Microsoft KB Archive/815623

= OL2000: How to Enable the Digital Security Features for Outlook 2000 SR-1a =

Article ID: 815623

Article Last Modified on 2/1/2007

-

APPLIES TO


 * Microsoft Outlook 2000 Service Pack 1

-



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.



SUMMARY
When you install Microsoft Outlook 2000 Service Release 1a (SR-1a), the digital security features in Microsoft Outlook are disabled, and the default encryption level is set to 40-bit.

To use the following features after you have installed Outlook 2000 SR-1a
 * High Encryption (128-bit or higher)
 * Certificate Revocation List checking
 * Publish to GAL

edit the registry and download the appropriate updates as instructed in this article.



How to Enable Security Features
Follow these steps to enable the digital security options, including the Certificate Revocation List Checking and Publish to GAL features, in Outlook 2000 SR-1a.

Note For additional information about how to use the Publish to GAL feature, see the “How to use the Publish to GAL Feature” section of this article.

WARNING : If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

 Click Start, click Run. In the Open box, type regedit, and then click OK. Locate the following subkey in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0\Outlook

 On the Edit menu, click New, and then click Key . Type Security to name the new subkey, and then press ENTER. The new subkey will be selected. On the Edit menu, click Add Value, and then add the following registry value:

Value Name : EnableSRFeatures

Data Type : REG_DWORD

Value : 1

 Quit Registry Editor.</li></ol>

Note If the EnableSRFeatures value is set to 0, the new security features are not enabled or visible.

For additional information about the security features that are described in this article, click the following article number to view the article in the Microsoft Knowledge Base:

249780 OL2000: XCLN: Updated Outlook Security Features Installed with Office

How to Enable High Encryption (128-Bit or Higher)
You must obtain the following updates to enable High Encryption.

Updated 128-Bit Encryption Provider for Outlook 2000 SR-1 (Required for All Versions of Microsoft Windows)
By default, Microsoft Outlook 2000 includes 40-bit encryption. Download and install the updated 128-bit Encryption Provider for Outlook 2000 SR-1a to enable High Encryption. To do this, follow the steps that are described in the following Microsoft Knowledge Base article:

324522 OL2000: Incorrect Cipher Strength Appears in Security Information Dialog Box

High Encryption Pack
Note The Microsoft Windows XP systems include the High Encryption, and no additional downloads are required.

For Microsoft Windows Millennium (Me), Microsoft Windows 98, Microsoft Windows 98 SE, Microsoft Windows 95, and Microsoft Windows NT 4.0 users

Download and install the Microsoft Internet Explorer High Encryption Pack for your version of Microsoft Internet Explorer. To do so, visit the following Microsoft Web site, and search for the appropriate download for your version of Internet Explorer.

http://windowsupdate.microsoft.com

For Microsoft Windows 2000 users

Download and install the Microsoft Windows 2000 High Encryption Pack (128-bit). To do this, visit the following Microsoft Web site.

http://www.microsoft.com/downloads/details.aspx?FamilyID=c10925a0-ac66-4c44-b5c3-9dcab4da1c63

How to Enable CRL Checking
To enable CRL checking, download the appropriate updates for your operating system, and then modify the registry.

Required Updates to Enable CRL Checking
<ul> For Windows Millennium (Me), Windows 98, Windows 98 SE, Windows 95 users

Download and install one of the following versions of Internet Explorer: Microsoft Internet Explorer 5.01 Service Pack 2, Microsoft Internet Explorer 5.5 Service Pack 2, or Microsoft Internet Explorer 6.0 Service Pack 1.

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack

276369 How to Obtain the Latest Service Pack for Internet Explorer 5.5

328548 How to Obtain the Latest Service Pack for Internet Explorer 6

</li> For Windows NT 4.0 users

Download and install one of the following versions of Internet Explorer: Internet Explorer 5.01 Service Pack 2, Internet Explorer 5.5 Service Pack 2, or Internet Explorer 6.0 Service Pack 1. For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack

276369 How to Obtain the Latest Service Pack for Internet Explorer 5.5

328548 How to Obtain the Latest Service Pack for Internet Explorer 6

Additionally, download and install the hotfix that is described in the following Microsoft Knowledge Base article:

282935 &quot;Certificate Revocation List Is Not Available&quot; Error Message Appears

</li> For Windows 2000 users

Download and install Microsoft Windows 2000 Service Pack 3.

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Additionally, download and install the hotfix that is described in the following Microsoft Knowledge Base article:

308707 &quot;Certificate Revocation List Is Not Available&quot; Error Message Appears

</li></ul>

How to Edit the Registry to Enable CRL Checking
To edit the registry to enable CRL Checking, follow these steps.

WARNING : If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

<ol> Click Start, click Run.</li> In the Open box, type regedit, and then click OK.</li> Locate the following subkey in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography

</li> On the Edit menu, click New, and then click Key .</li> Type {7801ebd0-cf4b-11d0-851f-0060979387ea} to name the new subkey, and then press ENTER. The new subkey will be selected.</li> On the Edit menu, click New, click DWORD Value, and then add the following registry value:

Value Name : PolicyFlags

Data Type : REG_DWORD

Value : 10000

</li> Quit Registry Editor.</li></ol>

How to Use the Publish to GAL Feature
The Publish to GAL feature writes a user's public key to the Microsoft Active Directory or the Microsoft Exchange 5.5 Directory. This permits you to encrypt messages that are sent to recipients in the Global Address List without having to create a Microsoft Outlook contact. To publish your public key to the Global Address List, follow these steps:
 * 1) Start Outlook.
 * 2) On the Tools menu, click Options, and then click the Security tab.
 * 3) Click Publish to GAL.

Note If the Publish to GAL button is not visible, follow the steps in the “How to Enable Security Features” section of this article to create the EnableSRFeatures registry value.

When you use the Publish to GAL feature, the public key is written to the UserSMIMECertificate Active Directory object. When you are in an environment that uses a Certificate Server, your public key is automatically written to the UserCertificate object.

When you use the Publish to GAL feature, the public key is written to the Tagged-X-509-Cert Exchange 5.5 Directory object. When you are in an environment that uses a Certificate Server, the public key is automatically written to the X-509-Cert object.

You must use the Publish to GAL feature to send 128-bit or higher encrypted messages to Global Address List recipients in Outlook 2000.

Keywords: kbinfo KB815623

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.