Some applications interact with Outlook 2007, most typically using the Address Book to address and send a message. In most cases, these applications will generate a security warning dialog box. The warning is built into Outlook 2007 to help you identify when unauthorized applications are attempting to access your Outlook 2007 data. For example, a worm that propagates itself by e-mail would likely generate the warning.
The section "Configuring Attachments in Exchange Server" earlier in this chapter explained how Exchange Server administrators can use Group Policy to configure security settings for Outlook 2007 users. That section covered how to configure attachment blocking. You can also use Group Policy to configure the behavior of specific types of applications in relation to the security features in Outlook 2007, as well as specify dynamic-link libraries (DLLs) that should be explicitly trusted and allowed to run without generating a security warning.
Note
If you have not already configured Group Policy to manage security settings, see "Configuring Attachments in Exchange Server" earlier in this chapter to learn how.
Just as with the other security settings that can be configured in Exchange Server, you can control programmatic access to Outlook 2007 via either Group Policy or the Exchange Security Form.
To configure the settings that determine how Outlook 2007 security features handle various types of applications, follow these steps:
Run Group Policy, and then go to User ConfigurationAdministrative TemplatesClassic Administrative Templates (ADM) Microsoft Office Outlook 2007SecuritySecurity Form SettingsProgrammatic Security settings.
Configure the Outlook 2007 object model–related settings as desired. Each of these policy items has the same Guard behavior options. Select Prompt User to have Outlook 2007 prompt the user to allow or deny the action. Select Automatically Approve to allow the program to execute the task without prompting the user. Select Automatically Deny to prevent the program from executing the task without prompting the user. Select Prompt User Based On Computer Security to use the Outlook 2007 security settings.
Configure Outlook Object Model Prompt When Sending Mail. Specifies the action that Outlook 2007 takes when an application tries to send mail programmatically with the Outlook 2007 object model.
Configure Outlook Object Model Prompt When Accessing An Address Book. Specifies the action that Outlook 2007 takes when an application tries to access an address book with the Outlook 2007 object model.
Configure Outlook Object Model Prompt When Reading Address Information. Specifies the action that Outlook 2007 takes when an application tries to access a recipient field, such as To or Cc, with the Outlook 2007 object model.
Configure Outlook Object Model Prompt When Responding To Meeting And Task Requests. Specifies the action that Outlook 2007 takes when an application tries to send mail programmatically by using the Respond method on task and meeting requests.
Configure Outlook Object Model Prompt When Executing Save As. Specifies the action that Outlook 2007 takes when an application tries to programmatically use the Save As command to save an item.
Configure Outlook Object Model Prompt When Accessing The Formula Property Of A Userproperty Object. Specifies the action that Outlook 2007 takes if a user has added a Combination or Formula custom field to a custom form and bound it to an Address Information field. Blocking access can prevent an application from indirectly retrieving the value of the Address Information field through its Value property.
Configure Outlook Object Model Prompt When Accessing Address Information Via UserProperties.Find. Specifies the action that Outlook 2007 takes when an application tries to search mail folders for address information using the Outlook 2007 object model.
Configure the Simple MAPI settings next as desired. Each of these policy items has the same set of options. You can select Prompt User to have Outlook 2007 prompt the user to allow or deny the action. Select Automatically Approve to allow the program to execute the task without prompting the user. Select Automatically Deny to prevent the program from executing the task without prompting the user.
Configure Simple MAPI Sending Prompt. Specifies the action that Outlook 2007 takes when an application tries to send mail programmatically with Simple MAPI.
Configure Simple MAPI Name Resolution Prompt. Specifies the action that Outlook 2007 takes when an application tries to access an address book with Simple MAPI.
Configure Simple MAPI Message Opening Prompt. Specifies the action that Outlook 2007 takes when an application tries to access a recipient field, such as To or Cc, with Simple MAPI.
When you have finished configuring programmatic settings, close Group Policy.
Part of the battle in getting an application past the Outlook 2007 security prompts is understanding what method it is using to access your Outlook 2007 data. If you’re not sure, you can simply change one setting, test, and if the change doesn’t enable the application to bypass the security prompts, change a different setting. This trial-and-error method isn’t the most direct, but it won’t take much time to test each of the possibilities. Remember that you must refresh Group Policy and then start Outlook 2007 for these changes to be applied.
In addition to (or as an alternative to) configuring security settings to allow various types of applications to bypass the Outlook 2007 security prompts, you can also identify specific applications that can bypass the Outlook 2007 security prompts. These applications must be specifically written to use the Outlook 2007 security trust model.
Before an unsigned application (for example, a noncommercial application) can be added to the trusted add-ins list, you must generate a hash key value to use when setting the Group Policy. The Outlook 2007 Security Hash Generator Tool is available from Microsoft by going to office.microsoft.com/downloads/ and searching for Outlook 2007 Security Hash Generator Tool. Once you have downloaded the hash generator, you have to install and register it before using it to create hash keys.
To install the hash generator, follow these steps:
On a computer running Windows XP, run OutlookSecHashGen.exe to start installation. Specify a folder for the extracted files, and then click OK.
Open a Command Prompt window, and then go to the folder with the extracted files.
Type CreateHash.bat /register, and then press Enter.
To register an add-in, follow these steps:
Open a Command Prompt window, and then go to the folder with the extracted files.
Type CreateHash.bat <filename>.dll (using the name of your file).
When the hash value is displayed, copy and paste it into the value field in Group Policy (or save it in a text file).
To add a trusted application, follow these steps:
Copy, to a location accessible to the computer where you will be modifying the Outlook 2007 security settings, the DLL or other executable file that loads the application to be trusted.
Generate a hash key, and note the value for use during installation.
Run Group Policy, and then go to User ConfigurationAdministrative TemplatesClassic Administrative Templates (ADM)Microsoft Office Outlook 2007SecuritySecurity FormProgrammatic SecurityTrusted Add-ins.
Select Enabled, and then click the Show button. In the Show Contents dialog box, click Add.
In the Add Item dialog box, fill in the Enter The Name Of The Item To Be Added field, enter the hash value you generated in the Enter The Value Of The Item To Be Added field, and then click OK.
Repeat the process for any other applications you want to add to the trusted list, and then close Group Policy.