Microsoft Outlook 2002 expands on the virus protection features introduced in Outlook 2000 to allow administrators to protect users' systems from mail-borne viruses. Outlook automatically blocks certain types of attachments, preventing the user from opening them. You can tailor attachment blocking, either at the Exchange server or at the workstation, to change the way Outlook treats specific attachment types. In this Daily Drill Down, I'll explain Outlook's new attachment blocking feature and how you can fine-tune it to your requirements.
Understanding attachment blocking
If you use Outlook 2002 as your e-mail client, whether as a client for Exchange Server or for other e-mail services, you have some useful options for blocking and managing e-mail attachments to help prevent infection. Outlook and Exchange Server group all attachments into two different categories: Level 1 and Level 2. Users can’t open or view Level 1 attachments. They can view the message body itself, but Outlook disables the interface components that would otherwise allow them to open or save the attachment to disk. If a user receives a message with a blocked attachment and then selects the message, Outlook displays a notice in the preview pane’s InfoBar that indicates the attachment is blocked and can’t be opened. Table A lists the default Level 1 attachment types.
|ADE||Microsoft Access project extension|
|ADP||Microsoft Access project|
|BAS||Microsoft Visual Basic class module|
|CHM||Compiled HTML Help file|
|CMD||Microsoft Windows NT/Windows 2000 command script|
|COM||Microsoft MS-DOS program|
|CPL||Control Panel extension|
|INF||Setup Information File|
|INS||Internet Naming Service|
|ISP||Internet Communication settings|
|MDA||Microsoft Access add-in program|
|MDB||Microsoft Access program|
|MDE||Microsoft Access MDE database|
|MDZ||Microsoft Access wizard program|
|MSC||Microsoft Common Console Document|
|MSI||Microsoft Windows Installer package|
|MSP||Windows Installer patch|
|MST||Visual Test source files|
|PCD||Photo CD image or Microsoft Visual Test compiled script|
|PIF||Shortcut to MS-DOS program|
|SCT||Windows Script Component|
|SHS||Shell Scrap Object|
|VBE||VBScript Encoded script file|
|WSC||Windows Script Component|
|WSF||Windows Script file|
|WSH||Windows Script Host settings file|
Level 2 attachments work a little differently. Outlook prevents you from opening the attachment directly from the e-mail message, but it does not stop you from saving the file to disk. After you save the attachment, you can open it outside of Outlook. Because you can configure Level 2 attachments only through Exchange Server, Level 2 attachment behavior applies only to Exchange Server accounts and not to POP3, IMAP, or other e-mail accounts. So, while you can’t configure Level 2 attachments for your POP3 account, for example, you can modify the Level 1 list to change the way Outlook handles Level 1 attachments. You can unblock Level 1 attachments and allow them to be opened directly from an e-mail message, but you can’t configure them to be handled as Level 2 attachments, forcing the user to save them first. By default, the Level 2 attachment list is empty.
In designing the Level 2 attachment option, Microsoft appears to assume that you will either have a virus scanner on your system that will scan the file as soon as you save it to disk or that you will scan the file manually after doing so. There’s a bit of a flaw in that assumption, as there is no guarantee that your virus definition files are up to date or that the virus scanner is even running. So, it’s important not to rely on virus scanners or users’ good intentions to provide protection. A combination of server-based virus scrubbing for e-mail and network-wide scanning is a must to ensure adequate protection. Making sure users understand the implications and potential problems that can be caused by a virus or worm is extremely important from an administrative standpoint, as well.
Configuring attachment blocking under Exchange Server
As I mentioned, you can configure attachment blocking in two locations: at the server level for Exchange Server or at the local workstation. Configuring attachment blocking at the server offers better administrative control over security and allows you to configure attachment blocking by groups. For example, you might block certain types of attachments for general users and a different set of attachments for power users or administrators, with the assumption that users in these latter groups are more savvy and less likely to do something to introduce a virus or worm onto their systems or onto the network.
Setting up for attachment blocking
To configure attachment blocking under Exchange Server, you must first install the Outlook Security Features Administrative Package, or AdminPak, from the Microsoft Office XP CD. Insert the Office XP CD on any system on the network running Windows 2000 (not necessarily the server). This will be the computer from which you will configure attachment blocking; it can be your personal workstation or an administrative workstation. Create a folder to contain the AdminPak files. For the purposes of this example, I’ll assume you’re creating a folder named Program Files\AdminPak. Extract the file \Ork\Files\Pfiles\Orktools\Ork10\Tools\Admpack\Admpack.exe to the AdminPak folder you just created.
