[ Team LiB ] Understanding Outlook's Security

[ Team LiB ] Understanding Outlooks Security One of Outlooks strengths is its programmability. Outlook supports VBA, enabling you to use procedures to automate many mundane tasks. When you need more than VBA provides, you can install COM add-ins to provide features that Microsoft didnt build into Outlook. A Component Object Model (COM) add-in is an application that uses the host programs object model to access the host programs interface. COM add-ins add features missing from the program or improve on existing features. Extended Reminders (www.slovaktech.com) is an example of a COM add-in that adds a feature that Outlook is...
Nội dung trích xuất từ tài liệu:
[ Team LiB ] Understanding Outlooks Security[ Team LiB ]Understanding Outlooks SecurityOne of Outlooks strengths is its programmability. Outlook supports VBA, enabling youto use procedures to automate many mundane tasks. When you need more than VBAprovides, you can install COM add-ins to provide features that Microsoft didnt build intoOutlook. A Component Object Model (COM) add-in is an application that uses the host programs object model to access the host programs interface. COM add-ins add features missing from the program or improve on existing features. Extended Reminders (www.slovaktech.com) is an example of a COM add-in that adds a feature that Outlook is missing—the ability to use reminders in any folder. After a COM add-in is installed, its listed in Tools, Options, Other, Advanced Options, COM Add-ins.This programmability comes with a high price tag: Anything you can do, virus writerscan do too, and they usually have destruction on their minds, not helping Outlook userswork smarter.Outlook 2003 provides a good mix of security and usability. Microsoft assumes that youknow not to install add-ins or use VBA code that comes from questionable sources, so itallowed Outlook to trust COM add-ins and project code. That means code now runswithout triggering annoying dialogs, such as the one shown in Figure 8.1.Figure 8.1. The object model security dialog warns you when a program is trying to send mail on your behalf.The responsibility to ensure that unsafe add-ins arent installed now falls on yourshoulders, not Microsofts. Plenty of safeguards are still built in, but in the end, keepingyour system secure and free from viruses, trojan horses, and worms is your responsibility,and thats how it should be. Even though Outlook is very secure, dont use it as an excuse to stop using common sense when you receive questionable messages. Dont open attachments you dont need. Always use an antivirus program and keep the virus definitions current. Auto-protect settings will protect you if a virus tries to run.Outlooks first line of defense is Outlook Object Model (OOM) security. If youre using aCOM add-in thats not updated for Outlook 2003, youll notice the most visible effect ofthe OOM security: A warning dialog alerts you that something is trying to access emailaddresses or send mail on your behalf (see Figure 8.2).Figure 8.2. A second warning dialog displays as new messages are created. After the green bar completes, you need to choose Yes or No to send the message.As you can see from this figure, the dialog asks whether you want to allow it to sendemail. In most cases, youll want to choose Yes and allow it access for 1 to 10 minutes.However, if youre not sure whats causing the warning dialog to appear, play it safe andchoose No.Outlook Object Model SecurityOutlooks object model security protects you by preventing untrusted code fromaccessing your messages and address lists. When a program attempts to access yourOutlook data, youll see one or both of the dialogs shown in the previous section inFigures 8.1 and 8.2.However, published Outlook forms, Visual Basic for Applications code, and properlywritten Outlook COM add-ins wont trigger the security prompts for standalone users.Exchange administrators will still be able to manage Outlook security through theOutlook Security Settings folder and form. The Office Resource Kit (available online at Microsoft) includes the security form for Exchange Server and instructions on using it. Exchange administrators install and administer the form, giving permission to selected domain users and groups to avoid the security prompt. If you use Exchange Server and want to avoid the security prompts, youll need to speak with your administrator. Any attachment type thats executable is blocked by default. That means any attachment that the computer can run directly, and shortcuts to programs are blocked. This includes attachments with exe, scr, and pif extensions. Files such as text files (txt) and images (jpg, gif) open, but cant be run directly. You can edit Windows Registry to unblock the extensions you need to access. Refer to Hour 6, Working with Email Attachments, to learn more.Security in the Reading PaneThe Reading Pane is secure because it doesnt support active content. All potentiallydangerous attachments are blocked (including scripts) and Outlook no longer allowsiframes to display in email.Open messages offer the same level of protection that you have with the Reading Pane,so if you like using the Reading Pane, go ahead and use it.Many HTML elements are disabled in email, including forms, submissions, and otheractive content. Open the message and choose View, View in Internet Zone if you need tomake the content. The message is displayed using the Internet Zone settings normallyused for browsing the Internet.Never lower the security settings using the Tools, Options, Security tab—its not safe todo so. If the source is trustworthy, use the View, View in Internet Zone menu selectionwhen you need to reduce the security level on your email. Dont view messages fromunknown sources in the Internet zone.Understanding Web BeaconsAlso known as Web bugs, Web beacons are images with a URL that includes a code toidentify the email address it was sent to. Every time the image loads, the sender isinformed of the email address that viewed the message. This lets the sender know that theemail address is active and ripe for future mailings.Although Web beacons are often used by spammers to verify valid email addresses, ...