Code Security Changes in Outlook 2007
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Summary: Learn how Outlook 2007 enhances code security to help protect Outlook users against malicious code while reducing security warnings for developers and users. Find out how these changes make developing and using Outlook solutions easier while maintaining security. This article applies to managed and unmanaged Outlook COM add-ins and cross-process applications that access Outlook by using the Outlook COM interfaces. (16 printed pages)
Ryan Gregg, Microsoft Corporation
June 2006
Applies to: Microsoft Office Outlook 2007
Contents
Overview of Code Security Changes
Code Security Defaults
Security Warnings
Administrator Options
Protected Members List
Conclusion
Additional Resources
Overview of Code Security Changes
To prevent malicious programs and viruses from propagating through e-mail messages, certain versions of Outlook have included the Object Model Guard to help protect against malicious use of the Outlook object model. Versions that have already been released include Microsoft Office Outlook 2003, Microsoft Outlook 2002, Microsoft Outlook 2000 Service Pack 3, Microsoft Outlook 2000 Service Pack 2, and Microsoft Outlook 2000 and Microsoft Outlook 98, which have been updated with the Outlook E-mail Security Update. Outlook solutions that access these protected properties and methods in the object model may invoke security warnings that the user must respond to before the solution can continue. Microsoft Office Outlook 2007 introduces several changes to the behavior of the Object Model Guard to improve the developer and user experience while helping to keep Outlook secure.
Code Security Defaults
As in Outlook 2003, Outlook 2007 continues to implicitly trust all in-process COM add-ins. Writing a trusted COM add-in continues to be the recommended approach to interact with Outlook data through the object model. The default trust behavior for all in-process COM add-ins works just as it did in Outlook 2003.
Security in Outlook 2007 takes advantage of the status of antivirus software installed on a computer. This change represents a major departure from the way the Object Model Guard worked in the past. If Outlook is able to detect that antivirus software is running with an acceptable status, Outlook disables security warnings for the user. This allows external applications that previously had to resort to Extended MAPI or third-party libraries to avoid security prompts under the appropriate conditions. This new behavior helps keep Outlook secure without overwhelming the user with excessive warning messages.
All out-of-process COM callers and add-ins run without security warnings if all of the following conditions are true:
The client computer is running Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Vista, and the Windows Security Center (WSC) indicates that antivirus software on the computer is in a "Good" health status. If the computer is joined to a domain, the health-status indicator may not be visible, but it is still maintained.
The antivirus software installed on the client computer is designed for Windows XP SP2 or Windows Vista.
Outlook 2007 is configured on the client computer in one of the following ways:
Uses the default security settings
Uses security settings defined by Group Policy and set to warn when antivirus software is inactive or out of date
Uses security settings defined by Group Policy but does not have a programmatic access policy applied
Additionally, Outlook 2007 suppresses security warnings when it is configured to Never warn me about suspicious activity (not recommended) through the Outlook Trust Center.
To detect the status of the antivirus software on client computers, Outlook 2007 depends on the WSC. Currently, antivirus products that are compatible with Windows XP SP2 and Windows Vista register status information with the WSC. Outlook first checks for the current status of antivirus software by querying the WSC. On computers running Microsoft Windows Server 2003, because the WSC is not available, Outlook is unable to detect the status of antivirus software and therefore does not disable security warnings.
In order for Outlook 2007 to disable security warnings, the antivirus software must report the following three conditions:
Antivirus software is installed and shares its status with third-party software through the WSC.
The antivirus software is up to date.
Virus scanning is enabled on access.
Outlook 2007 examines all of the antivirus products that are installed and registered with the WSC. If at least one of those products meets the previous three conditions, Outlook turns off the object model security warnings. Over a single session, Outlook 2007 continues to monitor the status of the antivirus software. At any point, if Outlook detects that no antivirus product on the computer meets all three conditions, Outlook immediately enables the security warnings. At any subsequent point, if Outlook detects that at least one antivirus product meets these criteria, Outlook disables the warnings again.
