MORE INFORMATION
Overview
The Microsoft Outlook E-mail Security Update provides many
security features that are designed to prevent the spread of malicious
attachments and custom code. If you are using Microsoft Exchange Server,
administrators can control the behavior of these new features. However, for
administrators to customize settings, users must have their mail delivered to
an Exchange Server mailbox. Any configuration that has incoming mail delivered
to a Personal Folders (.pst) file cannot use customized settings (for example,
if you are using Outlook in Internet Mail Only (IMO) mode).
Using the tools described in this article, you can customize the security update to meet
your organization's needs. For example, you can control the types of attached
files blocked by Outlook, modify the Outlook Object Model warning
notifications, and specify user or group security levels.
Users cannot control any of the customizable settings because the administrator
controls all of the settings. The settings are stored in a public folder on the
Exchange Server computer, and only the administrator has full access to the
folder; all other users are given read-only permissions. When a user starts
Outlook, Outlook checks a Windows registry key to see if the administrator has
specified that the user can use customized settings. If the registry key is not
found, or the registry key is not set to enable customized settings, Outlook
uses the default maximum security settings and all of the features of the
security update are enabled. If the registry key exists, however, and it is set
to enable custom settings, Outlook retrieves the user's settings from the
public folder on the Exchange Server computer.
After custom security settings are set up and work correctly, Outlook can
automatically synchronize these custom security settings for users who work
offline by using an offline folders file (.ost). To do this, users need to add
the Outlook Security Settings public folder to the Favorites folder and then
synchronize the folders. After the folder is added to Favorites, it may not be
visible, but it functions normally.
For additional information about offline folders and how to use them, click
the following article number to view the article in the Microsoft Knowledge Base:
195435 What are Offline folders and how do you use them?
How to Obtain Administrator Information and Tools
The Microsoft Office Resource Kit (ORK) Web site contains
information and files that administrators can download. General information
about how to administer the security update is located at the following
Microsoft Web site:
In addition, you can download two files at the following
Microsoft Web site:
The Admpack.exe file contains the following files:
- A Readme.txt file that contains documentation for
administrators.
- The Outlook Security Form template
(OutlookSecurity.oft).
- A policy file (Outlk9.adm) for computers that are set up
with system policies.
The O2ksec_a.exe file contains the OQFE7117_Admin.msp file that
you can use to update an administrative installation of Microsoft Office.
How to Set Up the Outlook Security Settings Folder
NOTE: Using custom settings with the Outlook E-mail Security Update is
only supported on Microsoft Exchange Server version 5.0 or later. Microsoft
Exchange Server version 4.x is not supported.
An organization's Outlook security settings are stored in the Outlook Security Settings folder.
An administrator configures the settings, and each individual client computer
can optionally retrieve settings from this folder every time that Outlook
starts. The Outlook Security Settings folder must be available to client
computers at all times. Programs that rely on custom security settings may
revert to the default security settings if the Outlook Security Settings folder
becomes unavailable.
Section 2.2 of the Readme.txt file describes how
to set up the public folder. You must name the folder "Outlook Security
Settings" (without quotation marks) and it must be located in the All Public
Folders folder.
How to Create the Folder
To create the Outlook Security Settings folder:
- In the Folder List pane, right-click All Public Folders, and then click New Folder.
If you do not see the Folder List pane, click Folder List on the View menu.
- Type Outlook Security Settings as the name of the folder.
- Keep the default settings in the Properties dialog box, and then click OK.
How to Set Permissions on the Outlook Security Settings Folder
After you create the Outlook Security Settings folder, you must
set the proper permissions on the folder. As the folder's creator, you
automatically have owner permissions on the folder. If you want to let other
people set Outlook security settings, you can give other users owner
permissions on the folder. Microsoft recommends that you do this with
discretion. To change permissions on the folder:
- In the Folder List pane, right-click the Outlook Security Settings folder, click Properties, and then click the Permissions tab.
- In the list of permissions, click Default, and then change the role to Reviewer because users need only basic read permissions on the
folder.
- If you want to let other people administer the folder,
click the Add button to add their names. Assign owner permissions to the users
that you added.
- Click OK.
All users can see the Outlook Security Settings folder in the
list of public folders. In addition, users can open the items that contain the
settings and therefore see how all of the other users are configured.
NOTE: For the registry change to work for the Admin Security Update on
users' machines that run Windows NT or Windows 2000, the users must have
Read/Allow permissions. To check this on Windows NT or Windows 2000:
- Click Start, and then click Run.
- Type regedt32, and then click OK.
- Navigate to HKEY_USERS, click the Security menu, and then
select Permissions.
- The Everyone group should be listed (if it is not, add it);
make sure that Read/Allow is checked for it.
- Also check under the Advanced button to verify that
Everyone has Read permissions.
- Also check "Allow inheritable permissions from parent to
propagate to this object".
- Click OK, and then close regedt32 to save the changes.
This allows users to add the registry key described in this article
without having to log on as administrators.
How to Use the Outlook Security Form
When you use the Outlook Security form, you can change security
settings for Outlook users. Section 2.3 of the Readme.txt file provides
detailed steps about how to install the form. After the form is installed, it
is the default form for the Outlook Security Settings folder, and you can click
New to open the form and create a new security setting.
When you use the Outlook Security Form, you can create one item in the folder
that stores the default security settings for the users. In addition, you can
use the form to create additional items in the folder; each item is an
exception to the default security settings. For example, you can create a
"Power Users" item in the folder that contains a list of members in that group
and the custom settings that they have. The form stores the user's name in the
Members box of the form, and the settings are stored in a variety of
Outlook user-defined fields in the item. Settings that you can configure
include attachments, the Outlook object model, Simple Messaging Application
Programming Interface (MAPI), Collaboration Data Objects (CDO), and the type of
file extensions that are in the Level 1 or Level 2 lists. The Readme.txt file
contains more detailed information about the individual settings.
When you use the Members box on the form, type resolvable e-mail addresses
that are semicolon-delimited so that the entire list can be resolved, just as
if you were typing the text in the To box of an e-mail message. The data from
the Members box is actually stored in the To field of the item.
When you type file extensions on the form, as you are instructed to do in the
Readme.txt file, make sure that each
file extension does not include a period (.) before the file extension, that
each extension is separated with a semicolon (;), and that you do not have
spaces between the file extensions. For example:
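The three format rules above, as a small checker an administrator could run on a list before pasting it into the form. This is an added example, not part of the original article or the Readme.txt; the function name is hypothetical and the sample lists in the comments are constructed.

```python
def lint_extension_list(value):
    """Check a Level 1 / Level 2 extension list against the form's format rules.

    Returns (problems, normalized): human-readable problems found, and the
    list rewritten in the required form (no periods, no spaces, ';' separators).
    """
    problems, cleaned = [], []
    for pos, raw in enumerate(value.split(";"), start=1):
        token = raw.strip()
        if raw != token:
            problems.append(f"entry {pos}: space around {token!r}")
        if not token:
            continue  # trailing or doubled semicolon: nothing to keep
        if token.startswith("."):
            problems.append(f"entry {pos}: leading period in {token!r}")
            token = token.lstrip(".")
        # Anything still containing a space, comma or period is not one bare
        # extension (for example a comma used instead of a semicolon).
        if any(ch in token for ch in " ,."):
            problems.append(f"entry {pos}: {token!r} is not a single extension")
            continue
        cleaned.append(token)
    return problems, ";".join(cleaned)

# Constructed samples:
#   "exe;bat;vbs"       is well formed
#   ".exe; bat;vbs,js"  breaks all three rules
```

Entries that cannot be repaired automatically (such as `vbs,js`) are reported and left out of the normalized string so that they are fixed by hand.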
NOTE: The form includes settings for the CDO object model, but these
settings do not function unless you install the CDO E-mail Security Update.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
268279 Information about the CDO E-mail Security update
Note that the folder operates on a "most recently
created item" basis. If you add a user to more than one group, when Outlook
starts it finds and uses the most recently created item that contains that
user. Outlook does not retrieve all of the items from the folder, and Outlook
does not evaluate all of the permissions that the user has been granted over
the folder's history. Therefore, it is important that you carefully plan the
security settings groups and which users are members of each group.
How to Update an Administrative Installation Point
If the users in your organization are running Outlook or
Microsoft Office from a server location, the ORK provides details about how to
apply the Outlook E-mail Security Update to a server-based installation (the
"setup /a" command).
For information about how to update an Outlook 2000 administrative
installation point, please see the following Microsoft Web site:
Information About the Windows Registry Key
When a user starts Outlook, Outlook checks to see if a registry
key is set and configured to use custom security settings. If it is, Outlook
retrieves the user's settings from the Outlook Security Settings public folder.
The registry key holds a DWORD value and is in the following location:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Security\CheckAdminSettings
The following list describes the Outlook behavior for the registry key and its
value:
- No key: Outlook operates in lock-down
mode.
- Value of 0 (zero): Outlook operates in
lock-down mode.
- Value of 1 (one): Outlook looks for custom administrative
settings.
IMPORTANT: The behavior that is described may seem different from the
behavior that is described in section 2.4 of the Readme.txt file. The
Readme.txt file implies that if you have no key or if the key has a value of
zero, Outlook checks for settings on the server. This is not correct; the
default Outlook "lock-down" settings are used, not the settings that are stored
in the Default Security Settings folder in the public folder.
Section 2.4 of the Readme.txt file provides details about how to deploy the
registry key to users' computers. The method that you use to deploy the
registry key varies depending on your configuration and whether or not
policies are in effect.
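The start-up decision described in this section, combined with the "most recently created item" rule from the Outlook Security Form section, modeled as an added example (not code from Microsoft or the Readme.txt). Item names, addresses and dates are constructed; treating any value other than 1 as lock-down, and falling back to lock-down when the folder has no default item, are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

LOCKDOWN = "built-in lock-down defaults"

@dataclass(frozen=True)
class SecurityItem:
    name: str                 # item subject (hypothetical names below)
    created: datetime         # creation time of the item in the folder
    members: frozenset        # addresses from the Members box (To field)
    is_default: bool = False  # the one item holding the default settings

def parse_members(members_box):
    """Split a semicolon-delimited Members box into normalized addresses."""
    return frozenset(m.strip().lower() for m in members_box.split(";") if m.strip())

def effective_item(user, check_admin_settings, items):
    """Name the settings source used for `user` when Outlook starts.

    check_admin_settings is None when the registry value is absent,
    otherwise its DWORD value.
    """
    if check_admin_settings != 1:   # no key, or 0: the folder is not consulted
        return LOCKDOWN
    matches = [i for i in items if not i.is_default and user.strip().lower() in i.members]
    if matches:                     # the most recently created item wins
        return max(matches, key=lambda i: i.created).name
    default = next((i for i in items if i.is_default), None)
    return default.name if default else LOCKDOWN  # assumption: no default item

def overlapping_users(items):
    """Map each user listed in several exception items to those items, oldest first."""
    seen = {}
    for item in sorted(items, key=lambda i: i.created):
        if not item.is_default:
            for member in item.members:
                seen.setdefault(member, []).append(item.name)
    return {user: names for user, names in seen.items() if len(names) > 1}

# Constructed sample folder contents.
ITEMS = [
    SecurityItem("Default Security Settings", datetime(2000, 6, 1), frozenset(), True),
    SecurityItem("Power Users", datetime(2000, 6, 5),
                 parse_members("ann@example.com; bob@example.com")),
    SecurityItem("Kiosk", datetime(2000, 7, 1), parse_members("bob@example.com")),
]
```

Running `overlapping_users` over a planned set of items before creating them shows which users depend on creation order; for each such user, the last name in the list is the item that takes effect.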
How to Manually Create the Registry Key
For information about how to create the registry key, see section
2.4.3 of the Readme.txt file.
How to Implement the Security Update on Third-Party Mail Servers
For additional information about implementing the security update on third-party mail
servers, click the following article number to view the article in the Microsoft Knowledge Base:
265719 How to implement the Outlook E-mail Security update on other mail servers