Microsoft KB Archive/926512

= Information for administrators about e-mail security settings in Outlook 2007 =

Article ID: 926512

Article Last Modified on 6/29/2007

-

APPLIES TO


 * Microsoft Office Outlook 2007

-



INTRODUCTION
This article contains information for administrators about e-mail security features in Microsoft Office Outlook 2007. This article lists the security settings that you can set when Outlook 2007 is running in a Microsoft Exchange Server environment.



The AdminSecurityMode registry entry and security policy
Outlook 2007 can use either public folder security forms or Group Policy to manage security for attachments and for add-ins. The ability to use Group Policy object (GPO) settings to store security settings is a new feature in Outlook 2007.

If your environment uses public folders, and if you use public folder security forms in earlier versions of Outlook, you can continue to use public folder security forms. You can do this after you make a minor change to the appropriate registry settings.

Outlook 2007 is designed to take advantage of the GPO settings to manage security for attachments and for add-ins. Unlike Microsoft Office Outlook 2003, Outlook 2007 does not use the CheckAdminSettings registry data to determine policy settings or to determine trust levels for add-ins. Instead, Outlook 2007 uses the new AdminSecurityMode registry entry to determine the security policy.

The AdminSecurityMode registry entry uses the following configuration:

Key:

DWORD value: AdminSecurityMode

Values:
 * 0: Use the default Outlook security settings

Note This is the default setting if the AdminSecurityMode registry entry is not present.
 * 1: Use the security policy from the Outlook Security Settings public folder
 * 2: Use the security policy from the Outlook 10 Security Settings public folder
 * 3: Use the security policy from the GPO settings

Use the AdminSecurityMode registry entry to control the security settings that Outlook 2007 applies. You can configure Outlook 2007 to use the current security settings that are published through the existing Outlook public folder security forms. Alternatively, you can configure Outlook 2007 to use GPO-based security settings.

The AddinTrust registry entry and add-in trust policy
The AddinTrust registry entry in Outlook 2007 works exactly as it does in Outlook 2003. Be aware that when you set the value of the AddinTrust registry entry to 0 (zero), you configure Outlook 2007 to use the security policy that is determined by the value of the AdminSecurityMode registry entry. The AddinTrust registry entry uses the following configuration:

Key:

DWORD value: AddinTrust

Values:
 * 0: Trust is determined by the value of the AdminSecurityMode registry entry

Note This is the default setting if the AddinTrust registry entry is not present.
 * 1: Trust all add-ins
 * 2: Trust no add-ins

Outlook 2007 in an Exchange Server environment that uses public folders
If you already use public folder security forms to manage security, the simplest migration route to Outlook 2007 is to continue to use public folder security forms. You can do this regardless of the version of Exchange Server that you are running in your environment.

To make sure that Outlook 2007 uses the security settings that are configured in the public folder security forms, set the AdminSecurityMode registry entry to a value of either 1 or 2. The value that you set depends on whether the published forms are located in the Outlook Security Settings public folder or in the Outlook 10 Security Settings public folder.

The following list describes the AdminSecurityMode registry entry values. The list also describes how each value affects Outlook 2007 in an Exchange Server environment that uses public folders, as follows:
 * No registry entry present: Outlook 2007 uses the default administrative settings
 * 0: Outlook 2007 uses the default administrative settings
 * 1: Outlook 2007 uses the custom administrative settings in the Outlook Security Settings public folder
 * 2: Outlook 2007 uses the custom administrative settings in the Outlook 10 Security Settings public folder
 * 3: Outlook 2007 uses the GPO settings

Outlook 2007 in an Exchange Server environment that does not use public folders
To configure Outlook 2007 to use GPO-based security settings, set the AdminSecurityMode registry entry to a value of 3. Additionally, if it is required, confirm that the AddinTrust registry entry is set to a value of 0 (zero).

Attachment security settings
The security settings for attachments in Outlook 2007 are as follows.

Show Level 1 attachments
Typically, Level 1 attachments are blocked. If you enable this policy, users can see Level 1 attachments in Outlook 2007.

Key:

DWORD value: ShowLevel1Attach

Values:
 * 1: Enabled
 * 0: Disabled

Let users demote attachments to Level 2
If you enable this policy, users can demote the security level of attachments from Level 1 security to Level 2 security. By doing this, users can access Level 1 attachments in Outlook 2007. If you disable this policy, users cannot demote the security level of attachments.

Key:

DWORD value: AllowUsersToLowerAttachments

Values:
 * 1: Enabled
 * 0: Disabled

Disable the prompt about Level 1 attachments when users send an item
By default, Outlook 2007 prompts users when an item that has a Level 1 attachment is sent. If you enable this policy, you disable the prompt.

Key:

DWORD value: DontPromptLevel1AttachSend

Values:
 * 1: Enabled
 * 0: Disabled

Disable the prompt about Level 1 attachments when users close an item
By default, Outlook 2007 prompts users when an item that has a Level attachment is closed. If you enable this policy, you disable the prompt.

Key:

DWORD value: DontPromptLevel1AttachClose

Values:
 * 1: Enabled
 * 0: Disabled

Enable in-place activation of embedded OLE objects
Outlook 2007 can enable in-place activation of embedded OLE objects. This condition may potentially enable users to run malicious code that is disguised as another document. If you enable this policy, Outlook 2007 enables users to make OLE objects in place become active. If you disable this policy, Outlook 2007 cannot enable users to make embedded OLE objects in place become active.

Key:

DWORD value: AllowInPlaceOLEActivation

Values:
 * 1: Enabled
 * 0: Disabled

Show OLE package objects
Outlook 2007 can display OLE package objects. OLE package objects can disguise malicious code as another document. If you enable this policy, Outlook 2007 shows OLE package objects. If you disable this policy, Outlook 2007 cannot show OLE package objects.

Key:

DWORD value: ShowOLEPackageObj

Values:
 * 1: Enabled
 * 0: Disabled

Add file name extensions that are blocked as Level 1 security items
This policy lists the file name extensions that are promoted to Level 1 security.

Key:

String: FileExtensionsAddLevel1

Values: List of file name extensions that are separated by a semicolon

Remove file name extensions that are blocked as Level 1 security items
This policy lists the file name extensions that are demoted to Level 2 security.

Key:

String: FileExtensionsRemoveLevel1

Values: List of file name extensions that are separated by a semicolon

Add file name extensions that are blocked as Level 2 security items
This policy lists the file name extensions that are added to Level 2 security.

Key:

String: FileExtensionsAddLevel2

Values: List of file name extensions that are separated by a semicolon

Remove file name extensions that are blocked as Level 2 security items
This policy lists the file name extensions that are removed from Level 2 security.

Key:

String: FileExtensionsRemoveLevel2

Values: List of file name extensions that are separated by a semicolon

Custom form security settings
The security settings for custom forms in Outlook 2007 are as follows.

Enable scripts in one-off Outlook 2007 forms
When you enable this policy, scripts can run in a one-off Outlook 2007 form.

Key:

DWORD value: EnableOneOffFormScripts

Values:
 * 1: Enabled
 * 0: Disabled

Configure a prompt for Outlook object model custom actions
When you enable this policy, certain actions can occur when a custom action is performed by using the Outlook object model. You can configure Outlook 2007 to automatically allow the action, to automatically deny the action, or to prompt the user.

Key:

DWORD value: PromptOOMCustomAction

Values:
 * 0: Automatically deny
 * 1: Prompt user

Note This is the default setting.
 * 2: Automatically approve

Configure a prompt for the &quot;ItemProperty&quot; property of a control
This policy controls how the access process works for the ItemProperty property of a control on a custom form. You can configure Outlook 2007 to automatically allow the action, to automatically deny the action, or to prompt the user.

Key:

DWORD value: PromptOOMItemPropertyAccess

Values:
 * 0: Automatically deny
 * 1: Prompt user

Note This is the default setting.
 * 2: Automatically approve

Programmatic security settings
Programmatic security settings are listed as follows.

Configure a prompt when a program sends items by using the Outlook object model
This policy determines the behavior that occurs when a program sends items by using the Outlook object model.

Key:

DWORD value: PromptOOMSend

Values:
 * 0: Automatically deny
 * 1: Prompt user

Note This is the default setting.
 * 2: Automatically approve

Configure a prompt when a program accesses an address book by using the Outlook object model
This policy determines the behavior that occurs when a program accesses an address book by using the Outlook object model.

Key:

DWORD value: PromptOOMAddressBookAccess

Values:
 * 0: Automatically deny
 * 1: Prompt user

Note This is the default setting.
 * 2: Automatically approve

Configure a prompt when a program reads address information by using the Outlook object model
This policy determines the behavior that occurs when a program reads address information by using the Outlook object model.

Key:

DWORD value: PromptOOMAddressInformationAccess

Values:
 * 0: Automatically deny
 * 1: Prompt user

Note This is the default setting.
 * 2: Automatically approve

Configure a prompt when a program responds to meeting requests and task requests by using the Outlook object model
This policy determines the behavior that occurs when a program responds to meeting requests and task requests by using the Outlook object model.

Key:

DWORD value: PromptOOMMeetingTaskRequestResponse

Values:
 * 0: Automatically deny
 * 1: Prompt user

Note This is the default setting.
 * 2: Automatically approve

Configure a prompt when a program uses the Outlook object model to access the &quot;Save As&quot; command to save an item
This policy determines the behavior that occurs when a program uses the Outlook object model to access the Save As command to save an item.

Key:

DWORD value: PromptOOMSaveAs

Values:
 * 0: Automatically deny
 * 1: Prompt user

Note This is the default setting.
 * 2: Automatically approve

Configure a prompt when users access the &quot;Formula&quot; property of a UserProperty object
This policy determines the behavior that occurs when users access the Formula property of a UserProperty object.

Key:

DWORD value: PromptOOMFormulaAccess

Values:
 * 0: Automatically deny
 * 1: Prompt user

Note This is the default setting.
 * 2: Automatically approve

Configure a prompt when a program accesses address information by using the &quot;UserProperties.Find&quot; method
This policy determines the behavior that occurs when a program accesses address information by using the UserProperties.Find method.

Key:

DWORD value: PromptOOMAddressUserPropertyFind

Values:
 * 0: Automatically deny
 * 1: Prompt user

Note This is the default setting.
 * 2: Automatically approve

About the settings for Simple MAPI operations
Originally, there were plans to include settings for the following Simple MAPI operations:
 * A program sends items by using Simple MAPI
 * A program resolves addresses by using Simple MAPI
 * A program opens a message by using Simple MAPI

However, these settings were not added to the product in the release version of Outlook 2007. We are researching the ability to add this functionality to the GPO settings. These settings may be included in a future release.

Trusted add-ins
The security settings for trusted add-ins are as follows.

List of trusted add-ins
This policy lists the file names and the hash values that are always trusted by Outlook 2007.

Key:

String: The file name of the add-in

Value: A hash of the file that is generated by the Secure Hash Algorithm (SHA-1). The hash is stored in the same format that is used in the security form.

Note Each trusted add-in has a string value and a corresponding hash value in the TrustedAddins subkey.

Registry settings that were used in earlier versions of Outlook
Certain registry settings that were used in earlier versions of Outlook also apply to Outlook 2007. You can use these registry settings together with public folder security forms, or you can use them as independent settings. These registry settings are not considered part of the Outlook 2007 Group Policy object approach to attachment and add-in security.

The DisallowAttachmentCustomization registry entry
When you enable this policy, Outlook 2007 disables the Level1Remove registry entry. However, the Level1Add registry entry continues to work.

Key:

DWORD value: DisallowAttachmentCustomization

Values: Any value

Note This policy controls whether you can customize the attachment security settings by using non-policy registry keys.

The Level1Remove registry entry
This policy lists the file name extensions that are demoted to Level 2 security.

Key:

String: Level1Remove

Values: List of file name extensions that are separated by a semicolon

Note If the DisallowAttachmentCustomization registry entry is present, Outlook 2007 ignores the Level1Remove registry entry.

The Level1Add registry entry
This policy lists the file name extensions that are promoted to Level 1 security.

Key:

DWORD value: Level1Add

Values: List of file name extensions that are separated by a semicolon

Note The file name extensions on this list are blocked by Outlook 2007.

For more information about Outlook 2007 security settings, visit the following Microsoft Web site:

http://technet2.microsoft.com/Office/en-us/library/8a611f92-e197-4dd3-9417-5ed513891af11033.mspx?mfr=true

Additional query words: ol1007 outlook2007 restriction file type

Keywords: kbhowto kbinfo kbregistry kbexpertiseinter KB926512

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.