This new behavior applies to all programs that access Outlook 2007 through the Outlook object model. This includes add-ins and external COM callers. Programs that access Outlook data through other APIs (for example, Collaboration Data Objects, Exchange Client Extensions, or Simple MAPI) are not affected by this change. Solutions using Extended MAPI are not restricted by the Object Model Guard.
Trust Center Options for Code Security
Administrators can use the Trust Center in Outlook 2007 to change the default behavior. To access the Trust Center, open the Tools menu and click Trust Center. In the Trust Center, click Programmatic Access. The Programmatic Access Security dialog box provides options that differ from the default behavior, as shown in Figure 1.
Figure 1. Programmatic Access settings in the Outlook Trust Center
.gif "Programmatic Access settings")
The three settings are as follows:
Warn me about suspicious activity when my antivirus software is inactive or out-of-date (recommended)
This is the default setting, and it implements the behavior described earlier in this article. This setting is recommended for all users.
Always warn me about suspicious activity
This setting enables Outlook 2007 to act like Outlook 2003, so that cross-process COM callers and untrusted add-ins invoke security warnings.
Never warn me about suspicious activity (not recommended)
This setting prevents all security warnings and disables the Object Model Guard. Use this setting only in controlled environments where the risk of malicious code running on the computer is low.
These settings are available only if the current user is an administrator on the computer. Users without administrator privileges can view the current setting but cannot change it. Programmatic Access settings can also be controlled through Group Policy. For more information about configuring Outlook settings by using Group
COM Add-In Security Defaults
In Outlook 2007, all COM add-ins are trusted by default. Administrators can configure an alternate behavior by using Outlook 2007 Group Policy or the Outlook security form on a Microsoft Exchange Server.
As in previous versions, Outlook 2007 trusts only the Application object passed to the add-in during the OnConnection event of the add-in. If the add-in creates a new instance of the Application object, Outlook does not trust that object, even if the add-in is on the list of trusted add-ins. For more information about the OnConnection event, see the IDTExtensibility2 documentation on MSDN.
Object Model Guard
While Outlook 2007 defines new circumstances for untrusted callers to invoke security warnings, it inherits the set of protected objects and members from the Outlook 2003 Object Model Guard. In addition, Outlook 2007 displays warnings for code that attempts to access several new members added to the object model. Outlook raises warnings in five major scenarios, when untrusted code attempts to use the object model to retrieve data or execute certain methods:
Properties or methods that return address objects, including properties and members of these objects:
AddressEntries and AddressEntry
Recipient and Recipients
ExchangeDistributionList and ExchangeUser
SelectNamesDialog
PropertyAccessor
Properties of various objects that may contain addresses or address information, such as:
Alias
Address
Body and HTMLBody
ID
WordEditor
Methods that allow writing items to a storage location outside of Outlook, such as:
Item.SaveAs
CalendarSharing.SaveAsICal
Entry points that provide access to properties using explicit, built-in property names or references to namespaces, such as:
UserProperties.Find
ItemProperties.Item("IMAddress") and other protected properties
Table.Columns.Add
PropertyAccessor.GetProperties
PropertyAccessor.GetProperty
Programmatic sending of an item:
Item.Allow, Item.Send
Action.Execute
Security Warnings
Outlook 2007 displays one of three security warnings when an add-in that is not properly trusted or a cross-process COM client attempts to access a protected property or method. These messages are specific to the type of information or action that the program was attempting to access or execute. The messages have a new appearance and new button labels that are consistent with Windows XP and Windows Vista recommendations for security dialogs.
Address Book Warning
The address book warning, shown in Figure 2, is the most common prompt that a user sees when an untrusted program is accessing Outlook data. This prompt appears for members whose prompt type is "Address Book" in the Protected Members List later in this article.
Figure 2. Outlook 2007 address book access prompt
.gif "Outlook 2007 address book access prompt")
This warning enables the user to allow or deny the action. The user can also choose to allow access to the address book for a period of time indicated in the drop-down box.
