Information for administrators about e-mail security settings in Outlook 2007
Original KB number: 926512
Introduction
This article contains information for administrators about e-mail security features in Microsoft Office Outlook 2007. This article lists the security settings that you can set when Outlook 2007 is running in a Microsoft Exchange Server environment.
The AdminSecurityMode registry entry and security policy
Outlook 2007 can use either public folder security forms or Group Policy to manage security for attachments and for add-ins. The ability to use Group Policy object (GPO) settings to store security settings is a new feature in Outlook 2007.
If your environment uses public folders, and if you use public folder security forms in earlier versions of Outlook, you can continue to use public folder security forms. You can do this after you make a minor change to the appropriate registry settings.
Outlook 2007 is designed to take advantage of the GPO settings to manage security for attachments and for add-ins. Unlike Office Outlook 2003, Outlook 2007 does not use the CheckAdminSettings
registry data to determine policy settings or to determine trust levels for add-ins. Instead, Outlook 2007 uses the new AdminSecurityMode
registry entry to determine the security policy.
The AdminSecurityMode
registry entry uses the following configuration:
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: AdminSecurityMode
Values:
0: Use the default Outlook security settings
Note
This is the default setting if the
AdminSecurityMode
registry entry is not present.1: Use the security policy from the Outlook Security Settings public folder
2: Use the security policy from the Outlook 10 Security Settings public folder
3: Use the security policy from the GPO settings
Use the AdminSecurityMode
registry entry to control the security settings that Outlook 2007 applies. You can configure Outlook 2007 to use the current security settings that are published through the existing Outlook public folder security forms. Alternatively, you can configure Outlook 2007 to use GPO-based security settings.
The AddinTrust registry entry and add-in trust policy
The AddinTrust
registry entry in Outlook 2007 works exactly as it does in Outlook 2003. Be aware that when you set the value of the AddinTrust
registry entry to 0 (zero), you configure Outlook 2007 to use the security policy that is determined by the value of the AdminSecurityMode
registry entry. The AddinTrust
registry entry uses the following configuration:
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: AddinTrust
Values:
0: Trust is determined by the value of the AdminSecurityMode registry entry
Note
This is the default setting if the
AddinTrust
registry entry is not present.1: Trust all add-ins
2: Trust no add-ins
Outlook 2007 in an Exchange Server environment that uses public folders
If you already use public folder security forms to manage security, the simplest migration route to Outlook 2007 is to continue to use public folder security forms. You can do this regardless of the version of Exchange Server that you are running in your environment.
To make sure that Outlook 2007 uses the security settings that are configured in the public folder security forms, set the AdminSecurityMode
registry entry to a value of either 1 or 2. The value that you set depends on whether the published forms are located in the Outlook Security Settings public folder or in the Outlook 10 Security Settings public folder.
The following list describes the AdminSecurityMode
registry entry values. The list also describes how each value affects Outlook 2007 in an Exchange Server environment that uses public folders, as follows:
- No registry entry present: Outlook 2007 uses the default administrative settings
- 0: Outlook 2007 uses the default administrative settings
- 1: Outlook 2007 uses the custom administrative settings in the Outlook Security Settings public folder
- 2: Outlook 2007 uses the custom administrative settings in the Outlook 10 Security Settings public folder
- 3: Outlook 2007 uses the GPO settings
Outlook 2007 in an Exchange Server environment that does not use public folders
To configure Outlook 2007 to use GPO-based security settings, set the AdminSecurityMode
registry entry to a value of 3. Additionally, if it is required, confirm that the AddinTrust
registry entry is set to a value of 0 (zero).
Attachment security settings
The security settings for attachments in Outlook 2007 are as follows.
