Securing Outlook 2003


Exchange Server 2003 and Microsoft Office 2003 are tightly integrated, and together they present a formidable security front. The new and improved features that help provide a safe and reliable messaging environment are described in the following sections.

Securely Accessing Exchange over the Internet

In previous versions of Exchange (and Outlook), Outlook users who needed to connect to Exchange over the Internet had to establish a VPN connection before using Outlook. The only alternatives were to open a wide range of RPC ports to the Internet or to make a few Registry modifications to statically map the RPC ports. Either way presents more of a security risk to the Exchange messaging environment than most organizations are willing to accept.

Now, with Exchange Server 2003 and Outlook 2003, Outlook 2003 users can connect securely over the Internet via an HTTPS proxy connection. This feature reduces the need for VPN solutions and keeps the messaging environment as secure as possible. VPN solutions are still viable and can be used to provide a host of other services for mobile users.

To enable this type of secure connectivity, do the following:

  1. Within Outlook 2003, select E-mail Accounts from the Tools menu.

  2. Select View or change existing email accounts and then click Next to continue.

  3. Click Change and, on the next screen, click the More Settings button.

  4. Under the Connection tab, check Connect to my Exchange mailbox using HTTP and then click the Exchange Proxy Settings button.

  5. Type the URL. This can be the same URL as the OWA or Outlook Mobile Access (OMA) URL, as shown in Figure 11.4.

    Figure 11.4. Configuring a secure Outlook 2003 connection to Exchange Server 2003 over the Internet.


  6. Verify that Connect using SSL only is checked. If SSL is not used, the connection will use HTTP and will not be secure.

  7. Optionally, select whether this SSL connection requires mutual authentication. Mutual authentication ensures that both parties (the server and the client) are who they say they are.

  8. Choose whether to use NTLM or Basic proxy authentication (NTLM is the stronger of the two and is used by default). The best practice is to use only NTLM to keep security at its highest.

  9. Click OK when done.

NOTE

This feature requires several components before functioning. It requires that the client is running Windows XP Professional with Service Pack 1 or higher and that the server infrastructure is running Windows Server 2003 and Exchange Server 2003 (that is, mailbox, front-end, Global Catalog, and public folder servers).


TIP

Outlook 2003 users who will be using RPC over HTTPS as described in this section should be using Cached Exchange mode. Cached Exchange mode optimizes the communications between Exchange Server 2003 and Outlook 2003.
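Step 6 above insists on Connect using SSL only because an RPC proxy session that arrives over plain HTTP carries the MAPI traffic in the clear. The following added example (not from the book) reads IIS W3C extended log lines from an Exchange front-end server and reports RPC proxy sessions that did not arrive on the SSL port. The RPC_IN_DATA/RPC_OUT_DATA methods and the /rpc/rpcproxy.dll path are what the RPC-over-HTTP transport uses; the field order follows the #Fields header, and the sample lines are constructed.

```python
"""Flag RPC-over-HTTP (Outlook 2003 RPC proxy) sessions that did not use SSL.

Added example, not from the book. Parses IIS W3C extended log lines from an
Exchange front-end server; the sample lines below are constructed.
"""

# Outlook's RPC-over-HTTP transport issues these two HTTP methods against
# the RPC proxy ISAPI extension on the front-end server.
RPC_PROXY_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}
RPC_PROXY_STEM = "/rpc/rpcproxy.dll"

SAMPLE_LOG = """\
#Fields: date time s-port cs-method cs-uri-stem cs-username c-ip sc-status
2003-11-05 14:02:11 443 RPC_IN_DATA /rpc/rpcproxy.dll CORP\\jsmith 10.0.0.5 200
2003-11-05 14:02:11 443 RPC_OUT_DATA /rpc/rpcproxy.dll CORP\\jsmith 10.0.0.5 200
2003-11-05 14:05:40 80 RPC_IN_DATA /rpc/rpcproxy.dll CORP\\rbrown 10.0.0.9 200
2003-11-05 14:05:40 80 RPC_OUT_DATA /rpc/rpcproxy.dll CORP\\rbrown 10.0.0.9 200
2003-11-05 14:06:02 443 GET /exchange/ CORP\\jsmith 10.0.0.5 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        values = raw.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign columns
        yield dict(zip(fields, values))


def unencrypted_rpc_sessions(text, ssl_ports=("443",)):
    """Return sorted (user, client IP) pairs that reached the RPC proxy off SSL."""
    found = set()
    for entry in parse_w3c(text):
        if entry.get("cs-method") not in RPC_PROXY_METHODS:
            continue
        if entry.get("cs-uri-stem", "").lower() != RPC_PROXY_STEM:
            continue
        if entry.get("s-port") not in ssl_ports:
            found.add((entry.get("cs-username"), entry.get("c-ip")))
    return sorted(found)


if __name__ == "__main__":
    for user, ip in unencrypted_rpc_sessions(SAMPLE_LOG):
        print(f"plaintext RPC over HTTP: {user} from {ip}")
```

Any hit means a client profile has SSL unchecked or port 80 is still bound to the RPC virtual directory; both are worth fixing before exposing the front-end server.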


Encrypting Outlook 2003 and Exchange Server 2003 Communications

As a MAPI client, Outlook 2003 uses Remote Procedure Calls (RPCs) to communicate with Exchange Server 2003. RPCs are interprocess communication (IPC) mechanisms that may or may not encrypt the information they carry. By default, Outlook 2003 does not use encrypted RPC communication. It is important to note that this form of encryption is different from RPC over HTTPS as described earlier in the section "Securely Accessing Exchange over the Internet." RPC over HTTPS is still required if the Outlook 2003 client needs to communicate securely over a public network such as the Internet.

In Figure 11.5, a user or administrator can enable encrypted RPC communication between Outlook 2003 and Exchange Server 2003 by simply checking the box within the Encryption section. To modify this setting, do the following:

  1. In Outlook 2003, click on E-mail Accounts from the Tools menu.

  2. Select View or change existing email accounts and then click Next.

  3. Click the Change button and, on the next window, click the More Settings button.

  4. Select the Security tab and then check Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server.

  5. Click OK to close the window.

  6. Click Next and then Finish when done.

Figure 11.5. Enabling encrypted RPC communications in a LAN environment.


Because encryption requires additional processing overhead, it is important to thoroughly test this feature prior to deploying it in a production environment.

Authenticating Users

By default, Outlook 2003 uses the credentials of the user who is logged on to the local computer to access the Outlook 2003 profile and mailbox. It first tries Kerberos for the authentication process and then falls back to NT LAN Manager (NTLM). Administrators can also set Outlook 2003 to use Kerberos only or NTLM only, as illustrated in Figure 11.6.

Figure 11.6. Configuring authentication options for Outlook 2003.


TIP

For stronger security, use Kerberos-only authentication. Use the Kerberos/NTLM or the NTLM options only for backward compatibility with older systems. Kerberos provides encryption of a user's credentials when communicating with Active Directory for authentication.


Although the default setting is a secure method of authenticating users, some users are still apt to leave their computers unattended, which leaves open the opportunity for someone to gain unauthorized access to the user's email. For instance, a user leaves to run an errand and forgets to lock the computer or log off. Someone in the office can then simply open Outlook 2003 and have full access to the user's mailbox.

Many organizations do not necessarily consider this a high security risk or the organization's responsibility, but Outlook 2003 can nonetheless be configured to reduce the chances of it occurring. Outlook 2003 can be set to always prompt for the user's username and password before accessing the mailbox on Exchange Server 2003. To increase this level of security, do the following:

  1. Within Outlook 2003, select E-mail Accounts from the Tools menu and then select View or change existing email accounts. Click Next to continue.

  2. Click the Change button and, in the next window, click More Settings.

  3. Go to the Security tab and then in the User identification section, check Always prompt for username and password.

Blocking Attachments

A common and often effective way for viruses and malicious scripts to spread is through email. When a user receives a message with an infected attachment, all the user needs to do is open the attachment for the virus to infect the computer.

As a result of this threat, Microsoft has incorporated attachment blocking in Outlook, and in Outlook Web Access (OWA), to help prevent such infections. By default, Outlook does not block attachments with common Microsoft Office file formats, such as .doc, .xls, and .ppt, but it does block executables, such as .exe, .bat, and .vbs files. It is important to note that the common Microsoft Office file attachments that are not blocked by default can still contain viruses. However, running antivirus software on the client computer can significantly reduce the chances of these types of attachments causing any harm.

Outlook does not provide any way for the end-user to unblock these attachments. If files with these file formats need to be shared, users must rename the file, zip the files in question, or place the files on a network share.

NOTE

If an Outlook 2003 user tries sending an attachment that is blocked by default, a warning message is displayed informing the user that the attachment may be unsafe and recipients using Outlook 2003 may not be able to open the attachment. It then asks the user if the attachment should be sent anyway.
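Because the block is keyed on the file extension alone, the workarounds the text mentions (renaming the file or zipping it) carry a blocked file type past Outlook and onto the client's antivirus. The following added example (not Outlook's own code) applies that extension rule to a constructed set of attachments and also looks inside zip archives, so a mail gateway or desktop check can see what Outlook's built-in blocking lets through. BLOCKED holds only the extensions the text names; Outlook's real list is longer.

```python
"""Apply Outlook-style extension blocking to a message's attachments, and
report blocked file types that a zip archive or a renamed file would carry
through. Added example, not Outlook's code; sample attachments are constructed."""
import io
import zipfile
from pathlib import PurePosixPath

# Only the extensions the text names; Outlook's actual Level 1 list is longer.
BLOCKED = {".exe", ".bat", ".vbs"}


def is_blocked_name(filename):
    """True if the final extension is on the blocked list (case-insensitive)."""
    return PurePosixPath(filename).suffix.lower() in BLOCKED


def blocked_entries_in_zip(data):
    """Names inside a zip that would be blocked if attached bare.
    Outlook's blocking does not look inside archives, so these reach the user."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist() if is_blocked_name(name)]


def classify(attachments):
    """attachments: {filename: bytes}.
    Returns (names Outlook would block, 'zip:inner' entries that pass through)."""
    blocked, passthrough = [], []
    for name, data in attachments.items():
        if is_blocked_name(name):
            blocked.append(name)
        elif name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
            passthrough.extend(f"{name}:{inner}" for inner in blocked_entries_in_zip(data))
    return blocked, passthrough


def make_zip(entries):
    """Build an in-memory zip from {name: bytes} (used for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


SAMPLE = {
    "report.doc": b"constructed office document",   # not blocked by default
    "setup.exe": b"constructed binary",             # blocked
    "Invoice.VBS": b"constructed script",           # blocked, case-insensitive
    "tools.zip": make_zip({"readme.txt": b"hi", "run.bat": b"@echo off"}),
    "notes.ex_": b"renamed binary",                 # renamed: slips past the rule
}

if __name__ == "__main__":
    print(classify(SAMPLE))
```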




Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
Year: 2003
Pages: 393
Authors: Rand Morimoto