If the user clicks Deny, Outlook immediately blocks the call that invokes the warning and returns MAPI_E_NOT_SUPPORTED. Outlook does not return any data for the call. If the program does not properly handle the error, it might crash.
If the user clicks Allow without selecting the Allow access for check box, only the call that generated the warning will be allowed. Additional calls on the same line or calls for objects that derive from the blocked call may generate their own security warnings.
If the user clicks Allow after selecting the Allow access for check box, the call that generated the prompt, as well as future calls, will be allowed for the duration that the user has selected. During this time period, all callers to the object model — not just the program that originally invoked the security warning — are approved for address-book access. After this time period expires, security warnings may reappear.
Send Message Warning
The Send Message warning, shown in Figure 3, is invoked when an untrusted solution attempts to send an item programmatically. This prompt appears for members whose prompt type is "Sending Mail" in the Protected Members List later in this article.This dialog box has a built-in timer that prevents untrusted add-ins from sending messages rapidly and automatically. The user must wait five seconds before clicking Allow.
Figure 3. Outlook 2007 e-mail security prompt
.gif "Outlook 2007 e-mail security prompt")
If the user clicks Deny, Outlook blocks the call that invoked the warning and returns the MAPI_E_NOT_SUPPORTED error. Subsequent calls to send messages programmatically will invoke additional warnings.
If the user clicks Allow, the call that invoked the warning, and only that call, is allowed. Subsequent calls from an untrusted solution to send messages programmatically will continue to generate warnings.
Execute Actions Warning
This warning, shown in Figure 4, is invoked when an untrusted solution executes a custom action from the Actions collection. This prompt appears for members whose prompt type is "Custom Action" in the Protected Members List later in this article. Outlook displays a message similar to the previous warning, indicating that an action is being executed.
Figure 4. Outlook 2007 execute actions security prompt
.gif "Outlook 2007 execute actions security prompt")
If the user clicks Deny, Outlook blocks the call to the Execute method for that action and returns the MAPI_E_NOT_SUPPORTED error.
If the user clicks Allow, the call that invoked the warning, and only that call, is allowed. Subsequent calls from an untrusted solution to execute an action will continue to invoke warnings.
Administrator Options
In addition to the settings that are provided by default, administrators can use two methods in Outlook 2007 to lock down the Object Model Guard settings and alter the default behavior.
Group Policy Security for COM Add-Ins
Outlook 2007 supports using Windows Group Policy settings to manage code security settings. When Outlook is configured to load security settings from Group Policy, it may include a list of trusted add-ins. If this list is present, Group Policy has been configured to enable this list, and a COM add-in matches the hash information provided in the trusted list, Outlook provides a trusted Application object to the COM add-in. If an add-in is not in the list or has been updated since it was added to the list, Outlook does not trust the add-in.
Additionally, administrators can set how Outlook handles the security warnings generated by the Object Model Guard. Four options are available: automatically accept, automatically deny, prompt user, and prompt user without antivirus software. These settings apply to all add-ins not included in the list of trusted add-ins, and to external COM callers to the object model.
Exchange-Brokered Security for COM Add-Ins
There has been no change in the way Outlook 2007 trusts COM add-ins in a Microsoft Exchange environment where security settings are obtained from the Exchange server. You can still configure Outlook 2007 to locate the Outlook security form in a public folder. When Outlook is configured to load settings from this form, Outlook trusts, by default, only those add-ins that are listed in the security form. Administrators can use Group Policy settings to override this behavior and continue to trust all installed add-ins as necessary.
If Outlook 2007 is configured to use security settings from the security form, it does not leverage the status of antivirus software. In this scenario, there are only three prompt behaviors: prompt user; never prompt and automatically allow; and never prompt and automatically deny. To take advantage of the new code security behavior based on the status of antivirus software, Outlook must be configured to use Windows Group Policy or the Outlook 2007 default security settings.
