Outlook 2002 Security Model
Microsoft Outlook® 2002 provides enhanced security features for sending and receiving secure e-mail messages over the Internet or local intranet.
Overview of the Outlook 2002 security model
Outlook 2002 supports S/MIME v3 security, which allows users to exchange secure e-mail messages with other S/MIME e-mail clients over the Internet, as well as within an organization.
The Outlook 2002 security model helps to ensure the security of Outlook e-mail messages by using public key encryption to send and receive signed and encrypted e-mail messages. This feature includes digital signing, which allows users to verify the identity of senders and the integrity of messages; and message encryption, which protects the contents of messages from being read by anyone except their intended recipients. Users can exchange signed and encrypted e-mail messages with other e-mail clients that support S/MIME.
E-mail messages encrypted by the user's public key can be decrypted using only the associated private key. When a user sends an encrypted e-mail message, the recipient's certificate (public key) is used to encrypt it; likewise, when a user reads an encrypted e-mail message, Outlook 2002 uses the user's private key to decrypt it.
Several new security features that are optional in Outlook 2000 Service Release 1 are standard in Outlook 2002. These features include support for security labels and signed receipts, which allow you to provide more secure e-mail communications within your organization and to customize security to your requirements. The new features also meet standards for secure e-mail messaging with other organizations.
With Outlook 2002, security profiles are configured automatically. Outlook 2002 also includes greater flexibility for customizing security settings. You can use registry settings to customize controls on secure messages to match your organization's security policies. These settings are listed in the tables at the end of this topic.
Digital certificates
S/MIME features rely on digital certificates, which associate the user's identity with a public key. The associated private key is saved in a secure store on the user's computer. The combination of a certificate and private key is called a Digital ID. Outlook 2002 fully supports X.509v3 standard digital certificates, which must be created by a certificate authority.
Outlook 2002 supports public World Wide Web-based enrollment to certificate authorities such as VeriSign™ and Microsoft Certificate Server. Outlook 2002 also works with Microsoft Exchange Key Management Server to provide an integrated X.509v3-based public key infrastructure for corporate users. The sender only needs an X.509v3 certificate and private key to exchange digitally signed e-mail messages. For encrypted e-mail messages, the sender must also have each recipient's certificate.
Certificates can be exchanged by including them in a signed message. Certificates are stored in each Outlook user's Contacts. Microsoft Exchange Key Management Server automatically stores each user's certificate in the Global Address Book so that encrypted e-mail messages can be sent to other users in the organization. You can also add a default encryption certificate from another source to the Global Address List.
When you update digital certificates or other security profile information, users do not have to change their settings.
Security labels and signed receipts
Users can attach custom security labels to messages. Labels are created by each organization and made available to users.
A security label lets you add information to the message header about the sensitivity of the message content. The label can also restrict which recipients can open, forward, or send the message. You define one or more security policies for your organization and implement them programmatically. For example, an Internal Use Only label might be implemented as a security label to apply to mail that should not be sent or forwarded outside of your company.
Users can also send secure receipt requests with messages to verify that the recipients recognize the user's digital signature. When the message is received and saved (even if it is not yet read) and the signature is verified, a receipt is returned to the user's Inbox. If the user's signature is not verified, no receipt is sent.
Note Using secure receipts and custom security labels requires Microsoft Windows® 2000 or an upgraded version of another Windows operating system.
See also
- Public key cryptography can help you maintain secure e-mail systems. For more information about the use of public key cryptography in Outlook, search for "Outlook 98 Security White paper" on the Knowledge Base Search page of the Microsoft Product Support Services Web site at http://search.support.microsoft.com/kb/c.asp.
- S/MIME is based on RSA Labs Public Key Cryptography Standard documents. These documents were consolidated in the Internet Engineering Task Force process to become the Internet standard S/MIME. For more information, see the S/MIME Central Web site at http://www.rsa.com/smime/.
- Microsoft Exchange Key Management Server version 5.5 issues keys for Microsoft Exchange Server security only. Microsoft Exchange Key Management Server 5.5, Service Pack 1 supports both Exchange security and S/MIME security. For more information, see the Microsoft Exchange Server version 5.5 Resource Guide in the Microsoft BackOffice Resource Kit, Second Edition.
Working with security keys and certificates
Occasionally, you must renew, import, or export a set of security keys and digital certificates. For example, you might need to change computers and take your Digital ID (the combination of your certificate and public and private encryption key set) with you. Or you might need to get someone's public security key in order to send them encrypted e-mail messages. Outlook provides ways to manage your security keys and certificates so that you can keep your e-mail messages secure.
Components for your Digital ID are stored in the Windows registry on your computer. The key set is encrypted using a password that you supply. If you use more than one computer, you must copy your Digital ID to each computer that you use.
Tip Make a copy of your Digital ID for safekeeping. You can protect the file that contains the copy by encrypting it and by using a password.
Storing digital certificates
Certificates can be stored in three locations:
- Microsoft Exchange Global Address Book
- Lightweight Directory Access Protocol (LDAP) directory service
- Windows registry
Microsoft Exchange Global Address Book
Users who enroll in Exchange Advanced Security have their certificates stored in the Global Address Book. Alternatively, users can open the Global Address Book by using their LDAP provider.
Only certificates generated by Microsoft Exchange Server Advanced Security or by Microsoft Exchange Key Management Server are automatically published in the Global Address Book. However, externally generated certificates can be manually published to the Global Address Book.
LDAP directory service
External directory services, certificate authorities, or other certificate servers may publish their users' certificates through an LDAP directory service. Outlook 2002 allows access to these certificates through LDAP directories.
Windows registry
If a user imports another user's certificate into Outlook 2002 (for example, by adding a contact or importing a file), the certificate is stored in the registry. It cannot be shared or published to a directory service directly.
Obtaining other users' certificates
In order to exchange secure e-mail messages with another user, you must have that user's public key. You gain access to the public key through the user's certificate. There are three ways to obtain another user's certificate:
- Digitally signed e-mail messages
- Directory services, such as the Exchange Global Address Book
- Imported files
Obtain a certificate from a digitally signed e-mail message
When you receive a signed message from someone whose certificate you want to save, you can right-click the sender's name on the To line and then click Add to Contacts. The address information is saved in your Contacts, and the sender's certificate is saved in the registry.
Note If you export a contacts list, the corresponding certificates are not included. You must add the certificates from a received e-mail message on each computer that you use.
Obtain a certificate from a directory service
Using a standard LDAP server, you can automatically retrieve another user's certificate from an LDAP directory when you send an encrypted e-mail message. To gain access to a certificate this way, you must be enrolled in S/MIME security and you must have a Digital ID for your e-mail account.
Or you can obtain certificates from the Global Address Book. To do this, you must be enrolled in Exchange Advanced Security.
Obtain a certificate from a file
You can request that another user export a certificate to a file. To import this certificate provided by another user, click the Import/Export Digital ID button on the Security tab in the Options dialog box (Tools menu). You can also use the Import button on the Certificates tab in a contact item in your Contacts folder.
Renewing keys and certificates
A time limit is associated with each certificate and private key. When the keys given by the Microsoft Exchange Key Management Server approach the end of the designated time period, Outlook displays a warning message and offers to renew the keys. Outlook sends the renewal message to the server on your behalf.
Setting consistent security options for all users in the workgroup
You can control many aspects of the Outlook 2002 security features to properly configure messaging security and encryption for your organization's needs. To control these features, you specify settings in the Windows registry or through policies. For example, you can use Windows registry settings to require a security label on all outgoing mail or to disable publishing to the Global Address List.
Note A number of Outlook security registry settings have an equivalent setting on the Security tab in the Options dialog box (Tools menu). You can use the Windows registry to change these settings. However, setting the value in the user interface does not create or set the equivalent setting in the Windows registry.
The following table lists the Windows registry settings that you can configure for your custom installation. You add these value entries in the HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Outlook\Security subkey.
Value name | Value data (Data type) | Description | Corresponding UI option
AlwaysEncrypt | 0, 1 (DWORD) | When you set the value to 1, all outgoing messages are encrypted. Default is 0. | Encrypt contents check box
AlwaysSign | 0, 1 (DWORD) | When you set the value to 1, all outgoing messages are signed. Default is 0. | Add digital signature check box
ClearSign | 0, 1 (DWORD) | When you set the value to 1, Clear Signed is used for all outgoing messages. Default is 0. | Send clear text signed message check box
RequestSecureReceipt | 0, 1 (DWORD) | When you set the value to 1, secure receipts are requested for all outgoing messages. Default is 0. | Request secure receipt check box
ForceSecurityLabel | 0, 1 (DWORD) | When you set this value to 1, a label is required on all outgoing messages. (Note that the registry setting does not specify which label.) Default is 0. | None
ForceSecurityLabelX | ASN encoded BLOB (Binary) | This value entry specifies whether a user-defined security label must be present on all outgoing signed messages. The string can optionally include label, classification, and category. Default is no security label required. | None
SigStatusNoCRL | 0, 1 (DWORD) | Set to 0 means a missing CRL during signature validation is a warning. Set to 1 means a missing CRL is an error. Default is 0. | None
SigStatusNoTrustDecision | 0, 1, 2 (DWORD) | Set to 0 means that a No Trust decision is allowed. Set to 1 means that a No Trust decision is a warning. Set to 2 means that a No Trust decision is an error. Default is 0. | None
PromoteErrorsAsWarnings | 0, 1 (DWORD) | Set to 0 to promote Error Level 2 errors as errors. Set to 1 to promote Error Level 2 errors as warnings. Default is 0. | None
PublishtoGalDisabled | 0, 1 (DWORD) | Set to 1 to disable the Publish to GAL button. Default is 0. | Publish to GAL button
FIPSMode | 0, 1 (DWORD) | Set to 1 to put Outlook into FIPS 140-1 mode. Default is 0. | None
WarnAboutInvalid | 0, 1, 2 (DWORD) | Set to 0 to display the Show and Ask check box (Secure E-mail Problem pont dialog box). Set to 1 to always show the dialog box. Set to 2 to never show the dialog box. Default is 2. | Secure E-mail Problem pont dialog box
DisableContinueEncryption | 0, 1 (DWORD) | Set to 0 to show the Continue Encrypting button on the final Encryption Errors dialog box. Set to 1 to hide the button. Default is 0. | Continue Encrypting button on the final Encryption Errors dialog box
RespondtoReceiptRequest | 0, 1, 2, 3 (DWORD) | Set to 0 to always send a receipt response and prompt for a password if needed. Set to 1 to prompt for a password when sending a receipt response. Set to 2 to never send a receipt response. Set to 3 to enforce sending a receipt response. Default is 0. | None
NeedEncryptionString | String | Displays the specified string when the user tries unsuccessfully to open an encrypted message. Can provide information about where to enroll in security. The default string is used unless the value entry is set to another string. | Default string
Options | 0, 1 (DWORD) | Set to 0 to show a warning dialog box when a user attempts to read a signed message with an invalid signature. Set to 1 to never show the warning. Default is 0. | None
MinEncKey | 40, 64, 128, 168 (DWORD) | Set to the minimum key length for an encrypted e-mail message. | None
RequiredCA | String | Set to the name of the required certificate authority. | None
EnrollPageURL | String | URL for the default certificate authority (internal or external) from which you wish your users to obtain a new digital ID. Note: set this in the HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security subkey if you do not have administrator privileges on the user's computer. | Get Digital ID button on the Security tab in the Options dialog box
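As an added example (not part of the Office Resource Kit text), the following PowerShell script writes a hardened selection of the policy values from the table above under the Policies subkey, rejecting any value outside the range the table documents before anything is written. The chosen settings, the certificate authority name and the enrollment URL are assumptions for a corporate baseline, not values taken from this page.

```powershell
# Added example: apply a hardened Outlook 2002 S/MIME policy set.
# Value names and permitted values come from the table above; the chosen
# settings, CA name and enrollment URL are assumptions for illustration.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\10.0\Outlook\Security'

# Permitted DWORD values per the documentation, used to catch typos before writing.
$Allowed = @{
    AlwaysSign                = 0, 1
    ClearSign                 = 0, 1
    SigStatusNoCRL            = 0, 1
    SigStatusNoTrustDecision  = 0, 1, 2
    PromoteErrorsAsWarnings   = 0, 1
    MinEncKey                 = 40, 64, 128, 168
    FIPSMode                  = 0, 1
    WarnAboutInvalid          = 0, 1, 2
    DisableContinueEncryption = 0, 1
    PublishtoGalDisabled      = 0, 1
}

# Hardened baseline (assumed); each comment names the documented default it replaces.
$Hardened = [ordered]@{
    AlwaysSign                = 1    # default 0: sign every outgoing message
    ClearSign                 = 1    # default 0: clear-signed, so non-S/MIME clients can still read the body
    SigStatusNoCRL            = 1    # default 0: a missing CRL becomes an error, not a warning
    SigStatusNoTrustDecision  = 2    # default 0: a No Trust decision becomes an error
    PromoteErrorsAsWarnings   = 0    # default 0: keep Error Level 2 conditions as errors
    MinEncKey                 = 128  # no documented default: refuse 40- and 64-bit encryption
    FIPSMode                  = 1    # default 0: FIPS 140-1 mode
    WarnAboutInvalid          = 1    # default 2: always show the Secure E-mail Problem dialog box
    DisableContinueEncryption = 1    # default 0: hide the Continue Encrypting button
    PublishtoGalDisabled      = 0    # default 0: users may still publish certificates to the GAL
}

# Validate every value against the documented range before touching the registry.
foreach ($name in $Hardened.Keys) {
    if ($Allowed[$name] -notcontains $Hardened[$name]) {
        throw "$name=$($Hardened[$name]) is outside the documented values ($($Allowed[$name] -join ', '))"
    }
}

if (-not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}
foreach ($name in $Hardened.Keys) {
    New-ItemProperty -Path $PolicyKey -Name $name -Value $Hardened[$name] `
        -PropertyType DWord -Force | Out-Null
}

# String values: the CA name is a placeholder, and the enrollment URL keeps the
# %1/%2/%3 placeholders that Outlook expands with the user's name, address and language ID.
New-ItemProperty -Path $PolicyKey -Name RequiredCA `
    -Value 'Example Corp Issuing CA' -PropertyType String -Force | Out-Null
New-ItemProperty -Path $PolicyKey -Name EnrollPageURL `
    -Value 'https://pki.example.com/enroll.htm?name=%1&email=%2&helplcid=%3' `
    -PropertyType String -Force | Out-Null

# Show the result so it can be compared with the Security tab in Tools | Options.
Get-ItemProperty -Path $PolicyKey
```

Run the script in the session of the user whose profile is being configured, since the values live under HKEY_CURRENT_USER.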
The following table lists additional Windows registry settings that you can use for your custom configuration. These settings are contained in the HKEY_CURRENT_USER\Software\Microsoft\Cryptography\SMIME\SecurityPolicies\Default subkey.
Value name | Value data (Data type) | Description | Corresponding UI option
ShowWithMultiLabels | 0, 1 (DWORD) | Set to 0 to attempt to display a message when the signature layer has different labels set in different signatures. Set to 1 to prevent display of the message. Default is 0. | None
CertErrorWithLabel | 0, 1, 2 (DWORD) | Set to 0 to process a message with a certificate error when the message has a label. Set to 1 to deny access to a message with a certificate error. Set to 2 to ignore the message label and grant access to the message. (The user still sees a certificate error.) Default is 0. | None
The following table lists additional Windows registry settings that you can use for your custom configuration. These settings are contained in the HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Defaults\Provider subkey.
Value name | Value data (Data type) | Description | Corresponding UI option
MaxPWDTime | 0, number (DWORD) | Set to 0 to remove the user's ability to save a password (the user is required to enter a password each time a key set is required). Set to a positive number to specify a maximum password time in minutes. Default is 999. | None
DefPWDTime | Number (DWORD) | Set to the default value for the amount of time a password is saved. | None
When you specify a value for PromoteErrorsAsWarnings, note that potential Error Level 2 conditions include the following:
- Unknown Signature Algorithm
- No Signing Certification Found
- Bad Attribute Sets
- No Issuer certificate found
- No CRL Found
- Out of Date CRL
- Root Trust Problem
- Out of Date CTL
When you specify a value for EnrollPageURL, use the following parameters to send information about the user to the enrollment Web page.
Parameter | Placeholder in URL string
User display name | %1
SMTP e-mail name | %2
User interface language ID | %3
For example, to send user information to the Microsoft enrollment Web page, set the EnrollPageURL entry to the following value, including the parameters:
www.microsoft.com/ie/certpage.htm?name=%1&email=%2&helplcid=%3
If the user's name is Jeff Smith, his e-mail address is someone@microsoft.com, and his user interface language ID is 1033, then the placeholders are resolved as follows:
www.microsoft.com/ie/certpage.htm?name=Jeff%20Smith&email=someone@microsoft.com&helplcid=1033
System Policy Tip You can use system policies to set security levels in Outlook. In the System Policy Editor, set the Required Certificate Authority, Minimum encryption settings, S/MIME interoperability with external clients, and Outlook Rich Text in S/MIME messages policies under Microsoft Outlook 2002\Tools | Options\Security\Cryptography. For more information about the System Policy Editor, see Using System Policies.
Setting security for Outlook Folder Home Pages
In Microsoft Outlook 2002, you can associate a Web page with any personal or public folder. These Folder Home Pages use the following security modes:
- Use zone security and allow script access to Outlook object model
- Use zone security only
Use zone security and allow script access to Outlook object model
This mode, which is the default for Outlook 2002, gives scripts on a Web page access to the Outlook object model and also ensures that the Outlook Today ActiveX® control is running continuously. For all other aspects of the Web page, the appropriate Microsoft Internet Explorer zone security settings are used.
For example, if the Internet Explorer zone security settings specify that ActiveX controls are not allowed to run, then no ActiveX controls run for a Folder Home Page except the Outlook Today ActiveX control.
Access to the object model allows scripts to manipulate all of the user's Outlook information on the computer. The primary security ramification of this mode is that it allows anyone who creates a public folder for a home page to include scripts that can manipulate data in user mailboxes. Although it provides the opportunity to create powerful public folder applications, access to the object model also exposes users to some security risks.
Use zone security only
Zone security mode is activated directly through the Windows registry or indirectly through a system policy. In this mode, scripts on the Web page do not have access to the Outlook object model, and the Outlook Today ActiveX control is subject to the same Internet Explorer zone security settings as all other ActiveX controls.
For example, if the Internet Explorer zone security settings specify that ActiveX controls are not allowed to run, then the Outlook Today ActiveX control does not run on the computer.
System Policy Tip You can tighten security by using a system policy to disable Folder Home Pages for all of your users. In the System Policy Editor, in the Microsoft Outlook 2002\Miscellaneous\Folder Home Pages for Outlook special folders category, select the Disable Folder Home Pages policy and then select Disable Folder Home Pages for all folders in the Settings for Disable Folder Home Pages area. For more information about the System Policy Editor, see Using System Policies.