Microsoft Outlook 2002 Developer Security Overview
Microsoft® Outlook® 2002
Summary: Learn about Outlook developer security features such as macro security, blocked e-mail file attachments, and blocked portions of the Outlook object model. (6 printed pages)
Outlook 2002 Security Summary
About HTML-Based E-Mail Messages and Security
About "One-Off" Forms
About Blocked E-Mail File Attachments
About the Outlook Object Model Guard
Using the Outlook Security Features Administrative Package
About the Outlook View Control
To respond to customers' needs for a more secure messaging environment, Microsoft Outlook® 2002 provides default security features such as:
- Sets the Internet security zone to Restricted sites to protect against HTML-based e-mail messages that contain viruses.
- Blocks e-mail attachments associated with specific file extensions to protect against potentially destructive code running unattended.
- Prevents code from accessing your address book or sending e-mail messages on your behalf without your express consent.
The remainder of this article helps you understand the impact of these and other security features on your Outlook solutions. For organizations that use Outlook 2002 in conjunction with Microsoft Exchange Server, you will learn how to customize Exchange Server to meet your organization's specific security requirements while still allowing your Outlook solutions to interoperate with these security features.
For a more thorough overview of Outlook 2002 security features, see the Microsoft Knowledge Base article Q290500, OL2002: Developer Information About E-Mail Security Features.
Also, be sure to visit the Office Product Updates Web site regularly to get the latest Office updates, including security enhancements.
Outlook developers may want to send HTML-based e-mail messages that contain scripts or ActiveX® controls as part of their solutions. However, Microsoft does not recommend this approach, because attackers can embed viruses inside HTML-based e-mail messages in exactly the same way. To protect against this threat, the Microsoft Outlook 2002 security zone is set to Restricted sites by default. This setting includes HTML e-mail message security measures, such as disabling ActiveX controls, disabling file downloads, disabling Java, disabling data access across domains, reducing IFRAME functionality, and disabling scripting. To view a computer's Outlook security zone setting, on the computer's Outlook Tools menu, click Options, click the Security tab, and view the Zone list.
An alternative approach to sending an HTML-based e-mail message that contains scripts or ActiveX controls is to put the content on a Web page and send a text link to the Web page in an e-mail message.
For more information on HTML-based e-mail messages and security, see the following articles:
- OL: Solutions Should Not Use Active Content in HTML E-Mail Messages (Q321847)
- OL2002: How Outlook 2002 Protects You From Viruses Contained in HTML Messages (Q295957)
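A practical way to act on the recommendation above is to check a solution's HTML message bodies for anything that will stop working once Outlook renders them in the Restricted sites zone. The following is an added Python example, not code from the article or from Microsoft; the mapping of HTML constructs to the disabled features (scripting, ActiveX controls, Java, IFRAME) is an assumption made for the example, and the two sample bodies are constructed.

```python
from html.parser import HTMLParser

# Constructs that depend on features Outlook 2002 disables in the Restricted
# sites zone (scripting, ActiveX controls, Java, IFRAME functionality). The
# mapping of tags to features is an assumption made for this example.
ACTIVE_TAGS = {
    "script": "scripting",
    "object": "ActiveX control",
    "embed": "ActiveX/plug-in content",
    "applet": "Java applet",
    "iframe": "IFRAME",
}
SCRIPT_URL_SCHEMES = ("javascript:", "vbscript:")
URL_ATTRIBUTES = ("href", "src", "action")


class ActiveContentScanner(HTMLParser):
    """Collects each construct in an HTML body that relies on active content."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (location, feature) tuples

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in ACTIVE_TAGS:
            self.findings.append((tag, ACTIVE_TAGS[tag]))
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip().lower()
            if name.startswith("on"):
                # Inline event handlers such as onload/onclick need scripting.
                self.findings.append((f"{tag}@{name}", "scripting (event handler)"))
            elif name in URL_ATTRIBUTES and value.startswith(SCRIPT_URL_SCHEMES):
                # javascript:/vbscript: URLs also need scripting.
                self.findings.append((f"{tag}@{name}", "scripting (script URL)"))


def find_active_content(html_body):
    """Return [(location, feature), ...] for everything in the body that will
    not work when the message is rendered in the Restricted sites zone."""
    scanner = ActiveContentScanner()
    scanner.feed(html_body)
    scanner.close()
    return scanner.findings


def relies_on_active_content(html_body):
    return bool(find_active_content(html_body))


# Constructed sample bodies (not real messages).
SAMPLE_ACTIVE = """<html><body>
<p>Quarterly report</p>
<script>document.title = "Report";</script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<iframe src="http://intranet.example/report"></iframe>
<img src="logo.gif" onload="init()">
<a href="javascript:void(0)">Details</a>
</body></html>"""

SAMPLE_PLAIN = """<html><body>
<p>Quarterly report</p>
<p>The full report is at <a href="http://intranet.example/report">this page</a>.</p>
</body></html>"""


if __name__ == "__main__":
    for location, feature in find_active_content(SAMPLE_ACTIVE):
        print(f"{location:12s} needs {feature}")
    print("plain body relies on active content:", relies_on_active_content(SAMPLE_PLAIN))
```

The plain body, which only carries a text link to a Web page as the article suggests, produces no findings; the active body produces one finding per construct, which is the list a developer would have to move to a Web page before the solution works for Outlook 2002 recipients.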
When Outlook solution developers design custom Outlook forms, they can choose to directly embed the custom form—including Microsoft Visual Basic® Scripting Edition (VBScript) code—within items. These types of forms are called "one-off" forms. One-off forms are typically created by Outlook developers when form users don't have access to a specific form library, such as an Organizational Forms Library. One-off forms ensure that these users will see the custom form when the item is opened. By default in Outlook 2002, one-off form code is disabled.
The recommended approach for one-off forms is to publish them to a forms library so that the VBScript code in the form will run without custom security settings on the accompanying Microsoft Exchange Server. The Outlook Security Features Administrative Package allows Microsoft Exchange Server administrators to enable their Outlook 2002 users to run VBScript code in one-off forms. For details, see the Using the Outlook Security Features Administrative Package section later in this article. If you cannot customize the Exchange Server security settings, there is no way to run the VBScript code in a one-off form.
For more information about forms and security, see the following articles:
- OL2002: Working with Form Definitions and One-Off Forms (Q290657)
- OL2002: Cannot Preview Item Based on Custom Form (Q288754)
- OL: Do Not Use Message Security Features with Custom Forms (Q279106)
To prevent the spread of potentially destructive code inside of e-mail file attachments, Outlook 2002 enforces two file attachment security levels by default. Any file attachment that belongs to a Level 1 file extension is blocked and can't be viewed or programmatically accessed by a recipient. Additionally, if you try to send e-mail messages programmatically that contain Level 1 file attachments, Outlook will warn the user that recipients may not be able to view the attachments; there is no way to avoid this warning, even with customized security settings. Any e-mail message that contains a Level 2 file attachment prompts Outlook 2002 to ask users to save the file attachment to their hard disks. Level 2 file attachments cannot be opened directly from e-mail messages. If you use Outlook 2002 in conjunction with Microsoft Exchange Server, your network administrator can add and remove specific Level 1 and Level 2 file extensions.
For information on which file extensions are considered Level 1 and Level 2 by default, type attachments in the Outlook Type a question for help box, press ENTER, and click Attachment file types blocked by Outlook.
For information on how to add and remove Level 1 and Level 2 file extensions in a Microsoft Exchange Server environment, see the Using the Outlook Security Features Administrative Package section later in this article.
For additional information about Outlook 2002 attachment security, see the following:
- You may receive an "Outlook blocked access to the following potentially unsafe attachments" message in Outlook
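To make the two attachment levels concrete, here is an added Python example (not code from the article or from Microsoft) that models the behaviour described above: Level 1 extensions are blocked outright, Level 2 extensions must be saved to disk before opening, an administrator can add or remove extensions from either level, and an outgoing message carrying a Level 1 attachment is flagged for the sender warning. The extension lists are illustrative; the real default Level 1 list is in the Outlook Help topic the article names, and the Level 2 entries are constructed to stand in for extensions an administrator has added.

```python
import os

# Illustrative extension sets for this example. The real default Level 1 list
# is in the Outlook Help topic the article points to; the Level 2 entries here
# are constructed, standing in for extensions an administrator has added.
EXAMPLE_LEVEL1 = [".exe", ".vbs", ".bat", ".js"]
EXAMPLE_LEVEL2 = [".zip", ".doc"]


class AttachmentPolicy:
    """Models Outlook 2002's two attachment security levels: Level 1 extensions
    are blocked outright, Level 2 extensions must be saved to disk before they
    can be opened, and anything else is allowed. Administrators can add and
    remove extensions from either level."""

    def __init__(self, level1, level2=()):
        self.level1 = {self._normalize(e) for e in level1}
        self.level2 = {self._normalize(e) for e in level2}

    @staticmethod
    def _normalize(ext):
        ext = ext.strip().lower()
        return ext if ext.startswith(".") else "." + ext

    def add(self, level, ext):
        """level is 'level1' or 'level2'."""
        getattr(self, level).add(self._normalize(ext))

    def remove(self, level, ext):
        getattr(self, level).discard(self._normalize(ext))

    @staticmethod
    def extension_of(filename):
        """Extension that decides the level: last component of any path, trailing
        spaces and dots stripped, final extension only (report.pdf.exe -> .exe)."""
        name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
        return os.path.splitext(name)[1].lower()

    def classify(self, filename):
        ext = self.extension_of(filename)
        if ext in self.level1:
            return "blocked"        # not viewable or programmatically accessible
        if ext in self.level2:
            return "save-to-disk"   # user must save it to disk before opening
        return "allowed"

    def check_outgoing(self, filenames):
        """Level 1 attachments in a message being sent; Outlook warns the sender
        that recipients may not be able to view these, and the warning cannot
        be suppressed by custom security settings."""
        return [f for f in filenames if self.classify(f) == "blocked"]


if __name__ == "__main__":
    policy = AttachmentPolicy(EXAMPLE_LEVEL1, EXAMPLE_LEVEL2)
    for name in ["setup.EXE", "report.pdf.exe", "archive.zip", "notes.txt", "README"]:
        print(f"{name:16s} -> {policy.classify(name)}")
    print("outgoing warning for:", policy.check_outgoing(["notes.txt", "macro.vbs"]))
```

The extension check deliberately looks only at the final extension of the final path component, after stripping trailing dots and spaces, so that names such as report.pdf.exe or a path-like name cannot make a Level 1 file look harmless.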
By default, Outlook 2002 blocks code that attempts to access certain portions of the Outlook object model. This security feature is commonly known as the Outlook Object Model Guard. By default, blocked actions include:
- Accessing the address book.
- Accessing address information.
- Accessing an Outlook item's Send method.
- Responding to meeting and task requests.
- Executing an Outlook item's SaveAs method.
- Accessing the UserProperty object's Formula property.
- Accessing address information using the UserProperties collection's Find method.
In addition to the Outlook Object Model Guard behaviors, by default Outlook 2002 blocks any code that tries to:
- Send items by using Collaboration Data Objects (CDO) or Simple Mail Application Programming Interface (Simple MAPI) calls.
- Access the address book by using CDO calls.
- Resolve names by using Simple MAPI calls.
- Access address information by using CDO calls.
- Open e-mail messages by using Simple MAPI calls.
By default, Outlook prompts users if they want to execute an address book action or send e-mail action that is blocked by Outlook. When Outlook 2002 is used in conjunction with Microsoft Exchange Server, network administrators can customize this default behavior by not blocking any actions, blocking all actions and not prompting the user to unblock, or a combination of both.
Additionally, regardless of the Exchange Server settings, it is no longer possible to use the Action object's Execute method to programmatically click the Outlook toolbar's Send button.
For information on how to change Exchange Server settings to modify default Outlook 2002 behavior in an Exchange Server environment, see the Using the Outlook Security Features Administrative Package section later in this article.
Alternative Development Solutions
If you cannot develop a COM add-in, or perhaps are not working in an Exchange environment, you may want to consider using a different application programming interface (API). However, using different APIs may or may not be appropriate depending on the environment for which you are developing a solution or the type of solution you wish to create.
If you are trying to programmatically send e-mail messages without encountering the Outlook object model guard, consider using the Collaboration Data Objects for Windows 2000 (CDOSYS) library, which is based on Simple Mail Transfer Protocol (SMTP) and can be used with Visual Basic languages. This library is included with the Microsoft Windows® 2000 and Microsoft Windows XP operating systems. The CDOSYS library is primarily designed to send e-mail messages from Web servers, but if you have a limited number of computers that need to send e-mail messages, this library may be appropriate for your solution. Documentation for CDOSYS is available in the MSDN Library. See: About CDO for Windows 2000.
Note The CDO 1.21s library, included with Microsoft Outlook 2002 and available as a patch for both Microsoft Outlook 98 and Microsoft Outlook 2000, is subject to the Outlook Object Model Guard.
If you are trying to access e-mail message recipient information, the only non-restricted API you can use is Messaging API (MAPI), but this requires that you program in the C or C++ programming languages.
Note More recent versions of Outlook support an increasing number of non-MAPI account types, so take this into account when you consider using MAPI. For example, if a user's computer is configured to use HTTP-based mail, you cannot use MAPI at all. If a user's computer is configured for Post Office Protocol (POP) mail, you can use MAPI to access the data in a personal folders (.pst) file because that is a MAPI-based store, but other areas of MAPI may not function because, in this case, Outlook is not using a MAPI-based account.
For more information on MAPI, see: Messaging Application Programming Interface (MAPI).
Network administrators can use the Outlook Security Features Administrative Package to modify default Outlook 2002 security behaviors in a Microsoft Exchange Server environment.
To install and run the Outlook Security Features Administrative Package, network administrators must perform the following actions on the Exchange Server computer:
- Open the Admpack.exe file from one of the following locations:
- The Outlook Security Features Administrative Package download page at the Microsoft Office XP Resource Kit Web site
- The Office Resource Kit CD folder \File\PFiles\ORKTools\ORK10\Tools\Admpack\
- The Office Enterprise Edition CD folder \ORK\Files\PFiles\ORKTools\ORK10\Tools\Admpack\
- For those users who will be customizing the security settings, register the Trusted Code control, Hashctl.dll, into the %SYSTEM%\system32\ folder. (The Trusted Code control is included in the Outlook Security Features Administrative Package download.)
- Create a public folder named Outlook Security Settings in the root folder of the Exchange Server public folder tree.
- Open the OutlookSecurity.oft file (included in the Outlook Security Features Administrative Package download), and publish the form to the Outlook Security Settings public folder.
- Create a new item based on the administrator form.
- Modify the default security settings and save the custom settings.
For the changes to take effect, each computer running Outlook 2002 must have a specific registry key deployed.
For more information, see the following:
The Outlook 2002 View Control is an ActiveX control that allows you to view Outlook e-mail folders on Web pages, both inside and outside of Outlook 2002. The Office XP Service Pack 1 update prevents the Outlook 2002 View Control from being invoked by potentially destructive code on a Web page. Office XP Service Pack 1 also adds an additional safeguard against potentially dangerous file types.
Tip If possible, use the Outlook View Control on an Outlook folder home page instead of in a Web browser. This will provide the most functionality when you use the Outlook View Control in your solution.
For more information about Outlook View Control security in general, see Microsoft Security Bulletin MS01-038: Outlook View Control Exposes Unsafe Functionality.
For more information about Outlook 2002 View Control security, see OL2002: Overview of the Outlook 2002 Update: Aug 16, 2001 (Q303825).
To download the Outlook 2002 View Control security patch, which is part of Office XP Service Pack 1, see Outlook 2002 Update: August 16, 2001.
In this article, you were introduced to Outlook 2002 default security features, such as:
- Scripts and ActiveX controls that are blocked in HTML-based e-mail messages.
- VBScript code that doesn't run in one-off forms.
- COM add-ins that won't run unless they are digitally signed and expressly designated by users as coming from trusted sources.
- Blocked e-mail file attachments.
- Blocked code that accesses particular portions of the Outlook object model and other programmatic restrictions.
You also learned about Outlook View Control security enhancements.
Finally, if your organization uses Outlook 2002 in a Microsoft Exchange Server environment, you also learned how to modify these default security behaviors to address your organization's specific security needs.