The next step is to install the Trusted Code Control that will allow the security template included with the AdminPak to function without running into security roadblocks in Exchange Server. On the Windows 2000 computer where you plan to administer Exchange Server security, log on as Administrator. Locate the file Hashctl.dll in the AdminPak folder and copy it to the %systemroot%\System32 folder on your local computer. Next, register the service; Click Start | Run, enter REGSVR32 HASHCTL.DLL, and then click OK in the resulting dialog box. Copy the file Comdlg32.ocx from the AdminPak folder to the %systemroot%\System32 folder and click Yes when prompted to replace the existing file. Then, register the service; Click Start | Run, enter REGSVR32 COMDLG32.OCX, and then click OK in the resulting dialog box.
At this point, the pieces are in place to enable security configuration. Before you configure settings, however, you need to create a public folder on the server to store the custom security settings. Outlook checks this folder for security settings that apply to the user when Outlook starts; if it finds applicable settings, it applies them to the user’s Outlook session. Following are the steps for creating the folder under Exchange 2000 Server; the steps under Exchange Server 5.5 are similar.
First, open the Exchange System Manager, expand the Administrative group, and then expand the Folders\Public Folders branch. Right-click Public Folders and choose New | Public Folder. In the property sheet for the new folder, type either Outlook Security Settings or Outlook 10 Security Settings for the folder name on the General tab. Enter a description, if desired, and click OK to create the folder. Right-click the folder you just created and choose Properties to open its property sheet. Click the Permissions tab and then click Client Permissions to open the Client Permissions dialog box. Select Default, clear the Create Items option, and make sure Read Items and Folder Visible are selected. Next, select Anonymous and, from the Roles drop-down list, select None.
You can grant other users or groups the ability to customize security settings. Click Add, select a user or group, and click OK. Then configure the user or group permissions to provide the level of access you want them to have. When you’re satisfied with the permissions, click OK to close the Client Permissions dialog box and then close the folder’s property sheet.
Configuring blocked attachments
With the security folder created on the server, you’re ready to start customizing security settings using the template provided with the AdminPak. On the workstation where you installed the AdminPak, open Outlook. Click the arrow beside the New button on the Standard toolbar and select Choose Form. In the Choose Form dialog box, select User Templates In File System from the Look In drop-down list and browse to the AdminPak folder. Select the OutlookSecurity template and click OK to open it. Outlook will then prompt you to select the folder for storing security settings. Select the Outlook Security Settings public folder you created on Exchange Server.
When Outlook displays the Default Security Settings form, save it to the public folder. Choose Tools | Forms | Publish Forms. Select the Outlook Security Settings folder from the Publish Form As dialog box, type Outlook Security Form in the Display Name and Form Name fields, and click Publish. Click the Close button on the form to close it and click No when prompted to save changes. If the Close button won’t work on your system (an apparent bug in the form), click the Close button in the upper right corner of the form window.
At this point, you’re ready to create a set of security settings to serve as the default for users who don’t have their own custom settings. Still in Outlook, click the arrow beside the New button on the Standard toolbar and select Choose Form. Open the Outlook Security Settings public folder. On the Outlook Security Settings tab of the form, make sure Default Security Settings For All Users is selected. Make modifications on the form as desired to customize the default settings, based on the options described in the following list. When you’re satisfied with the settings, click Close, and then click Yes when prompted to save changes. Exchange Server will prompt you to specify authentication credentials with Administrative permissions in the Outlook Security Settings public folder.
- Security Group Name: Use this field to name the group of settings. For example, you might use the name No Restrictions for a group of settings that allows the user to view and save all attachments.
- Members: Type the user names, separated by semicolons. You can include distribution and security group names under Exchange 2000 Server but not under Exchange Server 5.5. When a user is a member of more than one security group, the one created most recently takes precedence. You can press [Ctrl]K to resolve names to valid addresses.
- Show Level 1 Attachments: Select this option if you want the group or user to be able to open Level 1 attachments directly in Outlook.
- Allow Users to Lower Attachments To Level 2: Select this option if you want the group or user to be able to save a Level 1 attachment to disk and open it from there (essentially, treat Level 1 attachments as Level 2 attachments).