Protected Members List
Table 1 lists the properties and methods that are protected in Outlook 2007. The third column, Prompt Type, indicates the type of security warning that appears when that member is accessed. Properties and methods that are new or newly protected in Outlook 2007 are identified as such in the Status column.
.gif "Note") Note |
|---|
In the Members column, "Everything" includes all the properties and methods for the specified object except Application, Class, Session, and Parent. |
Table 1. Properties and methods that are protected in Outlook 2007
Object/Interface |
Member |
Prompt Type |
Status |
|---|---|---|---|
Account |
SmtpAddress |
Address Book |
New |
Action |
Execute() |
Custom Action |
|
AddressEntries |
GetFirst() |
Address Book |
|
AddressEntries |
GetLast() |
Address Book |
|
AddressEntries |
GetNext() |
Address Book |
|
AddressEntries |
GetPrevious() |
Address Book |
|
AddressEntries |
Add() |
Address Book |
|
AddressEntries |
Item() |
Address Book |
Newly protected |
AddressEntry |
Address |
Address Book |
|
AddressEntry |
ID |
Address Book |
|
AddressEntry |
Manager |
Address Book |
|
AddressEntry |
Members |
Address Book |
|
AddressEntry |
Parent |
Address Book |
|
AddressEntry |
GetExchangeDistributionList() |
Address Book |
New |
AddressEntry |
GetExchangeUser() |
Address Book |
New |
AddressEntry |
Update() |
Address Book |
Newly protected |
AddressEntry |
PropertyAccessor |
Address Book |
New |
AddressLists |
Item() |
Address Book |
Newly protected |
AddressList |
PropertyAccessor |
Address Book |
New |
AddressList |
AddressEntries |
Address Book |
|
AddressList |
ID |
Address Book |
|
AppointmentItem |
Body |
Address Book |
|
AppointmentItem |
NetMeetingOrganizerAlias |
Address Book |
|
AppointmentItem |
OptionalAttendees |
Address Book |
|
AppointmentItem |
Organizer |
Address Book |
|
AppointmentItem |
PropertyAccessor |
Address Book |
New |
AppointmentItem |
RequiredAttendees |
Address Book |
|
AppointmentItem |
Resources |
Address Book |
|
AppointmentItem |
Respond() |
Sending Mail |
|
AppointmentItem |
SaveAs() |
Address Book |
|
Attachment |
PropertyAccessor |
Address Book |
New |
CalendarSharing |
SaveAsICal() |
Address Book |
New |
Columns |
Add() |
Address Book |
New |
ContactItem |
Body |
Address Book |
|
ContactItem |
Email1Address |
Address Book |
|
ContactItem |
Email1AddressType |
Address Book |
|
ContactItem |
Email1DisplayName |
Address Book |
|
ContactItem |
Email1EntryID |
Address Book |
|
ContactItem |
Email2Address |
Address Book |
|
ContactItem |
Email2AddressType |
Address Book |
|
ContactItem |
Email2DisplayName |
Address Book |
|
ContactItem |
Email2EntryID |
Address Book |
|
ContactItem |
Email3Address |
Address Book |
|
ContactItem |
Email3AddressType |
Address Book |
|
ContactItem |
Email3DisplayName |
Address Book |
|
ContactItem |
Email3EntryID |
Address Book |
|
ContactItem |
IMAddress |
Address Book |
|
ContactItem |
NetMeetingAlias |
Address Book |
|
ContactItem |
PropertyAccessor |
Address Book |
New |
ContactItem |
ReferredBy |
Address Book |
|
ContactItem |
SaveAs() |
Address Book |
|
DistListItem |
Body |
Address Book |
|
DistListItem |
GetMember() |
Address Book |
|
DistListItem |
PropertyAccessor |
Address Book |
New |
DistListItem |
SaveAs() |
Address Book |
|
DocumentItem |
Body |
Address Book |
