Protecting Outlook 2010 with group policy security settings
Although most Exchange Server administrators put a lot of effort into securing Exchange, many
overlook Outlook security. Here’s a look at some security aspects to familiarize yourself with, as
well as several settings you can use to protect Outlook
2010.
Centralized security
By default, Outlook maintains its security configuration locally. However, local configurations are
ineffective in corporate environments because configuration changes must be applied manually. Thus,
you’re better off centrally managing Outlook’s security. You have two options: You can use group
policy settings, or store the security settings in designated public folders. Microsoft recommends
using group policy settings as long as you don’t have any users on Outlook 2003 or earlier.
This was first published in September 2011
Group policy-based security
Active
Directory does not contain any Outlook-related settings by default. To implement group policy
settings for Outlook 2010 security, you must download the Office 2010
Administrative Template files and then add the templates to a domain controller’s central
store.
There are two important things you should know about the Office 2010 Administrative Templates.
First, the templates are version-specific. This means that if you still have users on Outlook 2007,
any group policy settings implemented using the Office 2010 Administrative Templates won’t be
applied to those users.
Similarly, there is a separate set of administrative
templates for Office 2007. If you previously used the Office 2007 Administrative Templates to
secure Outlook 2007, those security settings will not be applied to Outlook
2010 users.
Outlook 2010 also ignores Outlook-related group policy settings by default. To modify this
behavior, first make sure the Office 2010 Administrative Templates are installed. Next, enable
the Outlook Security Mode group policy setting and set it to Use Outlook Security Group
Policy. This setting is found in the Group Policy Editor at User Configuration
-> Policies -> Administrative Templates -> Microsoft Outlook 2010 -> Security
-> Security Form Settings (Figure 1).
Figure 1. After downloading the Office 2010 administrative template, enable the Outlook
Security Mode setting.
You can see a description of the setting option in Figure 2.
Figure 2. The Outlook Security Mode should be set to Use Outlook Security Group
Policy.
Digital signatures
After installing the administrative templates, there are a number of security settings you can
benefit from. For example, you can configure Outlook
2010 so that all outbound email messages are digitally signed. Digital signatures help prevent
identity spoofing. To enable this setting, navigate through the Group Policy tree to User
Configuration -> Policies -> Administrative Templates -> Microsoft Outlook 2010 ->
Security -> Cryptography and enable the Sign All E-Mail Messages setting (Figure
3).
Figure 3. You can configure Outlook 2010 to require outbound email signatures.
In Figure 3, you can also see an Encrypt all e-mail messages setting. Because email
messages are normally sent in clear text, encryption is a great way to ensure that message
contents are not exposed if they are intercepted in transit.
Though these two group policy settings are fairly simple, they depend on an underlying public key infrastructure (PKI). This requires a
public/private key pair that is based on X.509v3 certificates. These certificates can be
generated using an enterprise certificate authority (CA) or can be acquired from a commercial
CA. Office 2010 uses these certificates to create a digital identity for each user.
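To confirm on a client that the Outlook Security Mode, signing and encryption policies described above actually applied, the following added example (not part of the original article) reads the current user's Outlook policy values. The registry path and the value names AdminSecurityMode, AlwaysSign and AlwaysEncrypt do not appear in the article; they are assumed from Microsoft's Office policy documentation.

```powershell
# Added example. Registry path and value names are assumptions taken from
# Microsoft's Office policy documentation; verify them against your templates.
$expected = @{
    AdminSecurityMode = 3   # 3 = Use Outlook Security Group Policy
    AlwaysSign        = 1   # Sign all e-mail messages
    AlwaysEncrypt     = 1   # Encrypt all e-mail messages
}

function Get-OutlookPolicyState {
    param(
        [string]$OfficeVersion = '14.0',  # 14.0 = Office 2010, 12.0 = Office 2007
        [string]$Root = 'HKCU:\Software\Policies\Microsoft\Office'
    )
    $key   = Join-Path $Root "$OfficeVersion\Outlook\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($item in $expected.GetEnumerator()) {
        # A missing key or value means the policy never reached this user.
        $actual = if ($props) { $props.($item.Key) } else { $null }
        New-Object PSObject -Property @{
            OfficeVersion = $OfficeVersion
            Setting       = $item.Key
            Expected      = $item.Value
            Actual        = $actual
            Compliant     = ($actual -eq $item.Value)
        } | Select-Object OfficeVersion, Setting, Expected, Actual, Compliant
    }
}

$state = @(Get-OutlookPolicyState -OfficeVersion '14.0')
$state | Format-Table -AutoSize

$mode = $state | Where-Object { $_.Setting -eq 'AdminSecurityMode' }
if (-not $mode.Compliant) {
    Write-Warning 'Outlook Security Mode is not set to Use Outlook Security Group Policy.'
}

# The templates are version-specific: values under 12.0 apply to Outlook 2007 only.
$legacy  = @(Get-OutlookPolicyState -OfficeVersion '12.0' |
    Where-Object { $null -ne $_.Actual })
$current = @($state | Where-Object { $null -ne $_.Actual })
if ($legacy.Count -gt 0 -and $current.Count -eq 0) {
    Write-Warning 'Policy values exist only under Office 12.0; Outlook 2010 will not read them.'
}
```

Run it in the affected user's session after a policy refresh, since these are per-user (User Configuration) settings.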
Although users can create and store a digital ID locally on their desktop, it’s better to store
digital IDs centrally in corporate environments. You have three options for storing digital
IDs.
The recommended method is to store digital IDs in the global address list (GAL). Any
certificates generated by a CA or Active Directory Certificate Services are automatically published
to the GAL. You can also manually publish externally generated certificates to the GAL.
To publish digital IDs to the GAL through Outlook 2010, click the File tab, then Trust
Center. Next, click the Trust Center Settings button, then E-Mail Security. There
you’ll find a button that publishes digital IDs to your GAL (Figure 4).
Figure 4. You can publish a digital ID to the GAL directly through Outlook 2010.
Finally, you also have the option to either store certificates in an LDAP-based directory
service or export the digital IDs and store them directly on your users’ desktops. I recommend
publishing digital IDs to the GAL whenever possible.
ABOUT THE AUTHOR:
Brien Posey is an eight-time Microsoft MVP with two decades of IT experience. Before becoming a
freelance technical writer, Brien worked as a CIO for a national chain of hospitals and healthcare
facilities. He has also served as a network administrator for some of the nation’s largest
insurance companies and for the Department of Defense at Fort Knox.