5-Minute Security Advisor - How Outlook Security Works

Updated : June 7, 2002

Outlook is a very powerful and flexible email program. One of its signature features is Visual Basic for Applications (VBA) support, which has allowed third-party developers to create a wide range of add-ins and supplemental tools to make Outlook even better. Unfortunately, as with most other powerful tools (think chainsaws, hunting rifles, and dynamite), this power has occasionally been misused by criminals who have released viruses that spread through Outlook's scripting language. In addition, wily attackers have found other tricky ways to get malicious content into your mailbox. Luckily, the Outlook development team has gotten wise to their tricks, so Outlook 2002 includes a robust set of security features that help you protect your computer—and network—from these malicious attacks. These features fall into several categories; the most interesting ones revolve around Outlook's protections against viruses and other types of hostile code and its support for protecting email with digital signatures and encryption.

Controlling attachment types

One of the most noticeable features in Outlook 2002 is its ability to screen out some types of attachments. This feature is useful because most users are prone to open attachments even when they come from unknown sources, leading to widespread outbreaks of viruses and penetrations by Trojan-horse programs such as SubSeven. Whether you're a home user or a corporate administrator, the first protective measure you should take is to install a good anti-virus program on every desktop you're responsible for. Administrators can control which attachment types are available to users: type 1 attachments are completely blocked, so that they are never accessible. Type 2 attachments may be saved to disk so the user can open them after confirming their safety. If you're using Outlook 2000 or earlier, you're still in luck; Microsoft has made the Outlook 2002 improvements available for earlier versions.

Action: If you're running Outlook 97, upgrade to Outlook 98 or later. If you're using Outlook 98, get the email security update package. If you're using Outlook 2000, first install the Office Service Release-1 (SR1) package, then get Outlook 2000 Service Pack 2, which includes the update.

Individual users https://support.microsoft.com/default.aspx?scid=kb;EN-US;290497 can also customize which attachment types are accessible. However, you need to use this feature carefully; if you're not sure whether you can count on the people using your computers not to open programs without verifying their origin, you might prefer to leave the default blocking settings in place.

Restricting what outside programs can do

Outlook has always allowed external programs, such as PocketPC or PalmOS synchronization tools and Microsoft Word's mail-merge feature, to access your address book and create or read messages. In Outlook 2002 (and 2000, if you install the CDO update), Outlook restricts what untrusted outside programs may do by preventing them from querying the address book, sending mail on your behalf, or saving untrusted files to your disks. To be more precise, Outlook will prompt you when an external program tries to do one of these things; developers of legitimate programs can work with Microsoft to have Outlook recognize their applications so that they don't prompt you. This feature is automatic; if you're using an Exchange server, the administrator can customize exactly what types of programmatic access are allowed.

Protecting against malicious HTML, scripts, and controls

Outlook can send and receive HTML mail. Because these HTML messages can contain scripts that execute when the page is loaded, attackers have been able to pervert this useful function to embed malicious scripts in messages. To prevent these scripts from doing damage, Outlook 2002 automatically disables scripts and ActiveX controls in HTML messages you receive. You can gain a greater degree of control over how messages run by configuring Outlook 2000/2002's security zones feature, which is based on the same feature in Internet Explorer (IE) . The Security tab of Outlook 2002's Tools | Options dialog box lets you choose whether you want messages to be executed as though their originators are in the Internet or Restricted Sites zones. Add sites you trust to behave properly (such as Microsoft's TechNet site) to your Trusted Sites zone, leaving the security settings on High or Medium for the Internet and Restricted Sites zones. See the Internet Explorer security checklist for a comprehensive approach to securing your IE installation.)

Protecting mail with encryption & digital signatures

Outlook 2000 and 2002 support the Secure Multipurpose Internet Mail Extensions, or S/MIME. S/MIME is a set of security protocols that allow your mail to be protected against tampering and eavesdropping. Messages sent between two S/MIME-capable programs can be digitally signed, encrypted, or signed and encrypted. Corporate Microsoft Exchange users have had access to this technology through Windows 2000's public-key infrastructure components for a while now, but individual users can take advantage of it. too. The basic steps are simple:

1. Obtain a certificate, also known as a digital ID. From within Outlook, use the Tools | Options command to bring up the Options dialog, then switch to the Security tab and click the "Get a Digital ID" button. (US users can skip directly to this digital ID page.)

2. Depending on who issued your certificate, it might be automatically installed, or you might have to import it yourself by using the Security tab's Import/Export button.

3. After your certificate is installed, you can click the Security tab's Settings… button to see the S/MIME settings available to you.

After you've completed these three steps, you can create signed or encrypted messages by composing the message normally, then opening its Options dialog. Click the Security Settings button, and you'll see the Security Properties dialog. Check the boxes corresponding to the security you want applied to the message, then send it—that's it! (iI you need more detailed instructions, read the how-to document that explains exactly what to do.)