Set consistent Outlook 2007 cryptog...

Set consistent Outlook 2007 cryptography options for an organization

Updated: 2009-04-09

You can control many aspects of Microsoft Office Outlook 2007 cryptography features to help configure more secure messaging and message encryption for your organization. For example, you can configure a Group Policy setting that requires a security label on all outgoing mail or a setting that disables publishing to the Global Address List.

You can lock down the settings to customize cryptography by using the Outlook Group Policy template (Outlk12.adm). Or you can configure default settings by using the Office Customization Tool (OCT), in which case users can change the settings. The OCT settings are in corresponding locations on the Modify user settings page of the OCT.

The Outlook template and other ADM files can be downloaded from 2007 Office System Administrative Templates (ADM) on the Microsoft Download Center.

To customize cryptographic options by using Group Policy

In Group Policy, load the Office Outlook 2007 template (Outlk12.adm).
To customize cryptographic settings, under User Configuration\Administrative Templates\Microsoft Office Outlook 2007 \Security\Cryptography, double-click the policy setting you want to set. For example, double-click Do not display 'Publish to GAL' button. (Some options are included in the Signature Status dialog box folder.)
Click Enabled. When appropriate, choose an option that displays on the Setting tab.
Click OK.

The settings you can configure for cryptography are shown below.

Cryptography option	Description
Minimum encryption settings	Set to the minimum key length for an encrypted e-mail message.
S/MIME interoperability with external clients:	Specify the behavior for handling S/MIME messages.
Always use Rich Text formatting in S/MIME messages	Always use Rich Text for S/MIME messages instead of the format specified by the user.
S/MIME password settings	Specify the default and maximum amount of time that an S/MIME password is valid.
Message formats	Choose message formats to support: S/MIME (default), Exchange, Fortezza, or a combination of formats.
Message when Outlook cannot find the digital ID to decode a message	Enter a message to display to users.
Do not provide Continue option on Encryption warning dialog boxes	Disable the Continue button on encryption settings warning dialog boxes.
Run in FIPS compliant mode	Put Outlook into FIPS 140-1 mode.
Do not check e-mail address against address of certificates being using (sic)	Do not verify user's e-mail address with address of certificates used for encryption or signing.
Encrypt all e-mail messages	Encrypt outgoing e-mail messages.
Sign all e-mail messages	Sign outgoing e-mail messages.
Send all signed messages as clear signed messages	Use Clear Signed for signed outgoing e-mail messages.
Request an S/MIME receipt for all S/MIME signed messages	Request a security-enhanced receipt for outgoing e-mail messages.
URL for S/MIME certificates	Provide a URL at which users can obtain an S/MIME receipt. The URL can contain three variables (%1, %2, and %3), that will be replaced by the user's name, e-mail address, and language, respectively.
Ensure all S/MIME signed messages have a label	Require all S/MIME-signed messages to have a security label.
Do not display 'Publish to GAL' button	Disable the 'Publish to GAL' button on the E-mail Security page of the Trust Center.
Signature Warning	Specify an option for when signature warnings display to users.
S/MIME receipt requests	Specify an option for how S/MIME receipt requests are handled.
Fortezza certificate policies	Enter a list of policies allowed in the policies extension of a certificate showing that the certificate is a Fortezza certificate. List policies separated by semi-colons.
Require SUITEB algorithms for S/MIME operations	Use only Suite-B algorithms for S/MIME operations.
Enable Cryptography Icons	Display Outlook cryptography icons in the Outlook UI.
Retrieving CRLs (Certificate Revocation Lists)	Specify how Outlook behaves when CRL lists are retrieved.
Missing CRLs	Specify the Outlook response when a CRL is missing: display error or warning (default).
Missing root certificates	Specify the Outlook response when a root certificate is missing: display error or warning (default).
Promote Level 2 errors as errors, not warnings	Specify the Outlook response for Level 2 errors: display error or warning (default).
Attachment Secure Temporary Folder	Specify a folder path for the Secure Temporary Files Folder. This overrides the default path and is not recommended.

More information about setting Outlook cryptography options

The following sections provide additional information about configuration options for Outlook cryptography.

Outlook security policy settings

The following table lists the Windows registry settings you can configure for your custom installation. The Windows registry settings correspond to the Group Policy settings listed earlier. You add these value entries in the following subkey:

