Software

10 tips for helping users keep Outlook data secure


Your users probably understand the importance of safeguarding the data on their computers. But they don't always realize that some of that data is contained in Outlook. Here are a few suggestions you can share with them to help them protect that Outlook data.

Note: Since Exchange servers control certain options, users may need to check with their administrator if they run into something that's unavailable. Also, some of the options discussed here are available only to Exchange clients. If users are running Outlook on a contained system, those options won't be available.

This information is also available as a PDF download.

#1: Protect private items

If you're running Outlook on an Exchange server, you can mark some items as private when you create them. Other people can see the item, but not its details. For instance, if you create a private appointment, other users will see only Private Appointment. Other users won't be able to open the appointment to glean more information. To create a private appointment, simply click the Private check box on the first page of the Appointment form (it's in the bottom-right corner).

Anyone with permission to access your folder can open items unless you specifically deny them access. To do so, Select Options from the Tools menu and click the Delegates tab. Select a user and click Permissions. To hide private items from the selected user, deselect the Delegate Can See My Private Items check box.

#2: Secure personal folders

You can password-protect your personal folders to slow down a would-be snoop. Just remember that a password isn't a total solution. Cheap password-hacking utilities are available to anyone with the inclination and a few bucks. A password only slows down a determined hacker while you're away from your desk.

To create a password for your Personal Folders file, right-click the top-level folder (which is probably Personal Folders) and choose Properties For Personal Folders. On the General tab, click the Advanced button and then click Change Password. If you had a previous password, enter it in the Old Password field. If not, skip this step. Then, enter the same password in both the New Password and Verify password fields. The Save This Password In Your Password List option lets you bypass the password process. Doing so negates the password, so don't select that option.

You can't password protect subfolders. It's everything or nothing.

#3: Change logon security

Most systems allow unrestricted access to Outlook once you log on to Windows. That means that anyone can log in to your copy of Outlook while you're away from your desk. Password-protecting your personal folders certainly helps, but you might also want to restrict access to Outlook. You can do so by changing the authentication method Outlook uses. If you do, Outlook will require a password every time you open it -- even if you're already logged in to your system via Windows authentication. To change the authentication method Outlook uses, do the following:

  1. Open Outlook and choose E-mail Accounts from the Tools menu. Select View Or Change Existing E-mail Accounts and click Next.
  2. Choose the appropriate Exchange account and click Change.
  3. Click More Settings and then click the Security tab.
  4. Check the Always Prompt For User Name And Password option.
  5. Click OK, Next, and Finish.
  6. Close Outlook and relaunch.

Outlook will prompt you for your domain\username and password. For instance, if the server name is RabbitTracks and your username is SusanH, you'd enter RabbitTracks\SusanH.

Use extreme care when changing this option. If you make a mistake, you'll lock yourself out of Outlook. In fact, you might want to discuss this decision with your administrator before committing to it. In addition, this option is available only for Outlook clients on Exchange Server.

#4: Make your passwords strong

Some people make the mistake of using passwords that are unique to or known only to themselves -- or at least they think so. For instance, they use a social security number or their baby's middle name. These are weak passwords. Someone who knows you could quickly gain access to your data by simply guessing.

A strong password adheres to the following guidelines:

  • Has at least seven characters.
  • Includes both uppercase and lowercase letters, numbers, and a symbol character between the second and sixth position.
  • Is a random collection of characters.
  • Repeats no characters.
  • Doesn't use consecutive characters, such as 123 or abc.
  • Contains no pattern.
  • Doesn't include any string or value that's familiar to you, such as a social security number, your pet's name, or your birthday.

Write down the password and keep it in a secure place it. Don't write it on a post-it and stick it to your computer screen. Don't laugh -- you'd be surprised how many people do just that, without thinking about the consequences.

Remember, most passwords are case-sensitive. Change your password frequently. Once a month isn't too often.

#5: Protect against infection

Most people know by now that viruses are programs that hide inside other files, and that they can hijack e-mail, destroy data, and replicate themselves and try to infect other files or users. But knowing about the threat is one thing. Effectively protecting against it is another.

E-mail is particularly vulnerable. Harmful files can gain access through e-mail attachments and Web-based e-mail. Just opening a message can execute the virus file. The best protection is an antivirus program. After installing, you must remember to update the definition files frequently because new viruses are released every day.

#6: Suspect attachments

Just because you know someone doesn't mean the attached file he or she just sent you is safe. If the sender's system is infected, the attachment may contain a copy of a virus, and the system sent it to you without sender's knowledge. The potential for infection is so serious that starting with version 2002, Outlook blocks most attachments by default. There are three blocking levels:

  • Level 1: Outlook blocks access to potentially unsafe attachments. You can see the attachment with the e-mail message, but you can't open it.
  • Level 2: You can't open the attached file from inside Outlook. Right-click the attached file and store it to a local disk.
  • Level 3: Double-click to open the attached file inside Outlook.

If you receive a level 1 attachment and you need it, you have a few options:

  • Ask the sender to zip the file and resend it, as zip files have level 3 clearance.
  • Edit the Windows Registry to change level types for specific types of files. Do so only when you receive certain file types regularly. (Don't consider this option unless you're experienced with tweaking the registry.)
  • Export the message to Outlook Express and open it there.

Keep in mind that the second and third options can release a harmful virus.

#7: Encrypt sensitive data

Outlook clients on Exchange offer built-in encryption. Doing so protects your data only as it travels from your client to server. It won't encrypt data in your personal folders, so anyone who has access to your system can still view your Outlook items.

