The Microsoft Outlook E-mail Security Update provides many security features that are designed to prevent the spread of malicious attachments and custom code. If you are using Microsoft Exchange Server, administrators can control the behavior of these new features. However, for administrators to customize settings, users must have their mail delivered to an Exchange Server mailbox. Any configuration that has incoming mail delivered to a Personal Folders (.pst) file cannot use customized settings (for example, if you are using Outlook in Internet Mail Only (IMO) mode).
Users cannot control any of the customizable settings because the administrator controls all of the settings. The settings are stored in a public folder on the Exchange Server computer, and only the administrator has full access to the folder; all other users are given read-only permissions. When a user starts Outlook, Outlook checks a Windows registry key to see if the administrator has specified that the user can use customized settings. If the registry key is not found, or the registry key is not set to enable customized settings, Outlook uses the default maximum security settings and all of the features of the security update are enabled. If the registry key exists, however, and it is set to enable custom settings, Outlook retrieves the user's settings from the public folder on the Exchange Server computer.
Once custom security settings are set up and work correctly, Outlook can automatically synchronize these custom security settings if users are working offline by using an offline folders file (.ost). To do this, users need to add the Outlook Security Settings public folder to the Favorites folder and then synchronize the folders.
For more information about offline folders and how to use them, click the following article number to view the article in the Microsoft Knowledge Base:
(CW) What are offline folders and how do you use them?
How to Obtain Administrator Information and Tools
The Microsoft Office Resource Kit (ORK) Web site contains information and files that administrators can download. General information about how to administer the security update is located at the following Microsoft Web site:
The Admpack.exe file contains the following files:
- A Readme.txt file that contains documentation for administrators.
- The Outlook Security Form template (OutlookSecurity.oft).
- A policy file (Outlk9.adm) for computers that are set up with system policies. This file is for use with Microsoft Outlook 2000 and should not be used with Outlook 98.
How to Set Up the Outlook Security Settings FolderNOTE
: Using custom settings with the Outlook E-mail Security Update is only supported on Microsoft Exchange Server version 5.0 or later. Microsoft Exchange Server version 4.x is not supported.
An organization's Outlook security settings are stored in the Outlook Security Settings folder. The settings are configured by an administrator, and each individual client computer can optionally retrieve settings from this folder every time that Outlook starts.
Section 2.2 of the Readme.txt file describes how to set up the public folder. You must name the folder "Outlook Security Settings" (without quotation marks) and it must be located in the All Public Folders folder.
How to Create the Folder
To create the Outlook Security Settings folder:
- In the Folder List pane, right-click All Public Folders, and then click New Folder.
NOTE: If you do not see the Folder List pane, click Folder List on the View menu.
- Type Outlook Security Settings as the name of the folder.
- Keep the default settings in the Properties dialog box, and then click OK.
How to Set Permissions on the Outlook Security Settings Folder
After you create the Outlook Security Settings folder, you must set the proper permissions on the folder. As the folder's creator, you automatically have owner permissions on the folder. If you want to let other people set Outlook security settings, you can give other users owner permissions on the folder. Microsoft recommends that you do this with discretion. To change permissions on the folder:
- In the Folder List pane, right-click the Outlook Security Settings folder, click Properties, and then click the Permissions tab.
- In the list of permissions, click Default, and then change the role to Reviewer because users need only basic read permissions on the folder.
- If you want to let other people administer the folder, click the Add button to add their names. Assign owner permissions to the users that you added.
- Click OK.
All users can see the Outlook Security Settings folder in the list of public folders. In addition, users can open the items that contain the settings and therefore see how all of the other users are configured.
How to Use the Outlook Security Form
When you use the Outlook Security form, you can change security settings for Outlook users. Section 2.3 of the Readme.txt file provides detailed steps about how to install the form. After the form is installed, it is the default form for the Outlook Security Settings folder, and you can click New
to open the form and create a new security setting.
When you use the Outlook Security Form, you can create one item in the folder that stores the default security settings for the users. In addition, you can use the form to create additional items in the folder; each item is an exception to the default security settings. For example, you can create a "Power Users" item in the folder that contains a list of members in that group and the custom settings that they have. The form stores the user's name in the Members
box of the form, and the settings are stored in a variety of Outlook user-defined fields in the item. Settings that you can configure include attachments, the Outlook object model, Simple Messaging Application Programming Interface (MAPI), Collaboration Data Objects (CDO), and the type of file extensions that are in the Level 1 or Level 2 lists. The Readme.txt file contains more detailed information about the individual settings.
When you use the Members
box on the form, type resolvable e-mail addresses that are semicolon-delimited so that the entire list can be resolved, just as if you were typing the text in the To
box of an e-mail message. The data from the Members
box is actually stored in the To
field of the item.
When you type file extensions on the form, as you are instructed to do in the Readme.txt file, make sure that each file extension does not include a period (.) before the file extension, that each extension is separated with a semicolon (;), and that you do not have spaces between the file extensions. For example:
: The form includes settings for the CDO object model, but these settings do not function unless you install the CDO E-mail Security Update. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Information about the CDO e-mail security update
Note that the folder operates on a "most recently created item" basis. If you add a user to more than one group, when Outlook starts it finds and uses the most recently created item that contains that user. Outlook does not retrieve all of the items from the folder, and Outlook does not evaluate all of the permissions that the user has been granted over the folder's history. Therefore, it is important that you carefully plan the security settings groups and which users are members of each group.
How to Update an Administrative Installation Point
If the users in your organization are running Outlook or Microsoft Office from a server location the ORK provides details about how to apply the Outlook E-mail Security Update to a server-based installation (the "setup /a" command).
Information About the Windows Registry Key
When a user starts Outlook, Outlook checks to see if a registry key is set and configured to use custom security settings. If it is, Outlook retrieves the user's settings from the Outlook Security Settings public folder.
The registry key holds a DWORD value and is in the following location:
The CheckAdminSettings value can contain the following values:
|No key||Outlook uses default administrative settings.|
|Set to 0||Outlook uses default administrative settings.|
|Set to 1||Outlook looks for custom administrative settings in the Outlook Security Settings folder.|
|Set to 2||Outlook looks for custom administrative settings in the Outlook 10 Security Settings folder.|
|Set to anything else||Outlook uses default administrative settings.|
: The behavior that is described may seem different from the behavior that is described in section 2.4 of the Readme.txt file. The Readme.txt file implies that if you have no key or if the key has a value of zero, Outlook checks for settings on the server. This is not correct; the default Outlook "lock-down" settings are used, not the settings that are stored in the Default Security Settings folder in the public folder.
Section 2.4 of the Readme.txt file provides details about how to deploy the registry to the user's computers. The method that you use to deploy the registry varies depending on configuration and whether or not policies are in effect.
How to Manually Create the Registry Key
For information about how to create the registry key, see section 2.4.3 of the Readme.txt file.
How to Implement the Security Update on Third-Party Mail Servers
For more information about implementing the security update on third-party mail servers, click the following article number to view the article in the Microsoft Knowledge Base:
How to implement the Outlook e-mail security update on other mail servers