Although most Exchange Server administrators put a lot of effort into securing Exchange, many overlook Outlook security. Here’s a look at some security aspects to familiarize yourself with, as well as several settings you can use to protect Outlook 2010.
By default, Outlook maintains its security configuration locally. However, local configurations are impractical in corporate environments because every configuration change must be applied manually on each machine. Thus, you’re better off centrally managing Outlook’s security. You have two options: use group policy settings, or store the security settings in designated public folders. Microsoft recommends using group policy settings as long as you don’t have any users on Outlook 2003 or earlier.
Group policy-based security
Active Directory does not contain any Outlook-related settings by default. To implement group policy settings for Outlook 2010 security, you must download the Office 2010 Administrative Template files and then add the templates to a domain controller’s central store.
There are two important things you should know about the Office 2010 Administrative Templates. First, the templates are version-specific. This means that if you still have users on Outlook 2007, any group policy settings implemented using the Office 2010 Administrative Templates won’t be applied to those users.
Similarly, there is a set of administrative templates for Office 2007. If you previously used the Office 2007 Administrative Templates to secure Outlook 2007, security settings will not be applied to Outlook 2010 users.
Outlook 2010 also ignores Outlook-related group policy settings by default. To modify this behavior, first make sure the Office 2010 Administrative Templates are installed. Next, set the Outlook Security Mode group policy setting to Use Outlook Security Group Policy. This setting is found in the Group Policy Editor at User Configuration -> Policies -> Administrative Templates -> Microsoft Outlook 2010 -> Security -> Security Form Settings (Figure 1).
Figure 1. After downloading the Office 2010 administrative template, enable the Outlook Security Mode setting.
You can see a description of the setting option in Figure 2.
Figure 2. The Outlook Security Mode should be set to Use Outlook Security Group Policy.
After installing the administrative templates, there are a number of security settings you can benefit from. For example, you can configure Outlook 2010 so that all outbound email messages are digitally signed. Digital signatures help prevent identity spoofing. To enable this setting, navigate through the Group Policy tree to User Configuration -> Policies -> Administrative Templates -> Microsoft Outlook 2010 -> Security -> Cryptography and enable the Sign All E-Mail Messages setting (Figure 3).
Figure 3. You can configure Outlook 2010 to require outbound email signatures.
In Figure 3, you can also see an Encrypt all e-mail messages setting. Because email messages are normally sent in clear text, encryption is a great way to ensure that a message intercepted during transit cannot be read.
Though these two group policy settings are fairly simple, they depend on an underlying public key infrastructure (PKI). Each user needs a public/private key pair bound to an X.509v3 certificate. These certificates can be generated using an enterprise certificate authority (CA) or can be acquired from a commercial CA. Office 2010 uses these certificates to create a digital identity for each user.
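Because the templates are version-specific, it is worth verifying on a client that the three policies above actually applied. The following PowerShell audit is an added example, not part of the original article or a Microsoft tool; the registry value names and the meaning of AdminSecurityMode = 3 are assumptions taken from my recollection of the Office 2010 ADMX (outlk14.admx) and should be confirmed against the copy in your central store.

```powershell
# Added example: audit whether the Outlook 2010 security policies reached this
# client. Run in the user's context after gpupdate. Value names are assumptions
# (confirm in outlk14.admx); the policies write under HKCU\Software\Policies.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Office\14.0\Outlook\Security'

# Expected state per the article: group policy mode, sign and encrypt everything.
$expected = @{
    AdminSecurityMode = 3   # assumed: 3 = "Use Outlook Security Group Policy"
    AlwaysSign        = 1   # assumed: "Sign all e-mail messages" enabled
    AlwaysEncrypt     = 1   # assumed: "Encrypt all e-mail messages" enabled
}

function Test-Outlook2010SecurityPolicy {
    param([string]$Key = $policyKey, [hashtable]$Expected = $expected)

    if (-not (Test-Path $Key)) {
        # No policy key at all usually means the GPO never applied, for example
        # because the Office 2010 templates do not target this Outlook version.
        Write-Warning "$Key is missing: no Outlook 2010 security policy applied."
        return $false
    }

    $ok = $true
    $actual = Get-ItemProperty -Path $Key
    foreach ($name in $Expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) {
            Write-Warning "$name not set (policy is Not Configured)."
            $ok = $false
        } elseif ($value -ne $Expected[$name]) {
            Write-Warning "$name is $value, expected $($Expected[$name])."
            $ok = $false
        } else {
            Write-Host "$name = $value (OK)"
        }
    }
    return $ok
}

# Also confirm the template defining these settings is in the domain's central
# store; without it the Group Policy Editor shows no Microsoft Outlook 2010 node.
$domain  = $env:USERDNSDOMAIN
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions\outlk14.admx"
if (-not (Test-Path $central)) {
    Write-Warning "outlk14.admx not found in the central store ($central)."
}

Test-Outlook2010SecurityPolicy
```

A `$false` result on a machine that should be in scope points at either the template-version mismatch described above or at the Outlook Security Mode policy still being left at its default.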
Although users can create and store a digital ID locally on their desktop, it’s better to store digital IDs centrally in corporate environments. You have three options for storing digital IDs.
The recommended method is to store digital IDs in the global address list (GAL). Any certificates generated by a CA or Active Directory Certificate Services are automatically published to the GAL. You can also manually publish externally generated certificates to the GAL.
To publish digital IDs to the GAL through Outlook 2010, click the File tab, then Trust Center. Next, click the Trust Center Settings button, then E-Mail Security. There you’ll find a button that publishes digital IDs to your GAL (Figure 4).
Figure 4. You can publish a digital ID to the GAL directly through Outlook 2010.
Finally, you also have the option to either store certificates in an LDAP-based directory service or export the digital IDs and store them directly on your users’ desktops. I recommend publishing digital IDs to the GAL whenever possible.
ABOUT THE AUTHOR:
Brien Posey is an eight-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.