|
DocumentItem |
PropertyAccessor |
Address Book |
New |
ExchangeDistributionList |
Address |
Address Book |
New |
ExchangeDistributionList |
Alias |
Address Book |
New |
ExchangeDistributionList |
GetExchangeDistributionList() |
Address Book |
New |
ExchangeDistributionList |
GetExchangeUser() |
Address Book |
New |
ExchangeDistributionList |
GetMemberOfList() |
Address Book |
New |
ExchangeDistributionList |
GetExchangeDistributionListMembers() |
Address Book |
New |
ExchangeDistributionList |
GetOwners() |
Address Book |
New |
ExchangeDistributionList |
ID |
Address Book |
New |
ExchangeDistributionList |
Parent |
Address Book |
New |
ExchangeDistributionList |
PrimarySmtpAddress |
Address Book |
New |
ExchangeDistributionList |
PropertyAccessor |
Address Book |
New |
ExchangeDistributionList |
Update() |
Address Book |
New |
ExchangeUser |
Address |
Address Book |
New |
ExchangeUser |
Alias |
Address Book |
New |
ExchangeUser |
GetDirectReports() |
Address Book |
New |
ExchangeUser |
GetExchangeDistributionList() |
Address Book |
New |
ExchangeUser |
GetExchangeUser() |
Address Book |
New |
ExchangeUser |
GetExchangeUserManager() |
Address Book |
New |
ExchangeUser |
GetMemberOfList() |
Address Book |
New |
ExchangeUser |
ID |
Address Book |
New |
ExchangeUser |
Parent |
Address Book |
New |
ExchangeUser |
PrimarySmtpAddress |
Address Book |
New |
ExchangeUser |
PropertyAccessor |
Address Book |
New |
ExchangeUser |
Update() |
Address Book |
New |
Folder |
GetCalendarExporter() |
Address Book |
New |
Folder |
PropertyAccessor |
Address Book |
New |
Inspector |
HTMLEditor |
Address Book |
|
Inspector |
WordEditor |
Address Book |
|
ItemProperties |
Any protected property for an item |
Address Book |
|
JournalItem |
Body |
Address Book |
|
JournalItem |
ContactNames |
Address Book |
|
JournalItem |
PropertyAccessor |
Address Book |
New |
JournalItem |
SaveAs() |
Address Book |
|
MailItem |
Bcc |
Address Book |
|
MailItem |
Body |
Address Book |
|
MailItem |
Cc |
Address Book |
|
MailItem |
HTMLBody |
Address Book |
|
MailItem |
PropertyAccessor |
Address Book |
New |
MailItem |
ReceivedByName |
Address Book |
|
MailItem |
ReceivedOnBehalfOfName |
Address Book |
|
MailItem |
Recipients |
Address Book |
|
MailItem |
ReplyRecipientNames |
Address Book |
|
MailItem |
SaveAs() |
Address Book |
|
MailItem |
Send() |
Sending Mail |
|
MailItem |
SenderEmailAddress |
Address Book |
|
MailItem |
SenderEmailType |
Address Book |
|
MailItem |
SenderName |
Address Book |
|
MailItem |
SendOnBehalfOfName |
Address Book |
|
MailItem |
To |
Address Book |
|
MeetingItem |
Body |
Address Book |
|
MeetingItem |
PropertyAccessor |
Address Book |
New |
MeetingItem |
SaveAs() |
Address Book |
|
MeetingItem |
SenderName |
Address Book |
|
MeetingItem |
Recipients |
Address Book |
|
NameSpace |
CurrentUser |
Address Book |
|
NameSpace |
GetAddressEntryFromID() |
Address Book |
New |
NameSpace |
GetRecipientFromID() |
Address Book |
|
NameSpace |
SelectNamesDialog |
Address Book |
New |
NoteItem |
Body |
Address Book |
|
NoteItem |
PropertyAccessor |
Address Book |
New |
PostItem |
Body |
Address Book |
|
PostItem |
HTMLBody |
Address Book |
|
PostItem |
PropertyAccessor |
Address Book |
New |
PostItem |
SaveAs() |
Address Book |
|
PostItem |
SenderName |
Address Book |
|
Recipient |
