OL2000: How to Enable the Digital Security Features for Outlook 2000 SR-1a

When you install Microsoft Outlook 2000 Service Release 1a (SR-1a), the digital security features in Microsoft Outlook are disabled, and the default encryption level is set to 40-bit.

To use the following features after you have installed Outlook 2000 SR-1a

• High Encryption (128-bit or higher)
• Certificate Revocation List checking
• Publish to GAL

edit the registry and download the appropriate updates as instructed in this article.

How to Enable Security Features

Follow these steps to enable the digital security options, including the Certificate Revocation List Checking and Publish to GAL features, in Outlook 2000 SR-1a.

Note For additional information about how to use the Publish to GAL feature, see the “How to use the Publish to GAL Feature” section of this article.

WARNING : If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

1. Click Start, click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate the following subkey in the registry:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0\Outlook
4. On the Edit menu, click New, and then click Key.
5. Type Security to name the new subkey, and then press ENTER. The new subkey will be selected.
6. On the Edit menu, click Add Value, and then add the following registry value:
   
   
   Value Name : EnableSRFeatures
   Data Type : REG_DWORD
   Value : 1
7. Quit Registry Editor.

Note If the EnableSRFeatures value is set to 0, the new security features are not enabled or visible.

For additional information about the security features that are described in this article, click the following article number to view the article in the Microsoft Knowledge Base:

How to Enable High Encryption (128-Bit or Higher)

You must obtain the following updates to enable High Encryption.

Updated 128-Bit Encryption Provider for Outlook 2000 SR-1 (Required for All Versions of Microsoft Windows)

By default, Microsoft Outlook 2000 includes 40-bit encryption. Download and install the updated 128-bit Encryption Provider for Outlook 2000 SR-1a to enable High Encryption. To do this, follow the steps that are described in the following Microsoft Knowledge Base article:

High Encryption Pack

Note The Microsoft Windows XP systems include the High Encryption, and no additional downloads are required.

For Microsoft Windows Millennium (Me), Microsoft Windows 98, Microsoft Windows 98 SE, Microsoft Windows 95, and Microsoft Windows NT 4.0 users

Download and install the Microsoft Internet Explorer High Encryption Pack for your version of Microsoft Internet Explorer. To do so, visit the following Microsoft Web site, and search for the appropriate download for your version of Internet Explorer.

http://windowsupdate.microsoft.com (http://windowsupdate.microsoft.com)

For Microsoft Windows 2000 users

Download and install the Microsoft Windows 2000 High Encryption Pack (128-bit). To do this, visit the following Microsoft Web site.

http://www.microsoft.com/downloads/details.aspx?FamilyID=c10925a0-ac66-4c44-b5c3-9dcab4da1c63 (http://www.microsoft.com/downloads/details.aspx?FamilyID=c10925a0-ac66-4c44-b5c3-9dcab4da1c63)

How to Enable CRL Checking

To enable CRL checking, download the appropriate updates for your operating system, and then modify the registry.

Required Updates to Enable CRL Checking

• For Windows Millennium (Me), Windows 98, Windows 98 SE, Windows 95 users
  Download and install one of the following versions of Internet Explorer: Microsoft Internet Explorer 5.01 Service Pack 2, Microsoft Internet Explorer 5.5 Service Pack 2, or Microsoft Internet Explorer 6.0 Service Pack 1.
  
  For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
  267954  (http://support.microsoft.com/kb/267954/EN-US/ ) How to Obtain the Latest Internet Explorer 5.01 Service Pack
  276369  (http://support.microsoft.com/kb/276369/EN-US/ ) How to Obtain the Latest Service Pack for Internet Explorer 5.5
  328548  (http://support.microsoft.com/kb/328548/EN-US/ ) How to Obtain the Latest Service Pack for Internet Explorer 6
• For Windows NT 4.0 users
  Download and install one of the following versions of Internet Explorer: Internet Explorer 5.01 Service Pack 2, Internet Explorer 5.5 Service Pack 2, or Internet Explorer 6.0 Service Pack 1. For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
  267954  (http://support.microsoft.com/kb/267954/EN-US/ ) How to Obtain the Latest Internet Explorer 5.01 Service Pack
  276369  (http://support.microsoft.com/kb/276369/EN-US/ ) How to Obtain the Latest Service Pack for Internet Explorer 5.5
  328548  (http://support.microsoft.com/kb/328548/EN-US/ ) How to Obtain the Latest Service Pack for Internet Explorer 6
  Additionally, download and install the hotfix that is described in the following Microsoft Knowledge Base article:
  282935  (http://support.microsoft.com/kb/282935/EN-US/ ) "Certificate Revocation List Is Not Available" Error Message Appears
• For Windows 2000 users
  Download and install Microsoft Windows 2000 Service Pack 3.
  
  For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
  260910  (http://support.microsoft.com/kb/260910/EN-US/ ) How to Obtain the Latest Windows 2000 Service Pack
  Additionally, download and install the hotfix that is described in the following Microsoft Knowledge Base article:
  308707  (http://support.microsoft.com/kb/308707/EN-US/ ) "Certificate Revocation List Is Not Available" Error Message Appears

How to Edit the Registry to Enable CRL Checking

To edit the registry to enable CRL Checking, follow these steps.

WARNING : If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

1. Click Start, click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate the following subkey in the registry:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography
4. On the Edit menu, click New, and then click Key.
5. Type {7801ebd0-cf4b-11d0-851f-0060979387ea} to name the new subkey, and then press ENTER. The new subkey will be selected.
6. On the Edit menu, click New, click DWORD Value, and then add the following registry value:
   
   
   Value Name : PolicyFlags
   Data Type : REG_DWORD
   Value : 10000
7. Quit Registry Editor.

How to Use the Publish to GAL Feature

The Publish to GAL feature writes a user's public key to the Microsoft Active Directory or the Microsoft Exchange 5.5 Directory. This permits you to encrypt messages that are sent to recipients in the Global Address List without having to create a Microsoft Outlook contact. To publish your public key to the Global Address List, follow these steps:

1. Start Outlook.
2. On the Tools menu, click Options, and then click the Security tab.
3. Click Publish to GAL.
   
   Note If the Publish to GAL button is not visible, follow the steps in the “How to Enable Security Features” section of this article to create the EnableSRFeatures registry value.

When you use the Publish to GAL feature, the public key is written to the UserSMIMECertificate Active Directory object. When you are in an environment that uses a Certificate Server, your public key is automatically written to the UserCertificate object.

When you use the Publish to GAL feature, the public key is written to the Tagged-X-509-Cert Exchange 5.5 Directory object . When you are in an environment that uses a Certificate Server, the public key is automatically written to the X-509-Cert object.

You must use the Publish to GAL feature to send 128-bit or higher encrypted messages to Global Address List recipients in Outlook 2000.