IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that you
understand how to restore the registry if a problem occurs. For information
about how to back up, restore, and edit the registry, click the following
article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.
SUMMARY
When you install Microsoft Outlook 2000 Service Release 1a
(SR-1a), the digital security features in Microsoft Outlook are disabled, and
the default encryption level is set to 40-bit.
To use the following features after you have installed Outlook 2000 SR-1a,
edit the registry and download the appropriate updates as instructed in this
article:
- High Encryption (128-bit or higher)
- Certificate Revocation List checking
- Publish to GAL
MORE INFORMATION
How to Enable Security Features
Follow these steps to enable the digital security options,
including the Certificate Revocation List Checking and Publish to GAL features,
in Outlook 2000 SR-1a.
Note For additional information about how to use the Publish to GAL
feature, see the "How to use the Publish to GAL Feature" section of this
article.
- Click Start, click Run.
- In the Open box, type regedit, and then click OK.
- Locate the following subkey in the registry:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0\Outlook
- On the Edit menu, click New, and then click Key.
- Type Security to name the new subkey, and then press ENTER. The new subkey
  will be selected.
- On the Edit menu, click Add Value, and then add the following registry value:
  Value Name: EnableSRFeatures
  Data Type: REG_DWORD
  Value: 1
- Quit Registry Editor.
Note If the EnableSRFeatures value is set to 0, the new security features are
not enabled or visible.
For additional information about the security features that are described in
this article, click the following article number to view the article in the
Microsoft Knowledge Base:
249780 OL2000: XCLN: Updated Outlook Security Features Installed with Office
How to Enable High Encryption (128-Bit or Higher)
You must obtain the following updates to enable High Encryption.
Updated 128-Bit Encryption Provider for Outlook 2000 SR-1 (Required for All Versions of Microsoft Windows)
By default, Microsoft Outlook 2000 includes 40-bit encryption.
Download and install the updated 128-bit Encryption Provider for Outlook 2000
SR-1a to enable High Encryption. To do this, follow the steps that are
described in the following Microsoft Knowledge Base
article:
324522 OL2000: Incorrect Cipher Strength Appears in Security Information Dialog Box
High Encryption Pack
Note Microsoft Windows XP systems include High Encryption, and no additional
downloads are required.
For Microsoft Windows Millennium (Me), Microsoft Windows 98, Microsoft Windows 98 SE, Microsoft Windows 95, and Microsoft Windows NT 4.0 users
Download and install the Microsoft Internet Explorer High Encryption Pack for
your version of Microsoft Internet Explorer. To do so, visit the following
Microsoft Web site, and search for the appropriate download for your version
of Internet Explorer.
http://windowsupdate.microsoft.com
For Microsoft Windows 2000 users
Download and install the Microsoft Windows 2000 High Encryption Pack (128-bit).
To do this, visit the following Microsoft Web site.
http://www.microsoft.com/downloads/details.aspx?FamilyID=c10925a0-ac66-4c44-b5c3-9dcab4da1c63
How to Enable CRL Checking
To enable CRL checking,
download the appropriate updates for your operating system, and then modify the
registry.
Required Updates to Enable CRL Checking
- For Windows Millennium (Me), Windows 98, Windows 98 SE, Windows 95 users
  Download and install one of the following versions of Internet Explorer:
  Microsoft Internet Explorer 5.01 Service Pack 2, Microsoft Internet Explorer
  5.5 Service Pack 2, or Microsoft Internet Explorer 6.0 Service Pack 1.
  For additional information, click the following article numbers to view the
  articles in the Microsoft Knowledge Base:
  267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack
  276369 How to Obtain the Latest Service Pack for Internet Explorer 5.5
  328548 How to Obtain the Latest Service Pack for Internet Explorer 6
- For Windows NT 4.0 users
  Download and install one of the following versions of Internet Explorer:
  Internet Explorer 5.01 Service Pack 2, Internet Explorer 5.5 Service Pack 2,
  or Internet Explorer 6.0 Service Pack 1.
  For additional information, click the following article numbers to view the
  articles in the Microsoft Knowledge Base:
  267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack
  276369 How to Obtain the Latest Service Pack for Internet Explorer 5.5
  328548 How to Obtain the Latest Service Pack for Internet Explorer 6
  Additionally, download and install the hotfix that is described in the
  following Microsoft Knowledge Base article:
  282935 "Certificate Revocation List Is Not Available" Error Message Appears
- For Windows 2000 users
  Download and install Microsoft Windows 2000 Service Pack 3.
  For additional information, click the following article numbers to view the
  articles in the Microsoft Knowledge Base:
  260910 How to Obtain the Latest Windows 2000 Service Pack
  Additionally, download and install the hotfix that is described in the
  following Microsoft Knowledge Base article:
  308707 "Certificate Revocation List Is Not Available" Error Message Appears
How to Edit the Registry to Enable CRL Checking
To edit the registry to enable CRL Checking, follow these
steps.
- Click Start, click Run.
- In the Open box, type regedit, and then click OK.
- Locate the following subkey in the registry:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography
- On the Edit menu, click New, and then click Key.
- Type {7801ebd0-cf4b-11d0-851f-0060979387ea} to name the new subkey, and then
  press ENTER. The new subkey will be selected.
- On the Edit menu, click New, click DWORD Value, and then add the following
  registry value:
  Value Name: PolicyFlags
  Data Type: REG_DWORD
  Value: 10000
- Quit Registry Editor.
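Added example (not part of the original article and not Microsoft code): a small Python check that reads a Registry Editor export (.reg text) and confirms the two values created in "How to Enable Security Features" and in the steps above. The sample export is constructed, and the expected PolicyFlags value assumes the article's "10000" is entered with Registry Editor's Hexadecimal base (0x10000); the article does not state the base.

```python
import re

# Constructed sample in the text format that Registry Editor exports (.reg).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0\Outlook\Security]
"EnableSRFeatures"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\{7801ebd0-cf4b-11d0-851f-0060979387ea}]
"PolicyFlags"=dword:00010000
"""

# (subkey, value name) -> expected DWORD. ASSUMPTION: the article's PolicyFlags
# "10000" is typed with the Hexadecimal base selected, i.e. 0x10000.
EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0\Outlook\Security",
     "EnableSRFeatures"): 0x1,
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography"
     r"\{7801ebd0-cf4b-11d0-851f-0060979387ea}", "PolicyFlags"): 0x10000,
}
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_dwords(text):
    """Return {(key_lower, name_lower): int} for every DWORD in a .reg export."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if (m := KEY_RE.match(line)):
            key = m.group(1).lower()  # registry key names are case-insensitive
        elif (m := DWORD_RE.match(line)) and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)  # dword: is hex
    return values

def audit(text):
    """Map each expected value name to 'ok', 'missing' or 'wrong (0x...)'."""
    found, report = parse_dwords(text), {}
    for (key, name), want in EXPECTED.items():
        got = found.get((key.lower(), name.lower()))
        if got is None:
            report[name] = "missing"
        else:
            report[name] = "ok" if got == want else "wrong (0x%08x)" % got
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

Under that assumption, a PolicyFlags value typed as 10000 with the Decimal base selected is exported as dword:00002710 and is reported as wrong.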
How to Use the Publish to GAL Feature
The Publish to GAL feature writes a user's public key to the
Microsoft Active Directory or the Microsoft Exchange 5.5 Directory. This
permits you to encrypt messages that are sent to recipients in the Global
Address List without having to create a Microsoft Outlook contact. To publish
your public key to the Global Address List, follow these steps:
- Start Outlook.
- On the Tools menu, click Options, and then click the Security tab.
- Click Publish to GAL.
Note If the Publish to GAL button is not visible, follow the steps in the
"How to Enable Security Features" section of this article to create the
EnableSRFeatures registry value.
When you use the Publish to GAL feature, the public key is written to the
UserSMIMECertificate Active Directory object. When you are in an environment
that uses a Certificate Server, your public key is automatically written to
the UserCertificate object.
When you use the Publish to GAL feature, the public key is written to the
Tagged-X-509-Cert Exchange 5.5 Directory object. When you are in an
environment that uses a Certificate Server, the public key is automatically
written to the X-509-Cert object.
You must use the Publish to GAL feature to send
128-bit or higher encrypted messages to Global Address List recipients in
Outlook 2000.