Outlook's protection against harmful files gives a one-two punch

Microsoft has set up two different mechanisms, known as Level 1 protection and Level 2 protection. Here's how they work.

For Level 1 protection, when a new e-mail arrives in a user's Inbox, Outlook looks at the attachment's extension to determine what type of protection should be applied to it. Microsoft has a list of about 50 different file extensions that are considered potentially harmful. If an inbound message contains an attachment with one of these extensions, then Outlook will block the attachment. (For the complete list of blocked file extensions, go to http://www.microsoft.com/office/ork/2003/three/ch12/OutG07.htm.)

Level 2 protection is disabled by default. The idea behind Level 2 protection is that if you consider a file type to be potentially harmful, but occasionally have a legitimate business need for users to be able to open files of that type, then you can assign those file types Level 2 Protection. Level 2 protection prevents the file from being opened directly through Outlook, but does allow the file to be saved to an alternate location where it can then be opened. By assigning Level 2 protection, you remove the possibility of a macro automatically opening a potentially harmful file from within Outlook.

Both Level 1 and Level 2 protection are controlled through the system's registry. The main difference is the location. If you simply want to control Level 1 security, you can do so directly from a user's workstation. Level 2 security can only be implemented directly from an Exchange Server, though.

Edit the registry with extreme care
I will show you how to manipulate file protection, but you must remember that editing the registry is dangerous. Making an incorrect modification can destroy Windows and/or your applications. You should, therefore, make a full system backup before trying any of the modifications that I am about to show you.

Now let's take a look at how you assign Level 2 protection to a file. The actual technique that you would use depends on what you are trying to accomplish. If you simply want to remove Level 1 protection from a few file extensions, it is possible to do so without manually modifying the registry if you buy one of the third party add-ons for Outlook. If, however, you don't want to spring for the extra software, then you will have to change the restrictions manually.

To open the Registry Editor, enter the REGEDIT command at the Run prompt. After doing so, navigate through the registry to HKEY_CURRENT_USERSoftwarePoliciesMicrosoftOffice11.0OutlookSecurity. There is a chance that this registry location won't even exist, but if it does, then you need to look for a key in this location named DisallowAttachmentCustomization. If this key exists and has a value of 1, then a group policy is preventing the currently logged-in user from modifying the behavior associated with file attachments within Outlook.

Make blocked extensions welcome
You can also make a file extension that was previously blocked available. Microsoft's official recommendation is that if someone needs to send you a file of a type that is blocked, then the file should be either zipped or renamed so that the file will have a different extension. If this isn't an option, though, you can remove Level 1 protection from a file extension by opening the Registry Editor and navigating to HKEY_CURRENT_USERSoftwareMicrosoftOffice11.0Outlook. Beneath Outlook, there should be a Security container. If it exists, select it. If it doesn't exist, create it. Now select the New and String Value commands from the Registry Editor's Edit menu. Create a new string value named Level1Remove.

After you create this value, right click on it and select the Modify command from the resulting shortcut menu. Now enter a list of the extensions that you want to exclude from Level 1 protection. Each extension must be preceeded with a period and extensions must be separated by a semi colon. For example, if you wanted to exclude the extensions EXE, BAT and PIF, you would enter: .exe;.bat;.pif.

Now let's take a look at how to implement Level 2 protection. As I said earlier, Level 2 protection can only be set from an Exchange Server. To do so, go to your Exchange Server and open the Registry Editor. Navigate through the Registry to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeWebOWA. At this location, you will find a key named Level2FileTypes. Simply modify the key to include the file extensions you want to assign Level 2 protection. File extensions should be separated by a comma and should not include the period. For example, if you wanted to assign the extensions EXE, BAT, and PIF, it would look like this: exe,bat,pif.

In case you are wondering, this same registry location contains another key called Level1FileTypes. You can use this key to control Level 1 protection directly from the server. All of the same basic syntax rules apply to this key as applied to the Level2FileTypes key.

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Posey has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and numerous other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Exchange Security Tips How to install Forefront Security for Exchange Server Is full email encryption the solution to Exchange security? Lock down direct file access and protect OWA users Controlling spam in Exchange 2007 at the edge transport server level When to use a self-signed certificate with Exchange Server 2007 Obtaining and verifying SSL certificates in Exchange Server How file-level antivirus software can harm your Exchange Server Understanding Exchange Server 2007 SP1 mobile security settings Which ActiveSync authentication method is best for your mobile device? Why you should secure Exchange 2007 using administrative policies Outlook and Outlook Web Access Tips Block Web beacons and protect OWA users from spam Outlook 2007 shut-down problems and fixes OWA 2007 configuration tricks to boost performance Pros and cons of Outlook 2007's storage engine redesign Lock down direct file access and protect OWA users Simplify an OWA URL on Windows Server 2008 Windows Mobile 6.5 touts Internet Explorer, OWA improvements Custom error message redirects OWA users When OWA's default configurations aren't good enough Save time typing Outlook 2007 messages with Quick Parts Microsoft Outlook Message date and send times showing incorrectly in Outlook and OWA Microsoft Outlook and SharePoint interoperability considerations Outlook 2007 shut-down problems and fixes Microsoft Outlook and SharePoint calendar dos and don'ts Free tools facilitate large-scale Outlook and SharePoint integrations Exchange Mailbag: POP3 settings and Outlook issues Pros and cons of Outlook 2007's storage engine redesign Fix Outlook 2007 and SharePoint synchronization breaks Email issues after configuring hosted Exchange server on laptop Avoid Outlook 2007 performance issues during repairs Microsoft Outlook Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bacn  (SearchExchange.com) email bankruptcy  (SearchExchange.com) offline folder file  (SearchExchange.com) OST file  (SearchExchange.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.