Configuring Outlook Security Features to Help Prevent Viruses

The Microsoft® Outlook® security model includes a number of features to help protect users against viruses and worms that can be propagated through e-mail messages. The security-related features include object model blocks (such as limiting automated address book access), access to attachments, and so on. Security-related features are included in the product, but they can be customized. You can customize most of the features relating to security by using the Outlook security template. Your users must be using Outlook with an Exchange server to take advantage of the customizations that are modified by using the security template.

 Note   You can also customize several features by using the registry instead of the Exchange Server security template. These features include the following: read as plain text, automatic picture download, and HTML mail zones. You can also lock down the settings by using policies. For more information about modifying these settings, see Helping Users Avoid Junk E-mail Messages in Outlook 2003. You can also customize how Outlook loads ActiveX controls in one-off forms. More information is provided later in this topic under Customizing how ActiveX controls behave in one-off forms.

Security settings are controlled by a custom form that is stored in a designated folder on the Microsoft Exchange server. After the form is published in the folder, you can use it create items in the folder to store the security settings. You can use a registry key setting to cause Outlook to reference these settings. To update these settings, you must be an authorized administrator.

The settings that you can configure by using the template can help provide a high level of security. However, the higher the level of security, the more limitations there are to Outlook functionality. Restrictions enforced by the Outlook security form include limits to specific types of attachments, heightened default security settings, and controlled access to the Outlook automation code.

 Note   To learn more about how Outlook virus protection features work, see How Outlook helps to protect your computer from viruses.

Requirements for customized security settings

As an administrator, you can use the template to customize the Outlook security settings to help meet your organization's needs. For example, you can help control the types of attached files blocked by Outlook, modify the Outlook object model security and warning levels, and specify user or group security levels. However, to customize these settings, your users must have the appropriate Outlook configuration.

To enable custom security settings, your users must be using Outlook with an Exchange server. You cannot modify most of these settings if your organization is using Outlook with a third-party e-mail service. (The exception is for attachment-blocking settings, which can be configured when using a third-party e-mail service.)

Lowering any default security settings may increase your risk of virus execution or propagation. Use caution and read the documentation before you modify these settings.

Enabling customized security settings for users

When you create custom security settings for Outlook by using the Outlook security template, the settings are stored in messages in a top-level folder in the Public Folders tree. Users who need these settings must have a special registry key set on their computers for the settings to apply.

When the key is present, Outlook searches the Exchange server for custom security settings to apply to a user. If these settings are found, they are applied. Otherwise, the default security settings in Outlook are used.

Users without the special key have the default Outlook security settings that are in the product.

Note that in some cases, administrator-defined security settings may interact with security settings defined by the user. Specifically, users can customize attachment-blocking behavior, if you, as administrator, have given permission.

Obtaining the files required to customize security settings

The files you need to configure the security settings and publish the form to enforce the settings are included in a self-extracting executable named Admpack.exe. You can find this downloadable file on the Office XP Resource Kit Downloads page. It is not installed by default from the Office Resource Kit Setup program. The four administrative files are as follows:

  • OutlookSecurity.oft

An Outlook template that enables you to customize Outlook client security settings that are saved in a public folder on the Exchange server. The OFT is the form that you publish into the special public folder that Outlook can be directed to reference for client security settings.

  • Hashctl.dll and Comdlg32.ocx

Two controls used by the form.

  • Readme.doc

A document that provides information on the values and settings available in the template and describes how to deploy the new settings on the Exchange server.

Customized security settings caveats

There are a couple caveats to keep in mind when deploying customized security settings for Outlook 2003:

  • Outlook must be restarted to get the customized settings.

The first time a user starts Outlook after the customized security settings have been applied, the user sees default administrative settings and not the exception or default form that has been set. The user needs to close Outlook and then restart Outlook again to get the correct security settings and permissions.

  • No customized settings are applied in Personal Information Manager (PIM)-only mode.

In PIM mode, Outlook uses the default security settings. No administrator settings are looked for or used in this mode.

Customizing how ActiveX controls behave in one-off forms

When Outlook receives a message containing a form definition, the item is considered to be a one-off form. To help prevent unwanted script and controls from running in one-off forms, Outlook does not load ActiveX® controls in one-off forms by default. You can control this behavior by setting a registry key or policy in HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security or HKCU\Software\Microsoft\Office\11.0\Outlook\Security.

 Note    This policy is not provided in the Outlk11.adm file in the original retail product but is included in the updated ADM files released later. You can download the updated Office 2003 Policy Template Files and Deployment Planning Tools (Office-2003-SP1-ADMs-OPAs-and-Explain-Text.exe). You can find this downloadable file on the Office 2003 Resource Kit Downloads page.

Value name: AllowActiveXOneOffForms

Value type: DWORD

Value data: [ 0 | 1 | 2 ]

0 - Only load controls that are in the following list.

1 - Allow only safe controls.

2 - Allow all ActiveX controls.

If the registry key is not present, Outlook loads only controls listed here. This is the default behavior. The following controls can be used in one-off forms:

  • Controls from fm20.dll
  • Microsoft Office Outlook Rich Format Control
  • Microsoft Office Outlook Recipient Control
  • Microsoft Office Outlook View Control

Related link

For more information about how administrator settings work with user settings, see Administrator-Controlled Settings vs. User-Controlled Settings.

Applies to:
Deployment Center 2003