Show Level 1 attachments
Typically, Level 1 attachments are blocked. If you enable this policy, users can see Level 1 attachments in Outlook 2007.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: ShowLevel1Attach
Values:
- 1: Enabled
- 0: Disabled
Let users demote attachments to Level 2
If you enable this policy, users can demote the security level of attachments from Level 1 security to Level 2 security. By doing this, users can access Level 1 attachments in Outlook 2007. If you disable this policy, users cannot demote the security level of attachments.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: AllowUsersToLowerAttachments
Values:
- 1: Enabled
- 0: Disabled
Disable the prompt about Level 1 attachments when users send an item
By default, Outlook 2007 prompts users when an item that has a Level 1 attachment is sent. If you enable this policy, you disable the prompt.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: DontPromptLevel1AttachSend
Values:
- 1: Enabled
- 0: Disabled
Disable the prompt about Level 1 attachments when users close an item
By default, Outlook 2007 prompts users when an item that has a Level attachment is closed. If you enable this policy, you disable the prompt.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: DontPromptLevel1AttachClose
Values:
- 1: Enabled
- 0: Disabled
Enable in-place activation of embedded OLE objects
Outlook 2007 can enable in-place activation of embedded OLE objects. This condition may potentially enable users to run malicious code that is disguised as another document. If you enable this policy, Outlook 2007 enables users to make OLE objects in place become active. If you disable this policy, Outlook 2007 cannot enable users to make embedded OLE objects in place become active.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: AllowInPlaceOLEActivation
Values:
- 1: Enabled
- 0: Disabled
Show OLE package objects
Outlook 2007 can display OLE package objects. OLE package objects can disguise malicious code as another document. If you enable this policy, Outlook 2007 shows OLE package objects. If you disable this policy, Outlook 2007 cannot show OLE package objects.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: ShowOLEPackageObj
Values:
- 1: Enabled
- 0: Disabled
Add file name extensions that are blocked as Level 1 security items
This policy lists the file name extensions that are promoted to Level 1 security.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
String: FileExtensionsAddLevel1
Values: List of file name extensions that are separated by a semicolon
Remove file name extensions that are blocked as Level 1 security items
This policy lists the file name extensions that are demoted to Level 2 security.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
String: FileExtensionsRemoveLevel1
Values: List of file name extensions that are separated by a semicolon
Add file name extensions that are blocked as Level 2 security items
This policy lists the file name extensions that are added to Level 2 security.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
String: FileExtensionsAddLevel2
Values: List of file name extensions that are separated by a semicolon
Remove file name extensions that are blocked as Level 2 security items
This policy lists the file name extensions that are removed from Level 2 security.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
String: FileExtensionsRemoveLevel2
Values: List of file name extensions that are separated by a semicolon
Custom form security settings
The security settings for custom forms in Outlook 2007 are as follows.
Enable scripts in one-off Outlook 2007 forms
When you enable this policy, scripts can run in a one-off Outlook 2007 form.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: EnableOneOffFormScripts
Values:
- 1: Enabled
- 0: Disabled
Configure a prompt for Outlook object model custom actions
When you enable this policy, certain actions can occur when a custom action is performed by using the Outlook object model. You can configure Outlook 2007 to automatically allow the action, to automatically deny the action, or to prompt the user.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: PromptOOMCustomAction
Values:
0: Automatically deny
1: Prompt user
Note
This is the default setting.
2: Automatically approve
Configure a prompt for the ItemProperty property of a control
This policy controls how the access process works for the ItemProperty property of a control on a custom form. You can configure Outlook 2007 to automatically allow the action, to automatically deny the action, or to prompt the user.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: PromptOOMItemPropertyAccess
Values:
0: Automatically deny
1: Prompt user
Note
This is the default setting.
2: Automatically approve
Programmatic security settings
Programmatic security settings are listed as follows.
Configure a prompt when a program sends items by using the Outlook object model
This policy determines the behavior that occurs when a program sends items by using the Outlook object model.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: PromptOOMSend
Values:
0: Automatically deny
1: Prompt user
Note
This is the default setting.
