Configuring Outlook for Maximum Security


Configuring Microsoft Outlook to use its maximum security settings depends on a few factors. The first is which version of Outlook you are using; by default, Outlook 2007 is configured for high (but not maximum) security. The second is whether you are a corporation (or small business) or a single user (or a small home network). Finally, an important factor is whether you have an Exchange Server running on your network.

Corporate Users and Scope of This Article

If you are in a corporation or small business (or have Exchange Server installed on your network), then you need to decide whether Group Policy, the Exchange Server security settings, or individual settings on each affected computer is the way to go. Microsoft has templates and forms that you can download to configure Group Policy or Exchange Server security, so I will not be discussing those in this article. This article covers how to configure individual copies of Microsoft Outlook for maximum security. I will also assume that you are using Outlook 2007; however, the individual settings should be available in Outlook 2003 as well.

Configuration Steps Part 1

Configuring Outlook for maximum security takes place in the Trust Center (Tools->Trust Center). I will list each step based on which tab you will be working under.

  • On the Add-ins tab, disable all non-Microsoft add-ins (except those related to your antivirus software or other necessary add-ins).
  • Under the E-mail Security tab, choose the option to “Read all Messages in Plain Text” (Read all Standard Mail in Plain Text and, optionally, Read All Digitally Signed Messages in Plain Text). If your users have digital certificates, then you should sign all messages with them. Uncheck the option to Allow Script in Public Folders.
  • Under the Attachment Handling tab, turn off Attachment Preview.
  • In the Automatic Download tab, make sure that all of the “Permit download” items are unchecked. This requires the user to download such items manually.
  • Under Macro Security, set this to “No warnings and disable all macros.” Under Programmatic Access, set this to “Always warn me about suspicious activity.” Under my security settings, I am unable to change the setting for Programmatic Access; however, if you can, you should make this change.

Other Steps That You Can Take

Outlook blocks certain file types (.exe, .bat, .scr, etc.) by default. In the registry, you can specify which file types are allowed and which require the user to save them to the computer before opening. For maximum security, you will not want to allow any of the Level 1 (blocked) file types. To prevent end users from changing which file types are blocked, add a new REG_DWORD value named DisallowAttachmentCustomization to the Outlook key at HKCU\Software\Policies\Microsoft\Office\11.0\Outlook. When this value is present, Outlook ignores the Level1Add and Level1Remove values that implement the per-user customization described above. It does not matter whether the value's data is 0, 1, or anything else; the existence of the value is all that is required.
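The registry step above, as an added PowerShell example (not code from the original article): it creates the DisallowAttachmentCustomization value under the Policies key and then audits whether the lock is in place. The Office version segment is a parameter because the 11.0 key the article cites belongs to Outlook 2003 while Outlook 2007 uses 12.0; the Outlook\Security subkey checked for leftover Level1Remove/Level1Add data is assumed here and is not stated in the article.

```powershell
# Added example, not from the original article. Locks Outlook's attachment
# blocking so users cannot unblock Level 1 file types, then audits the result.
# Office version key segment: 11.0 = Outlook 2003, 12.0 = Outlook 2007.
param(
    [string]$OfficeVersion = "12.0",
    [switch]$Apply            # without -Apply the script only audits
)

$policyKey   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook"
# Assumed location of the per-user Level1Remove/Level1Add values (not on the page).
$securityKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Security"
$valueName   = "DisallowAttachmentCustomization"

function Set-AttachmentLock {
    # Create the Policies key if missing. Only the value's existence matters to
    # Outlook; 1 is used here as the conventional "enabled" data.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

function Test-AttachmentLock {
    # Returns $true when the policy value exists, regardless of its data.
    $prop = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    return ($null -ne $prop)
}

function Get-UserOverrides {
    # Reports any per-user unblocking data that the policy value now ignores.
    $item = Get-ItemProperty -Path $securityKey -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    @("Level1Remove", "Level1Add") | Where-Object {
        $null -ne $item.PSObject.Properties[$_]
    } | ForEach-Object { "{0} = {1}" -f $_, $item.$_ }
}

if ($Apply) { Set-AttachmentLock }

if (Test-AttachmentLock) {
    Write-Output "Attachment customization is locked ($policyKey\$valueName present)."
} else {
    Write-Output "NOT locked: $valueName is missing; run again with -Apply."
}
$overrides = Get-UserOverrides
if ($overrides.Count -gt 0) {
    Write-Output "Per-user overrides found (ignored while locked):"
    $overrides | ForEach-Object { Write-Output "  $_" }
}
```

Run it without -Apply first to see the current state; the audit only reads the registry, so it is safe to use in a login script or an inventory sweep.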

Final Thoughts

Combining these steps with sound practices in e-mail and online safety will help to ensure that you won’t fall victim to e-mail based threats.

This post is part of the series: Configuring E-mail Clients for Maximum Security

The three main E-mail clients in use on Windows are Outlook, Outlook Express, and Mozilla Thunderbird. But are they as secure as they should be? This three-part series will explore configuring each to its maximum security level.
  1. Configuring Microsoft Outlook for Maximum Security
  2. How to Configure Outlook Express for Maximum Security