HKEY_CURRENT_USER\Software\\Microsoft\Office\12.0\Outlook\Security

Value name	Value data (Data type)	Description	Corresponding UI option
AlwaysEncrypt	0, 1 (DWORD)	Set to 1 to encrypt outgoing messages. Default is 0.	Encrypt contents check box (E-mail Security page).
AlwaysSign	0, 1 (DWORD)	Set to 1 to sign outgoing messages. Default is 0.	Add digital signature check box (E-mail Security page).
ClearSign	0, 1 (DWORD)	Set to 1 to use Clear Signed for outgoing messages. Default is 0.	Send clear text signed message check box (E-mail Security page).
RequestSecureReceipt	0, 1 (DWORD)	Set to 1 to request security-enhanced receipts for outgoing messages. Default is 0.	Request S/MIME receipt check box (E-mail Security page).
ForceSecurityLabel	0, 1 (DWORD)	Set to 1 to require a label on outgoing messages. (The registry setting does not specify which label.) Default is 0.	None
ForceSecurityLabelX	ASN encoded BLOB (Binary)	This value entry specifies whether a user-defined security label must exist on outgoing signed messages. The string can optionally include label, classification, and category. Default is no security label required.	None
SigStatusNoCRL	0, 1 (DWORD)	Set to 0 to specify that a missing CRL during signature validation is a warning. Set to 1 to specify that a missing CRL is an error. Default is 0.	None
SigStatusNoTrustDecision	0, 1, 2 (DWORD)	Set to 0 to specify that a No Trust decision is allowed. Set to 1 to specify that a No Trust decision is a warning. Set to 2 to specify that a No Trust decision is an error. Default is 0.	None
PromoteErrorsAsWarnings	0, 1 (DWORD)	Set to 0 to promote Error Level 2 errors as errors. Set to 1 to promote Error Level 2 errors as warnings. Default is 1.	None
PublishtoGalDisabled	0, 1 (DWORD)	Set to 1 to disable the Publish to GAL button. Default is 0.	Publish to GAL button (E-mail Security page)
FIPSMode	0, 1 (DWORD)	Set to 1 to put Outlook into FIPS 140-1 mode. Default is 0.	None
WarnAboutInvalid	0, 1, 2 (DWORD)	Set to 0 to display the Show and Ask check box (Secure E-mail Problem pont dialog box). Set to 1 to always show the dialog box. Set to 2 to never show the dialog box. Default is 2.	Secure E-mail Problem pont dialog box.
DisableContinueEncryption	0, 1 (DWORD)	Set to 0 to show the Continue Encrypting button in the final Encryption Errors dialog box. Set to 1 to hide the button. Default is 0.	Continue Encrypting button on final Encryption Errors dialog box. This dialog box appears when a user tries to send a message to someone who cannot receive encrypted messages. This setting disables the button that allows users to send the message regardless. (The recipient cannot open encrypted mail messages sent by overriding the error.)
RespondtoReceiptRequest	0, 1, 2, 3 (DWORD)	Set to 0 to always send a receipt response and prompt for a password, if needed. Set to 1 to prompt for a password when sending a receipt response. Set to 2 to never send a receipt response. Set to 3 to enforce sending a receipt response. Default is 0.	None
NeedEncryptionString	String	Displays the specified string when the user tries unsuccessfully to open an encrypted message. Can provide information about where to enroll in security. Default string is used, unless the value is set to another string.	Default string
Options	0, 1 (DWORD)	Set to 0 to show a warning dialog box when a user attempts to read a signed message with an invalid signature. Set to 1 to never show the warning. Default is 0.	None
MinEncKey	40, 64, 128, 168 (DWORD)	Set to the minimum key length for an encrypted e-mail message.	None
RequiredCA	String	Set to the name of the required certificate authority (CA). When a value is set, Outlook disallows users from signing e-mail by using a certificate from a different CA.	None
EnrollPageURL	String	URL for the default certificate authority (internal or external) from which you wish your users to obtain new digital IDs. Note: Set in HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security subkey if you do not have administrator rights on the user's computer.	Get Digital ID button (E-mail Security page).

When you specify a value for PromoteErrorsAsWarnings, potential Error Level 2 conditions include the following:

Unknown Signature Algorithm
No Signing Certification Found
Bad Attribute Sets
No Issuer Certificate Found
No CRL Found
Out of Date CRL
Root Trust Problem
Out of Date CTL

When you specify a value for EnrollPageURL, use the following parameters to send information about the user to the enrollment Web page.

Parameter	Placeholder in URL string
User display name	%1
SMTP e-mail name	%2
User interface language ID	%3

For example, to send user information to the Microsoft enrollment Web page, set the EnrollPageURL entry to the following value, including the parameters:

www.microsoft.com/ie/certpage.htm?name=%1&email=%2&helplcid=%3

For example, if the user's name is Jeff Smith, e-mail address is someone@example.com, and user interface language ID is 1033, the placeholders are resolved as follows:

www.microsoft.com/ie/certpage.htm?name=Jeff%20Smith&email=someone@example.com&helplcid=1033

Security policy settings for general cryptography

The following table shows additional Windows registry settings that you can use for your custom configuration. These settings are contained in the following subkey:

HKEY_CURRENT_USER\Software\Microsoft\Cryptography\SMIME\SecurityPolicies\Default

Value name	Value data (Data type)	Description	Corresponding UI option
ShowWithMultiLabels	0, 1, (DWORD)	Set to 0 to attempt to display a message when the signature layer has different labels set in different signatures. Set to 1 to prevent display of message. Default is 0.	None
CertErrorWithLabel	0, 1, 2 (DWORD)	Set to 0 to process a message with a certificate error when the message has a label. Set to 1 to deny access to a message with a certificate error. Set to 2 to ignore the message label and grant access to the message. (The user still sees a certificate error.) Default is 0.	None

Security policy settings for KMS-issued certificates

The values in the following table only apply to certificates issued by Microsoft Exchange Key Management Service (KMS). The table shows additional Windows registry settings that you can use for your custom configuration. These settings are contained in the following subkey:

HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Defaults\Provider

Value name	Value data (Data type)	Description	Corresponding UI option
MaxPWDTime	0, number (DWORD)	Set to 0 to remove the user's ability to save a password (the user is required to enter a password each time a key set is required). Set to a positive number to specify a maximum password time in minutes. Default is 999.	None
DefPWDTime	Number (DWORD)	Set to the default value for the amount of time a password is saved.	None

Download this book

This topic is included in the following downloadable books for easier reading and printing:

See the full list of available books at Office Resource Kit information.