Everything (see Note above table) |
Address Book |
|
Recipient |
PropertyAccessor |
Address Book |
New |
Recipients |
Everything (see Note above table) |
Address Book |
|
RemoteItem |
Body |
Address Book |
|
RemoteItem |
PropertyAccessor |
Address Book |
New |
ReportItem |
Body |
Address Book |
|
ReportItem |
PropertyAccessor |
Address Book |
New |
SelectNamesDialog |
Recipients |
Address Book |
New |
SharingItem |
Allow() |
Sending Mail |
New |
SharingItem |
Bcc |
Address Book |
New |
SharingItem |
Body |
Address Book |
New |
SharingItem |
Cc |
Address Book |
New |
SharingItem |
HTMLBody |
Address Book |
New |
SharingItem |
PropertyAccessor |
Address Book |
New |
SharingItem |
ReceivedByName |
Address Book |
New |
SharingItem |
ReceivedOnBehalfOfName |
Address Book |
New |
SharingItem |
ReplyRecipientNames |
Address Book |
New |
SharingItem |
SaveAs() |
Address Book |
New |
SharingItem |
Send() |
Sending Mail |
New |
SharingItem |
SenderEmailAddress |
Address Book |
New |
SharingItem |
SenderEmailType |
Address Book |
New |
SharingItem |
SenderName |
Address Book |
New |
SharingItem |
SendOnBehalfOfName |
Address Book |
New |
SharingItem |
To |
Address Book |
New |
StorageItem |
Body |
Address Book |
New |
StorageItem |
PropertyAccessor |
Address Book |
New |
Store |
PropertyAccessor |
Address Book |
New |
TaskItem |
Body |
Address Book |
|
TaskItem |
ContactNames |
Address Book |
|
TaskItem |
Contacts |
Address Book |
|
TaskItem |
Delegator |
Address Book |
|
TaskItem |
Owner |
Address Book |
|
Store |
PropertyAccessor |
Address Book |
New |
TaskItem |
SaveAs() |
Address Book |
|
TaskItem |
Send() |
Sending Mail |
|
TaskItem |
StatusOnCompletionRecipients |
Address Book |
|
TaskItem |
StatusUpdateRecipients |
Address Book |
|
TaskItem |
PropertyAccessor |
Address Book |
New |
TaskRequestItem |
Body |
Address Book |
|
TaskRequestItem |
PropertyAccessor |
Address Book |
New |
TaskRequestAcceptItem |
Body |
Address Book |
|
TaskRequestAcceptItem |
PropertyAccessor |
Address Book |
New |
TaskRequestDeclineItem |
Body |
Address Book |
|
TaskRequestDeclineItem |
PropertyAccessor |
Address Book |
New |
TaskRequestUpdateItem |
Body |
Address Book |
|
TaskRequestUpdateItem |
PropertyAccessor |
Address Book |
New |
UserProperties |
Find() |
Address Book |
|
UserProperty |
Formula |
Address Book |
|
Conclusion
Outlook 2007 makes a substantial investment in Outlook as a platform. One important part of this investment is been to reduce excessive security warnings caused by the Outlook Object Model Guard. Outlook 2007, using the default security settings or Windows Group Policy, and valid and appropriately configured antivirus software on the client computer, allows legitimate in-process and out-of-process solutions to execute without overwhelming users with security warnings. This makes it easier for users and developers to take advantage of other platform investments while Outlook remains a secure application.
Outlook provides administrators with a unified scheme to enforce security and other policy decisions — all within Outlook. In addition, Group Policy allows administrators to lock down Outlook without requiring an Exchange server, making Outlook a more secure choice for more users. These features, in addition to other improvements, help make Outlook 2007 the most secure version of Outlook to date.