The Web    Google
Making Outlook Less Insecure

Making Outlook Less Insecure
September 8, 2003

Securing Outlook Itself

Now let's dive into the wonderful world of patches and configuration tweaks for Outlook/Outlook Express. In a nutshell, turn off everything everywhere: scripting, preview pane, HTML, etc. ! off, off, everything off.

There are something like eight different versions of Outlook. Whatever version you have, find the Security tab under Tools => Options. By the way, everything you do in this menu will affect Outlook, Internet Explorer, and Outlook Express.

Let's take a look at all the things to turn off in the Internet Zone. Accept no defaults; this is a custom job all the way. Select "Custom Level" and turn off all these options:

  • ActiveX: Never ever ever allow ActiveX to run. It is designed expressly to allow remote execution of code over the Internet. Why anyone thought this would be a good idea is a complete mystery. Ignore the nonsense about "ActiveX controls marked safe for scripting." Like, since it's signed ! by the author no less ! it will be any less questionable. Just say NO ! disable all the checkboxes for ActiveX.

  • Disable font and file downloads ! unless you actually anticipate needing a Chinese font, or some such spam trick.

  • Java: I have mixed feelings about Java. Sun claims Java applets are safe and have never been exploited. Me, I disable it just to be on the safe side.

  • Disable "Access data sources across domains" and "Drag and drop or copy and paste files." Neither one serves any useful purpose (except to spammers and viruses).

  • "Installation of desktop items" C NO! Turn it off.

  • "Launching programs and files in an iframe" C No, no, a hundred times NO. Oh, iframes are wonderful ! to a virus author who wishes to execute code on your system via Internet Explorer. (Outlook and Outlook Express use IE to render HTML-formatted mail).

  • Keep going on down the form, checking "Disable" for everything until you reach "Software channel permissions." Set "Software channel permissions" to "High safety." I have no idea if anyone is still trying to turn the Internet into TV ! like we are baby birds waiting to be force-fed regurgitated matter ! but in any case, take no chances. (This is assuming "High safety" actually helps, which I would not bank on, being an untrusting sort of human.)
Miscellaneous Fun

  • Attachment Security button: Yes, it's an oxymoron. This button is present only on older versions of Outlook. Your choices are "High" or "None." Obviously, choose High.

  • No Preview Pane. It's a shame, but many exploits don't even need the user to click on them ! just using the Preview Pane activates them. Kill it off via the View => Layout => Preview Pane menu.

  • No HTML mail. As you have been faithfully following my CrossNodes columns, you've doubtless already read my rants against HTML mail. In a nutshell, the HTML mail option allows malicious code to be executed on your computer, so again, just say no.
Choosing a Zone

On newer versions of IE and Outlook, you have the option to select which zone becomes the default Internet zone. Choose "restricted zone," and go through its options just like we did above. No, no, no, no, no, etc.

Notice the different zones, "Trusted Sites" and "Local Intranet," each of which can be configured differently. As viruses are spread by the millions from trusted sources, I'd say it's best to continue to say no to everything.

Security Updates

You could install the Outlook E-mail Security Update, which is supposed to quarantine certain executable attachments from running on your system. The update also will alert users when an outside program attempts to monkey with their address books. I've had mixed success with it, though; the major downside is that it's not something you can easily uninstall if you don't like it. I quote: "...this update integrates with your Outlook product and cannot be uninstalled without completely uninstalling Office."

Page 3: Securing Windows

  • Will Users of Word 97 'Bug' Out?
  • A Password Policy Primer
  • Free! Expert Help Fixing Your Top Security Problems
  • Virus Update: Lovgate Worm Still Out
  • AT&T on DoS: Early Detection Equals Prevention
  • CEO Warns Threats are Coming from the Inside
  • 11/23: BackDoor-CLK Trojan Copies Itself
  • Pedestal Adds Security Benchmark Score to Audit Software
  • 10/26: Famus-B Worm Sends Email About Iraq
  • 11/22: Swizzor-BQ Trojan Downloads, Runs Files
  • IM Security Under The Gun
  • Security Camera Product