While Microsoft has made significant progress securing Exchange 2003 and Outlook 2003, vulnerabilities still exist. Use the following 10 steps to mitigate potential problems before they become major issues.

- Stay current with Office security updates – Using Microsoft Update, you can automatically or manually download and install Office and Windows updates. You can download Office-specific updates from Microsoft’s Office Web site. If you manage a large number of desktops, consider using Windows Server Update Services (WSUS), which includes support for Office products via its automatic update mechanism. Alternatively, you can manually download updates from the Office resource kit site. Check out these Office 2003 downloads and Office XP/2002 downloads.

- Encrypt traffic between Exchange and Outlook clients – If the network between the client and the Exchange server isn’t totally secure, you should encrypt the communication channel between Outlook and Exchange. To do this, click Tools | E-mail Accounts, select View or change existing e-mail accounts and click Next. Select the user’s Exchange e-mail account and click Change. Click More Settings and select the Security tab. Under Encryption, enable the checkbox labeled Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server and click OK.

- Learn about Outlook’s attachment blocking feature – Outlook 2003 includes attachment blocking functionality designed to protect end users from running dangerous attachments, such as executable files, script files, Windows program information files (.pif) and more. Check out this complete list of file types blocked by Outlook 2003. If you need to receive a message with an attachment that is on the blocked list, ask the sender to zip the file (unless you choose to block zip files) before sending it, or make the file available via a download location. If you have a file type that you would like to block—perhaps zip files—you can edit the desktop’s registry to add the new file type you’d like to block. To block a specific file type, open regedit and navigate to the key HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security. Add a new string value named Level1Add. Open the new value and enter the list of extensions you’d like to block, each separated by a semicolon (for example .zip;.xls;.exe). Outlook will now block attachments with the extensions you specify from your inbox.

- Create a Public Key Infrastructure (PKI) to support more secure messaging – This goes beyond Outlook and requires that you create a certificate infrastructure, which gives you (or your users) the ability to verify the authenticity of people sending them mail and to send messages to recipients that are similarly guaranteed. Microsoft Knowledge Base article 286159 includes a number of steps you can take to manage your digitally secure Outlook environment.

- Read messages in plain text – HTML e-mail messages can contain viruses or malicious scripts. By default, Outlook allows you to read HTML formatted messages, but you can disable this behavior and read messages in plain text only. To disable HTML e-mail, click Tools | Options and select the Preferences tab. Click E-mail Options and enable the Read all standard mail in plain text checkbox. You don’t have to worry as much about digitally signed mail, since you should know who sent the message, but if you want to force all digitally signed mail to be delivered to you in plain text only, also enable the Read all digitally signed mail in plain text checkbox.

- Ask Outlook to catch more junk mail, or consider using a white list – Outlook 2003 includes the ability to catch junk e-mail and place it into a Junk E-mail folder in Outlook. Outlook includes four default junk e-mail settings. No filtering—don’t look for junk e-mail; only move mail from senders you have explicitly blocked to the junk mail folder. Low and medium—the low setting handles only absolutely obvious junk mail, while the medium setting catches more but starts to run the risk of catching mail that shouldn’t be moved. Finally, if you want to make sure you get mail only from people you know, you can choose the Safe Lists Only setting and then populate your Safe Senders list. Note that this white list method can result in quite a lot of management overhead. To manage junk mail settings, click Tools | Options, select the Preferences tab, and click Junk E-mail.

- Be comfortable with the Reading Pane… as long as you don’t change default settings – In previous versions of Outlook, the Reading Pane posed a privacy risk, since users could view HTML messages and other potentially insecure items that could report back to the sender that a message was read. As such, many people disabled the Reading Pane in order to protect themselves from possibly opening a malicious message. However, Outlook 2003 includes features that make the Reading Pane (which can be very useful) safe to use. This is due to Outlook’s new default setting that disables the automatic downloading of pictures in HTML messages. If these settings have been changed so that pictures are automatically downloaded into Outlook, you should change the setting back to the default. To reset the Reading Pane’s default settings, click Tools | Options, choose the Security tab, and click Change Automatic Download Settings. Select all the available checkboxes. The two middle checkboxes relax this setting for senders that you feel are safe, while the other two checkboxes enforce the picture downloading ban.

- Scan and secure with the Microsoft Baseline Security Analyzer – Version 2.0 of the Microsoft Baseline Security Analyzer (MBSA) scans systems for missing updates, including updates for Microsoft Office XP and later. Further, MBSA 2.0 will tell you if any of your systems have their firewalls disabled, and let you know whether Automatic Updates are on or off. MBSA 2.0 is available for download.

- Maintain macro and publisher security – By default, Outlook’s macro security is set to High, which automatically blocks unsigned macros from being executed. The next, and highest, option requires that macros only be run from trusted locations. Macros not from trusted locations will not be run, whether they’re signed or not. I don’t recommend this highest level of security, and recommend that you leave this option set to the default of High. However, on the next tab—Trusted Publishers—consider clearing the checkbox “Trust all installed add-ins and templates”. These options are found at Tools | Macro | Security. Check out this full list of the ramifications of manipulating the various macro security options.

- Password protect your PST files – This is especially important for laptop users, as the PST files could hold the keys to the kingdom if someone got their hands on your files. While Exchange users can’t do this, smaller shops using Outlook with other mail systems can. To add a password to your PST file, right-click the top-level folder and choose the Properties option from the shortcut menu. Click the Advanced button and, on the resulting screen, click the Change Password button. Enter the new password as well as its verification and click OK.
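The attachment-blocking step above edits the Level1Add value by hand in regedit, which is error-prone when you maintain many desktops. The following PowerShell script is an added example (not code from the article or from Microsoft) that does the same thing for the current user: it reads whatever is already in Level1Add, merges in the extensions you want blocked, validates their format, and writes the value back as a string. It assumes the Outlook 2003 key path given in the article (Office 11.0) and that Outlook is restarted afterwards so it re-reads the value; the function names are the example’s own.

```powershell
# Added example (not from the article): maintain the Outlook 2003 Level1Add
# attachment block list for the current user.
# Assumption: Outlook 2003 stores its security settings under this key,
# as the article states. Restart Outlook after changing it.
$KeyPath = 'HKCU:\Software\Microsoft\Office\11.0\Outlook\Security'

function Get-OutlookLevel1Add {
    # Returns the extensions currently listed in Level1Add as an array
    # (an empty array if the value does not exist yet).
    $item = Get-ItemProperty -Path $KeyPath -Name 'Level1Add' -ErrorAction SilentlyContinue
    if ($null -eq $item -or [string]::IsNullOrWhiteSpace($item.Level1Add)) { return @() }
    return @($item.Level1Add -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-OutlookBlockedExtension {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $Extension
    )

    # Normalise each entry to the ".ext" form the article shows (.zip;.xls;.exe)
    # and reject anything that is not a plain extension.
    $normalised = foreach ($e in $Extension) {
        $e = $e.Trim().ToLowerInvariant()
        if ($e -notmatch '^\.?[a-z0-9]+$') { throw "Not a valid extension: '$e'" }
        if (-not $e.StartsWith('.')) { $e = ".$e" }
        $e
    }

    # Create the key if this profile has never had Outlook security settings written.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

    # Merge with the existing list so an earlier block entry is never clobbered.
    $merged = @(Get-OutlookLevel1Add) + @($normalised) | Select-Object -Unique
    $value  = $merged -join ';'

    # Level1Add is a REG_SZ (string) value; -Force overwrites an existing one.
    New-ItemProperty -Path $KeyPath -Name 'Level1Add' -PropertyType String `
        -Value $value -Force | Out-Null
    return $value
}

# Usage: block zip archives in addition to Outlook's built-in list, then show
# the resulting semicolon-separated list that Outlook will read at next start.
Add-OutlookBlockedExtension -Extension '.zip'
Get-OutlookLevel1Add
```

Because the value lives under HKEY_CURRENT_USER, the script has to run in the context of the user whose Outlook profile you are hardening; for a fleet, the same merge logic can be applied through a logon script rather than by editing each desktop in regedit. Reading the value back after writing is a cheap check that a later tool or user has not silently removed an extension you rely on being blocked.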