Providing Virus Protection
Protecting Against Viruses in Attachments
Configuring Blocked Attachments
Opening Blocked Attachments
Protecting Against Office Macro Viruses
Enabling Applications to Send Email with Outlook
Tips for Securing Your System
If you use Microsoft Outlook 2010 on a daily basis to manage email, appointments, and contacts, losing the information that you’ve stored in Outlook 2010 could cause significant problems. Outlook 2010 data can be lost in a number of ways, from accidental deletion to file corruption to hard disk failure. In addition, a user who purchases a new computer might leave behind information when transferring data to the new machine.
This chapter examines virus protection for both the server and workstation to help you understand how to protect yourself and your network from email-borne viruses. Outlook 2010 provides features to protect against viruses in attachments, and there are several steps you can and should take to add other forms of virus protection.
Hardware and software failures are by no means the only source of anguish for the average user or administrator. Viruses and worms have become major problems for system administrators and users alike. When a major virus or worm outbreak hits, companies grind to a halt, systems shut down, system administrators turn off mail servers, and general chaos ensues.
The effects of a particularly virulent virus or worm can be devastating for a company. A virus or worm can bring your mail servers to a quick halt because of the load that it imposes on them with the sheer amount of traffic it generates. Bandwidth, both local and across wide area network (WAN) links, is affected as multiple copies of infected messages flood the network. Files can become infected, rendering them unusable and subjecting users to reinfection. This means that you must recover the files from backups, making an adequate backup strategy even more important than usual.
One often-overlooked effect that viruses have on a company is the public relations nightmare that they can create. How would your customers react if they received a flood of infected messages from your company that brought their mail servers to a screeching halt and damaged their production files? Forget for a moment the ire of your customers’ system administrators. Could your company survive the ill will generated by such a catastrophe?
At the least, your company would probably suffer serious consequences. Therefore, developing and implementing an effective virus protection strategy is as important as developing a backup strategy—perhaps even more so. When you examine your antivirus needs, approach the problem from two angles: protecting against outside infection and preventing an outgoing flood of infected messages. You can approach the former through either client-side or server-side solutions, but the latter typically requires a server-side solution.
Your first line of defense against viruses and worms should lie between your local area network (LAN) and the Internet. Many antivirus solution vendors offer perimeter security products that monitor traffic coming from the Internet and detect and block viruses in real time. With perimeter protection in place, threats may never reach your network or servers at all.
Stopping viruses before they get into your LAN is a great goal, but even the best products sometimes miss. If your organization uses Microsoft Exchange Server, you should also consider installing an Exchange Server–based antivirus solution. All the major antivirus vendors offer Exchange Server solutions, as does Microsoft, with its Microsoft Forefront suite of protection products.
In addition to detecting and removing viruses from network and Exchange Server traffic, you should implement a solution that provides real-time virus detection for your network’s file servers. These solutions scan the server for infected files as files are added or modified. For example, a remote user might upload a file containing a virus to your File Transfer Protocol (FTP) server. If local users open the file, their systems become infected and the virus begins to spread across your LAN. Catching and removing the virus as soon as the file is uploaded to the FTP server is the ideal solution. Microsoft SharePoint is another application that should be protected at the application layer. Because documents are stored in Microsoft SQL Server rather than in a file system, the operating system–level antivirus products cannot detect or protect against threats in documents uploaded by users. So you should add a SharePoint antivirus solution in addition to your operating system protection on the servers themselves.
Consider all these points as you evaluate server-side antivirus products. Some might be more important to you than others, so prioritize them and then choose an antivirus suite that best suits your needs and priorities.
In addition to blocking viruses and worms at the server, you should provide antivirus protection at each workstation, particularly if your server-side virus detection is limited. Even if you do provide a full suite of detection services at the server, client-side protection is a vital piece of any antivirus strategy. For example, suppose that your server provides virus filtering, scanning all email traffic coming from the Internet. Even so, the server might miss a new virus in a message with an attached file, perhaps because the virus definition file has not yet been updated. A user opens the infected file and infects his or her system, and the worm begins replicating across the LAN. If the user has a client-side antivirus solution in place, the worm is blocked before it can do any damage.
Use the following criteria to evaluate client-side antivirus solutions:
Are frequent updates available? On any given day, several new viruses appear. Your antivirus solution is only as good as your virus definition files are current. Choose a solution that offers daily or (at least) weekly virus definition updates.
Can updates be scheduled for automatic execution? The average user doesn’t back up documents on a regular basis, much less worry about whether antivirus definition files are up to date. For that reason, it’s important that the client-side antivirus solution you choose provide automatic, scheduled updates.
Does the product scan a variety of file types? Make sure that the product you choose can scan not only executables and other application files, but also Microsoft Office system documents for macro viruses.
You’ll find several client-side antivirus products on the market. Microsoft has two offerings that might be of interest: Microsoft Security Essentials includes antivirus protection in its suite of services for home and small business computer users, and Microsoft Forefront Client Security offers similar protection for computers in an enterprise environment, although it does not scan email. Other popular products include Symantec Norton AntiVirus (www.symantec.com), McAfee VirusScan (www.mcafee.com), and Panda Antivirus for Servers and Desktops (www.pandasecurity.com). Many other products are available that offer comparable features.
Virus protection is an important feature in Outlook 2010. You can configure Outlook 2010 to block specific types of attachments automatically, thus helping prevent virus infections. Outlook 2010 provides two levels of attachment protection, one for individual users and one for system administrators.
Outlook 2010 provides features to help protect your system against viruses and other malicious system attacks. For example, Outlook 2010 supports attachment virus protection, which helps protect against viruses you might receive through infected email attachments. Outlook 2010 offers protection against Office system macro viruses, letting you choose when macros run. Control over programmatic access is also configurable, allowing management of how applications interact with the security features in Outlook 2010 as well as their ability to send email.
For information about protecting against malicious HTML-based messages, see the section Configuring HTML Message Handling, on page 356.
In the old days, infected boot floppy disks were the most common way computer viruses were spread. Today, email is by far the most common infection mechanism. Viruses range from mostly harmless (but irritating) to severe, sometimes causing irreparable damage to your system. Worms are a more recent variation, spreading across the Internet primarily through email and by exploited operating system flaws. Worms can bog down a system by consuming the majority of the system’s resources, and they can cause the same types of damage as viruses.
Outlook 2010 provides protection against viruses and worms by letting you block certain types of attachments that are susceptible to infection. This prevents users from opening attached files that could infect their systems and execute malicious code to damage or steal data. Executable programs (.exe, .com, and .bat files) are also good examples of attachments that are primary delivery mechanisms for viruses. Many other document types are equally susceptible—Hypertext Markup Language (HTML) documents and scripts, for instance, have rapidly become favorite delivery tools for virus creators. Outlook 2010 provides two levels of protection for attachments: Level 1 and Level 2. The following sections explain these two levels, the file types assigned to each, and how to work with attachments.
A new feature in Outlook 2010, discussed briefly in Chapter 8, is designed to limit exposure to threats from Office documents that you receive via email or download from an external location such as a SharePoint site or Internet site. When you open an Office document that is attached to an email, the document’s native application (such as Word) opens in a rights-limited sandbox instance. A banner just under the application’s ribbon displays a message indicating that the file originated as an email attachment and might be unsafe. The banner also reminds you that the application is running in Protected View.
Limiting the rights that the sandbox application has limits the potential for a virus in the document to be able to “get outside” of the application and do any damage. If you feel comfortable that the document is safe, you can click Enable Editing to open the document in a normal instance and begin making changes, save it, and so on.
Level 1 attachments are those that are common vectors for infection, such as executable (.exe) files. When you receive a message containing an attachment in the Level 1 group, Outlook 2010 displays the paper clip icon next to the message header, indicating that the message has an attachment, just as it does for other messages with attachments. When you click the message header, Outlook 2010 displays a message indicating that it has blocked the attachment.
You cannot open Level 1 attachments that are blocked by Outlook 2010. You can open and view the messages, but Outlook 2010 disables the interface elements that otherwise would allow you to open or save the attachments. Outlook 2010 displays a message in the InfoBar informing you that the attachment has been blocked and cannot be opened, as shown in Figure 33-1. If you forward a message with a blocked attachment, Outlook 2010 strips the attachment from the forwarded message.
For details on how to open attachments that have been blocked by Outlook 2010, see the section Opening Blocked Attachments, on page 826.
Table 33-1 lists the file name extensions for Level 1 attachments. (Note that this list will change over time.)
Table 33-1. Level 1 Attachments
Outlook 2010 also supports a second level of attachment blocking. Level 2 attachments are defined by the administrator at the server level and therefore apply to Exchange Server accounts, not to Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP), or Hypertext Transfer Protocol (HTTP)–based accounts. Because the Level 2 list is empty by default, no attachments are blocked as Level 2 attachments unless the Exchange Server administrator has modified the Level 2 list.
You can’t open Level 2 attachments directly in Outlook 2010, but Outlook 2010 does allow you to save them to disk, and you can open them from there.
Attachment blocking is an important feature in Outlook 2010 to help prevent viruses from infecting systems. Although you can rely on the default Outlook 2010 attachment security, you can also choose a centrally managed method of customizing attachment handling for Outlook 2010. You can configure attachment blocking in three ways:
Using Group Policy With Outlook 2010, you can use Group Policy to control how Outlook 2010 handles security, including attachments and virus prevention features. The use of Group Policy also allows the application of these customized security settings in environments without public folders, such as a computer running Exchange Server without public folders deployed, or with clients running Outlook 2010 that are not using Exchange Server. Using Group Policy does, however, require that you use Active Directory Domain Services (AD DS) to manage your network.
Using the Exchange Security Form Earlier versions of Outlook used the Exchange Security Form, which provides essentially the same options as the Group Policy settings now do. The Exchange Security Form relies on Exchange Server shared folders, however, which limits the use of these configuration options to organizations using Exchange Server. You can still use the Exchange Security Form with Exchange Server 2010, for example, to support older Outlook clients.
At the user’s workstation If neither of the preceding options is available to you, a limited amount of customization can be done on an individual workstation. For example, you can modify the client’s registry to change the Level 1 list (as explained in the section Configuring Attachment Blocking Directly in Outlook, on page 825). These modifications also affect non–Exchange Server accounts.
Configuring attachment blocking centrally, either via Group Policy or on a computer running Exchange Server, is the most effective and efficient method; it gives you, as an administrator, control over attachment security. It also allows you to tailor security by groups within your Windows domains.
Because this book focuses on Outlook 2010 used with Exchange Server 2010, the use of the Exchange Security Form is not covered. For detailed information about using the Exchange Security Form, see the Microsoft Office 2003 Resource Kit, available at office.microsoft.com/en-us/ork2003/.
In addition to specifying when Outlook 2010 blocks attachments, you can configure other aspects of Outlook 2010 security via Group Policy (or using the Exchange Security Form), letting you limit the behavior of custom forms and control programmatic access to Outlook 2010.
INSIDE OUT Keep systems safe
Apparently, Microsoft’s theory for Level 2 attachments is that the user has a client-side antivirus solution in place that will scan the file automatically as soon as the user saves the file to disk. Alternatively, perhaps the theory is that you can rely on the user to perform a virus check on the file manually. Neither of these scenarios is a sure bet by any means. Even if the user has antivirus software installed, it might be disabled or have an outdated virus definition file. That’s why it’s important to provide virus protection at the network and server levels to prevent viruses from reaching the user at all.
It’s also important to educate users about the potential damage that can be caused by viruses and worms. Too often, these infect systems through user ignorance—users receive an attachment from a known sender, assume that it’s safe (if they even consider that the file could be infected), and open the file. The result is an infected system and potentially an infected network.
Attachment blocking in Exchange Server can be configured in two ways:
Group Policy is used by Exchange Server 2010, enabling the configuration of these settings without reliance on public folders, which are optional in Exchange Server 2010, or registry entries on each of the clients.
The Exchange Security Form, which is configured via an administrative template stored in a public folder, is used in earlier versions of Exchange Server. While the Exchange Security Form can be used only in environments that have public folders, such as Exchange Server 2003, it is still available for configurations, such as using down-level clients, where it is required.
The settings that are configurable in Group Policy and those set via the Exchange Security Form are largely the same, as described in the following section. Whether you choose to use one or the other, or both, depends on the versions of Exchange Server and Outlook that you need to support. Table 33-2 shows which methods can be used by various email servers.
Table 33-2. Security Methods and Types of Email Servers
Email Server | Security Method: Group Policy | Security Method: Exchange Security Form |
---|---|---|
Exchange Server 2010 (no public folders) | Yes | No |
Exchange Server 2010 (with public folders) | Yes | Yes |
Exchange Server 2003 | Yes | Yes |
Non–Exchange Server | Yes | No |
Clients running Outlook 2010 can use any of these methods, depending on the Outlook Security Mode set in Group Policy. When you use only Group Policy settings, clients running Outlook 2003 or earlier use the default security settings. If an Exchange Security Form is also available, clients running Outlook 2003, Outlook 2002, and Outlook 2000 (with the security update) will use it. Table 33-3 describes the specific behavior of each client with each security method.
Table 33-3. Security Methods and Versions of Microsoft Outlook
Outlook Version | Security Method: Group Policy | Security Method: Exchange Security Form | Security Method: Both |
---|---|---|---|
Outlook 2007 and Outlook 2010 | Uses Group Policy settings (by default) | Uses ESF if set in Group Policy (Outlook Security Settings) | Depends on configuration (Group Policy can override ESF, and vice versa) |
Outlook 2003, Outlook 2002, and Outlook 2000 with security update | Uses default settings | Uses Exchange Security Form settings | Uses Exchange Security Form settings |
Outlook 2000 without the security update and earlier | Uses default settings | Uses default settings | Uses default settings |
Outlook Security Mode is set in Group Policy to specify how clients running Outlook 2010 apply security settings. Outlook 2010 can use Group Policy settings, use the Exchange Security Form stored in one of two public folders (Outlook Security Settings or Outlook 10 Security Settings), or use the Outlook 2010 default security settings.
Using both Group Policy settings and the Exchange Security Form supports the widest range of clients and is particularly useful during upgrades from Outlook 2003 to Outlook 2010 or Exchange Server 2003 to Exchange Server 2010. Clients running Outlook 2010 can retrieve their security information from the appropriate location transparently.
There are three categories of settings you can configure using Group Policy, controlling attachments, forms, and programmatic access to Outlook 2010. These settings are described in the following sections.
This section covers the settings as described in Group Policy; settings in the Exchange Security Form are similar, even if worded slightly differently.
To access these security settings, you must add the Office 2010 administrative templates for Group Policy, which you will find at http://technet.microsoft.com/en-us/library/cc178992.aspx.
Several options are available for customization of attachment handling, including making changes to the blocked attachment lists, specifying when prompts appear, and controlling users’ ability to configure their own attachment management.
Display Level 1 Attachments This option allows users of Outlook 2010 to see and open Level 1 attachments.
Allow Users To Demote Attachments To Level 2 Enabling this option allows users of Outlook 2010 to demote Level 1 attachments to Level 2, which lets a user save the attachments to disk and then open them.
Do Not Prompt About Level 1 Attachments When Sending An Item This setting disables the warning that normally appears when a user tries to send a Level 1 attachment. The warning explains that the attachment could cause a virus infection and that the recipient might not receive the attachment (because of attachment blocking on the recipient’s server).
Do Not Prompt About Level 1 Attachments When Closing An Item You can disable the warning that normally appears when the user closes a message, an appointment, or another item that contains a Level 1 attachment.
Allow In-Place Activation Of Embedded OLE Objects This option allows users of Outlook 2010 to open embedded Object Linking and Embedding (OLE) objects (such as Microsoft Excel 2010 spreadsheets, Access 2010 databases, and other documents) by double-clicking the object’s icon.
Display OLE Package Objects Enable this option to show embedded OLE objects in email messages. Hiding the objects prevents the user from opening them.
Add File Extensions To Block As Level 1 Use this setting to modify the Level 1 attachment list. You can enter a list of file name extensions to add to the list.
Remove File Extensions Blocked As Level 1 You can specify a list of file name extensions to remove from the Level 1 attachment list.
Add File Extensions To Block As Level 2 Use this setting to modify the Level 2 attachment list. You can enter a list of file name extensions to add to the list.
Remove File Extensions Blocked As Level 2 You can specify a list of file name extensions to remove from the Level 2 attachment list.
Prevent Users From Customizing Attachment Security Settings This Group Policy setting is used in earlier versions of Outlook to specify whether users can add files to (or remove files from) the Level 1 and Level 2 attachment lists that you have configured. This option overrides other settings; if it is enabled, users cannot configure the lists even if other settings would normally allow them to.
Allow Access To E-Mail Attachments This setting also is for earlier versions of Outlook. You can create a list of file types that are to be removed from the default Level 1 attachment list. This is functionally equivalent to the Remove File Extensions Blocked As Level 1 setting, just for clients running previous versions of Outlook.
There are several options that control the actions that can be taken by scripts and controls in custom forms:
Allow Scripts In One-Off Outlook Forms Enabling this option allows scripts to be executed if the script and the form layout are contained in the message.
Set Outlook Object Model Custom Actions This setting determines the action Outlook 2010 takes if a program attempts to execute a task using the Outlook 2010 object model. For example, a virus could incorporate a script that uses the Outlook 2010 object model to reply to a message and attach itself to that message, bypassing the Outlook 2010 security safeguards. The policy setting Prompt User, which you can select from the Options drop-down list when configuring the policy, causes Outlook 2010 to prompt the user to allow or deny the action. Automatically Approve allows the program to execute the task without prompting the user. Automatically Deny prevents the program from executing the task without prompting the user. Prompt User Based On Computer Security uses the Outlook 2010 security settings.
Set Control ItemProperty Prompt This setting determines the action that Outlook 2010 takes if a user adds a control to a custom Outlook 2010 form and binds that control to any address information fields (To or From, for example). You can select Prompt User to have Outlook 2010 ask the user to allow or deny access to the address fields when the message is received, Automatically Approve to allow access without prompting the user, Automatically Deny to deny access without prompting the user, or Prompt User Based On Computer Security to use the Outlook 2010 security settings.
You can control which applications can access Outlook 2010 programmatically, to send email or retrieve Outlook 2010 information, using Group Policy. For detailed information about how to do this, see the section Enabling Applications to Send Email with Outlook, on page 828.
There are two steps involved in configuring Outlook 2010 attachment security using Group Policy. First, you configure the security settings for attachments and custom forms. Once you are satisfied with the configuration, you configure Group Policy as the method that Outlook 2010 uses to obtain security information.
Security settings applied via Group Policy do not take effect immediately. Changes will be made after the computer receives a Group Policy update (usually at the next logon) and subsequently starts Outlook 2010. Even when a computer receives refreshed Group Policy automatically, settings will not apply to Outlook 2010 until the next time it is started.
You manage Outlook 2010 attachment security using the Outlook 2010 administrative template (Outlk14.adm) and the Group Policy Editor.
For detailed information about using Group Policy templates, go to support.microsoft.com/kb/924617.
To install the administrative template, first download the templates from www.microsoft.com and save them to a folder on the local computer or to a file share where you can access them. Then, to add the administrative template to Group Policy, follow these steps:
On a server with the Windows Server administrator tools installed, click Start, Run, type gpedit.msc in the Open box, and then press Enter.
In the Group Policy editor, browse to User Configuration/Administrative Templates.
Right-click Administrative Templates, and then select Add/Remove Template.
In the Add/Remove Templates dialog box, click Add.
Browse to the directory where you downloaded the administrative templates. Select outlk14.adm, and then click Open.
In the Add/Remove Templates dialog box, click Close.
To configure the Outlook 2010 attachment security settings, follow these steps:
On a server with the Windows Server administrator tools installed, run Group Policy by clicking Start, Run, typing gpedit.msc, and then pressing Enter.
Browse to User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Outlook 2010\Security\Security Form Settings\Attachment Security.
Configure the settings, using the following list as a guide. The default setting is Not Configured for all items in this policy:
Enable Display Level 1 Attachments if you want to allow Outlook 2010 users to see and open Level 1 attachments, effectively setting the attachments to Level 2.
To allow Outlook 2010 users to change Level 1 attachments to Level 2, enable Allow Users To Demote Attachments To Level 2.
If you want to suppress the warning that usually appears when a Level 1 attachment is sent, enable Do Not Prompt About Level 1 Attachments When Sending An Item.
To disable the warning that normally appears when the user closes an item that contains a Level 1 attachment, enable Do Not Prompt About Level 1 Attachments When Closing An Item.
If you want to let Outlook 2010 users open embedded OLE objects (such as Microsoft Word 2010 documents, Excel 2010 spreadsheets, and other documents), enable Allow In-Place Activation Of Embedded OLE Objects.
Enable Display OLE Package Objects to show embedded OLE objects in email messages and allow users to open them.
You can block additional file types by enabling Add File Extensions To Block As Level 1. Specify a list of file name extensions, without periods and separated by semicolons (;), in the Additional Extensions field.
You can specify a list of file name extensions to remove from the Level 1 attachment list by enabling Remove File Extensions Blocked As Level 1 and entering the list in the Additional Extensions field.
To add file types to the Level 2 list, enable Add File Extensions To Block As Level 2, and then enter a list of extensions.
Enable Remove File Extensions Blocked As Level 2, and then specify a list of file name extensions to remove from the Level 2 attachment list.
To configure the Custom Form Security settings, follow these steps:
In Group Policy, go to User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Outlook 2010\Security\Security Form Settings\Custom Form Security.
Select Allow Scripts In One-Off Outlook Forms if you want scripts to be executed when the script and the form layout are contained in the message.
Set the Outlook object model Custom Actions execution prompt to specify the action that Outlook 2010 takes if a program attempts to execute a task using the Outlook 2010 object model. Select Prompt User to have Outlook 2010 prompt the user to allow or deny the action. Select Automatically Approve to allow the program to execute the task without prompting the user. Select Automatically Deny to prevent the program from executing the task without prompting the user. Select Prompt User Based On Computer Security to use the Outlook 2010 security settings.
You can select Set Control ItemProperty Prompt and then configure the action that Outlook 2010 takes if a user adds a control to a custom Outlook 2010 form and binds that control to an address information field (such as To or From). Select Prompt User to have Outlook 2010 ask the user to allow or deny access to the address fields when the message is received. Select Automatically Approve to allow access without prompting the user. Select Automatically Deny to deny access without prompting the user. Select Prompt User Based On Computer Security to use the Outlook 2010 security settings.
To configure older Outlook settings, follow these steps:
In Group Policy, go to User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Outlook 2010\Security.
To force Outlook to use Protected View when opening attachments that were received from internal servers (for example, a message from another user of Exchange Server in the same Exchange Server environment), set the Use Protected View For Attachments Received From Internal Senders policy to Enabled.
If you do not want users to modify the Level 1 and Level 2 attachment lists, select Prevent Users From Customizing Attachment Security Settings.
After you have configured the Outlook 2010 security settings, you have to enable the use of those settings by enabling Exchange Server security and selecting the Outlook Security Mode. You do this using the same administrative template that you used to configure the security settings. To select the security mode for Outlook 2010, follow these steps:
Run Group Policy, and then open Outlk14.adm. Go to User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Outlook 2010\Security\Security Form Settings.
Double-click Outlook Security Mode, and then select Enabled. Select Use Outlook Security Group Policy from the drop-down list, and then click OK.
The preceding sections explained how to configure attachment blocking for Exchange Server users. Non–Exchange Server users can also control attachment blocking, although the method for modifying the attachment list is different. So if you use Outlook 2010 in a workgroup or on a stand-alone computer without Exchange Server, you can still control which attachments Outlook 2010 prevents you from opening. You simply have fewer options for controlling and applying security settings.
If you modify the registry settings that affect the Level 1 list, you must restart Outlook 2010 for the changes to take effect.
To change the Level 1 attachment list, you must modify a registry setting on your local computer. You can remove file types from the list as well as add them. To apply the changes across multiple computers, distribute a registry script file. You can distribute this file through a logon script, place it on a network share for users to access, or send users a message containing a shortcut to the file. (For information about how to deploy registry files using a logon script, see the Windows Server help file.)
Follow these steps to create the necessary registry settings and optionally export them as a .reg file for other users:
On a system with Outlook 2010 installed, choose Start, Run, and then type regedit in the Run dialog box.
In the Registry Editor, open the key HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security.
In that key, add a string value named Level1Remove.
Set the value of Level1Remove to include the file name extensions of those files that you want removed from the Level 1 attachment list, without leading periods and separated by semicolons. The following example removes Microsoft Installer (.msi) files and Help (.hlp) files from the list:
msi;hlp
If you want to share the customized registry with other users, choose File, Export Registry File. Select a location for the .reg file, and then click Save. You can then distribute the .reg file to the other users, as noted earlier.
Outlook 2010 is aggressive about which attachments it blocks, but you might want to add other attachment types to the Level 1 list so that Outlook 2010 will block them. Using the same method as in the preceding procedure, add the registry value HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security\Level1Add. Set the value of Level1Add to include the file name extensions that you want added to the Level 1 list. You can add multiple file types separated by semicolons. See the preceding section for options for propagating the change to other users.
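Because a distributed .reg file changes attachment blocking on every computer that imports it, it is worth checking the file before it goes into a logon script or onto a share. The following Python sketch is an added example, not part of the original chapter. It reads the Level1Remove and Level1Add values under the key named above and reports entries written with a leading period, as well as removals that would unblock an extension on a reviewer-chosen watchlist. The watchlist and the sample export are assumptions constructed for illustration.

```python
import re

# Key and value names (Level1Remove, Level1Add) are the ones given in the text.
SECURITY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security"
# Assumption: a reviewer-chosen watchlist of extensions that should stay blocked.
# It is illustrative and is not Outlook's full Level 1 list.
WATCHLIST = {"exe", "bat", "cmd", "vbs", "js", "scr", "msi"}

# Constructed sample of a .reg export (not taken from a real system).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security]
"Level1Remove"="msi;.hlp; EXE"
"Level1Add"="iso;img"

[HKEY_CURRENT_USER\Software\Example]
"Level1Remove"="scr"
'''

def parse_level1(reg_text):
    """Return the Level1Remove and Level1Add entries found under the Outlook key only."""
    found = {"Level1Remove": [], "Level1Add": []}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Track which key the following values belong to.
            in_key = line.strip("[]").lower() == SECURITY_KEY.lower()
            continue
        m = re.match(r'"(Level1Remove|Level1Add)"="(.*)"$', line, re.I)
        if in_key and m:
            name = "Level1Remove" if m.group(1).lower() == "level1remove" else "Level1Add"
            found[name] = [e.strip() for e in m.group(2).split(";") if e.strip()]
    return found

def review(reg_text):
    """List findings a reviewer should resolve before the file is distributed."""
    findings = []
    for name, entries in parse_level1(reg_text).items():
        for raw in entries:
            ext = raw.lstrip(".").lower()
            if raw.startswith("."):
                findings.append(f"{name}: '{raw}' has a leading period; write '{ext}'")
            if name == "Level1Remove" and ext in WATCHLIST:
                findings.append(f"{name}: '{ext}' would no longer be blocked as Level 1")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_REG):
        print(finding)
```

Files exported by the Registry Editor in the Version 5.00 format are UTF-16 encoded, so open a real export with encoding="utf-16" before passing its text to review().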
Although it’s useful to block attachments in general, there will undoubtedly still be the occasional legitimate attachment that ends up getting blocked by Outlook 2010. Fortunately, even though attachments are blocked, you can still access them using a few other approaches. The attachment file type (Level 1 or Level 2) and the other email programs available to you determine the best method for opening the file.
You can configure Outlook 2010 to allow certain Level 1 attachments (essentially removing them from the Level 1 list) by modifying the registry. (See the section Configuring Attachment Blocking Directly in Outlook, on page 825, for instructions.) You might want to do this if you find yourself repeatedly having to deal with the same type of blocked Level 1 attachment. If you are using Exchange Server, your ability to do this may be controlled by the administrator as described in the section Configuring Blocked Attachments, on page 815.
Outlook 2010 also uses a list of Level 2 attachments, which are defined by the administrator at the server level (and therefore apply to Exchange Server accounts). You can’t open Level 2 attachments in Outlook 2010, but you can save them to disk and open them from there. To open a Level 2 attachment this way, follow these steps:
Right-click the attachment, either in the Reading pane or in the message form, and choose Save As.
In the Save Attachment dialog box, specify the folder in which you want to save the file, and then click Save.
Outside Outlook 2010, browse to the folder where you saved the attachment, and then open the file.
Because the Level 2 list is empty by default, no attachments are blocked as Level 2 attachments unless the Exchange Server administrator has modified the Level 2 list.
For detailed information about configuring attachment blocking under Exchange Server, see the section Configuring Blocked Attachments, on page 815.
Like other Office system applications, Outlook 2010 allows you to use macros to automate common tasks. Macros have become an increasingly popular infection mechanism for viruses because most inexperienced users don’t expect to have their systems infected by the sort of Office documents they regularly work with. However, Office macros can contain viruses that cause just as much damage as any other virus. Protecting yourself against macro viruses is an important step in safeguarding your system overall.
You can guard against macro viruses by implementing a virus scanner on your computer that checks your documents for macro viruses, by installing an antivirus solution on your email servers or SharePoint farm, or by using both methods. Another line of protection is to control how and when macros are allowed to run. Outlook 2010 provides four security levels for macros that determine which macros can run on the system. To set the level, in Outlook 2010, click File, Options, Trust Center, Trust Center Settings, and finally Macro Settings, and then select one of these levels:
Disable All Macros Without Notification: Macros are totally disabled, and Outlook 2010 does not display any warning that a macro is attempting to run.
Notifications For Digitally Signed Macros, All Other Macros Disabled: Your system can run only macros that are digitally signed. This means that some macros, even benign and potentially useful ones, are not available.
Notifications For All Macros: You will be prompted as to whether you want to run any macros.
Enable All Macros (Not Recommended; Potentially Dangerous Code Can Run): Macros run automatically, regardless of their signature. This is the most dangerous setting.
For additional information about configuring macro security and specifying trusted sources, see the section Setting Macro Security, on page 725. To learn how to add a digital signature to your macros so that they don’t generate a security warning, see the section Signing Your Macros to Avoid Security Warnings, on page 727.
Some applications interact with Outlook 2010, most typically using the address book to address and send a message. In most cases, these applications will generate a security warning dialog box. The warning is built into Outlook 2010 to help you identify when unauthorized applications are attempting to access your Outlook 2010 data. For example, a worm that propagates itself by email would likely generate the warning.
The section Configuring Attachments in Exchange Server, on page 817, explained how Exchange Server administrators can use Group Policy to configure security settings for Outlook 2010 users. That section covered how to configure attachment blocking. You can also use Group Policy to configure the behavior of specific types of applications in relation to the security features in Outlook 2010, as well as specify dynamic-link libraries (DLLs) that should be explicitly trusted and allowed to run without generating a security warning.
If you have not already configured Group Policy to manage security settings, see the section Configuring Attachments in Exchange Server, on page 817.
Just as with the other security settings that can be configured in Exchange Server, you can control programmatic access to Outlook 2010 via either Group Policy or the Exchange Security Form.
To configure the settings that determine how Outlook 2010 security features handle various types of applications, follow these steps:
Run Group Policy, and then go to User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Outlook 2010\Security\Security Form Settings\Programmatic Security.
Configure the Outlook 2010 object model–related settings as desired. Each of these policy items has the same Guard behavior options. Select Prompt User to have Outlook 2010 prompt the user to allow or deny the action. Select Automatically Approve to allow the program to execute the task without prompting the user. Select Automatically Deny to prevent the program from executing the task without prompting the user. Select Prompt User Based On Computer Security to use the following Outlook 2010 security settings:
Configure Outlook Object Model Prompt When Sending Mail: Specifies the action that Outlook 2010 takes when an application tries to send mail programmatically with the Outlook 2010 object model.
Configure Outlook Object Model Prompt When Accessing An Address Book: Specifies the action that Outlook 2010 takes when an application tries to access an address book with the Outlook 2010 object model.
Configure Outlook Object Model Prompt When Reading Address Information: Specifies the action that Outlook 2010 takes when an application tries to access a recipient field, such as To or Cc, with the Outlook 2010 object model.
Configure Outlook Object Model Prompt When Responding To Meeting And Task Requests: Specifies the action that Outlook 2010 takes when an application tries to send mail programmatically by using the Respond method on task and meeting requests.
Configure Outlook Object Model Prompt When Executing Save As: Specifies the action that Outlook 2010 takes when an application tries to use the Save As command programmatically to save an item.
Configure Outlook Object Model Prompt When Accessing The Formula Property Of A UserProperty Object: Specifies the action that Outlook 2010 takes if a user has added a Combination or Formula custom field to a custom form and bound it to an Address Information field. Blocking access can prevent an application from indirectly retrieving the value of the Address Information field through its Value property.
When you have finished configuring programmatic settings, close Group Policy.
Part of the battle of getting an application past the Outlook 2010 security prompts is in understanding what method it is using to access your Outlook 2010 data. If you’re not sure, you can simply change one setting, test, and if the change doesn’t enable the application to bypass the security prompts, change a different setting. This trial-and-error method isn’t the most direct, but it won’t take much time to test each of the possibilities. Remember that you must refresh Group Policy and then start Outlook 2010 for these changes to be applied.
In addition to (or as an alternative to) configuring security settings to allow various types of applications to bypass the Outlook 2010 security prompts, you can identify specific applications that can bypass the Outlook 2010 security prompts. These applications must be written specifically to use the Outlook 2010 security trust model.
Before an unsigned application (for example, a noncommercial application) can be added to the trusted list, you must generate a hash key value to use when setting Group Policy. The Outlook 2010 Security Hash Generator Tool is available from Microsoft by going to office.microsoft.com/downloads/ and searching for “Outlook 2010 Security Hash Generator Tool.” Once you have downloaded the hash generator, you have to install and register it before using it to create hash keys.
To install the hash generator, follow these steps:
Run the Hash Generator Tool Setup program to start installation. Specify a folder for the extracted files, and then click OK.
Open a command prompt window, and then go to the folder with the extracted files.
Type CreateHash.bat /register, and then press Enter.
To register an add-in, follow these steps:
To add a trusted application, follow these steps:
Copy, to a location accessible to the computer where you will be modifying the Outlook 2010 security settings, the DLL or other executable file that loads the application to be trusted.
Generate a hash key and note its value for use during installation.
Run Group Policy, and then go to User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Outlook 2010\Security\Security Form\Programmatic Security\Trusted Add-ins.
Double-click Configured Trusted Add-ins.
Select Enabled, and then click Show.
In the Show Contents dialog box, add the DLL name or hash, and then click OK.
Repeat the process for any other applications that you want to add to the trusted list, and then close Group Policy.
As you have seen, Outlook 2010 has several ways to help keep your system more secure, but there are additional steps that you can take to further ensure that you don’t fall victim to viruses or other malicious software.
Make sure that your antivirus protection is kept up to date. The threat from viruses changes on a daily basis, and virus definitions need updating just about as quickly. Set your antivirus software to check for updates automatically, and check it occasionally to make sure that it’s doing so.
Create exceptions to the standard rules with discretion. Although there are several ways around the virus protection measures provided in Outlook 2010, you should be careful deciding when you use them. Just because you can demote all Level 1 attachments to Level 2 to get past the Outlook 2010 built-in filtering doesn’t mean you should.
Get in the habit of storing the file in an archive, such as a compressed (zipped) folder, created using Windows Explorer (or a program such as WinZip) before sending. Since files with a .zip extension are not blocked by Outlook 2010, you can be sure that your attachment will arrive (unless the recipient server blocks it), allowing the recipient to save it and extract the contents.
To create a zipped folder, in a Windows Explorer window, select the file(s) you want to zip, and then right-click and choose Send To, Compressed (Zipped) Folder. A compressed file will be created in the current folder.
If you have access to a location where you can upload files, such as a file server or a SharePoint site, upload your files there and send email with a link to the site rather than sending the file as an attachment. This method has advantages beyond avoiding unwanted attachment blocking: Mail files are smaller without large attachments, for example, and multiple people can download a file from a single location. Plus, you don’t duplicate the file for multiple recipients, which would add to your storage requirements.
When it comes to computer security, a little common sense goes a long way. Pay attention to what you do in email. Don’t open unexpected attachments or those from unknown sources.