Microsoft’s Office 2003 Resource Kit provides a set of tools
that help you administer and fine tune its signature Office suite. Here’s a
look at the Outlook Administrator Pack, a utility that allows you to customize
server-side security settings.

What it does

The Outlook Administrator Pack gives you a centralized way
to customize server-side security settings for users of Outlook 98, 2000, XP,
and 2003. Using the Pack, you have access to Outlook settings that are normally
locked down. This allows you to tailor settings such as allowed attachments and
warning levels to your organization as a whole or to groups of users.

Why you need it

The Outlook Administrator Pack simplifies administration of
Outlook security, provided your enterprise uses a server on which global
security settings can be applied (such as Exchange Server). Using this utility
you can adjust your settings as needed.

Restrictions

The Outlook Administrator Pack will not apply to enterprises
where users run Outlook with PST mailboxes. Rather, it is intended for
organizations running Outlook with Microsoft Exchange Server and either Mailbox
(MDB) or Offline folders (OST). In addition, the administration machine must
use Microsoft Windows 2000 or later.

Download and installation

The Outlook Administrator Pack (OAP) is one of many tools
that come with Microsoft’s Office 2003 Resource Kit (ORK). Other utilities
include the

  • Custom
    Installation Wizard
  • Custom
    Maintenance Wizard
  • MST
    File Viewer
  • Profile
    Wizard

A custom installation will allow you to specify which
utilities to install. Run the Setup file any time after that to add or remove
components. For more information on the ORK’s tools, see Microsoft’s Office 2003
Editions Resource Kit
Web page. Download the resource kit (7.3 MB) from Microsoft’s
Web site
.

Oddly, the Outlook Administrator Pack is not installed with
the rest of the ORK, even if you do a custom installation. Instead, Setup
copies the self-extracting installation file for the Outlook utility to your
hard drive. Installing the OAP is an additional step.

Installing the Office 2003 ORK

To install the Microsoft Office 2003 Resource Kit,
double-click the file Ork.exe. Accept the license agreement. Choose the type of
installation you want: Install Now (this choice contains the default
installation), Complete Installation, or Custom Installation.

Accept the default installation directory, or type in your
own. If you chose a Custom Installation, the Advanced Customization screen will
appear. Otherwise, the ORK will be installed at this time. For a Custom
Installation, drill down into each tool and select either Run From My Computer,
Run All From My Computer, or Not Available. Click Next to confirm your choices.

Once installation is complete, the ORK tools will be
available in the Start Menu. Choose Start | All Programs | Microsoft Office |
Microsoft Office Tools | Microsoft Office 2003 Office Resource Kit.

Installing the Outlook Administrator Pack

After installing the Office 2003 Resource Kit, use My
Computer to navigate to Program Files | ORKTOOLS | ORK11 | TOOLS | Outlook
Administrator Pack. Double-click the self-extracting file ADMPACK.EXE. Accept
the license agreement. Next, indicate where you want the installation program
to place the extracted files, such as C:\OAP. If the folder doesn’t exist, the
installation program will create it for you. Four files are created in the
location you specify:

  • Comdlg32.ocx
    and Hashctl.dll enable Trusted Code controls and set up this COM add-in as
    a Trusted Code.
  • OutlookSecurity.oft
    is the Outlook template you’ll use for customizing server-side Outlook
    security settings.
  • Readme.doc
    contains detailed instructions for configuring and using the Outlook
    template.

Installing and registering the Trusted Code controls on an
administrative computer allows users to execute COM add-ins that bypass
built-in security blocks. In other words, the COM add-ins are registered as
“trusted” by the application. The control only needs to be set up on
the administrative machine(s), not on the systems of each user.

To install the Trusted Code control:

On your administrative computer(s), place a copy of
Hashctl.dll and Comdlg32.ocx in your Windows operating system’s System32
directory. It’s possible you may need to replace a previous version of
Comdlg32.ocx.

Register these files by choosing Start | Run and typing the
commands regsvr32 hashctl.dll, and then regsvr32 hashctl.dll.

Creating a Public Folder for security settings

In order for your modified security settings to apply to all
users, you need to create a Public Folder on Exchange Server called either
Outlook Security Settings or Outlook 10 Security Settings (make sure to spell it
exactly as indicated). Place this new folder in the root of the Public Folders
tree. Next, set the Security Settings folder’s Access Control List (ACL) to
give read-access to all users.

If you plan to share administration, at this time you should
also specify which additional users have the authority to create, edit, and
delete files in this folder. For convenience, you may wish to set up a security
group with owner permissions.

Publishing the new security form

Once you have installed the Outlook Administrator Pack,
registered the Trusted Code control, and set up the Outlook Security Settings
Public Folder, you are ready to set up the security template. Double-click the
file Comdlg32.ocx in the directory in which you installed the Outlook
Administrator Pack. Next, point the template to the Outlook Security Settings
folder you created on the Exchange Server. The template will open.

