Software

TechRepublic Tutorial: Tweak Outlook security so you can use Mapisend

Learn how to modify Outlook to allow the Mapisend command line to run.


The Mapisend utility included with the Microsoft Exchange Resource Kit is a command-line tool you can use to send e-mail messages through the Mail Application Programming Interface (MAPI). Mapisend is handy for generating messages from batch files and scripts, or any other situation in which you need to generate an e-mail message from a console. Security settings in Outlook and Exchange Server can prevent Mapisend from working, though. I’ll explain how to configure Outlook and Exchange to allow Mapisend to work even with the Outlook security features in place.

Outlook security
The Security Update for Outlook 98 and Outlook 2000—and the same features built into Outlook 2002—help prevent virus infections and other potential problems by blocking access to certain types of attachments. Outlook recognizes two levels of attachments—Level 1 attachments are blocked altogether, but a user can save a Level 2 attachment to disk and open it.

The security features also block other types of potentially dangerous actions, including applications being able to send messages programmatically, such as through MAPI or CDO. Mapisend is a good example of an application that uses MAPI to send a message. If you install the Outlook Security Update or run Outlook 2002, Mapisend will fail because of the default security settings.

All of the Outlook security features apply by default. However, a crafty Exchange Server administrator can configure security policies to tailor Outlook’s security features for specific users or groups. For example, you might change the way Level 1 attachments are handled for administrators. I’ll focus on the changes you need to make to get Mapisend working again. You have to follow a lot of steps, but it isn’t difficult as long as you don’t skip any.

Note
For those of you who are already familiar with how to configure Outlook security policies, here’s the compressed version of how to enable Mapisend: Open the Programmatic Settings tab of the applicable policy and set When Sending Items Via Simple MAPI to Automatically Approve. The rest of you will need to read on.

Installing Admpack and the Trusted Code control
The first step is to install the form that will enable you to configure Outlook security settings. The form and a couple of associated DLLs are included in the Outlook Security Features Administration Pack, or Admpack. The files are available in the Office XP Resource Kit, or you can download a self-extracting archive from Microsoft’s Web site. To install the Admpack, first create a folder to contain the files—you can install them on the Exchange Server or your workstation. Next, extract the files from Admpack.exe to the folder.

The next step is to install the Trusted Code control, which will allow you to set the security options without running afoul of Exchange Server’s security. To install the control, log on as administrator from the computer that is going to manage the security settings. This computer needs to be running Windows 2000 or Windows XP. Copy the files Hashctl.dll and Comdlg32.ocx from the Admpack folder to the %systemroot%\System32 folder on the local workstation. After copying the files, click Start | Run and enter regsvr32 hashctl.dll to register the control. Click Start | Run, and enter regsvr32 comdlg32.ocx to register the .ocx file.

Create the public security folder
Next, you need to create a public folder on the Exchange Server to contain the forms that will control Outlook security (Figure A). I’ll assume Exchange 2000 Server for this example; the steps are much the same for Exchange Server 5.5.

Open the Exchange System Manager and open the Administrative Group where the public folders are located. Expand the branch Folders\Public Folders. Right-click Public Folders and choose New Public Folder. In the resulting Properties dialog box, enter either Outlook Security Settings or Outlook 10 Security Settings in the Name field. You can use either name, but remember the one you used, because you’ll need it later. Add a description in the Public Folder Description field if you wish, then click OK to create the folder.

Figure A
Create a new public folder on the Exchange Server with Outlook Security Settings (or Outlook 10 Security Settings) as the name of the folder.


In the Exchange System Manager, right-click the folder you just created and choose Properties. Click the Permissions tab and then click Client Permissions. Select Default, clear the Create Items option, and make sure Read Items and Folder Visible are selected (Figure B). Select Anonymous and select None from the Roles drop-down list. If you want to grant other users or groups the ability to modify security settings, click Add to add the user or group and then set the appropriate permissions. When you’re satisfied with the permissions, click OK.

Figure B
Set the permissions for the public folder to allow users to read, but not modify, items in the folder.


Create custom security settings
Now you’re almost ready to open the form and configure settings that will allow Mapisend to work. First, you need to create the default settings. Open Outlook on the user’s workstation, click the arrow beside the New button on the toolbar, and select Choose Form. Browse to the folder where you installed Admpack and choose the OutlookSecurity template. Outlook will prompt you to select a folder, so choose the Outlook Security Settings public folder you created previously on the server. The security form will then open on the user’s desktop (Figure C).

Figure C
Create the default security settings before creating custom settings.


Choose Tools | Forms | Publish Forms. Browse to and select the Outlook Security Settings public folder. Enter Outlook Security Form in the Display Name and Form Name fields and click Publish. If you’re prompted for logon credentials, enter the credentials you used when you created the public folder, or a set of credentials that has Create Items permissions in the folder. Close the form and respond No when asked if you want to save changes.

At this point, you’ll have a set of security settings on the server that will apply to all users. You’ll need to create another security set that will enable Mapisend to function. Mapisend needs an Outlook profile to do its job, so the policy needs to apply to whichever profile you use with Mapisend. To create the custom settings, click the arrow beside the New button on the toolbar and select Choose Form. Browse to the Outlook Security Settings public folder and choose the security template you created previously.

On the Outlook Security Settings tab, click Security Settings For Exception Group. In the Security Group Name field, enter Allow MAPISEND to Bypass Security (or a name of your choosing). Click in the Members field and enter the names for users that will be able to bypass security for Mapisend. You can press [Ctrl]K to resolve the names. On Exchange 2000 Server, you can enter the name of a distribution list or security group. Separate names with semicolons. If you’re not sure what name(s) to enter, open a new message form and click To. Browse through the address list and select the name you want to use. Then, highlight the name, copy it to the Clipboard, and paste it into the Members field on the form.

After you’ve specified the names, click the Programmatic Settings tab (Figure D). Locate the When Sending Items Via Simple MAPI option and set it to Automatically Approve. Choose Tools | Forms | Publish Form As. Open the Outlook Security Settings public folder and enter a new name for the post, such as Allow Mapisend to Bypass Security. Then click Publish.

Figure D
Use the Programmatic Settings tab to configure security for Mapisend and other options.


Configure client systems
At this point, the security settings are in place, but you need to configure the client computers (or servers where Mapisend will be used) to check for custom security settings. You’ll do this by adding a registry key and value on the computer.

On the computer where you’re using Mapisend, log on with the credentials you’ll use for Mapisend. Open the Registry Editor and open the key:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Security

Add a DWORD value named CheckAdminSettings in the Security key. Set the value of CheckAdminSettings to 1 if you used Outlook Security Settings as the folder name; set it to 2 if you used Outlook 10 Security Settings as the name (any other value causes Outlook to use the default settings). Close the Registry Editor.

You’re ready to send with Mapisend
Finally, to use Mapisend, open a command console and enter a Mapisend command to generate a message. Use the -u and -p switches to specify the user name and password, respectively, of an account that is included in the custom security policy. Or, use the -i switch if you want to select the profile from a drop-down list. If everything is set correctly, Mapisend will send the message and give you a “Message sent successfully” notification. If you missed a step or used the wrong credentials, you’ll get a dialog box telling you that a program is attempting to send a message and asking if you want to allow the message. Close the dialog, check your security settings, and try it again.

Editor's Picks

Free Newsletters, In your Inbox