To add encryption to your Exchange E-mail account, do the following:

  1. Choose E-mail Accounts from the Tools menu. Then, select View Or Change Existing E-mail Accounts and click Next.
  2. Choose your Exchange account, click Change, and click More Settings.
  3. Click the Security tab and select Encrypt Information.
  4. Click OK twice, click Next, and then click Finish.

#8: Purchase a handy-dandy decoder ring

If you're working with sensitive data, consider purchasing a digital certificate. Certification uses Secure Multipurpose Internet Mail Extensions (S/MIMME) protocol, and Outlook supports it. Using certification, you can send secure messages by offering a guarantee to the recipient that you are who you say you are. Purchase a digital certificate from VeriSign or obtain one from Thawte.

Each certificate has both a public and a private key. Windows stores it in the Registry and it's never distributed. You'll share the public key to anyone who sends you encrypted mail. Then, you'll use your private key to decrypt the message.

Truthfully, if you intend to go this route, you need more than this tip. Knowing this type of security is available is just the beginning. But here's the real tip -- once you've installed your digital ID, back it up by completing the following steps:

  1. Choose Options from the Tools menu and click the Security tab.
  2. Click Import/Export in the Digital ID section.
  3. Click the Export Your Digital ID To A File option.
  4. Enter a filename and/or click Browse to select a location to save the file and click Save.
  5. Enter a password and confirm it. Write down the password and store it in a secure location.
  6. Click OK to export the digital ID.

Store the file in a safe secure place -- preferably an off-site location in a fireproof safe or vault.

#9: Defensive zones

Incoming e-mail messages and Web pages often contain files you want to run. However, sometimes those files have the potential to release a virus or perform some other malicious deed locally. Internet Explorer uses security zones so you can determine which sites can download files. Outlook also uses security zones:

  • Local Intranet Zone: Use this for sites on your local intranet; security level is set to Medium-Low.
  • Trusted Sites Zone: Use this for sites outside your intranet that you trust completely; security level is set to Low.
  • Internet Zone: Use this for most Web sites; security level is set to Medium.
  • Restricted Sites Zone: Put sites you don't trust into this zone; security level is set to High.

A Low level accepts all content without warning you first, so you should use this zone with care. A Medium level warns you before running content. You can choose not to run the file. Medium-low runs most content without prompting you. However, it will prompt you before downloading an unsigned ActiveX control. A High level won't download or run anything. Just remember that a High level won't protect you from the latest threats, so back up your efforts with update virus software.

#10: Download patches and updates

Perhaps the best way to keep Outlook data secure is to keep your system updated with the latest patches and service packs. Windows can handle it all for you automatically. In the Control Panel, double-click Automatic Updates and click the Automatic (Recommended) option. This setting downloads and installs appropriate updates for your system behind the scenes. You don't have to do a thing but be online for the download.

Alternately, you can download updates automatically and then decide when to install them. Or you can choose when to download and install them. However, do not turn off automatic updating unless you have a good reason for doing so and know what you're doing.

Initially, automatic updating was a bit buggy, but Microsoft seems to have worked out most of the kinks. If you don't have PC support or an IT department that handles updates for you, the best thing you can do to protect yourself is to enable automatic updates.


About

Susan Sales Harkins is an IT consultant, specializing in desktop solutions. Previously, she was editor in chief for The Cobb Group, the world's largest publisher of technical journals.

7 comments
misseviltoyou
misseviltoyou

This is going to make me seem like an idiot I know, but does viewing messages in the Reading Pane on Outlook constitute opening the message?

mw00110011
mw00110011

I was reading an earlier TechRepublic Outlook user-experience-enhancement article, and then gravitated to this more interesting article on security. Both had good points but I, as well as others apparently, am not too crazy about the efficiency vs. security of the Reading Pane. Also, I've noticed that users who 'like' this feature are often the ones who have committed other questionable acts in Outlook, such as replying to 'Remove-links' in SPAM emails and loading their email up with graphics, backgrounds, and Word or HTML content because it looks neat. I turn the Reading Pane off as soon as I get Outlook installed. I don't think the full-view-approach beats the need for meaningful email subjects and adequate scrutiny of incoming messages before they are opened. I have noticed that when checking the email header, copying it into a new message and then sending it and the suspicious email 'item' to FrontBridge that the file is marked as 'read' in my inbox. I wonder if that breaks the secure chain around my Inbox?

sethumba80
sethumba80

Please let me know 10 items about the outlook.

rudy.berongoy
rudy.berongoy

Yes it does, by default this is switched on in Outlook (I Think), just switch it off. I Hope that helps

clintonspicer
clintonspicer

Ummmm Nothing!!!!! Doo dee Dooo (walks away shaking head)

philthee
philthee

We're always being warned that opening an email can be a trigger to spammers that your address is active (by downloading pictures, etc). Simply having the preview pane ON will do this automatically! Typically, I turn the pane OFF in my Inbox, AntiSpam, Junk and Deleted Items folders. Any other folders would contain mail that's been "screened", so I leave the pane turned ON for those.

clintonspicer
clintonspicer

Ok here's a doozy. I have 300 clients running outlook. My build list when installing email and logging the users accounts into the Exchange server for the first time dictates that I turn the reading pane off which I am aware secures the email. What I want to know is, is there a group policy for Exchange or a tool that can turn the reading pane off and leave it off preventing the users from re-opening it? I open it up to you my friends, it would be a good solution for a security vulnerability

Editor's Picks