Office 2000 Resource Kit
Setting Consistent Security Options for All Users in the Workgroup
 
Using Security Features in Outlook

You can set several security options for Microsoft Outlook 2000 in the Windows registry. The following Outlook registry entries help you control security for your users.

Hiding the invalid signature message

By default, each time a user attempts to read a signed message that has an invalid signature, a dialog box appears warning the user about the signature and listing the cause of the failure. If you don’t want users to see this message, you can hide this dialog box by setting the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0\Outlook\Security\Options

To skip the warning dialog box, set the lowest-order bit of the DWORD value to 1 (0x00000001). This entry is set to 0 by default. Do not alter the other bits in this value; they help control other security options.
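The following PowerShell is an added example, not part of the Resource Kit. It reads the entry and sets or clears only bit 0, so the other option bits keep their values. It assumes Options is a DWORD value stored under the ...\Outlook\Security key, as the path above suggests; the function names are hypothetical.

```powershell
# Added example (not from the Resource Kit). Assumption: "Options" is a DWORD
# value under the ...\Outlook\Security key. Writing to HKLM requires administrator rights.
$SecurityKey    = 'HKLM:\Software\Microsoft\Office\9.0\Outlook\Security'
$HideInvalidSig = 0x00000001   # bit 0: skip the invalid-signature dialog box

function Get-OutlookSecurityOptions {
    # Returns the current DWORD, or 0 (the documented default) if the entry is absent.
    $item = Get-ItemProperty -Path $SecurityKey -Name 'Options' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.Options
}

function Set-InvalidSignatureWarning {
    param([Parameter(Mandatory)][bool]$Hidden)

    $current = Get-OutlookSecurityOptions
    if ($Hidden) {
        $new = $current -bor $HideInvalidSig            # set bit 0 only
    } else {
        $new = $current -band (-bnot $HideInvalidSig)   # clear bit 0 only
    }

    if ($new -ne $current) {
        if (-not (Test-Path $SecurityKey)) { New-Item -Path $SecurityKey -Force | Out-Null }
        # -Force creates the value or overwrites it, always as a DWORD
        New-ItemProperty -Path $SecurityKey -Name 'Options' -PropertyType DWord `
            -Value $new -Force | Out-Null
    }

    [pscustomobject]@{
        Before        = '0x{0:X8}' -f $current
        After         = '0x{0:X8}' -f $new
        WarningHidden = [bool]($new -band $HideInvalidSig)
    }
}

# Report the current state without changing anything
$now = Get-OutlookSecurityOptions
'Options = 0x{0:X8}; invalid-signature warning hidden: {1}' -f $now, [bool]($now -band $HideInvalidSig)

# Restore the warning (clear bit 0) while keeping every other option bit:
# Set-InvalidSignatureWarning -Hidden $false
```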

Specifying the minimum key length for encrypted e-mail messages

You can set a minimum key length for encrypted e-mail messages based on the desired security level. Outlook displays a warning message if an e-mail message does not meet this minimum key length. Standard key sizes are 40, 64, 128, and 168. To specify a minimum key length, enter a DWORD value in the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0\Outlook\Security\MinEncKey


 Note    International users cannot read e-mail messages encrypted using a key length greater than 40.


Specifying a certificate authority

You can limit users to certificates from a specific certificate authority only. For example, you can limit users to certificates from only the Microsoft Exchange Key Management Server. To limit users to a particular certificate authority, enter the certificate authority name as a String value in the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0\Outlook\Security\RequiredCA

 Tip    If you don’t want your users to use S/MIME security, you can disable it. To disable S/MIME, set this registry entry to the name of the Microsoft Exchange Key Management Server. In Key Management Server, set the Issue V1 certificates only option to disable users’ ability to issue S/MIME (V3) certificates.

Specifying password time limits

You can specify the maximum amount of time that a password for a key set can be stored. Setting this value to 0 effectively removes the user’s ability to save a password and requires that the password be entered each time a key set is requested. To set the maximum password time, set a DWORD value in the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provider\MaxPWDTime

You can also set the default value for the amount of time a password is saved. To set the default value for saving a password, specify a DWORD value in the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provider\DefPWDTime

Specifying the enrollment page address

When users sign up for a new Digital ID by clicking the Get Digital ID button on the Security tab in the Options dialog box (Tools menu), they are directed to a default external certificate authority enrollment page on the Microsoft Web site. If you prefer, you can set a registry entry to point to an internal certificate authority Web page instead.

Use one of the following registry entries to set a URL for the enrollment page:

  • If you have administrator privileges on the user’s computer, type the URL in this registry entry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0\Outlook\Security\EnrollPageURL

  • If you do not have administrator privileges on the user’s computer, type the URL in this registry entry:

    HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security\EnrollPageURL


 Note    The EnrollPageURL entry in the HKEY_LOCAL_MACHINE subkey overrides the EnrollPageURL entry in the HKEY_CURRENT_USER subkey.


The EnrollPageURL registry entries use the following parameters to send information about the user to the enrollment Web page.

Parameter                     Placeholder in URL string
User display name             %1
SMTP e-mail name              %2
User interface language ID    %3

For example, to send user information to the Microsoft enrollment Web page, set the EnrollPageURL entry to the following value, including the parameters:

www.microsoft.com/ie/certpage.htm?name=%1&email=%2&helplcid=%3

If the user’s name is Jeff Smith, his e-mail address is someone@microsoft.com, and his user interface language ID is 1033, then the placeholders are resolved as follows:

www.microsoft.com/ie/certpage.htm?name=Jeff%20Smith&email=someone@microsoft.com&helplcid=1033
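The following PowerShell is an added example, not part of the Resource Kit. It shows which EnrollPageURL entry takes effect (HKEY_LOCAL_MACHINE before HKEY_CURRENT_USER) and which host would receive the user's name and e-mail address. The function names are hypothetical, and the escaping rule (percent-encode everything except "@") is an assumption chosen to match the sample output above.

```powershell
# Added example (not from the Resource Kit): which EnrollPageURL wins, and what it sends.
$SubKey = 'Software\Microsoft\Office\9.0\Outlook\Security'

function Get-EffectiveEnrollPageUrl {
    # HKEY_LOCAL_MACHINE overrides HKEY_CURRENT_USER, so check it first.
    foreach ($hive in 'HKLM', 'HKCU') {
        $item = Get-ItemProperty -Path "${hive}:\$SubKey" -Name 'EnrollPageURL' `
                    -ErrorAction SilentlyContinue
        if ($item -and $item.EnrollPageURL) {
            return [pscustomobject]@{ Hive = $hive; Template = [string]$item.EnrollPageURL }
        }
    }
    return $null   # neither entry is set: the default enrollment page applies
}

function Expand-EnrollPageUrl {
    param([string]$Template, [string]$DisplayName, [string]$SmtpAddress, [int]$LanguageId)

    # Assumption: values are percent-encoded except '@', as in the page's sample.
    $enc    = { param($v) [uri]::EscapeDataString($v).Replace('%40', '@') }
    $values = @{
        '1' = (& $enc $DisplayName)
        '2' = (& $enc $SmtpAddress)
        '3' = [string]$LanguageId
    }
    # Substitute in a single pass. Chained replacements would re-read the "%2"
    # inside an already encoded "%20" as the e-mail placeholder.
    [regex]::Replace($Template, '%([123])',
        [System.Text.RegularExpressions.MatchEvaluator]{ param($m) $values[$m.Groups[1].Value] })
}

$effective = Get-EffectiveEnrollPageUrl
if ($effective) {
    # Sample user taken from the page's own example
    $url = Expand-EnrollPageUrl $effective.Template 'Jeff Smith' 'someone@microsoft.com' 1033
    # The page's sample URL has no scheme; add one so [uri] can parse the host.
    if ($url -notmatch '^[a-z][a-z0-9+.-]*://') { $url = "http://$url" }
    [pscustomobject]@{
        Source = $effective.Hive        # HKCU means the entry was writable without admin rights
        Host   = ([uri]$url).Host       # the server that receives the name and address
        Url    = $url
    }
}
```

Because the HKEY_CURRENT_USER entry can be written without administrator privileges, a result with Source = HKCU and an unexpected Host is worth reviewing.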


System Policy Tip   You can use system policies to set security levels in Outlook. In the System Policy Editor, set the Required Certificate Authority, Minimum encryption settings, S/MIME interoperability with external clients, and Outlook Rich Text in S/MIME messages policies under User\Microsoft Outlook 2000\Tools | Options\Security. For more information about the System Policy Editor, see Using the System Policy Editor.

