IMPORTANT: This article does not include general information about the security update. Before you read this article, Microsoft recommends that you become familiar with the information in the following Microsoft Knowledge Base article:
OverviewThe Microsoft Outlook E-mail Security Update provides many security features that are designed to prevent the spread of malicious attachments and custom code. If you are using Microsoft Exchange Server, administrators can control the behavior of these new features. However, for administrators to customize settings, users must have their mail delivered to an Exchange Server mailbox. Any configuration that has incoming mail delivered to a Personal Folders (.pst) file cannot use customized settings (for example, if you are using Outlook in Internet Mail Only (IMO) mode).
Using the tools described in this article you can customize the security update to meet your organization's needs. For example, you can control the types of attached files blocked by Outlook, modify the Outlook Object Model warning notifications, and specify user or group security levels.
Users cannot control any of the customizable settings because the administrator controls all of the settings. The settings are stored in a public folder on the Exchange Server computer, and only the administrator has full access to the folder; all other users are given read-only permissions. When a user starts Outlook, Outlook checks a Windows registry key to see if the administrator has specified that the user can use customized settings. If the registry key is not found, or the registry key is not set to enable customized settings, Outlook uses the default maximum security settings and all of the features of the security update are enabled. If the registry key exists, however, and it is set to enable custom settings, Outlook retrieves the user's settings from the public folder on the Exchange Server computer.
Once custom security settings are set up and work correctly, Outlook can automatically synchronize these custom security settings if users are working offline by using an offline folders file (.ost). To do this, users need to add the Outlook Security Settings public folder to the Favorites folder and then synchronize the folders. Once the folder is added to the Favorites, it may not be visible, but functions normally.
For additional information about offline folders and how to use them, click the following article number to view the article in the Microsoft Knowledge Base:
How to Obtain Administrator Information and ToolsThe Microsoft Office Resource Kit (ORK) Web site contains information and files that administrators can download. General information about how to administer the security update is located at the following Microsoft Web site:
- A Readme.txt file that contains documentation for administrators.
- The Outlook Security Form template (OutlookSecurity.oft).
- A policy file (Outlk9.adm) for computers that are set up with system policies.
How to Set Up the Outlook Security Settings FolderNOTE: Using custom settings with the Outlook E-mail Security Update is only supported on Microsoft Exchange Server version 5.0 or later. Microsoft Exchange Server version 4.x is not supported.
An organization's Outlook security settings are stored in the Outlook Security Settings folder. An administrator configures the settings, and each individual client computer can optionally retrieve settings from this folder every time that Outlook starts. The Outlook Security Settings folder must be available to client computers at all times. Programs that rely on custom security settings may revert to the default security settings if the Outlook Security Settings folder becomes unavailable.
Section 2.2 of the Readme.txt file describes how to set up the public folder. You must name the folder "Outlook Security Settings" (without quotation marks) and it must be located in the All Public Folders folder.
How to Create the FolderTo create the Outlook Security Settings folder:
- In the Folder List pane, right-click All Public Folders, and then click New Folder.
If you do not see the Folder List pane, click Folder List on the View menu.
- Type Outlook Security Settings as the name of the folder.
- Keep the default settings in the Properties dialog box, and then click OK.
How to Set Permissions on the Outlook Security Settings FolderAfter you create the Outlook Security Settings folder, you must set the proper permissions on the folder. As the folder's creator, you automatically have owner permissions on the folder. If you want to let other people set Outlook security settings, you can give other users owner permissions on the folder. Microsoft recommends that you do this with discretion. To change permissions on the folder:
- In the Folder List pane, right-click the Outlook Security Settings folder, click Properties, and then click the Permissions tab.
- In the list of permissions, click Default, and then change the role to Reviewer because users need only basic read permissions on the folder.
- If you want to let other people administer the folder, click the Add button to add their names. Assign owner permissions to the users that you added.
- Click OK.
NOTE: For the registry change to work for the Admin Security Update on users machines that run Winnt/Windows 2000 they must have read/allow permissions. To check this for Winnt/Windows 2000:
- Go to Start, Run.
- Type regedt32 and click ok.
- Navigate to HKEY_USERS and click on the Security Menu, then select Permissions.
- The Everyone Group should be listed (if not add one) and make sure they have Read/Allow checked.
- Also Check under the Advanced button to verify that Everyone has Read Permissions.
- Also check "Allow inheritable permissions from parent to propagate to this object".
- Then click ok and close the regedt32 to save changes.
How to Use the Outlook Security FormWhen you use the Outlook Security form, you can change security settings for Outlook users. Section 2.3 of the Readme.txt file provides detailed steps about how to install the form. After the form is installed, it is the default form for the Outlook Security Settings folder, and you can click
New to open the form and create a new security setting.
When you use the Outlook Security Form, you can create one item in the folder that stores the default security settings for the users. In addition, you can use the form to create additional items in the folder; each item is an exception to the default security settings. For example, you can create a "Power Users" item in the folder that contains a list of members in that group and the custom settings that they have. The form stores the user's name in the Members box of the form, and the settings are stored in a variety of Outlook user-defined fields in the item. Settings that you can configure include attachments, the Outlook object model, Simple Messaging Application Programming Interface (MAPI), Collaboration Data Objects (CDO), and the type of file extensions that are in the Level 1 or Level 2 lists. The Readme.txt file contains more detailed information about the individual settings.
When you use the Members box on the form, type resolvable e-mail addresses that are semicolon-delimited so that the entire list can be resolved, just as if you were typing the text in the To box of an e-mail message. The data from the Members box is actually stored in the To field of the item.
When you type file extensions on the form, as you are instructed to do in the Readme.txt file, make sure that each file extension does not include a period (.) before the file extension, that each extension is separated with a semicolon (;), and that you do not have spaces between the file extensions. For example:
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
Information About the Windows Registry KeyWhen a user starts Outlook, Outlook checks to see if a registry key is set and configured to use custom security settings. If it is, Outlook retrieves the user's settings from the Outlook Security Settings public folder.
The registry key holds a DWORD value and is in the following location:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Security\CheckAdminSettings The following list describes the Outlook behavior for the registry key and its value:
- No key: Outlook operates in lock-downmode.
- Value of 0 (zero): Outlook operates in
- Value of 1 (one): Outlook looks for custom administrative settings.
Section 2.4 of the Readme.txt file provides details about how to deploy the registry to the user's computers. The method that you use to deploy the registry varies depending on configuration and whether or not policies are in effect.
How to Manually Create the Registry KeyFor information about how to create the registry key, see section 2.4.3 of the Readme.txt file.
How to Implement the Security Update on Third-Party Mail ServersFor additional information about implementing the security update on third-party mail servers, click the following article number to view the article in the Microsoft Knowledge Base:
Artikelnummer: 263297 – Letzte Überarbeitung: 31.07.2012 – Revision: 1