From the template menu, select Tools | Forms | Publish Form.
Name the form Outlook Security Form
unless you have a previous security form you are overriding. In that case, use
the same name as the previous form. Click Publish. When the form is saved,
close the template. Do not save changes when asked.

Configuring the Outlook Security Form

To configure security settings for your users, open
Microsoft Outlook on your administrative machine. Select Tools | Forms | Choose
Forms. Navigate to your new template and select it. Click Open.

You will see a form with three tabs:

  • Outlook
    Security Settings
  • Programmatic
    Settings
  • Trusted
    Code

Outlook Security Settings

In the Outlook Security Settings tab, create the
customizations for Default Security Settings for All Users by selecting that
radio button and making the desired changes (Figure A). Alternatively,
you can set security settings for specific groups. The procedure is the same,
except that in the Security Group Name box, you name the group for which you
are customizing settings and add the member names in the box below. Note: For
Exchange Server 2000 and later versions, you can use distribution lists in
place of member names.

Figure A

Use the Outlook Security Settings tab to customize the behavior of
attachments, scripts, and controls.

Here is a rundown of changes to attachment file types you
can make:

  • Level
    1:
    File attachments in this category can’t be opened, saved, or
    printed. By default, Level 1 attachments include .bas, .bat, .chm, .cmd,
    .com, .cpl, .exe, .hlp, .inf, .js, .mdb, .msi, .mst, .pif, .reg, .scr,
    .url, .vbs, .wsh, and others. You can add new file types or remove
    attachments form this list. Removing them puts them in a Level 2 category.
    For a complete list of restricted file types, see the Readme.doc file that
    installs with the OAP.
  • Level
    2:
    File attachments in this category have to be saved to disk before
    viewing or editing. By default, there are no Level 2 file attachments. You
    can add new file types or remove attachments from this list. When you add
    extensions that are on the Level 1 list, they are also demoted from Level
    1 to Level 2 status.

On this tab, you can also specify how Outlook scripts and
controls are handled: Prompt User, Automatically Approve, and Automatically
Deny. Finally, you can change the way end users manage their own Outlook
security by checking any of the Miscellaneous Attachment Settings.

Programmatic settings

The Programmatic Settings tab contains various actions
Outlook takes in response to program conditions, such as sending items or
responding to meeting requests. You will probably want to leave the values in
this tab set to Prompt User. But if you wish, you can change these responses to
Automatically Approve or Automatically Deny.

Trusted Code settings

In the Trusted Code tab, add or remove DLL files for COM
add-ins. Each COM add-in placed in this tab will run on client computers,
bypassing Outlook’s security, provided the DLL file exists on the client
machine.

When you’ve finished adjusting settings, choose File |
Close.

Enabling new security settings for users

Once you have configured customized security settings, you
may need to take an additional step to set up client computers to use them. If
you installed Microsoft Office with system polices, no further action is
necessary. Otherwise, create the following registry DWORD key on client
computers:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Security\CheckAdminSettings.

The values of the key are as follows:

  • 0 –
    Use Outlook’s default administrative settings.
  • 1 –
    Use the custom administrative settings in the folder called Outlook
    Security Settings.
  • 2 –
    Use the custom administrative settings in the folder called Outlook 10
    Security Settings.
  • Any
    other value or no key present – Use Outlook’s default administrative
    settings.

Highlight the new registry key and export it using the
Selected Branch option. Install the key on client machines. Some installation
options include using remote administration, adding the installation to a login
script, e-mailing users a shortcut to the file (files with .reg extensions
can’t be run as Outlook attachments), or giving users the location of the .reg
file on a shared directory and instructing them to install it.

Additional notes and cautions

Remember that when you change file types from Level 1 to
Level 2 status, or allow users to customize Outlook file extensions and add
files to Trusted Code status, you introduce security risks. To reduce the
danger to your network, use these settings with care.

The first time your users run Outlook after you change
security settings, the program will still use the default settings. Users will
need to close Outlook and reopen it again to incorporate the new security
policy.

Even if you allow users to manipulate some security
settings, the values you set for Level 1 as an administrator will override
values set by users. And if you haven’t explicitly checked Allow Users To Lower
Attachments To Level 2, any user settings will be ignored.

The Outlook Administrator Pack is a useful form-based tool
for setting customized global security settings. By creating several of these
forms in the Public Folders’ Outlook Security Settings folder, you can specify
different security options for different groups of users. The main problems to
watch out for are getting the required client-side registry entry set up if you
are not running Office with policies, keeping up with new security requirements
and user groups, and getting users to start Outlook twice to incorporate new
changes.