Overview of security and protection settings for Outlook 2013


Applies to: Office 365 ProPlus, Outlook 2013

Summary: Learn about security settings for Outlook 2013.

Audience: IT Professionals

An administrator can customize many of the security-related features in Outlook 2013. This includes how the security settings are enforced, which kind of ActiveX controls can run, custom forms security, and programmatic security settings. You can also customize Outlook 2013 security settings for attachments, Information Rights Management, junk email, and encryption, which are covered in additional articles that are listed in Additional settings later in this article.

Important

This article provides content for administrators who configure Outlook settings for their organizations.
Are you looking for help with security settings in Outlook on your desktop? You may be looking for one of these articles, which will help you secure Outlook on your desktop.

In this article:

  • Overview

  • Specify how security settings are enforced in Outlook

  • How administrator and user settings interact in Outlook 2013

  • Working with Outlook COM add-ins

  • Customize ActiveX and custom forms security in Outlook 2013

  • Customize programmatic settings in Outlook 2013

  • Customize Simple MAPI settings

  • Additional settings

Overview

By default, Outlook is configured to use high security-related settings. High security levels can result in limitations to Outlook functionality, such as restrictions on email message attachment file types. You might have to lower default security settings for your organization. However, be aware that lowering any default security settings might increase the risk of virus execution or propagation.

Before you start to configure security settings for Outlook 2013 by using Group Policy or the Outlook Security template, you must configure the Outlook Security Mode in Group Policy. If you do not set the Outlook Security Mode, Outlook 2013 uses the default security settings and ignores any Outlook 2013 security settings that you have made.

For information about how to download the Outlook 2013 administrative template, and about other Office 2013 Administrative Templates, see Group Policy Administrative Template files (ADMX, ADML) and Office Customization Tool (OCT) files for Office 2013. For more information about Group Policy, see Overview of Group Policy for Office 2013 and Use Group Policy to enforce Office 2010 settings.

Specify how security settings are enforced in Outlook

As with Office Outlook 2007 and Outlook 2010, you can configure security options for Outlook 2013 by using Group Policy (recommended) or change security settings by using the Outlook Security template and publish the settings to a form in a top-level folder in Exchange Server public folders. Unless you have Office Outlook 2003 or earlier versions in your environment, we recommend that you use Group Policy to configure security settings. To use either option, you must enable the Outlook Security Mode setting in Group Policy and set the Outlook Security Policy value. Default security settings in the product are enforced if you do not enable this setting. The Outlook Security Mode setting is in the Outlook 2013 Group Policy template (Outlk15.admx) under User Configuration\Administrative Templates\Microsoft Outlook 2013\Security\Security Form Settings. When you enable the Outlook Security Mode setting, you have the four Outlook Security Policy options, which are described in the following table.

Outlook Security Policy options

Outlook Security Mode option Description

Outlook Default Security

Outlook ignores any security-related settings configured in Group Policy or when using an Outlook Security template. This is the default setting.

Outlook Security Group Policy

Outlook uses the security settings from Group Policy (recommended).

Security Form from "Outlook Security Settings" Public Folder

Outlook uses the settings from the security form that is published in the designated public folder.

Security Form from "Outlook 10 Security Settings" Public Folder

Outlook uses the settings from the security form that is published in the designated public folder.

Customize security settings by using Group Policy

When you use Group Policy to configure security settings for Outlook 2013, consider the following factors:

  • Settings in the Outlook Security template must be manually migrated to Group Policy. If you previously used the Outlook Security template to manage security settings and now choose to use Group Policy to enforce settings in Outlook 2013, you must manually migrate the settings that you configured earlier to the corresponding Group Policy settings for Outlook 2013.

  • Customized settings configured by using Group Policy might not be active immediately. You can configure Group Policy to refresh automatically (in the background) on users' computers while users are logged on, at a frequency that you determine. To make sure that new Group Policy settings are active immediately, users must log off and log back on to their computers.

  • Outlook checks security settings only at startup. If security settings are refreshed while Outlook is running, the new configuration is not used until the user closes and restarts Outlook.

  • No customized settings are applied in Personal Information Manager (PIM)-only mode. In PIM mode, Outlook uses the default security settings. No administrator settings are necessary or used in this mode.

Special environments

When you use Group Policy to configure security settings for Outlook 2013, consider whether your environment includes one or more of the scenarios that are shown in the following table.

Special environment scenarios

Scenario Issue

Users who access their mailboxes by using a hosted Exchange Server

If users access mailboxes by using a hosted Exchange Server, you can use the Outlook Security template to configure security settings or use the default Outlook security settings. In hosted environments, users access their mailboxes remotely. For example, they can access their mailboxes remotely by using a virtual private network (VPN) connection or by using Outlook Anywhere (RPC over HTTP). Because Group Policy is deployed by using Active Directory, and in this scenario, the user's local computer is not a member of the domain, Group Policy security settings cannot be applied.

Also, by using the Outlook Security template to configure security settings, users automatically receive updates to security settings. Users cannot receive updates to Group Policy security settings unless their computer is in the Active Directory domain.

Users who have administrative rights on their computers

Restrictions to Group Policy settings are not enforced when users log on by using administrative credentials. Users who have administrative rights can also change the Outlook security settings on their computers and can remove or alter the restrictions that you have configured. This is true not only for Outlook security settings, but for all Group Policy settings.

Although this can be problematic when an organization intends to have standardized settings for all users, there are mitigating factors:

  • Group Policy overrides local changes at the next logon. Changes to Outlook security settings revert to the Group Policy settings when the user logs on.

  • Overriding a Group Policy setting affects only the local computer. Users who have administrative rights affect only security settings on their computer, not the security settings for users on other computers.

  • Users without administrative rights cannot change policies. In this scenario, Group Policy security settings are as secure as settings configured by using the Outlook Security template.

Users who access Exchange mailboxes by using Outlook Web App

Outlook and Outlook Web App do not use the same security model. Outlook Web App has separate security settings that are stored on the Exchange Server computer. For more information, see Understanding security for Outlook Web App.

How administrator settings and user settings interact in Outlook 2013

Security settings that are defined by the user in Outlook 2013 work as if they are included in the Group Policy settings that you define as the administrator. When there is a conflict between the two, settings with a greater security level override settings with a lower security level.

For example, if you use the Group Policy Attachment Security setting Add file extensions to block as Level 1 to create a list of Level 1 file name extensions to be blocked, your list overrides the default list that is provided with Outlook 2013. It also overrides the users' settings for Level 1 file name extensions to block. Users can only remove file name extensions from the default list that is provided with Outlook 2013. Users cannot remove file types that you add to the Add file extensions to block as Level 1 list. For example, if the user wants to remove the file name extensions .exe and .reg from the Level 1 group, but you use the Add file extensions to block as Level 1 Group Policy setting to add .exe as a Level 1 file type, the user can only remove the .reg file name extension from the Level 1 group in Outlook.

Working with Outlook COM add-ins

A COM add-in should be coded so that it takes advantage of the Outlook trust model and can run without warning messages in Outlook 2013. Users might continue to see warnings when they access Outlook features that use the add-in, such as when they synchronize a hand-held device with Outlook 2013 on their desktop computers.

However, users are less likely to see warnings in Outlook 2013 than in Office Outlook 2003 or earlier versions. The Object Model (OM) Guard that helps prevent viruses from using the Outlook Address Book to propagate is updated in Office Outlook 2007, Outlook 2010 and Outlook 2013. Outlook 2013 checks for up-to-date antivirus software to help determine when to display address book access warnings and other Outlook security warnings.

You can't change the OM Guard by using the Outlook security form or Group Policy. However, if you use default Outlook 2013 security settings, all COM add-ins that are installed in Outlook 2013 are trusted by default. If you customize security settings by using Group Policy, you can specify COM add-ins that are trusted and that can run without encountering the Outlook object model blocks.

However, in Outlook 2013, two new configuration settings, List of managed add-ins and Block all unmanaged add-ins, allow you to create a list of always enabled add-ins or always blocked add-ins. These settings override the Trust Center settings. If an add-in is in the Block all unmanaged add-ins list and has also been added to the setting Configure trusted add-ins, the add-in will be blocked. You can find the settings List of managed add-ins and Block all unmanaged add-ins in the Outlook Group Policy template under User Configuration\Administrative Templates\Microsoft Outlook 2013\Miscellaneous.

To trust a COM add-in, include the file name for the add-in in a Group Policy setting with a calculated hash value for the file. Before you can specify an add-in as trusted by Outlook, you must install a program to calculate the hash value. For information about how to do this, see Manage trusted add-ins for Outlook 2010.

If you enforce customized Outlook security settings with the Microsoft Exchange Server security form that is published in an Exchange Server public folder, you can learn how to trust COM add-ins. Scroll down to the Trusted Code tab section in the Microsoft Office 2003 Resource Kit article, Outlook Security Template Settings.

If the user continues to see security prompts after the add-in is included in the list of trusted add-ins, you must work with the COM add-in developer to resolve the problem. For more information about coding trusted add-ins, see Important Security Notes for Microsoft Outlook COM Add-in Developers.

Customize ActiveX and custom forms security in Outlook 2013

You can specify ActiveX and custom forms security settings for Outlook 2013 users. Custom forms security settings include options for changing how Outlook 2013 restricts scripts, custom controls, and custom actions.

Customize how ActiveX controls behave in one-off forms

When Outlook receives a message that contains a form definition, the item is a one-off form. To help prevent unwanted script and controls from running in one-off forms, Outlook does not load ActiveX controls in one-off forms by default.

You can lock down the settings to customize ActiveX controls by using the Group Policy Outlook 2013 template (Outlk15.admx). Or you can configure default settings by using the Office Customization Tool (OCT), in which case users can change the settings. In Group Policy, use the Allow ActiveX One Off Forms setting under User Configuration\Administrative Templates\Microsoft Outlook 2013\Security. In the OCT, the Allow ActiveX One Off Forms setting is in the corresponding location on the Modify user settings page of the OCT. For more information about the OCT, see Office Customization Tool (OCT) reference for Office 2013.

When you enable the Allow ActiveX One Off Forms setting, you have three options, which are described in the following table.

Allow ActiveX One Off Forms setting options

Option Description

Allows all ActiveX Controls

Allows all ActiveX controls to run without restrictions.

Allows only Safe Controls

Allows only safe ActiveX controls to run. An ActiveX control is safe if it is signed with Authenticode and the signer is listed in the Trusted Publishers List.

Load only Outlook Controls

Outlook loads only the following controls, which are the only controls that can be used in one-off forms.

  • Controls from fm20.dll

  • Microsoft Office Outlook Rich Format Control

  • Microsoft Office Outlook Recipient Control

  • Microsoft Office Outlook View Control

If you do not configure any of these options, the default is to load only Outlook controls.

Customize custom forms security settings

You can lock down the settings to configure security for custom forms by using the Group Policy Outlook 2013 template (Outlk15.admx). In Group Policy, the settings are under User Configuration\Administrative Templates\Microsoft Outlook 2013\Security\Security Form Settings\Custom Form Security.

The settings that you can configure for scripts, custom controls, and custom actions are shown in the following table:

Scripts, custom controls, and custom actions settings

Setting name Registry path and value name Description

Allow scripts in one-off Outlook forms

Group Policy registry path: HKEY_CURRENT_USER\software\policies\microsoft\office\15.0\outlook\security!enableoneoffformscripts

Run scripts in forms where the script and the layout are contained in the message. If users receive a one-off form that contains script, users are prompted whether they want to run the script.

Set Outlook object model Custom Actions execution prompt

Group Policy registry path: HKEY_CURRENT_USER\software\policies\microsoft\office\15.0\outlook\security!promptoomcustomaction

Specifies what occurs when a program attempts to run a custom action by using the Outlook object model. A custom action can be created to reply to a message and circumvent the programmatic send protections. Select one of the following:

  • Prompt user enables the user to receive a message and decide whether to allow programmatic send access.

  • Automatically approve always allows programmatic send access without displaying a message.

  • Automatically deny always denies programmatic send access without displaying a message.

  • Prompt user based on computer security enforces the default configuration in Outlook 2013.

Customize programmatic settings in Outlook 2013

As an administrator of Outlook 2013, you can configure programmatic security settings to manage restrictions for the Outlook object model. The Outlook object model lets you programmatically manipulate data that is stored in Outlook folders.

Note

The Exchange Server Security template includes settings for Collaboration Data Objects (CDO). However, using CDO with Outlook 2013 is not supported.

You can use Group Policy to configure programmatic security settings for the Outlook object model. In Group Policy, load the Outlook 2013 template (Outlk15.admx). The Group Policy settings are located under User Configuration\Administrative Templates\Microsoft Outlook 2013\Security\Security Form Settings\Programmatic Security. These settings cannot be configured by using the Office Customization Tool.

The following are descriptions of the Group Policy options for programmatic settings. You can choose one of the following settings for each item:

  • Prompt user: Users receive a message allowing them to choose whether to allow or deny the operation. For some prompts, users can choose to allow or deny the operation without prompts for up to 10 minutes.

  • Automatically approve: Outlook automatically grants programmatic access requests from any program. This option can create a significant vulnerability, and we do not recommend it.

  • Automatically deny: Outlook automatically denies programmatic access requests from any program. The user does not receive a prompt.

  • Prompt user based on computer security: Outlook relies on the setting in the "Programmatic Access" section of the Trust Center. This is the default behavior.

The settings that you can configure for programmatic security settings for the Outlook object model are shown in the following table.

Programmatic security settings

Setting name Registry path and value name Description

Configure Outlook object model prompt when accessing an address book

Group Policy registry path: HKEY_CURRENT_USER\software\policies\microsoft\office\15.0\outlook\security!promptoomaddressbookaccess

Specifies what happens when a program attempts to gain access to an address book by using the Outlook object model.

Configure Outlook object model prompt when accessing the Formula property of a UserProperty object

Group Policy registry path: HKEY_CURRENT_USER\software\policies\microsoft\office\15.0\outlook\security!promptoomformulaaccess

Specifies what happens when a user adds a Combination or Formula custom field to a custom form and binds it to an Address Information field. By doing this, code can be used to indirectly retrieve the value of the Address Information field by getting the Value property of the field.

Configure Outlook object model prompt when executing Save As

Group Policy registry path: HKEY_CURRENT_USER\software\policies\microsoft\office\15.0\outlook\security!promptoomsaveas

Specifies what happens when a program attempts to programmatically use the Save As command to save an item. When an item is saved, a malicious program could search the file for email addresses.

Configure Outlook object model prompt when reading address information

Group Policy registry path: HKEY_CURRENT_USER\software\policies\microsoft\office\15.0\outlook\security!promptoomaddressinformationaccess

Specifies what happens when a program attempts to gain access to a recipient field, such as To, by using the Outlook object model.

Configure Outlook object model prompt when responding to meeting and task requests

Group Policy registry path: HKEY_CURRENT_USER\software\policies\microsoft\office\15.0\outlook\security!promptoommeetingtaskrequestresponse

Specifies what happens when a program attempts to send mail programmatically by using the Respond method on task requests and meeting requests. This method resembles the Send method on mail messages.

Configure Outlook object model prompt when sending mail

Group Policy registry path: HKEY_CURRENT_USER\software\policies\microsoft\office\15.0\outlook\security!promptoomsend

Specifies what happens when a program attempts to send mail programmatically by using the Outlook object model.

Customize Simple MAPI settings

You can use Group Policy to configure Simple MAPI settings for the Outlook object model. In Group Policy, load the Outlook 2013 template (Outlk15.admx). The Group Policy settings are located under User Configuration\Administrative Templates\Microsoft Outlook 2013\Security\Security Form Settings\Programmatic Security. These settings cannot be configured by using the Office Customization Tool.

Simple MAPI settings

Setting name Registry path and value name Description

Configure Simple MAPI sending prompt

Group Policy registry path: HKEY_CURRENT_USER\software\policies\microsoft\office\15.0\outlook\security!promptsimplemapisend

Allows you to specify what occurs when a program attempts to send mail programmatically by using Simple MAPI.

Configure Simple MAPI name resolution prompt

Group Policy registry path: HKEY_CURRENT_USER\software\policies\microsoft\office\15.0\outlook\security!promptsimplemapinameresolve

Allows you to specify what occurs when a program attempts to gain access to an Address Book by using Simple MAPI.

Configure Simple MAPI message opening prompt

Group Policy registry path: HKEY_CURRENT_USER\software\policies\microsoft\office\15.0\outlook\security!promptsimplemapiopenmessage

Allows you to specify what occurs when a program attempts to gain access to a recipient field, such as the "To" field, by using Simple MAPI.
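The following audit script is an added example, not part of this article or the Outlook administrative template. It reads the policy values from the registry paths given in the Custom Form Security, Programmatic Security, and Simple MAPI tables above and flags any that are set to Automatically approve, the option the article warns can create a significant vulnerability. The numeric meaning of the DWORD data (0 through 3) and the AdminSecurityMode value name used for the Outlook Security Mode check are assumptions drawn from the Outlk15.admx conventions, not stated in this article; verify them against your copy of the template.

```powershell
# Audit of Outlook 2013 programmatic-security policy values for the current user.
# Added example (not from the article). Registry path and value names come from the
# article's tables; the 0..3 mapping and 'AdminSecurityMode' are ASSUMPTIONS to verify
# against Outlk15.admx before relying on this output.

$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\15.0\Outlook\Security'

# Assumed mapping of DWORD data to the four options described in the article.
$Modes = @{
    0 = 'Prompt user'
    1 = 'Automatically approve'
    2 = 'Automatically deny'
    3 = 'Prompt user based on computer security'
}

# Value names taken from the article's tables.
$PromptValues = @(
    'PromptOOMCustomAction',               # Custom Form Security
    'PromptOOMAddressBookAccess',          # Programmatic Security
    'PromptOOMFormulaAccess',
    'PromptOOMSaveAs',
    'PromptOOMAddressInformationAccess',
    'PromptOOMMeetingTaskRequestResponse',
    'PromptOOMSend',
    'PromptSimpleMAPISend',                # Simple MAPI
    'PromptSimpleMAPINameResolve',
    'PromptSimpleMAPIOpenMessage'
)

function Get-OutlookSecurityAudit {
    param([string]$Key = $PolicyKey)

    # Missing key or values simply yield $null (Outlook default behaviour applies).
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    # Assumed: AdminSecurityMode = 3 selects "Outlook Security Group Policy".
    # The article states that without Outlook Security Mode set, every other
    # policy value below is ignored, so report that first.
    $secMode = $props.AdminSecurityMode
    if ($secMode -ne 3) {
        Write-Warning "Outlook Security Mode is not 'Outlook Security Group Policy' (AdminSecurityMode=$secMode); Outlook will ignore the policy values listed below."
    }

    foreach ($name in $PromptValues) {
        $data = $props.$name
        if ($null -eq $data)                          { $mode = 'Not configured (Outlook default)' }
        elseif ($Modes.ContainsKey([int]$data))       { $mode = $Modes[[int]$data] }
        else                                          { $mode = "Unknown value $data" }

        # The article does not recommend Automatically approve; surface it clearly.
        $risk = if ($data -eq 1) { 'HIGH: programmatic access auto-approved' } else { '' }

        [pscustomobject]@{
            Setting = $name
            Data    = $data
            Mode    = $mode
            Risk    = $risk
        }
    }
}

Get-OutlookSecurityAudit | Format-Table -AutoSize
```

Run it in the context of the user whose policy you want to check; because the key lives under HKEY_CURRENT_USER, an administrator's own session shows the administrator's values, not another user's.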

Additional settings

The following table lists the articles that cover additional security settings not included in this article.

Additional security articles

Feature Related resources

ActiveX controls

Plan security settings for ActiveX controls for Office 2013

Attachments

Plan attachment settings in Outlook 2013

Cryptography

Plan for email messaging cryptography in Outlook 2013

Digital signatures

Plan digital signature settings for Office 2013

Junk email

Plan for limiting junk e-mail in Outlook 2013

Information Rights Management

Plan Information Rights Management in Office 2013

Protected view

Plan Protected View settings for Office 2013

See also

Overview of security in Office 2013