The following is tip #1 from "20 Tips on securing Outlook in 20 minutes," excerpted from a chapter in Paul Robichaux's book, Secure Messaging with Microsoft Exchange Server 2003 © 2004, published by Microsoft Press.
The security update (which is what I'm going to call it, even though it's included in the current version of Outlook) includes five major changes:
- Improved attachment security. Outlook blocks access to some file types altogether, including .exe and .pif files and screen savers. Administrators can specify a second, less restricted set of file types that can't be opened directly but can be saved to disk.
- More control for users. Users can control programmatic access to the address book and to Outlook's mail-sending functionality.
- Support for letting Exchange administrators specify which sources for code and Component Object Model (COM) add-ins for Outlook should be trusted. Note that this feature is only available in Outlook 2002 and Outlook 2003; it's not present in the security updates for Outlook 2000 and Outlook 98. These restrictions apply only to COM add-ins, not to programs that use Messaging Application Programming Interface (MAPI) or Collaboration Data Objects (CDO).
- Security zone change. A change to the default security zone in which Outlook runs.
- Code change. Code on unpublished or one-off Outlook forms does not run unless specifically allowed by the Exchange administrator.
As a technical solution to what is largely a behavioral problem, Outlook 2002 checks the file type of each message attachment against an internal list of file types. A default list is included with the product, as shown here, but you can override or customize this list using an Exchange public folder.
These file types (including .bat, .exe, .vbs, .lnk, and .js) are blocked by Outlook. Recipients get a warning InfoBar listing the blocked files when they open or preview a message with a Level 1 attachment, but they can't see or access the attachment themselves (at least through Outlook; clients using Post Office Protocol [POP], and Internet Message Access Protocol [IMAP] clients other than Outlook, can still get to Level 1 files). For a complete list of the Level 1 attachment types, go to http://www.microsoft.com/office/ork/2003/three/ch12/OutG07.htm.
There are no Level 2 file types by default; you have to add them yourself. With Level 2 attachments, you can see the icon for the attachment, and when you double-click it, you are prompted to save the attachment to your hard disk, but you can't run it directly from its current location. After you have saved the attachment, you can decide how to handle it. This is supposed to make users think before blindly double-clicking every collection of bits that lands in their Inbox.
When you attach a file to an outgoing message, Outlook checks the file type against the Level 1 list. If you've attached any Level 1 files, a dialog box warns you that the recipients might not be able to open the attachment. Clicking Yes in this dialog box sends the message as is. Note that you can tell Outlook not to give you this warning; I'll tell you how later.
When you receive a message that contains a Level 1 attachment, your Inbox displays the paper clip in the attachment column to let you know that the message includes an attachment. When you open an e-mail message containing an attachment, the attachment is blocked, and the Outlook InfoBar warns you that the attachment is untouchable. The File | Save Attachments command (as well as the View Attachments command on the shortcut menu that opens when you right-click) shows only those attachments that aren't blocked, rendering the others completely inaccessible. When you open the message itself, you'll see a warning InfoBar listing the blocked files, but you can still get to all attachments that have extensions that aren't on the banned list.
If you receive a message containing a Level 2 file as an attachment, the attachment appears normally. However, when you try to open it, you'll get a warning dialog box telling you that it's a bad idea to run the attachment directly and offering to let you save it to disk.
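The Level 1 / Level 2 logic described above is easy to reproduce outside Outlook, which is useful if you want the same classification applied at a mail gateway or in a log-analysis script (remember that POP and non-Outlook IMAP clients bypass Outlook's own check). The following is an added example, not code from the book or from Microsoft: it parses a raw message with Python's standard `email` package, extracts the attachment filenames, and buckets each one as Level 1 (blocked), Level 2 (save-to-disk only) or allowed. The Level 1 set is only the subset of extensions named in the text plus .scr for screen savers; the Level 2 set is a constructed example of an administrator customization, since Outlook ships with no Level 2 types, and the sample message is constructed inline.

```python
"""Emulate Outlook's Level 1 / Level 2 attachment classification on a raw message.

Added example; not the book's or Microsoft's code. The extension lists are
illustrative: LEVEL1 is a subset of the real Level 1 list, LEVEL2 is assumed.
"""
import email
from email import policy
from email.message import EmailMessage

# Subset of Outlook's Level 1 list taken from the text (.scr = screen saver).
LEVEL1 = {".bat", ".exe", ".vbs", ".lnk", ".js", ".pif", ".scr"}
# Outlook has no Level 2 types by default; this set is a constructed customization.
LEVEL2 = {".reg", ".zip"}


def classify(filename: str) -> str:
    """Return 'level1', 'level2' or 'allowed' for one attachment filename.

    Normalises the way a filter must: strip trailing dots/spaces that Windows
    silently drops, compare case-insensitively, and use only the final
    extension, so 'report.txt.EXE' is treated as an .exe file.
    """
    name = filename.rstrip(" .").lower()
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""
    if ext in LEVEL1:
        return "level1"
    if ext in LEVEL2:
        return "level2"
    return "allowed"


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 822 message and bucket its attachments by level."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result: dict[str, list[str]] = {"level1": [], "level2": [], "allowed": []}
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:  # unnamed parts cannot be matched by extension
            continue
        result[classify(name)].append(name)
    return result


def outbound_warning(filenames: list[str]) -> list[str]:
    """Sender-side check: the Level 1 files that would trigger Outlook's warning."""
    return [f for f in filenames if classify(f) == "level1"]


def build_sample() -> bytes:
    """Construct a sample multipart message with a mix of attachment types."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    for name in ("report.txt.EXE", "notes.pdf", "archive.zip", "readme"):
        msg.add_attachment(b"constructed payload", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for level, names in scan_message(build_sample()).items():
        print(f"{level:8} {names}")
```

Running the block prints one line per level for the constructed message; the double-extension file lands in the Level 1 bucket, which is exactly the case the recipient-side InfoBar exists for.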
About the author: Paul Robichaux is a partner at 3sharp LLC, author of several books on Exchange, Windows, and security, a Microsoft MVP for Exchange Server and a frequent speaker and presenter at IT industry conferences. He's written software for everyone from the U.S. National Security Agency to scientists flying their experiments aboard the Space Shuttle, fixed helicopters in the desert, and spent way too much time playing video games.