S 4.165 Secure configuration of Outlook

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: User

General recommendations

It is recommended to have administrators specify the settings in the Microsoft Exchange/Outlook environment wherever this is possible. The settings should only be specified by the users in exceptional cases, i.e. when they cannot be specified by an administrator.

Settings configured centrally by administrators must be protected against changes by users so that the users cannot accidentally undermine the prescribed level of security through incorrect configuration. Unfortunately, this is not possible for all settings. However, if it is possible, the following recommendations will point this out.

Secure configuration of the underlying operating system

An initial prerequisite for the secure configuration of Microsoft Outlook is the secure configuration of the underlying operating system. Windows provides the (group) policy mechanism for the general configuration and administration of clients. It is advisable to use these policies, since they allow the settings to be administered centrally and protected against modification by users.

Administration tools

Administration and/or configuration of Microsoft Outlook may take place at different times: even before the actual distribution and installation of Microsoft Outlook (so-called pre-configuration) or when Outlook has already been distributed. Administration tools for Outlook such as the Custom Installation Wizard provide the administrator with the ability to centrally generate a preconfigured version of the Outlook software for distribution and installation later on.

It is recommended for medium-sized and large companies and/or government agencies to use administration tools to configure and administer Outlook clients. The use of administration tools makes the work of administrators easier and helps to ensure that there is a consistently high level of security throughout the organisation. Small organisations should check if it is worthwhile to use administration tools.

Use of user profiles

If several users are to share one PC, it is possible to create a separate Outlook profile with user-specific settings for each user. In this case, the different Outlook profiles must be configured and isolated from each other by the administrator. The user profiles can be stored on the server or on the client in this case.

It is generally recommended to store the user profiles on the server. Note, however, that offline work (in which copies of the data are stored locally on the computer) is not possible when the profiles are stored on the server. If offline work is explicitly desired, the Outlook profiles must be stored on the client. In that case changes to the profile only apply to the local computer, so a user who works on several computers may end up with different profiles on each of them.

Even if Outlook profiles are stored locally, it is recommended to have the Exchange administrator create and distribute the user profiles so that the pre-configuration process is secure and consistent.

Storing Outlook data securely

Outlook data is generally stored in mailboxes located on the Exchange server. However, it is also possible to store Outlook data locally on the client, for example when users work with offline folders (a local copy of the server mailbox) or have created their own personal folders locally. Outlook data stored on clients is generally exposed to a higher level of risk than information stored on the server, since the users themselves are responsible for its protection: they have to configure the security settings (e.g. file access rights) for their own personal folders. The security policy for Outlook therefore needs to specify whether or not Outlook data is allowed to be stored on the user systems. It is recommended in principle not to store Outlook data on clients. However, this also rules out the possibility of working with offline folders.

If working with offline folders is unavoidable, then the following recommendations should be considered to protect the Outlook folders stored locally. Outlook stores information in personal folders (.pst files) as well as in offline folders (.ost files), which in this case are stored on the local hard disk of the client. It must be noted that additional data is stored in the system directories, the Outlook installation directories, and in the Windows user profiles. These directories should therefore be assigned restrictive access rights.

Encrypting local Outlook folders

It is recommended to encrypt local Outlook folders (i.e. personal folders and offline folders). As a matter of principle, safeguard S 4.131 Encryption of Lotus Notes databases must be implemented.

For additional protection, it is recommended to store the offline folders and personal folders in a separate directory and to then assign restrictive access rights to this directory. Only the corresponding user should be able to access this directory.

Do not use the password protection feature for local personal Outlook folders

Password protection can be enabled for personal folders (.pst files), but it is of little value. The password does not encrypt the contents of the file; it is merely checked by Outlook when the file is opened, and it can be removed or recovered using tools freely available on the internet. Anyone with read access to the .pst file can therefore read its contents regardless of the password.

If the security policy of the organisation additionally requires certain passwords to be stored at a central location, then the additional security gained through the use of password protection is negligible in comparison to the amount of additional administrative work required.

It is therefore not recommended to use this password protection.

Access authorisations for central Outlook folders

In an Exchange environment, the folders of a user's mailbox (inbox, calendar, contacts, etc.) can be made accessible to other users. It is generally recommended to grant access authorisations restrictively so that only those authorisations absolutely necessary are granted. The recommended basic security setting is to grant access to the owner of the folder and their substitute only.

Secure use of the Outlook Journal

The Journal records a history of the activities performed with Outlook. The activities recorded include not only e-mails that have been sent and received, appointments, and tasks, but also activities relating to contacts and Office documents.

Journal entries can be entered manually or generated automatically. From a security perspective, it must be taken into consideration that the entries entered manually or generated automatically in the Journal may contain confidential information and file links. For this reason, it is not recommended to generate entries automatically.

The organisational security policy should specify which files are allowed to be entered as links in the Journal entries.

Protecting personal data from system administrators

Personal Outlook data (.pst files) stored locally can be read by administrators at any time. For this reason, information can only be kept confidential from administrators using encryption.

When using a file-based encryption system, it is recommended to define a security policy for the storage of the keys used so that the encrypted data can be accessed in an emergency.

Authentication

It is not recommended to use the automatic authentication procedures of the Microsoft operating systems used. Instead, users are prompted to enter their user name and password when they access the Exchange server. Under no circumstances may the user password be saved in the Outlook profile ("remember password"): stored passwords can be read out with publicly available tools by anyone who obtains local access to the user system.

Encryption of communications

If Outlook is used as a MAPI client of an Exchange server, the RPC (Remote Procedure Call) communication between the client and the Exchange server can be protected using encryption (the profile option to encrypt data between Outlook and Exchange). Whether or not communication must be encrypted has to be specified in the security policy for Outlook; where possible, the setting should be enforced centrally rather than left to the user.

Encryption is especially recommended when the Outlook clients and the Exchange server communicate over insecure networks.

Handling potentially dangerous file attachments

As a general rule, file attachments in emails must not be allowed to open automatically.

The use of a filter on an email gateway or a security gateway (firewall) is generally recommended in order to check emails for potentially dangerous attachments and to filter these out or delete them when necessary. However, if email encryption is used, a gateway filter cannot inspect the encrypted content and is therefore no longer effective for such messages. In this case, email filters that check messages on the client after decryption can be used instead. The decision whether or not to use local email filters must be made on a case-by-case basis, taking into account the additional administrative work required to distribute, install, and maintain the filter software.

Using so-called personal firewalls on the clients in addition can raise the level of security that is achievable. Personal firewalls allow execution restrictions to be placed at the operating system level and provide quarantine zones or sandboxes (i.e. controlled runtime environments) for executable email attachments. Here too, the use of such products should be examined carefully, since additional administrative work is required.

The use of products installed locally such as email filters or personal firewalls is not recommendable if:

Disabling the preview pane

If the Outlook preview pane and/or the auto-preview feature is used, emails are rendered automatically as soon as they are selected, and any active content contained within them may be executed without the user ever opening the message. It is therefore recommended to disable the preview pane and the auto-preview feature.

Security settings for macro processing in Outlook

It is advisable to execute only signed macros whose signatures can be verified against trusted certificates. It must be taken into consideration that Outlook uses the Authenticode settings of Microsoft Internet Explorer (the Windows certificate store) for this. Consequently, any changes made here also affect all other programs using these settings.

It is recommended to administer the list of trusted publishers centrally and to distribute it using Windows group policies. The corresponding policy is a user policy so that different default settings can be specified for different user groups. It must be ensured that the default settings are protected against any modifications by the user. It must be taken into consideration that the macro settings are only applicable to VBA macros, i.e. for macros created with Visual Basic for Applications (VBA), but not for Visual Basic Script.

If users are allowed to create and change the list of trusted publishers themselves, the following behaviour may occur: if a signed VBA macro is opened and the corresponding certificate is not yet in the list of trusted publishers, the user can decide whether or not to add the certificate to the list. Certificates already in the list can also be deleted by the user. These decisions are security-relevant and generally should not be made by users. This procedure is therefore not recommended for use in companies or government agencies.

The development of proprietary macro extensions is described in S 2.379 Software development by end users.

Configuring email filter rules

Unwanted emails such as spam may disrupt productive work. Outlook offers the option of filtering out such unwanted emails using special filter rules. However, it is not recommended to allow users to define the filter settings in the Outlook client software, and emails should be filtered on the server instead. The advantage of this is that all emails are filtered consistently and that the administrative work required is limited to a defined point. If filtering on the server is not desired, then it is recommended to have an administrator create the filter rules centrally.

Restrictive delegation of authorisations

Outlook/Exchange allows substitutes or "delegates" to be named for periods of absence (e.g. vacation or illness) who can then process emails on behalf of the user who is absent. These delegates are granted access to the mailbox or individual Outlook folders belonging to the corresponding user and can send emails on their behalf. The access authorisations for delegates can be assigned separately for each of the elements of the Outlook folder (calendar, contacts, inbox, etc.). The settings are configured in the object properties of the corresponding object. The rules for delegates should be laid down in the organisation- and/or government agency-wide policies.

Do not forward or automatically move emails

The Rules Wizard used to define the filter rules can also be used to forward emails automatically to other users. If the forwarding option is configured carelessly, there is a risk of data loss or loss of confidentiality; for example, emails that unexpectedly contain confidential information may be forwarded to third parties on the basis of an incorrect rule. It is therefore recommended not to forward emails automatically. If automatic forwarding cannot be avoided, rules that forward mail to addresses outside the organisation should at least be blocked centrally.

Disabling extended functionality in Outlook

The Outlook Form Designer is a development environment for workflow applications based on Outlook directories. Security problems may arise through the use of the Form Designer since, for example, ActiveX control elements are available to it. Normal email users do not need to use the Form Designer. It is therefore recommended to disable the Outlook Form Designer on the clients.

Prohibiting the use of folder add-ins and COM add-ins

By default, Outlook allows users to install their own add-ins in order to expand the range of functions available in Outlook. Since add-ins are executable code (generally .exe or .dll files) running with the user's privileges inside Outlook, every add-in must be approved before it is used.

Organisational policies must be enacted to prohibit users from downloading add-ins from the Internet and using them.

Automatically emptying the Deleted Items folder

There are both advantages and disadvantages to automatically emptying the Deleted Items folder when exiting Outlook. The main advantage is that the folder does not contain any "deleted" confidential data in this case and that no additional storage space is consumed. The primary disadvantage is that it is possible to lose data as a result. The Deleted Items folder should be emptied automatically in environments in which confidential data is frequently exchanged by email.

Handling special messages

The automatic sending of delivery and read receipts can result in (possibly unintentional) denial-of-service conditions, for example mail loops between automatic responders. If the email policy of an organisation does not explicitly require the use of email confirmation messages, it is recommended not to use read and delivery receipts.

Automatically generated out-of-office messages inform outsiders that a certain employee is absent, confirm to a sender that the address exists, and can also be used as a starting point for a denial-of-service attack. For this reason, a decision must be made internally in the organisation whether or not this function should be used and, if so, whether replies are sent to external senders at all.

Avoid using Word as an e-mail editor

In Microsoft Outlook, Word is used as the email editor by default. Since Word macros can also be a security problem, it is not recommended to use Microsoft Word as an e-mail editor where a choice exists. There should be a policy specifying which editor is to be used for e-mails in the company or government agency. Note that from Outlook 2007 onwards the Word editing component is built into Outlook and can no longer be replaced; in these versions the macro and attachment settings described in this safeguard are what limits the risk.

Other aspects

If an e-mail encryption mechanism such as S/MIME is used, then the encrypted messages will normally also be backed up in encrypted form. In order to ensure that it will still be possible to access this information later, for example in connection with repair measures after an emergency, the keys used must also be included in the data backup. Additional information on this subject can be found in S 6.82 Creation of a contingency plan for the failure of Exchange systems.

Removing detailed information requiring protection from one's own e-mail headers

The headers of outgoing e-mails can contain information that is not suitable for disclosure to the outside, for example the operating system and e-mail software used by the e-mail server, internal host names and IP addresses from the Received lines added by internal relays, and client identification headers added by Outlook. Such details should be removed on the server side before the mail leaves the organisation, see also S 4.162 Secure configuration of Exchange servers.
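As an added example (not BSI or Microsoft code) of the server-side clean-up just described, the following Python script removes client identification headers and the Received lines of internal hops from an outgoing message before it leaves the organisation. The header list, the internal domain suffix ".corp.example" and the sample message are constructed for this example; an organisation derives its own list from real outbound samples.

```python
"""Strip information-revealing headers from outgoing mail (added example)."""
import email
import email.policy
import ipaddress
import re

# Headers that identify the client software or internal infrastructure.
# Constructed list for this example; extend it from your own outbound samples.
DROP_HEADERS = {"x-mailer", "x-mimeole", "x-originating-ip", "user-agent"}
DROP_PREFIXES = ("x-ms-exchange-organization-",)
# Internal DNS suffixes that must never appear in outgoing headers (assumption).
INTERNAL_SUFFIXES = (".corp.example",)

_IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def _reveals_internal_host(received: str) -> bool:
    """True if a Received line names an internal host or a private address."""
    low = received.lower()
    if any(suffix in low for suffix in INTERNAL_SUFFIXES):
        return True
    for candidate in _IPV4.findall(received):
        try:
            if ipaddress.ip_address(candidate).is_private:
                return True
        except ValueError:      # not a valid address, e.g. "999.1.1.1"
            continue
    return False


def sanitize(raw: bytes):
    """Return (clean_message_bytes, dropped_header_lines)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    dropped = []
    to_drop = {name for name in msg.keys()
               if name.lower() in DROP_HEADERS
               or name.lower().startswith(DROP_PREFIXES)}
    for name in to_drop:
        dropped.extend(f"{name}: {v}" for v in msg.get_all(name, []))
        del msg[name]                      # removes every occurrence
    # Received lines are added by every hop; keep only those that do not
    # describe the internal path. Re-adding appends them at the end of the
    # header block, which is acceptable for a message leaving the organisation.
    received = msg.get_all("Received", [])
    del msg["Received"]
    for line in received:
        if _reveals_internal_host(str(line)):
            dropped.append(f"Received: {line}")
        else:
            msg["Received"] = line
    return msg.as_bytes(), dropped


# Constructed outbound message as it might look at the edge relay.
SAMPLE_OUTBOUND = b"""Received: from mx1.example.com by relay.example.net with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from EXCH01.corp.example ([10.1.2.3]) by mx1.example.com; Mon, 1 Jan 2024 09:59:58 +0000
Received: from WS-4711.corp.example (10.1.7.42) by EXCH01.corp.example; Mon, 1 Jan 2024 09:59:57 +0000
X-Mailer: Microsoft Office Outlook 12.0
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-MS-Exchange-Organization-AuthAs: Internal
From: alice@example.com
To: bob@example.org
Subject: headers test
Content-Type: text/plain

hello
"""

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_OUTBOUND)
    print("dropped:", *dropped, sep="\n  ")
    print(clean.decode())
```

The check is deliberately conservative: any Received line that mentions a private address or an internal suffix is dropped entirely rather than edited, since partial edits tend to leave host names behind. Only IPv4 literals are recognised; add an IPv6 pattern if internal relays use IPv6.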

Using a virus scanner

The use of anti-virus software is recommended in all cases. Maximum protection is obtained using a combined gateway/client solution containing both server and client components. It must be ensured that all file attachments in an e-mail are checked, including compressed attachments (archives must be opened and their contents scanned). Encrypted attachments and encrypted messages cannot be examined on the gateway; they must either be scanned on the client after decryption or be quarantined, and the policy must state which of the two applies.
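The gateway attachment filter described under "Handling potentially dangerous file attachments" and the handling of compressed and encrypted attachments required here can be illustrated with the following Python script, added as an example and not part of this safeguard or of any Microsoft product. It rejects attachments with dangerous extensions (including double extensions such as "invoice.pdf.exe"), looks inside ZIP archives, and hands anything it cannot inspect (S/MIME encrypted mail, password-protected archives, malformed archives) to client-side scanning instead of delivering it unchecked. The extension list, the "client_scan" action and all sample messages are constructed for this example.

```python
"""Gateway attachment filter (added example, not BSI or Microsoft code)."""
import io
import os
import zipfile
import email
import email.policy
from email.message import EmailMessage

# Constructed policy for this example; an organisation sets its own lists.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime",
                   "multipart/encrypted"}
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}


def _blocked(name: str) -> bool:
    # splitext keeps only the last extension, so "invoice.pdf.exe" is caught.
    return os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS


def inspect_zip(data: bytes):
    """Return (opaque, blocked_members) for a ZIP attachment.

    opaque is True when the gateway cannot look inside: a member is password
    protected (general purpose flag bit 0) or the archive is malformed.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return True, []
    infos = zf.infolist()
    opaque = any(info.flag_bits & 0x1 for info in infos)
    return opaque, [i.filename for i in infos if _blocked(i.filename)]


def classify(raw: bytes) -> dict:
    """Decide what the gateway does with one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    blocked, opaque = [], False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            opaque = True              # encrypted body: nothing to inspect here
            continue
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        if _blocked(name):
            blocked.append(name)
        elif ctype in ARCHIVE_TYPES or name.lower().endswith(".zip"):
            zip_opaque, members = inspect_zip(part.get_payload(decode=True))
            opaque = opaque or zip_opaque
            blocked.extend(f"{name}:{m}" for m in members)
    if blocked:
        action = "reject"
    elif opaque:
        action = "client_scan"         # deliver only via the client-side filter
    else:
        action = "deliver"
    return {"action": action, "blocked": blocked, "opaque": opaque}


# --- constructed sample messages ------------------------------------------

def build_message(attachments) -> bytes:
    """attachments: list of (filename, data, maintype, subtype)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.org", "user@example.com", "sample"
    msg.set_content("see attachment")
    for name, data, maintype, subtype in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


def build_zip(member: str, data: bytes, password_protected: bool = False) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, data)
    blob = bytearray(buf.getvalue())
    if password_protected:
        # zipfile cannot write encrypted archives, so set the "encrypted" flag
        # (bit 0) in the local (offset 6) and central (offset 8) headers by hand.
        blob[blob.index(b"PK\x03\x04") + 6] |= 0x01
        blob[blob.index(b"PK\x01\x02") + 8] |= 0x01
    return bytes(blob)


def build_smime_message() -> bytes:
    """S/MIME enveloped message; the payload is dummy bytes, not real CMS."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.org", "user@example.com", "enc"
    msg.set_content(b"\x30\x82\x01\x00" + b"\x00" * 32, maintype="application",
                    subtype="pkcs7-mime", filename="smime.p7m",
                    params={"smime-type": "enveloped-data"})
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify(build_message([("report.pdf", b"%PDF-1.4\n", "application", "pdf")])))
    print(classify(build_message([("invoice.pdf.exe", b"MZ", "application", "octet-stream")])))
    print(classify(build_message([("invoice.zip", build_zip("invoice.exe", b"MZ"), "application", "zip")])))
    print(classify(build_message([("secret.zip", build_zip("a.txt", b"x", True), "application", "zip")])))
    print(classify(build_smime_message()))
```

The important design point is that "opaque" is a separate outcome from "clean": a gateway that simply delivers what it cannot inspect silently loses the protection this safeguard asks for, so such messages are routed to the client-side filter (or a quarantine) explicitly. Nested archives and non-ZIP formats are not handled here and would need the same treatment.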

Software and system maintenance

The administrators responsible for the system should check the internet regularly to stay informed of any newly discovered vulnerabilities in Exchange/Outlook. The patches available should be installed in a test environment first before installation in the productive environment.

Furthermore, it is advisable to use the information from Microsoft TechNet regarding the specific implementation of the requirements from this safeguard. For example, the secure configuration of Microsoft Outlook 2010 is described in the security guideline for Microsoft Office 2010: "Security and protection for Office 2010 Beta". Security requirements result directly from the administrator instructions for Microsoft Outlook in "Configuration and deployment of Office 2010 Beta".

Review questions: