While Microsoft has made significant progress securing Exchange 2003 and Outlook 2003, vulnerabilities still exist. Use the following 10 steps to mitigate potential problems before they become major issues.
1. Stay current with Office security updates – Using Microsoft Update, you can automatically or manually download and install Office and Windows updates. You can download Office-specific updates from Microsoft’s Office Web site. If you manage a large number of desktops, consider using Windows Server Update Services (WSUS), which includes support for Office products via its automatic update mechanism. Alternatively, you can manually download updates from the Office resource kit site. Check out these Office 2003 downloads and Office XP/2002 downloads.
2. Encrypt traffic between Exchange and Outlook clients – If the network between the client and the Exchange server isn’t totally secure, you should encrypt the communication channel between Outlook and Exchange. To do this, click Tools | E-mail Accounts, select View or change existing e-mail accounts and click Next. Select the user’s Exchange e-mail account and click Change. Click More Settings and select the Security tab. Under Encryption, enable the checkbox labeled Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server and click OK.
3. Learn about Outlook’s attachment blocking feature – Outlook 2003 includes attachment blocking functionality designed to protect end users from running dangerous attachments, such as executable files, script files, Windows program information files (pif) and more. Check out this complete list of file types blocked by Outlook 2003.
If you need to receive a message with an attachment that is on the blocked list, ask the sender to zip the file (unless you choose to block zip files) before sending it, or make the file available via a download location. If you have a file type that you would like to block—perhaps zip files—you can edit the desktop’s registry to add the new file type you’d like to block.
To block a specific file type, open regedit and navigate to the key:
Add a new string value named Level1Add. Open the new value and enter the list of extensions you’d like to block, each separated by a semicolon (for example .zip;.xls;.exe). Outlook will now block attachments with the extensions you specify from your inbox.
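The same Level1Add change can be scripted so it is repeatable across desktops. This is an added example, not code from the article; it assumes the Outlook 2003 Security key path (which the article omits, so it is left as a labelled placeholder here) and uses the Level1Add value name and semicolon-separated format the article describes. It merges new extensions into any existing list without creating duplicates.

```powershell
# Added example: merge extra extensions into Outlook 2003's Level1Add value.
# ASSUMPTION: set $SecurityKey to the Outlook 2003 Security registry key the article
# refers to; the article does not spell out the path, so a placeholder is used here.
$SecurityKey = 'HKCU:\PLACEHOLDER_OUTLOOK_2003_SECURITY_KEY'

# Constructed input: mixed case, a missing leading dot and a duplicate, on purpose.
$ExtensionsToBlock = @('.zip', 'xls', '.EXE', '.zip')

function Normalize-Extension {
    param([string]$Ext)
    # Outlook compares extensions case-insensitively; store them as ".ext" in lower case.
    $e = $Ext.Trim().ToLowerInvariant()
    if (-not $e.StartsWith('.')) { $e = ".$e" }
    return $e
}

function Merge-Level1Add {
    param([string]$Existing, [string[]]$New)
    # Combine the existing semicolon-separated list with the new entries, dropping
    # blanks and duplicates while preserving order.
    $seen = New-Object System.Collections.Generic.List[string]
    foreach ($item in (($Existing -split ';') + $New)) {
        if ([string]::IsNullOrWhiteSpace($item)) { continue }
        $n = Normalize-Extension $item
        if (-not $seen.Contains($n)) { $seen.Add($n) }
    }
    return ($seen -join ';')
}

if (-not (Test-Path $SecurityKey)) { New-Item -Path $SecurityKey -Force | Out-Null }
$current = (Get-ItemProperty -Path $SecurityKey -Name Level1Add -ErrorAction SilentlyContinue).Level1Add
$merged  = Merge-Level1Add -Existing $current -New $ExtensionsToBlock
Set-ItemProperty -Path $SecurityKey -Name Level1Add -Value $merged -Type String
Write-Output "Level1Add is now: $merged"
```

Outlook reads the value at start-up, so the new blocks take effect the next time Outlook is launched.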
4. Create a Public Key Infrastructure (PKI) to support more secure messaging – This goes beyond Outlook and requires that you create a certificate infrastructure, which allows you (or your users) to verify the authenticity of people sending them mail and to send messages to recipients that are similarly guaranteed. Microsoft Knowledge Base article 286159 includes a number of steps you can take to manage your digitally secure Outlook environment.
5. Read messages in plain text – HTML e-mail messages can contain viruses or malicious scripts. By default, Outlook allows you to read HTML formatted messages, but you can disable this behavior and read messages in plain-text only. To disable HTML e-mail, click Tools | Options and select the Preferences tab. Click E-mail Options and enable the Read all standard mail in plain text checkbox. While you don’t have to worry as much about digitally signed mail since you should know who sent the message, if you want to force all digitally signed mail to be delivered to you in plain text only, also enable the All digitally signed mail in plain text checkbox.
6. Ask Outlook to catch more junk mail, or consider using a white list – Outlook 2003 includes the ability to catch junk e-mail and place it into a junk e-mail folder in Outlook. Outlook includes four default junk e-mail settings. No filtering—don’t look for junk e-mail. Only move mail from senders you have explicitly blocked to the junk mail folder. Low & medium—The low setting handles only absolutely obvious junk mail while the medium setting catches more, but starts to run the risk of catching mail that shouldn’t be moved. Finally, if you want to make sure you get mail only from people you know, you can choose the Safe Lists Only setting and then populate your Safe Senders list. Note that this white list method can result in quite a lot of management overhead. To manage junk mail settings, click Tools | Options, select the Preferences tab, and click Junk E-mail.
7. Be comfortable with the Reading Pane… as long as you don’t change default settings – In previous versions of Outlook, the Reading Pane posed a privacy risk since users could view HTML messages and other potentially insecure items that could report back to the sender that a message was read. As such, many people disabled the Reading Pane in order to avoid opening a malicious message. However, Outlook 2003 includes features that make the Reading Pane (which can be very useful) safe to use. This is due to Outlook’s new default setting that disables automatic downloading of pictures in HTML messages.
If these settings have been changed so that pictures are automatically downloaded into Outlook, you should change the setting back to the default. To reset the Reading Pane’s default settings, click Tools | Options, choose the Security tab, and click Change Automatic Download Settings. Select all the available checkboxes. The two middle checkboxes relax this setting for senders that you feel are safe, while the other two checkboxes enforce the picture downloading ban.
8. Scan and secure with the Microsoft Baseline Security Analyzer – Version 2.0 of the Microsoft Baseline Security Analyzer (MBSA) scans systems for missing updates, including updates for Microsoft Office XP and later. Further, MBSA 2.0 will tell you if any of your systems have their firewalls disabled, and let you know whether Automatic Updates are on or off. MBSA 2.0 is available for download.
9. Maintain macro and publisher security – By default, Outlook’s macro security is set to high, which automatically blocks unsigned macros from being executed. The next, and highest, option requires that macros only be run from trusted locations. Macros not from trusted locations will not be run, whether they’re signed or not. I don’t recommend this highest level of security, and recommend that you leave this option set to the default of high. However, on the next tab—Trusted Publishers—consider clearing the checkbox “Trust all installed add-ins and templates”. These options are found at Tools | Macro | Security. Check out this full list of the ramifications of manipulating the various macro security options.
10. Password protect your PST files – This is especially important for laptop users as the PST files could hold the keys to the kingdom if someone got their hands on your files. While Exchange users can’t do this, smaller shops using Outlook with other mail systems can. To add a password to your PST file, right-click the top level folder and choose the Properties option from the shortcut menu. Click the Advanced button and, on the resulting screen, click the Change Password button. Enter the new password as well as its verification and click OK.