Configuring Blocked Attachments

Attachment blocking is an important feature in Outlook 2007 to help prevent viruses from infecting systems. Although you can rely on the default Outlook 2007 attachment security, you can also choose a centrally managed method of customizing attachment handling for Outlook 2007. You can configure attachment blocking in three ways:

  • Using Group Policy. With Outlook 2007, you can use Group Policy to control how Outlook 2007 handles security, including attachments and virus prevention features. The use of Group Policy also allows the application of these customized security settings in environments without public folders, such as a computer running Exchange Server 2007 or with clients running Outlook 2007 that are not using Exchange Server. Using Group Policy does, however, require that you be using the Active Directory® directory service to manage your network.

  • Using the Exchange Security Form. Earlier versions of Microsoft Outlook used the Exchange Security Form, which provides essentially the same options as the Group Policy settings now do. The Exchange Security Form relies on Exchange Server shared folders, however, which limits the use of these configuration options to only organizations using Exchange Server. You can still use the Exchange Security Form with Exchange Server 2007, for example, to support legacy Microsoft Outlook clients.

  • At the user’s workstation. If neither of the preceding options is available to you, a limited amount of customization can be done on an individual workstation. For example, you can modify the client’s registry to change the Level 1 list (as explained in the section "Configuring Attachment Blocking Directly in Outlook" later in this chapter). These modifications also affect non–Exchange Server accounts.

Configuring attachment blocking centrally, either via Group Policy or on a computer running Exchange Server, is the most effective and efficient method; it gives you, as an administrator, control over attachment security. It also allows you to tailor security by groups within your Windows domains.

Note

Because this book focuses on Outlook 2007 used with Exchange Server 2007, the use of the Exchange Security Form is not covered. For detailed information about using the Exchange Security Form, see the Office 2003 Resource Kit, available at office.microsoft.com/en-us/ork2003/.

In addition to specifying when Outlook 2007 blocks attachments, you can configure other aspects of Outlook 2007 security via Group Policy (or using the Exchange Security Form), letting you limit the behavior of custom forms and control programmatic access to Outlook 2007.

Configuring Attachments in Exchange Server

Attachment blocking in Exchange Server can be configured in two ways:

  • Group Policy is used by Exchange Server 2007, enabling the configuration of these settings without reliance on public folders, which are optional in Exchange Server 2007, or registry entries on each of the client computers.

  • The Exchange Security Form, which is configured via an administrative template stored in a public folder, is used in earlier versions of Exchange Server. While the Exchange Security Form can be used only in environments that have public folders, such as Exchange Server 2003, it is still available for configurations, such as using down-level clients, where it is required.

The settings that are configurable in Group Policy and those set via the Exchange Security Form are largely the same, as described in the following section. Whether you choose to use one or the other, or both, depends on the versions of Exchange Server and Microsoft Outlook that you need to support. Table 34-2 shows which methods can be used by various e-mail servers.

Table 34-2. Security Methods and Types of E-Mail Servers

| E-Mail Server | Security Method: Group Policy | Security Method: Exchange Security Form |
|---|---|---|
| Exchange Server 2007 (no public folders) | Yes | No |
| Exchange Server 2007 (with public folders) | Yes | Yes |
| Exchange Server 2003 | Yes | Yes |
| Non–Exchange Server | Yes | No |

Outlook 2007 clients can use any of these methods, depending on the Outlook Security Mode set in Group Policy. When you use only Group Policy settings, clients running Outlook 2003 or earlier use the default security settings. If an Exchange Security Form is also available, clients running Outlook 2003, Outlook 2002, and Outlook 2000 (with the security update) will use it. Table 34-3 describes the specific behavior of each client with each security method.

Table 34-3. Security Methods and Versions of Microsoft Outlook

| Microsoft Outlook Version | Security Method: Group Policy | Security Method: Exchange Security Form | Security Method: Both |
|---|---|---|---|
| Outlook 2007 | Uses Group Policy settings (by default) | Uses ESF if set in Group Policy (Outlook Security Settings) | Depends on configuration (Group Policy can override ESF, and vice versa) |
| Outlook 2003, Outlook 2002, and Outlook 2000 with security update | Uses default settings | Uses Exchange Security Form settings | Uses Exchange Security Form settings |
| Outlook 2000 without the security update and earlier | Uses default settings | Uses default settings | Uses default settings |

Outlook Security Mode is set in Group Policy to specify how clients running Outlook 2007 apply security settings. Outlook 2007 can use Group Policy settings, use the Exchange Security Form stored in one of two public folders (Outlook Security Settings or Outlook 10 Security Settings), or use the Outlook 2007 default security settings.

Note

Using both Group Policy settings and the Exchange Security Form supports the widest range of clients and is particularly useful during upgrades from Outlook 2003 to Outlook 2007 or Exchange Server 2003 to Exchange Server 2007. Outlook 2007 clients can retrieve their security information from the appropriate location transparently.

Using Outlook Security Settings

There are three categories of settings you can configure using Group Policy: those controlling attachments, forms, and programmatic access to Outlook 2007. These settings are described in the following sections.

Note

This section covers the settings as described in Group Policy; settings in the Exchange Security Form are similar, even if worded slightly differently.

Attachment Security Settings

A number of options are available for customization of attachment handling, including making changes to the blocked attachment lists, specifying when prompts appear, and controlling users’ ability to configure their own attachment management.

  • Display Level 1 Attachments. This option allows Outlook 2007 users to see and open Level 1 attachments.

  • Allow Users To Demote Attachments To Level 2. Enabling this option allows Outlook 2007 users to demote Level 1 attachments to Level 2, which lets a user save the attachments to disk and then open them.

  • Do Not Prompt About Level 1 Attachments When Sending An Item. This setting disables the warning that normally appears when a user tries to send a Level 1 attachment. The warning explains that the attachment could cause a virus infection and that the recipient might not receive the attachment (because of attachment blocking on the recipient’s server).

  • Do Not Prompt About Level 1 Attachments When Closing An Item. You can disable the warning that normally appears when the user closes a message, an appointment, or another item that contains a Level 1 attachment.

    Note

    Disabling warning prompts for Level 1 attachments does not change how Outlook 2007 deals with them. Even without a warning, users are not able to view or open Level 1 attachments in Outlook 2007 items when a setting that disables warning prompts is enabled.

  • Allow In-Place Activation Of Embedded Ole Objects. This option allows Outlook 2007 users to open embedded OLE objects (such as Microsoft Office Excel® 2007 spreadsheets, Access 2007 databases, and other documents) by double-clicking the object’s icon.

  • Display Ole Package Objects. Enable this option to show embedded OLE objects in e-mail messages. Hiding the objects prevents the user from opening them.

  • Add File Extensions To Block As Level 1. Use this setting to modify the Level 1 attachment list. You can enter a list of file name extensions to add to the list.

  • Remove File Extensions Blocked As Level 1. You can specify a list of file name extensions to remove from the Level 1 attachment list.

  • Add File Extensions To Block As Level 2. Use this setting to modify the Level 2 attachment list. You can enter a list of file name extensions to add to the list.

  • Remove File Extensions Blocked As Level 2. You can specify a list of file name extensions to remove from the Level 2 attachment list.

  • Prevent Users From Customizing Attachment Security Settings. This Group Policy setting is used in earlier versions of Microsoft Outlook to specify whether users can add files to (or remove files from) the Level 1 and Level 2 attachment lists that you have configured. This option overrides other settings; if it is enabled, users cannot configure the lists even if other settings would normally allow them to.

  • Allow Access To E-Mail Attachments. This setting also is for earlier versions of Microsoft Outlook. You can create a list of file types that are to be removed from the default Level 1 attachment list. This is functionally equivalent to the Remove File Extensions Blocked As Level 1 setting, just for legacy clients.

Custom Form Security Settings

There are several options that control the actions that can be taken by scripts and controls in custom forms:

  • Allow Scripts In One-Off Outlook Forms. Enabling this option allows scripts to be executed if the script and the form layout are contained in the message.

  • Set Outlook Object Model Custom Actions. This setting determines the action Outlook 2007 takes if a program attempts to execute a task using the Outlook 2007 object model. For example, a virus could incorporate a script that uses the Outlook 2007 object model to reply to a message and attach itself to that message, bypassing the Outlook 2007 security safeguards. Prompt User causes Outlook 2007 to prompt the user to allow or deny the action. Automatically Approve allows the program to execute the task without prompting the user. Automatically Deny prevents the program from executing the task without prompting the user. Prompt User Based On Computer Security uses the Outlook 2007 security settings.

  • Set Control Itemproperty Prompt. This setting determines the action Outlook 2007 takes if a user adds a control to a custom Outlook 2007 form and binds that control to any address information fields (To or From, for example). You can select Prompt User to have Outlook 2007 ask the user to allow or deny access to the address fields when the message is received, Automatically Approve to allow access without prompting the user, Automatically Deny to deny access without prompting the user, or Prompt User Based On Computer Security to use the Outlook 2007 security settings.

Note

You can control which applications can access Outlook 2007 programmatically, to send e-mail or retrieve Outlook 2007 information, using Group Policy. For detailed information about how to do this, see "Enabling Applications to Send E-Mail with Outlook" later in this chapter.

Configuring Security Using Group Policy

There are two steps involved in configuring Outlook 2007 attachment security using Group Policy. First, you configure the security settings for attachments and custom forms. Once you are satisfied with the configuration, you configure Group Policy as the method that Outlook 2007 uses to obtain security information.

Note

Security settings applied via Group Policy do not take effect immediately. Changes take effect after the computer receives a Group Policy update (usually at the next logon) and Outlook 2007 is subsequently started. Even when a computer receives refreshed Group Policy automatically, settings will not apply to Outlook 2007 until the next time it is started.

You manage Outlook 2007 attachment security using two tools: the Outlook 2007 administrative template (Outlk12.adm), which is found in the Admin Pack (adminpak.msi), and the Group Policy Editor.

Note

For detailed information about using Group Policy templates, go to: support.microsoft.com/kb/924617.

To install the administrative template, follow these steps:

  1. Create a folder on the local computer to contain the template files. (The steps outlined here assume that you’re creating a folder named AdminPak for the files.)

  2. Download the administrative templates from www.microsoft.com/downloads/details.aspx?familyid=92d8519a-e143-4aee-8f7a-e4bbaeba13e7. Save the file in the AdminPak directory.

  3. Open a Command Prompt window, and switch to the AdminPak folder.

  4. Type adminTemplates /extract:adminPak, and then press Enter.

  5. Follow the prompts to extract the administrative templates.

To add the administrative template to Group Policy, follow these steps:

  1. On a server with the Windows Server administrator tools installed, click Start, Run, type gpedit.msc in the Open box, and then press Enter.

  2. In the Group Policy editor, browse to User Configuration/Administrative Templates.

  3. Right-click Administrative Templates, and then select Add/Remove Template.

  4. In the Add/Remove Templates dialog box, click Add.

  5. Browse to the AdminPak directory. Select outlk12.adm, and then click Open.

  6. In the Add/Remove Templates dialog box, click Close.

To configure the Outlook 2007 attachment security settings, follow these steps:

  1. On a server with the Windows Server administrator tools installed, run Group Policy by clicking Start, Run, typing gpedit.msc, and then pressing Enter.

  2. Browse to User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security.

  3. Configure the settings using this list as a guide. The default setting is Not Configured for all items in this policy:

    • Enable Display Level 1 attachments if you want to allow Outlook 2007 users to see and open Level 1 attachments, effectively setting the attachments to Level 2.

    • To allow Outlook 2007 users to change Level 1 attachments to Level 2, enable Allow Users To Demote Attachments To Level 2.

    • If you want to suppress the warning that usually appears when a Level 1 attachment is sent, enable Do Not Prompt About Level 1 Attachments When Sending An Item.

    • To disable the warning that normally appears when the user closes an item that contains a Level 1 attachment, enable Do Not Prompt About Level 1 Attachments When Closing An Item.

    • If you want to let Outlook 2007 users open embedded OLE objects (such as Microsoft Office Word 2007 documents, Excel 2007 spreadsheets, and other documents), enable Allow In-Place Activation Of Embedded Ole Objects.

    • Enable Display Ole Package Objects to show embedded OLE objects in e-mail messages and allow users to open them.

    • You can block additional file types by enabling Add File Extensions To Block As Level 1. Specify a list of file name extensions, without periods and separated by semicolons (;), in the Additional Extensions field.

    • You can specify a list of file name extensions to remove from the Level 1 attachment list by enabling Remove File Extensions Blocked As Level 1 and entering the list in the Additional Extensions field.

    • To add file types to the Level 2 list, enable Add File Extensions To Block As Level 2, and then enter a list of extensions.

    • Enable Remove File Extensions Blocked As Level 2, and then specify a list of file name extensions to remove from the Level 2 attachment list.

To configure the Custom Form Security settings, follow these steps:

  1. In Group Policy, go to User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security.

  2. Select Allow Scripts In One-Off Outlook Forms if you want scripts to be executed when the script and the form layout are contained in the message.

  3. Set the Outlook object model Custom Actions execution prompt to specify the action that Outlook 2007 takes if a program attempts to execute a task using the Outlook 2007 object model. Select Prompt User to have Outlook 2007 prompt the user to allow or deny the action. Select Automatically Approve to allow the program to execute the task without prompting the user. Select Automatically Deny to prevent the program from executing the task without prompting the user. Select Prompt User Based On Computer Security to use the Outlook 2007 security settings.

  4. You can select Set Control Itemproperty Prompt and then configure the action that Outlook 2007 takes if a user adds a control to a custom Outlook 2007 form and binds that control to an address information field (such as To or From). Select Prompt User to have Outlook 2007 ask the user to allow or deny access to the address fields when the message is received. Select Automatically Approve to allow access without prompting the user. Select Automatically Deny to deny access without prompting the user. Select Prompt User Based On Computer Security to use the Outlook 2007 security settings.

To configure legacy Microsoft Outlook settings, follow these steps:

  1. In Group Policy, go to User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Security.

  2. If you do not want users to modify the Level 1 and Level 2 attachment lists, select Prevent Users From Customizing Attachment Security Settings.

  3. To remove file types from the default Level 1 attachment list, select Allow Access To E-Mail Attachments, and then provide a list of file name extensions (without a period) in the List Of File Extensions To Allow field. You can enter multiple file name extensions separated by semicolons.

Setting the Outlook Security Mode

After you have configured the Outlook 2007 security settings, you have to enable the use of those settings by enabling Exchange Server security and selecting the Outlook Security Mode. You do this using the same administrative template that you used to configure the security settings. To select the security mode for Outlook 2007, follow these steps:

  1. Run Group Policy, and then open Outlk12.adm. Go to User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Security\Security Form Settings.

  2. Double-click Outlook Security Mode, and then select Enabled. Select Use Outlook Security Group Policy in the drop-down list, and then click OK.

Configuring Attachment Blocking Directly in Outlook

The preceding sections explained how to configure attachment blocking for Exchange Server users. Non–Exchange Server users can also control attachment blocking, although the method for modifying the attachment list is different. So if you use Outlook 2007 in a workgroup or on a stand-alone computer without Exchange Server, you can still control which attachments Outlook 2007 prevents you from opening. You simply have fewer options for controlling and applying security settings.

Note

If you modify the registry settings that affect the Level 1 list, you must restart Outlook 2007 for the changes to take effect.

Removing Blocked File Types from the Level 1 List

To change the Level 1 attachment list, you must modify a registry setting on your local computer. You can remove file types from the list, as well as add them. To apply the changes across multiple computers, distribute a registry script file. You can distribute this file through a logon script, place it on a network share for users to access, or send users a message containing a shortcut to the file. (For information about how to deploy registry files using a logon script, see the Windows Server help file.)

Follow these steps to create the necessary registry settings and optionally export them as a .reg file for other users:

  1. On a system with Outlook 2007 installed, choose Start, Run, and then type regedit in the Run dialog box.

  2. In the Registry Editor, open the key HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security.

  3. In that key, add a string value named Level1Remove.

  4. Set the value of Level1Remove to include the file name extensions of those files you want removed from the Level 1 attachment list, without leading periods and separated by semicolons. The following example removes Microsoft Installer (.msi) files and Help (.hlp) files from the list:

    msi;hlp

  5. If you want to share the customized registry with other users, choose Registry, Export Registry File. Select a location for the .reg file, and then click Save. You can then distribute the .reg file to the other users, as noted earlier.

Adding Blocked File Types to the Level 1 List

Outlook 2007 is aggressive about which attachments it blocks, but you might want to add other attachment types to the Level 1 list so that Outlook 2007 will block them. Using the same method as in the preceding procedure, add the registry value HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security\Level1Add. Set the value of Level1Add to include the file name extensions that you want added to the Level 1 list. You can add multiple file types separated by semicolons. See the preceding section for options for propagating the change to other users.
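
An added example, not taken from the book or from Microsoft: a PowerShell check that reads the Level1Remove and Level1Add values from the key described above, normalises the semicolon-separated lists, and reports entries that unblock commonly abused file types, appear in both lists, or break the no-periods format (the same format the Group Policy Additional Extensions field expects). The function names and the $HighRisk sample list are assumptions made for this example.

```powershell
# Added example: review per-user Level 1 overrides for Outlook 2007.
# Key path and value names are the ones given in this chapter.
$SecurityKey = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\Security'

# Constructed sample of extensions an administrator would rarely want unblocked.
# This is an illustrative subset, not Outlook's complete Level 1 list.
$HighRisk = 'exe','bat','cmd','com','scr','vbs','js','msi','hlp','lnk','reg'

# Split a semicolon-separated value into trimmed, non-empty tokens.
function Get-Level1Tokens {
    param([string]$Value)
    $Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
}

# Compare the two lists and report anything that deserves a second look.
function Test-Level1Override {
    param([string]$Level1Remove, [string]$Level1Add)

    $rawRemove = @(Get-Level1Tokens $Level1Remove)
    $rawAdd    = @(Get-Level1Tokens $Level1Add)

    # Normalise for comparison: drop stray leading periods, fold case.
    $norm    = { $_.TrimStart('.').ToLowerInvariant() }
    $removed = @($rawRemove | ForEach-Object $norm | Select-Object -Unique)
    $added   = @($rawAdd    | ForEach-Object $norm | Select-Object -Unique)

    [pscustomobject]@{
        Removed      = $removed
        Added        = $added
        # Entries that are not bare extensions (leading period, wildcard, path...).
        Malformed    = @(($rawRemove + $rawAdd) |
                         Where-Object { $_ -notmatch '^[A-Za-z0-9]+$' })
        # Extensions taken off the Level 1 list that are on the high-risk sample list.
        RiskyRemoved = @($removed | Where-Object { $HighRisk -contains $_ })
        # Extensions that are both added and removed; the intent needs review.
        Conflicting  = @($removed | Where-Object { $added -contains $_ })
    }
}

# Constructed sample values: the chapter's "msi;hlp" example plus deliberate mistakes.
Test-Level1Override -Level1Remove 'msi;hlp;.EXE; zip' -Level1Add 'zip;iso' |
    Format-List

# Live check of the current user's profile. The key or values may not exist.
$live = Get-ItemProperty -Path $SecurityKey -ErrorAction SilentlyContinue
if ($live) {
    Test-Level1Override -Level1Remove $live.Level1Remove -Level1Add $live.Level1Add |
        Format-List
} else {
    'No per-user Outlook 2007 security key found for this account.'
}
```

Run it in the user's own session, because the values live under HKEY_CURRENT_USER; a non-empty RiskyRemoved list on a managed workstation is worth tracing back to the .reg file or logon script that set it.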
