Article ID: 263297 - View products that this article applies to.
This article was previously published under Q263297
For a Microsoft Outlook 98 version of this article, see 263296
This article provides information for Information Technology (IT) professionals and administrators about the Microsoft Outlook E-mail Security Update that was released on June 7, 2000.
IMPORTANT: This article does not include general information about the security update. Before you read this article, Microsoft recommends that you become familiar with the information in the following Microsoft Knowledge Base article:
(http://support.microsoft.com/kb/262631/ )Information about the Outlook E-mail Security update
OverviewThe Microsoft Outlook E-mail Security Update provides many security features that are designed to prevent the spread of malicious attachments and custom code. If you are using Microsoft Exchange Server, administrators can control the behavior of these new features. However, for administrators to customize settings, users must have their mail delivered to an Exchange Server mailbox. Any configuration that has incoming mail delivered to a Personal Folders (.pst) file cannot use customized settings (for example, if you are using Outlook in Internet Mail Only (IMO) mode).
Using the tools described in this article you can customize the security update to meet your organization's needs. For example, you can control the types of attached files blocked by Outlook, modify the Outlook Object Model warning notifications, and specify user or group security levels.
Users cannot control any of the customizable settings because the administrator controls all of the settings. The settings are stored in a public folder on the Exchange Server computer, and only the administrator has full access to the folder; all other users are given read-only permissions. When a user starts Outlook, Outlook checks a Windows registry key to see if the administrator has specified that the user can use customized settings. If the registry key is not found, or the registry key is not set to enable customized settings, Outlook uses the default maximum security settings and all of the features of the security update are enabled. If the registry key exists, however, and it is set to enable custom settings, Outlook retrieves the user's settings from the public folder on the Exchange Server computer.
Once custom security settings are set up and work correctly, Outlook can automatically synchronize these custom security settings if users are working offline by using an offline folders file (.ost). To do this, users need to add the Outlook Security Settings public folder to the Favorites folder and then synchronize the folders. Once the folder is added to the Favorites, it may not be visible, but functions normally.
For additional information about offline folders and how to use them, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/195435/ )What are Offline folders and how do you use them?
How to Obtain Administrator Information and ToolsThe Microsoft Office Resource Kit (ORK) Web site contains information and files that administrators can download. General information about how to administer the security update is located at the following Microsoft Web site:
Office 2000 Outlook 98/2000 E-mail Security Update White PaperThe Admpack.exe file contains the following files:
How to Set Up the Outlook Security Settings FolderNOTE: Using custom settings with the Outlook E-mail Security Update is only supported on Microsoft Exchange Server version 5.0 or later. Microsoft Exchange Server version 4.x is not supported.
An organization's Outlook security settings are stored in the Outlook Security Settings folder. An administrator configures the settings, and each individual client computer can optionally retrieve settings from this folder every time that Outlook starts. The Outlook Security Settings folder must be available to client computers at all times. Programs that rely on custom security settings may revert to the default security settings if the Outlook Security Settings folder becomes unavailable.
Section 2.2 of the Readme.txt file describes how to set up the public folder. You must name the folder "Outlook Security Settings" (without quotation marks) and it must be located in the All Public Folders folder.
How to Create the FolderTo create the Outlook Security Settings folder:
How to Set Permissions on the Outlook Security Settings FolderAfter you create the Outlook Security Settings folder, you must set the proper permissions on the folder. As the folder's creator, you automatically have owner permissions on the folder. If you want to let other people set Outlook security settings, you can give other users owner permissions on the folder. Microsoft recommends that you do this with discretion. To change permissions on the folder:
NOTE: For the registry change to work for the Admin Security Update on users machines that run Winnt/Windows 2000 they must have read/allow permissions. To check this for Winnt/Windows 2000:
How to Use the Outlook Security FormWhen you use the Outlook Security form, you can change security settings for Outlook users. Section 2.3 of the Readme.txt file provides detailed steps about how to install the form. After the form is installed, it is the default form for the Outlook Security Settings folder, and you can click New to open the form and create a new security setting.
When you use the Outlook Security Form, you can create one item in the folder that stores the default security settings for the users. In addition, you can use the form to create additional items in the folder; each item is an exception to the default security settings. For example, you can create a "Power Users" item in the folder that contains a list of members in that group and the custom settings that they have. The form stores the user's name in the Members box of the form, and the settings are stored in a variety of Outlook user-defined fields in the item. Settings that you can configure include attachments, the Outlook object model, Simple Messaging Application Programming Interface (MAPI), Collaboration Data Objects (CDO), and the type of file extensions that are in the Level 1 or Level 2 lists. The Readme.txt file contains more detailed information about the individual settings.
When you use the Members box on the form, type resolvable e-mail addresses that are semicolon-delimited so that the entire list can be resolved, just as if you were typing the text in the To box of an e-mail message. The data from the Members box is actually stored in the To field of the item.
When you type file extensions on the form, as you are instructed to do in the Readme.txt file, make sure that each file extension does not include a period (.) before the file extension, that each extension is separated with a semicolon (;), and that you do not have spaces between the file extensions. For example:
xyz;yxz;zyxNOTE: The form includes settings for the CDO object model, but these settings do not function unless you install the CDO E-mail Security Update. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
268279Note that the folder operates on a "most recently created item" basis. If you add a user to more than one group, when Outlook starts it finds and uses the most recently created item that contains that user. Outlook does not retrieve all of the items from the folder, and Outlook does not evaluate all of the permissions that the user has been granted over the folder's history. Therefore, it is important that you carefully plan the security settings groups and which users are members of each group.
(http://support.microsoft.com/kb/268279/ )Information about the CDO E-mail Security update
Information About the Windows Registry KeyWhen a user starts Outlook, Outlook checks to see if a registry key is set and configured to use custom security settings. If it is, Outlook retrieves the user's settings from the Outlook Security Settings public folder.
The registry key holds a DWORD value and is in the following location:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Security\CheckAdminSettingsThe following list describes the Outlook behavior for the registry key and its value:
Section 2.4 of the Readme.txt file provides details about how to deploy the registry to the user's computers. The method that you use to deploy the registry varies depending on configuration and whether or not policies are in effect.
How to Manually Create the Registry KeyFor information about how to create the registry key, see section 2.4.3 of the Readme.txt file.
How to Implement the Security Update on Third-Party Mail ServersFor additional information about implementing the security update on third-party mail servers, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/265719/ )How to implement the Outlook E-mail Security update on other mail servers
For additional information about the Outlook E-mail Security Update, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/262631/ )Information about the Outlook E-mail Security update
(http://support.microsoft.com/kb/262701/ )Developer information about the Outlook E-mail Security update
(http://support.microsoft.com/kb/263297/ )Administrator information about the Outlook E-mail Security update
(http://support.microsoft.com/kb/262634/ )Known issues with the Outlook E-mail Security update
(http://support.microsoft.com/kb/264567/ )Known setup issues with the Outlook E-mail Security update
(http://support.microsoft.com/kb/264128/ )Known interoperability issues with the Outlook E-mail Security update
(http://support.microsoft.com/kb/264130/ )Known third-party issues with the Outlook E-mail Security update