Plan for Outlook 2007 security in special environments
Updated: April 9, 2009
Applies To: Office Resource Kit
Topic Last Modified: 2009-04-03
When you use Group Policy to configure security settings for Microsoft Office Outlook 2007, there are issues to consider when your environment includes one or more of the following:
Users who access their mailboxes by using a hosted Exchange Server.
Users with administrative rights on their computers.
Users who access Exchange mailboxes by using Outlook Web Access.
If users access mailboxes by using a hosted Exchange Server, you might use the Exchange Server security form to configure security settings or use the default Outlook security settings. In hosted environments, users access their mailboxes remotely; for example, by using a virtual private network (VPN) connection or by using RPC over HTTP. Since Group Policy is deployed by using Active Directory and in this scenario, the user's local computer is not a member of the domain, Group Policy security settings cannot be applied.
Also, by using the Exchange Server security form to configure security settings, users automatically receive updates to security settings. Users cannot receive updates to Group Policy security settings unless their computer is in the Active Directory domain.
Restrictions to Group Policy settings are not enforced when users log on with administrative rights. Users with administrative rights can also change the Outlook security settings on their computer and can remove or alter the restrictions you have configured. This is true not just for Outlook security settings, but for all Group Policy settings.
While this can be problematic when an organization intends to have standardized settings for all users, there are mitigating factors:
Group Policy overrides local changes at the next logon. Changes to Outlook security settings revert to the Group Policy settings when the user logs on.
Overriding a Group Policy affects only the local computer. Users with administrative rights affect only security settings on their computer, not the security settings for users on other computers.
Users without administrative rights cannot change policies. In this scenario, Group Policy security settings are as secure as settings configured by using the Exchange Server security form.
Outlook and Outlook Web Access (OWA) do not use the same security model. OWA has separate security settings stored on the OWA server.
This topic is included in the following downloadable books for easier reading and printing:
See the full list of available books at Office Resource Kit information.