.

  9. Enter the extensions of the file types you want to access through Outlook. You can type multiple extensions separated with semicolons, such as:

    .exe;.mdb;.bat

  10. Quit the Registry Editor.

  11. Restart Outlook 2003.
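
The setting made in the steps above can be audited from PowerShell. This is an added example, not code from the book: it reads Level1Remove for the current user and reports which extensions have been unblocked and whether each one is on the Table 8-2 level 1 list. The function names and the sample value are hypothetical; the key path is the one from step 3 plus the Security subkey.

```powershell
# Added example (not from the book). Level 1 extensions copied from Table 8-2.
$Level1Default = '.ade','.adp','.asx','.bas','.bat','.chm','.cmd','.com','.cpl',
                 '.crt','.exe','.hlp','.hta','.inf','.ins','.isp','.js','.jse',
                 '.lnk','.mda','.mdb','.mde','.mdz','.msc','.msi','.msp','.mst',
                 '.pcd','.pif','.prf','.reg','.scf','.scr','.sct','.shb','.shs',
                 '.url','.vb','.vbe','.vbs','.wsc','.wsf','.wsh'

# Hypothetical helper: turn a Level1Remove string into a clean extension list.
function ConvertFrom-Level1Remove {
    param([string]$Value)
    # Split on semicolons, drop empty items, normalise case and the leading dot.
    $Value -split ';' |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ } |
        ForEach-Object { if ($_.StartsWith('.')) { $_ } else { ".$_" } } |
        Sort-Object -Unique
}

# Hypothetical helper: report the current user's level 1 overrides.
function Get-OutlookLevel1Override {
    param(
        [string]$KeyPath = 'HKCU:\Software\Microsoft\Office\11.0\Outlook\Security'
    )
    # A missing key or value means Outlook is using its built-in level 1 list.
    $prop = Get-ItemProperty -Path $KeyPath -Name Level1Remove `
                             -ErrorAction SilentlyContinue
    if (-not $prop) { return @() }
    foreach ($ext in ConvertFrom-Level1Remove $prop.Level1Remove) {
        [pscustomobject]@{
            Extension       = $ext
            # True when the override unblocks a type listed in Table 8-2.
            DefaultLevel1   = $Level1Default -contains $ext
        }
    }
}

# Constructed sample value, parsed without touching the registry.
ConvertFrom-Level1Remove '.exe;.mdb; BAT;;.txt'

# Audit the logged-on user's profile.
Get-OutlookLevel1Override | Format-Table -AutoSize
```

An empty result means no local override is present. Because public-folder settings override settings on individual client machines, a non-empty result shows only what the local registry requests.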

You can also use the Outlook Administrator Pack to apply attachment blocking settings to multiple computers. You do this by creating a public folder named Outlook Security Settings, then installing a custom form in it and using that form to edit the security settings you want applied to your Outlook clients. Settings you apply in this manner will override settings on individual client machines.

If you choose to use this method, the first step is installing the Outlook Administrator Pack:

  1. Download the Outlook Administrator Pack from:

    http://www.microsoft.com/resources/documentation/office/2003/all/reskit/en-us/default_tools.mspx

    You can also find this utility in the Office Resource Kit Toolbox.

  2. Find the Outlook Administrator Pack, Admpack.exe, in the Tools folder (C:\Program Files\ORKTOOLS\ORK11\TOOLS\Outlook Administrator Pack). This executable will extract four files: OutlookSecurity.oft, Hashctl.dll, Comdlg32.ocx, and Readme.doc.

  3. Choose a computer that will serve as the administration point for your security settings. This computer should not be your Exchange Server.

  4. Copy the file Hashctl.dll to the %systemroot%\system32 directory on your administrative workstation.

  5. Register the hashing DLL by typing the following from the Start → Run dialog or from a command line:

    > regsvr32.exe hashctl.dll

  6. If it's not already on your machine, install the Comdlg32.ocx file:

    1. Copy the file Comdlg32.ocx to the %systemroot%\system32 directory.

    2. Register the control by typing the following from the Start → Run dialog or from a command line:

      > regsvr32.exe comdlg32.ocx

Once you've installed and registered the Outlook Administrator Pack's components, you have to create a public folder to hold the security settings:

  1. Log in to Outlook and create a public folder in the root of the MAPI public folder tree (usually named All Public Folders). The new folder should be named according to what you want to do with it:

    • If you want the settings to apply only to Outlook XP, name it Outlook 10 Security Settings.

    • If you want the settings to apply only to Outlook 2003, name it Outlook 11 Security Settings.

    • If you want it to apply to all versions of Outlook (as you probably do), name it Outlook Security Settings.

  2. Ensure all users have permissions to read items in your public folder.

  3. Open the OutlookSecurity.oft form found in the folder you specified in step 2.

  4. When Outlook asks where you want to instantiate the new form, choose the folder you just created.

  5. Select the Tools menu and choose Forms, then Publish Form. Ensure the currently selected folder is your current folder.

  6. Name your form Outlook Security Form, then click Publish.

  7. Close the form and do not save changes.

After you've created the public folder, you can instantiate the settings form and use it to create some security settings:

  1. Navigate to the newly created folder in Outlook and use the Actions menu to create a new copy of the form (see Figure 8-1).

    Figure 8-1. The Outlook security form


  2. You can create a default security policy, or create customized policies for groups of users. By default, the Default Security Settings for All Users radio button will be active, meaning that these settings will apply to all Outlook users on this Exchange server. If you want to apply these settings to a subset of your users, select the Security Settings for Exception Group button, then fill in the Security Group Name and Members fields.

  3. To control attachment blocking, use the check boxes under Miscellaneous Attachment Settings. You can disable blocking completely as well as allow users to move attachments from Level 1 to Level 2.

    • The Show level 1 attachments checkbox tells Outlook whether or not you want the names of level 1 attachments to be visible in the InfoBar.

    • The Do not prompt about level 1 attachments when sending an item and Do not prompt about level 1 attachments when closing an item checkboxes govern whether Outlook warns you when you include a forbidden attachment in a message you're composing.

    • The Allow in-place activation of embedded OLE objects checkbox controls whether Outlook will allow in-place activation or not. In-place activation actually turns on an embedded application, making its menus and toolbars visible and active within the MDI frame of an existing application. Since this actually cedes control of the current application to the automation server for the embedded object, it poses a small security risk, so Microsoft lets you turn it off.

    • The Show OLE package objects option controls whether Outlook will show OLE binder objects; again, this represents a small security risk.

  4. To control access to specific attachment types, add file extensions to either the Add or Remove boxes under the Level 1 File Extensions and Level 2 File Extensions headings.

  5. The Enable scripts in one-off Outlook forms checkbox controls whether individual Outlook forms may run scripts or not; the remaining radio buttons regulate what happens when external code attempts to use the Outlook object model to execute actions or access properties of a form item. The radio buttons give you three options:

    • The Prompt user radio button causes Outlook to display a dialog box prompting the user to choose whether to allow access or not.

    • The Automatically approve radio button tells Outlook to allow all access without displaying a warning.

    • The Automatically deny radio button tells Outlook to deny all requests without asking.

  6. When you're finished setting policies for users, scroll to the bottom of the form and click the Close button.

Discussion

As a technical solution to what is largely a behavioral problem,[1] Outlook 2000 SP1 and later checks the file type of each message attachment against an internal list of file types. A default list is included with the product; you can override or customize this list using an Exchange public folder or local registry settings. There are two types of blocked files:

[1] "There are seldom good technical solutions to behavioral problems." (Ed Crowley)


Level 1

These file types (including .bat, .exe, .vbs, .lnk, and .js) are blocked by Outlook. Recipients get a warning InfoBar listing the blocked files when they open or preview a message with a level 1 attachment, but they can't see or access the attachment themselves. Table 8-2 lists the level 1 attachment types.


Level 2

This includes most other file types. With level 2 attachments, you can see the icon for the attachment, and when you double-click it, you are prompted to save the attachment to your hard disk, but you can't run it directly from its current location. After you have saved the attachment, you can decide how to handle it. This is supposed to make users think before blindly double-clicking every collection of bits that land in their Inbox. Note that no level 2 attachment types are blocked by default in Outlook 2003.

Table 8-2. Level 1 file types

    Extension   File type
    ---------   ---------
    .ade        Access project file
    .adp        Access project
    .asx        Windows Media Player shortcut
    .bas        Visual Basic class module
    .bat        MS-DOS/Windows batch file
    .chm        Compiled HTML help file
    .cmd        Windows batch file
    .com        MS-DOS program
    .cpl        Control panel
    .crt        PKCS#7-format digital certificate
    .exe        x86 executable
    .hlp        Help file
    .hta        HTML program
    .inf        Setup information file
    .ins        Internet Naming Service file
    .isp        Internet communication settings file
    .js         JavaScript script
    .jse        Encoded JavaScript file
    .lnk        Shortcut
    .mda        Access add-in
    .mdb        Access database
    .mde        Encoded Access database
    .mdz        Access wizard
    .msc        Microsoft Management Console (MMC) console file
    .msi        Windows Installer package
    .msp        Windows Installer patch
    .mst        Visual Test source file
    .pcd        Visual Test compiled script
    .pif        Shortcut to MS-DOS program
    .prf        Outlook profile
    .reg        Registry keys for REGEDIT
    .scf        Explorer command file
    .scr        Screen saver
    .sct        Windows scripting component
    .shb        Shortcut to a document section
    .shs        Shell scrap object
    .url        Internet shortcut/URL
    .vb         VBScript file
    .vbe        Encoded VBScript file
    .vbs        VBScript script
    .wsc        Windows script component
    .wsf        Windows script
    .wsh        Windows Scripting Host settings file

When you attach a file to an outgoing message, Outlook checks the file type against the level 1 list. If you've attached any level 1 files, you'll get a dialog that warns you that the recipients may not be able to open the attachment. Clicking Yes in this dialog sends the message as is.

When you receive a message that contains a level 1 attachment, your Inbox displays the paperclip in the attachment column to let you know that the message has an attachment. When you open an email message containing an attachment, the attachment is blocked, and the Outlook InfoBar warns you that the attachment is untouchable. The File → Save Attachments command (as well as the View Attachments command on the shortcut menu you see when you right-click) will show only those attachments that aren't blocked, so blocked attachments are completely inaccessible. When you open the message itself, you'll see the same warning, but you can still get to all attachments whose extensions aren't on the banned list. If you receive a message containing a level 2 file as an attachment, the attachment will appear normally. However, when you try to open it, you'll get a warning dialog telling you that it's a bad idea to run the attachment directly and offering to let you save it to disk.

See Also

Recipe 8.4 for blocking attachments in OWA, MS KB 837388 (How to configure Outlook to block additional file name extensions), MS KB 829982 (Cannot open attachments in Microsoft Outlook), MS KB 284414 (The recipient receives an "Outlook blocked access to the following unsafe attachments" error message when you send an e-mail message that contains a shortcut to a file in Outlook 2002 and Outlook 2003). Microsoft's web site shows a longer list of Level 1 default file types (http://office.microsoft.com/en-us/assistance/HA011402971033.aspx).



Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
EAN: 2147483647
Year: 2006
Pages: 235