2: Automatically approve
Configure a prompt when a program accesses an address book by using the Outlook object model
This policy determines the behavior that occurs when a program accesses an address book by using the Outlook object model.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: PromptOOMAddressBookAccess
Values:
0: Automatically deny
1: Prompt user
Note
This is the default setting.
2: Automatically approve
Configure a prompt when a program reads address information by using the Outlook object model
This policy determines the behavior that occurs when a program reads address information by using the Outlook object model.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: PromptOOMAddressInformationAccess
Values:
0: Automatically deny
1: Prompt user
Note
This is the default setting.
2: Automatically approve
Configure a prompt when a program responds to meeting requests and task requests by using the Outlook object model
This policy determines the behavior that occurs when a program responds to meeting requests and task requests by using the Outlook object model.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: PromptOOMMeetingTaskRequestResponse
Values:
0: Automatically deny
1: Prompt user
Note
This is the default setting.
2: Automatically approve
Configure a prompt when a program uses the Outlook object model to access the Save As command to save an item
This policy determines the behavior that occurs when a program uses the Outlook object model to access the Save As command to save an item.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: PromptOOMSaveAs
Values:
0: Automatically deny
1: Prompt user
Note
This is the default setting.
2: Automatically approve
Configure a prompt when users access the Formula property of a UserProperty object
This policy determines the behavior that occurs when users access the Formula
property of a UserProperty
object.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: PromptOOMFormulaAccess
Values:
0: Automatically deny
1: Prompt user
Note
This is the default setting.
2: Automatically approve
Configure a prompt when a program accesses address information by using the UserProperties.Find method
This policy determines the behavior that occurs when a program accesses address information by using the UserProperties.Find
method.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: PromptOOMAddressUserPropertyFind
Values:
0: Automatically deny
1: Prompt user
Note
This is the default setting.
2: Automatically approve
About the settings for Simple MAPI operations
Originally, there were plans to include settings for the following Simple MAPI operations:
- A program sends items by using Simple MAPI
- A program resolves addresses by using Simple MAPI
- A program opens a message by using Simple MAPI
However, these settings were not added to the product in the release version of Outlook 2007. We are researching the ability to add this functionality to the GPO settings. These settings may be included in a future release.
Trusted add-ins
The security settings for trusted add-ins are as follows.
List of trusted add-ins
This policy lists the file names and the hash values that are always trusted by Outlook 2007.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\TrustedAddins
String: The file name of the add-in
Value: A hash of the file that is generated by the Secure Hash Algorithm (SHA-1). The hash is stored in the same format that is used in the security form.
Note
Each trusted add-in has a string value and a corresponding hash value in the TrustedAddins
subkey.
Registry settings that were used in earlier versions of Outlook
Certain registry settings that were used in earlier versions of Outlook also apply to Outlook 2007. You can use these registry settings together with public folder security forms, or you can use them as independent settings. These registry settings are not considered part of the Outlook 2007 Group Policy object approach to attachment and add-in security.
The DisallowAttachmentCustomization registry entry
When you enable this policy, Outlook 2007 disables the Level1Remove
registry entry. However, the Level1Add
registry entry continues to work.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: DisallowAttachmentCustomization
Values: Any value
Note
This policy controls whether you can customize the attachment security settings by using non-policy registry keys.
The Level1Remove registry entry
This policy lists the file name extensions that are demoted to Level 2 security.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
String: Level1Remove
Values: List of file name extensions that are separated by a semicolon
Note
If the DisallowAttachmentCustomization registry entry is present, Outlook 2007 ignores the Level1Remove
registry entry.
The Level1Add registry entry
This policy lists the file name extensions that are promoted to Level 1 security.
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD value: Level1Add
Values: List of file name extensions that are separated by a semicolon
Note
The file name extensions on this list are blocked by Outlook 2007.
For more information about Outlook 2007 security settings, see Customize programmatic settings in Outlook 2007.