While Microsoft has made significant progress securing
Exchange 2003 and Outlook 2003, vulnerabilities still exist. Use the following
10 steps to mitigate potential problems before they become major issues.

  1. Stay current with Office security updates – Using Microsoft Update, you can
    automatically or manually download and install Office and Windows updates.
    You can download Office-specific updates from Microsoft’s Office Web site. If
    you manage a large number of desktops, consider using Windows Server Update
    Services (WSUS), which includes support for Office products via its automatic
    update mechanism. Alternatively, you can manually download updates from the
    Office resource kit site. Check out these Office 2003 downloads and Office
    XP/2002 downloads.
  2. Encrypt traffic between Exchange and Outlook clients – If the network between
    the client and the Exchange server isn’t totally secure, you should encrypt
    the communication channel between Outlook and Exchange. To do this, click
    Tools | E-mail Accounts, select View or change existing e-mail accounts and
    click Next. Select the user’s Exchange e-mail account and click Change. Click
    More Settings and select the Security tab. Under Encryption, enable the
    checkbox labeled Encrypt data between Microsoft Office Outlook and Microsoft
    Exchange Server and click OK.
  3. Learn about Outlook’s attachment blocking feature – Outlook 2003 includes
    attachment blocking functionality designed to protect end users from running
    dangerous attachments, such as executable files, script files, Windows program
    information files (pif) and more. Check out this complete list of file types
    blocked by Outlook 2003.

    If you need to receive a message with an attachment that is on the blocked
    list, ask the sender to zip the file (unless you choose to block zip files)
    before sending it, or make the file available via a download location. If
    you have a file type that you would like to block, such as zip files, you
    can edit the desktop’s registry to add the new file type you’d like to block.

    To block a specific file type, open regedit and navigate to the key:

    HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security

    Add a new string value named Level1Add. Open the new value and enter the
    list of extensions you’d like to block, each separated by a semicolon
    (example: .zip;.xls;.exe). Outlook will now block attachments with the
    extensions you specify from your inbox.
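    The same Level1Add change scripted for many desktops, as an added example
    that is not part of the original article: it merges new extensions into
    whatever Level1Add already holds instead of overwriting it, and flags any
    extension that a sibling Level1Remove value would unblock again. The
    extensions in $ToBlock are constructed sample input; the key path and the
    Level1Add/Level1Remove value names are the ones Outlook 2003 uses.

```powershell
# Added example (not from the original article): extend Outlook 2003's blocked
# attachment list (Level1Add) for the current user without clobbering entries
# that are already there. Assumes Office 11.0 (Outlook 2003); run as the user
# whose profile you are changing, then restart Outlook for the change to apply.
$KeyPath = 'HKCU:\Software\Microsoft\Office\11.0\Outlook\Security'
$ToBlock = @('.zip', 'xls', '.EXE')   # constructed sample: mixed case and a missing dot on purpose

# Normalize an extension to lower case with a leading dot, so duplicates compare equal.
function ConvertTo-Ext {
    param([string]$Ext)
    $e = $Ext.Trim().ToLowerInvariant()
    if ($e -ne '' -and -not $e.StartsWith('.')) { $e = '.' + $e }
    return $e
}

# Split a semicolon-separated registry value into normalized, non-empty extensions.
function Split-ExtList {
    param([string]$Value)
    if (-not $Value) { return @() }
    return @($Value -split ';' | ForEach-Object { ConvertTo-Ext $_ } | Where-Object { $_ -ne '' })
}

if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

$props   = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
$current = Split-ExtList $props.Level1Add
$merged  = @($current + ($ToBlock | ForEach-Object { ConvertTo-Ext $_ })) | Select-Object -Unique

# Level1Add is a REG_SZ holding a semicolon-separated list, exactly as described in step 3.
Set-ItemProperty -Path $KeyPath -Name 'Level1Add' -Value ($merged -join ';') -Type String
Write-Host "Level1Add is now: $($merged -join ';')"

# Check: Outlook also honours a sibling value, Level1Remove, which takes extensions OFF the
# blocked list. An extension present in both lists needs a decision, so flag the overlap.
$unblocked = Split-ExtList $props.Level1Remove
$overlap   = @($merged | Where-Object { $unblocked -contains $_ })
if ($overlap.Count -gt 0) {
    Write-Warning "Also listed in Level1Remove, so not effectively blocked: $($overlap -join ';')"
}
```

    Because the value lives under HKEY_CURRENT_USER, the script has to run in
    each user’s context (for example as a logon script) rather than once per
    machine.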

  4. Create a Public Key Infrastructure (PKI) to support more secure messaging –
    This goes beyond Outlook, and requires that you create a certificate
    infrastructure, allowing you (or your users) to verify the authenticity of
    people sending them mail and to send messages to recipients that are
    similarly guaranteed. Microsoft Knowledge Base article 286159 includes a
    number of steps you can take to manage your digitally secure Outlook
    environment.
  5. Read messages in plain text – HTML e-mail messages can contain viruses or
    malicious scripts. By default, Outlook allows you to read HTML formatted
    messages, but you can disable this behavior and read messages in plain text
    only. To disable HTML e-mail, click Tools | Options and select the
    Preferences tab. Click E-mail Options and enable the Read all standard mail
    in plain text checkbox. While you don’t have to worry as much about
    digitally signed mail, since you should know who sent the message, if you
    want to force all digitally signed mail to be delivered to you in plain
    text only, also enable the Read all digitally signed mail in plain text
    checkbox.
  6. Ask Outlook to catch more junk mail, or consider using a white list –
    Outlook 2003 includes the ability to catch junk e-mail and place it into a
    junk e-mail folder in Outlook. Outlook includes four default junk e-mail
    settings. No filtering: Outlook doesn’t look for junk e-mail and only moves
    mail from senders you have explicitly blocked to the junk mail folder. Low
    and medium: the low setting handles only absolutely obvious junk mail, while
    the medium setting catches more but starts to run the risk of catching mail
    that shouldn’t be moved. Finally, if you want to make sure you get mail only
    from people you know, you can choose the Safe Lists Only setting and then
    populate your Safe Senders list. Note that this white list method can result
    in quite a lot of management overhead. To manage junk mail settings, click
    Tools | Options, select the Preferences tab, and click Junk E-mail.
  7. Be comfortable with the Reading Pane… as long as you don’t change default
    settings – In previous versions of Outlook, the Reading Pane posed a privacy
    risk since users could view HTML messages and other potentially insecure
    items that could report back to the sender that a message was read. As such,
    many people disabled the Reading Pane in order to protect themselves from
    possibly opening a malicious message. However, Outlook 2003 includes features
    that make the Reading Pane (which can be very useful) safe to use. This is
    due to Outlook’s new default setting that disables the automatic downloading
    of pictures in HTML messages.

    If these settings have been changed so that pictures are automatically
    downloaded into Outlook, you should change the setting back to the default.
    To reset the Reading Pane’s default settings, click Tools | Options, choose
    the Security tab, and click Change Automatic Download Settings. Select all
    the available checkboxes. The two middle checkboxes relax this setting for
    senders that you feel are safe, while the other two checkboxes enforce the
    picture downloading ban.

  8. Scan and secure with the Microsoft Baseline Security Analyzer – Version 2.0
    of the Microsoft Baseline Security Analyzer (MBSA) scans systems for missing
    updates, including updates for Microsoft Office XP and later. Further, MBSA
    2.0 will tell you if any of your systems have their firewalls disabled, and
    let you know whether Automatic Updates are on or off. MBSA 2.0 is available
    for download.
  9. Maintain macro and publisher security – By default, Outlook’s macro security
    is set to high, which automatically blocks unsigned macros from being
    executed. The next, and highest, option requires that macros only be run
    from trusted locations. Macros not from trusted locations will not be run,
    whether they’re signed or not. I don’t recommend this highest level of
    security, and recommend that you leave this option set to the default of
    high. However, on the next tab, Trusted Publishers, consider clearing the
    checkbox “Trust all installed add-ins and templates”. These options are found
    at Tools | Macro | Security. Check out this full list of the ramifications of
    manipulating the various macro security options.
  10. Password protect your PST files – This is especially important for laptop
    users, as the PST files could hold the keys to the kingdom if someone got
    their hands on your files. While Exchange users can’t do this, smaller shops
    using Outlook with other mail systems can. To add a password to your PST
    file, right-click the top level folder and choose the Properties option from
    the shortcut menu. Click the Advanced button and, on the resulting screen,
    click the Change Password button. Enter the new password as well as its
    verification and click OK.