- Do Not Prompt About Level 1 Attachments When Sending An Item: Select this option to disable the warning Outlook otherwise generates when a user attempts to send a Level 1 attachment to another user.
- Do Not Prompt About Level 1 Attachments When Closing An Item: Select this option to disable the warning Outlook generates when a user closes an item containing a Level 1 attachment.
- Allow In-Place Activation Of Embedded OLE Objects: If this option is enabled, the user or group subject to the security settings can open OLE objects embedded in messages. With Word as the default e-mail editor, users can always open embedded OLE objects. This setting applies only to users who use Outlook as the editor.
- Show OLE Package Objects: If this option is selected, embedded OLE objects appear in messages. When the option is not selected, the OLE objects are hidden.
- Level 1 File Extensions: Modify the Level 1 attachment list with these controls. Type the file extension, using semicolons to separate multiple file types.
- Level 2 File Extensions: Modify the Level 2 attachment list with these controls. As with the Level 1 attachment list, specify the file extension only and separate multiple types using semicolons.
- Enable Scripts In One-Off Outlook Forms: Select this option to allow scripts to execute if the script and the form layout are contained in the message.
- When Executing A Custom Action Via Outlook Object Model: Select the way you want Outlook to respond when a program attempts to execute a task using the Outlook object model (such as through a VB script).
- When Accessing The ItemProperty Property Of A Control On An Outlook Custom Form: Select the way you want Outlook to respond when a user adds a custom control to a form and binds the control to any address fields (To, Cc, etc.).
When Outlook starts on a user’s computer, it checks the public folder and, if it finds a security form that lists the current user’s name, it applies those settings. Otherwise, it applies the default settings. However, you need to make a change to the user’s registry to direct Outlook to check the folder at startup. You can do so individually through the Registry Editor, customize the user’s registry through his logon script, or send him or her a link to a registry script stored on a network server. You can’t send the registry script as an attachment, because Outlook will block the attachment by default.
To create the registry script, open the Registry Editor and open the branch HKEY_CURRENT_USER\Software\Policies\Microsoft\Security. Create the key if it does not exist. Create a new DWORD value named CheckAdminSettings in the key. Use one of the following values for CheckAdminSettings:
- 0 : Causes Outlook to use the default security settings (Outlook will also use the default security settings if no CheckAdminSettings value exists.)
- 1 : Look in the Outlook Security Settings public folder for custom settings for this user
- 2 : Look in the Outlook 10 Security Settings public folder for custom settings for this user
- Any other value: Causes Outlook to use the default security settings.
After you create the key and value, choose Registry | Export Registry File. Specify a name for the registry file and save it to disk, making sure the Selected Branch option is selected. (You don’t want to export the entire registry!) You can then place the file on a network share and send users a link to the share or incorporate the registry file through the user’s logon script.
Configuring attachment blocking under Outlook 2002
When you use Outlook in conjunction with Exchange Server, the Exchange Server administrator configures security at the server. In situations where you don’t use Exchange Server at all, such as in a standalone computer or in a workgroup, you can configure attachment blocking locally. This lets you specify the attachments that Outlook will allow you to open.
You have fewer options for controlling attachment blocking locally vs. under Exchange Server. You can remove file types from the Level 1 attachment list, but you can’t add other file types or modify the Level 2 list. You accomplish this change through a registry modification and, as with the settings I described previously, you can share the changes with other users by exporting the registry key to a registry script and then distributing that script to the other users.
To modify the Level 1 attachment list on your computer, open the Registry Editor and expand the branch HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security. Add a string value named Level1Remove in that key. After you create the value, double-click it and add the file extensions, separated by semicolons, of the file types you want removed from the Level 1 list. For example, to be able to open Help (HLP) and Microsoft Access database (MDB) files, enter hlp;mdb as the value of Level1Remove. Restart Outlook for the change to take effect.
One final tip
Here’s one final tip for working with blocked attachments: If you run into a situation where you don’t want to make the modifications I’ve described, you can work around attachment blocking. Outlook doesn’t strip out the attachments; it simply prevents you from opening them. So, create a new folder in Outlook and move the message with the attachment to that folder. Open Outlook Express and import that folder from Outlook. You’ll be able to open the message in Outlook Express and open the attachment without any problems.