Microsoft announced its Secure Computing initiative in 2002 and has continued to improve the security of its products ever since. For Outlook 2007, this means a great increase in the number of security and antispam features available when the Outlook 2007 client is partnered with Exchange Server. Similarly, improvements have been made in preventing unwanted viruses or malicious scripts from executing when a message is received or previewed. Microsoft continues to integrate advanced email security features such as digital signing of messages, mail encryption, and Information Rights Management.
Support for Secured Messaging
Microsoft’s Outlook 2007 development team has taken feedback from IT groups as well as from end users and has recognized the ever-increasing need for secured messaging. To stay ahead of competitors, Outlook 2007 expanded its support for secured messaging, including S/MIME, digital signing, message encryption, and smart card support.
S/MIME Support, Digital Signatures, and Email Encryption
Though S/MIME support has been available in previous versions of Outlook, Outlook 2007 provides updated support for the latest S/MIME functionality. Using S/MIME, an email message is encrypted with the recipient’s public key and can be decrypted, and therefore read, only with the recipient’s private key. This pairing of a public key with a private key is what makes secure email correspondence possible.
Use of S/MIME requires that the Outlook 2007 client have a certificate for cryptography on the client computer, stored locally either in the Microsoft Windows certificate store or on a smart card. The required settings can be pushed through Registry settings or via Group Policy to implement S/MIME easily throughout an organization. This type of internal certificate use is usually supported by an internal Public Key Infrastructure (PKI). The creation of an internal PKI goes beyond the scope of this book and is not covered here.
S/MIME support also includes digital signing, which gives a message recipient assurance that the message came from the person who claims to have sent it. Digital signing also allows for security labels and signed secure message receipts. Using Outlook 2007, enterprisewide security labels such as “For Internal Use Only” can be enforced, and messages can be labeled to restrict forwarding or printing through Information Rights Management. In addition, users can now request an S/MIME receipt confirming that a message was received. A receipt is returned only after the intended recipient has actually received the message and verified its digital signature, so when the sender receives the digitally signed receipt, the sender knows that the recipient recognized and verified the signature. This allows email users to place more trust in the information they receive via email, which can be especially valuable when email is used for workflow or approval processes.
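The two properties described above, that only the recipient’s private key can decrypt what was encrypted with the recipient’s public key, and that a signature made with the sender’s private key can be checked by anyone holding the sender’s public key, can be seen in a few lines of textbook RSA. The following is an added example, not Outlook code and not real S/MIME (which wraps these operations in CMS with padding, certificates and full-size keys); the primes, the parties Alice and Bob, and the message are constructed, and the receipt function is only a model of the signed S/MIME receipt the text describes.

```python
import hashlib


def make_keypair(p: int, q: int, e: int = 17):
    """Build a toy RSA key pair from two constructed, tiny primes.
    Returns (public_key, private_key), each as an (exponent, modulus) tuple."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message: bytes, public_key) -> list:
    """Encrypt with the RECIPIENT's public key, one byte per block (toy sizes)."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def decrypt(blocks: list, private_key) -> bytes:
    """Only the matching private key recovers the plaintext."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


def _digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message and reduce it so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sign with the SENDER's private key over a hash of the message."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def signed_receipt(message: bytes, sender_sig: int, sender_pub, recipient_priv):
    """Model of an S/MIME receipt: the recipient returns a receipt signed with
    their own key only after the sender's signature verified. Returns None
    when verification fails, so no receipt exists for a tampered message."""
    if not verify(message, sender_sig, sender_pub):
        return None
    receipt = b"receipt:" + hashlib.sha256(message).digest()
    return receipt, sign(receipt, recipient_priv)


def demo():
    alice_pub, alice_priv = make_keypair(61, 53)   # sender   (constructed primes)
    bob_pub, bob_priv = make_keypair(67, 71)       # recipient (constructed primes)
    message = b"Approve purchase order 1234"

    # Alice: encrypt for Bob with Bob's public key, sign with her own private key.
    ciphertext = encrypt(message, bob_pub)
    signature = sign(message, alice_priv)

    # Bob: decrypt with his private key, verify Alice's signature, return a receipt.
    plaintext = decrypt(ciphertext, bob_priv)
    receipt = signed_receipt(plaintext, signature, alice_pub, bob_priv)

    # Alice: the receipt proves Bob received and verified the message.
    receipt_ok = receipt is not None and verify(receipt[0], receipt[1], bob_pub)
    # A modified message no longer matches the original signature.
    tampered_ok = verify(plaintext + b" and 5678", signature, alice_pub)
    return plaintext, receipt_ok, tampered_ok


if __name__ == "__main__":
    print(demo())   # (b'Approve purchase order 1234', True, False)
```

Run the file directly to see the round trip; the interesting branch is the last one, where a message altered by a single digit fails verification and therefore, in the receipt model, would never earn a signed receipt.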
Setting Email Security on a Specific Message
Security such as payload encryption or digital signing can be set for an individual email using the options available when creating an email message. Clicking the Options button opens the Message Options dialog box. There, the user can access the Security Properties page to set the security for the message. The user can choose to encrypt the message and/or add a digital signature, request an S/MIME receipt, and configure the security settings.
To do this, follow these steps:
1. Open a new message.
2. Click the Options tab and click the arrow in the bottom-right corner of the More Options box.
3. Click the Security Settings button.
4. Add security settings as desired, similar to the ones shown in Figure 1.
5. Click OK when you are finished.
6. Continue composing the message as normal.
Setting Email Security on the Entire Mailbox
Security settings can also be globally configured for the entire mailbox so that they apply at all times.
To do this, follow these steps:
1. Go to Tools, and select Trust Center.
2. Select Email Security from the left pane.
3. Enable the choices desired for security for the entire mailbox:
   - Encrypt Contents and Attachments for Outgoing Messages
   - Add Digital Signature to Outgoing Messages
   - Send Clear Text Signed Messages When Sending Signed Messages (selected by default). This allows users who don’t have S/MIME security to read the message.
   - Request S/MIME Receipt for All S/MIME Signed Messages
4. For all choices (except the third choice) to work properly, the user must get a digital certificate provided by the administrator. This can be imported by clicking the Import/Export button at the bottom of the window beneath Digital IDs (Certificates) or by clicking Get a Digital ID.
5. After you import the digital certificate, the security functionality is complete.
6. Click OK when you are finished.
Attaching Security Labels to Messages
Also a feature in Outlook 2007, security labels can be configured by the administrator and used by the end user to add security markings to the header of any email message. Security labels require digital certificates and denote the sensitivity and security of an email. This functionality leverages the Information Rights Management functions made possible by Exchange Server and Active Directory. Security labels include information in the email header such as “Do not forward outside of the company” or “Confidential.” They can be configured on a message-by-message basis or for the entire mailbox.
To configure a security label for a single message, follow these steps:
1. Open a new message.
2. Click the Options tab and click More Options.
3. Click Security Settings in the Message Options window.
4. Select the Add Digital Signature to This Message check box.
5. Choose the security label, classification, and privacy mark that apply to the message.
6. Click OK when you are finished.
To configure a security label for all messages in the mailbox, follow these steps:
1. Go to Tools, Trust Center.
2. Click Email Security in the left pane.
3. Click Settings.
4. Click Security Labels.
5. Choose the policy module, classification, and privacy mark that will apply to all messages.
6. Click OK three times when you are finished.
Using Junk Email Filters to Reduce Spam
Improved antispam and antiphishing filters are now integrated into Outlook 2007. With these features, the end user can configure the level of antispam filtering desired and control how strictly incoming messages are checked. These local functions work in tandem with the antispam settings on the Exchange server.
In today’s business environment, organizations often find that more than 90% of the mail coming into their environment is spam. Rather than burden the end user with the task of reviewing and deleting spam messages, Outlook 2007 is able to determine that a message is spam and spare the user from having to deal with it. This is especially helpful because spam messages are often infected with viruses or contain material that would be inappropriate in the workplace. Occasionally, Outlook 2007 misses messages that are actually spam, but when Exchange Server is in use the user can help improve the system. When a user tags a message as spam, Exchange Server becomes more likely to catch similar spam messages in the future. When users tag spam messages in this way, the entire network benefits.
With the Outlook 2007 Junk E-mail filter, messages are reviewed when the client receives them to determine whether each message should be treated as junk or as valid email. To do this, the filter analyzes each message against a set of criteria and an imported list of known spammers. When Outlook is initially installed, the default setting is Low, which catches only the most obvious junk email. This setting is configurable by the end user and can be raised to increase the sensitivity of the junk email feature. A higher setting catches more unwanted email but increases the chance of false positives, which are valid messages that are mistakenly junked. Messages caught by the filter and determined to be junk mail are moved to the Junk E-mail folder in the Outlook 2007 client. The end user can and should review that folder occasionally to ensure that no valid messages were accidentally classified as junk. Optionally, the end user can configure Outlook to permanently delete junk email messages as they arrive rather than saving them to the folder at all. This setting should be used with caution.
To configure junk email filtering, follow these steps:
1. In Outlook 2007, select Actions, Junk E-mail, and then Junk E-mail Options.
2. On the Options tab shown in Figure 2, choose the level of blockage desired. Use caution when increasing the level of blockage, because missing valid messages that are incorrectly categorized as spam can at times be more of a problem than removing a few spam messages per day from your inbox.
3. Click OK when you are finished.
Utilizing the Safe Senders List
If the Outlook 2007 Junk E-mail filter incorrectly determines that a message is junk, the end user can add the sender’s email address to the Safe Senders list. This list prevents any new email from that sender from being classified as junk mail. This function is also referred to as a “whitelist.” The Safe Senders list supports both email addresses and wildcard domains. So, a user could add andrew@companyabc.com to allow that individual to send them messages, or the user could add @companyabc.com to allow any user from companyabc.com to send them a message.
The Safe Senders tab has two additional useful options. The first is Also Trust E-mail from My Contacts, which ensures that messages sent from email addresses in the user’s Contacts folder bypass the Outlook antispam efforts. However, this useful feature can cause an often overlooked problem. Spammers rarely send out spam with a valid From address. They often spoof the address to match that of the person they are sending to, so a message sent TO mark@companyabc.com will also appear to be FROM mark@companyabc.com. Now, if this user has a contact for himself in his Contacts folder and selects Also Trust E-mail from My Contacts, any mail with this address in the From field will be whitelisted, including some of the most prevalent spam. When selecting this option, users should make sure they do not have a contact for themselves.
The other option, Automatically Add People I E-mail to the Safe Senders List, is also useful. When users have more stringent settings in their Junk E-mail options, selecting this option builds a whitelist of anyone the user sends an email to, working on the premise of “If you send to them, you probably want to receive from them.”
Utilizing the Safe Recipients List
The Safe Recipients list performs a very similar function to the Safe Senders list. The Safe Recipients list allows the user to configure email lists or mail-enabled groups of which they are a member. Any messages sent to these email groups are automatically considered “safe” and bypass Outlook’s antispam efforts.
Utilizing the Blocked Senders List
The opposite of the Safe Senders list is the Blocked Senders list. This concept is often referred to as a “blacklist.” By entering email addresses or wildcard domains, a user can tell Outlook 2007 to automatically junk any and all messages received from the blocked senders. This tab is not very useful when it comes to fighting spam, however, because the worst offenders change their email addresses (and usually domain names) with every round of messages.
Tip
It is important to understand that Blocked Sender rules are based only on the Reply-to addresses given in the email. Reply-to addresses are usually forged in an attempt to slip around antispam systems.
Populating the Lists
To add users to the Safe Senders, Safe Recipients, or Blocked Senders lists, users can do the following:
1. In Outlook 2007, select Actions, Junk E-mail, and then Junk E-mail Options.
2. Choose one of the tabs (Safe Senders, Safe Recipients, Blocked Senders, or International), and then click Add to insert the user into the appropriate list.
3. Type the SMTP email address of the sender (or their domain) in the following format: jdoe@companyabc.com or @companyabc.com.
4. Click OK when you finish.
Alternatively, any of these lists can be populated with an initial set of addresses by using a combination of Group Policy and the Office Outlook 2007 template. However, once an entry has been added, administrators cannot remove it using GPO. If an invalid entry is distributed, it can be deleted by the user, or the entire list can be overwritten by pushing another list via GPO.
Some organizations have been known to add their own domain to the Safe Senders list and push it out to all users. This can be a huge mistake: much of the spam users face consists of messages spoofed with a “from” address that matches the “to” address, and this setting leaves the door wide open to them.
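The list-matching rules from the Safe Senders, Safe Recipients and Blocked Senders sections, together with the two whitelist pitfalls just described (a user’s own card in Contacts, and the organization’s own domain pushed to Safe Senders), can be modelled in a few lines. The following is an added example written for this chapter, not Outlook’s filter code: the `JunkLists` structure, the `classify` function and the sample addresses are constructed, and checking the blocked list before the safe lists is a simplifying assumption of the model rather than documented Outlook precedence.

```python
from dataclasses import dataclass, field


@dataclass
class JunkLists:
    """A user's lists; trust_contacts models 'Also Trust E-mail from My Contacts'."""
    safe_senders: set = field(default_factory=set)
    safe_recipients: set = field(default_factory=set)
    blocked_senders: set = field(default_factory=set)
    trust_contacts: bool = False


def entry_matches(entry: str, address: str) -> bool:
    """An entry is a full address (jdoe@companyabc.com) or a wildcard domain
    (@companyabc.com). Keeping the leading '@' in the comparison stops
    '@companyabc.com' from matching 'x@notcompanyabc.com'."""
    entry, address = entry.strip().lower(), address.strip().lower()
    if entry.startswith("@"):
        return address.endswith(entry)
    return entry == address


def any_match(entries, address: str) -> bool:
    return any(entry_matches(e, address) for e in entries)


def classify(sender: str, recipients, lists: JunkLists, contacts=frozenset()) -> str:
    """Return 'blocked', 'safe' or 'unlisted' for one message.
    `sender` is whatever address the lists are matched against; the chapter's
    Tip notes that Blocked Senders keys on the Reply-to address."""
    if any_match(lists.blocked_senders, sender):
        return "blocked"
    if any_match(lists.safe_senders, sender):
        return "safe"
    if lists.trust_contacts and any_match(contacts, sender):
        return "safe"
    if any(any_match(lists.safe_recipients, r) for r in recipients):
        return "safe"
    return "unlisted"


def self_contact_trap():
    """Spam spoofed so that From == To, evaluated with and without the user's
    own card in Contacts while 'Also Trust E-mail from My Contacts' is on."""
    me = "mark@companyabc.com"                      # constructed address
    lists = JunkLists(trust_contacts=True)
    with_self = classify(me, [me], lists, contacts={me})
    without_self = classify(me, [me], lists, contacts={"andrew@companyabc.com"})
    return with_self, without_self                  # ('safe', 'unlisted')


def org_domain_trap():
    """The organization's own domain pushed to Safe Senders via Group Policy:
    the same spoofed message sails through, while an outsider is still filtered."""
    lists = JunkLists(safe_senders={"@companyabc.com"})
    spoofed = classify("mark@companyabc.com", ["mark@companyabc.com"], lists)
    outsider = classify("news@example.test", ["mark@companyabc.com"], lists)
    return spoofed, outsider                        # ('safe', 'unlisted')


if __name__ == "__main__":
    print("self-contact trap:", self_contact_trap())
    print("org-domain trap:  ", org_domain_trap())
```

Both trap functions return `'safe'` for the spoofed message, which is the point: a whitelist entry that matches the user’s own address, whether it arrives through Contacts or through a pushed domain wildcard, cannot distinguish the user from someone impersonating the user.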
Tip
Many services provide lists of junk senders for import into a Blocked Senders list. These lists are created based on known spammers. If your organization wants to provide the end users with a list of trusted or junk senders, the end user can easily import the list by clicking the Import from File button. However, as previously stated, this option is of little value because spammers change their addresses constantly.
Utilizing the International List
Outlook 2007 also has the ability to flag messages as junk based on where they came from. The International tab allows a user to block entire top-level domains or to block messages in particular languages. This is a more encompassing option than blocking by domain name but is often not an option for organizations with a large international presence.
Avoiding Web Beaconing
Web beaconing refers to the use of references to external content in an email to identify the message as having been read. This allows a spammer to validate their list of addresses by identifying the messages that reached a valid user and were opened. When the end user opens the message or views it in the preview pane, the computer retrieves this external content, and that retrieval is the signal. Outlook 2007 has the ability to block web beaconing, which can help reduce the chances of a user ending up on more spam lists.
To enable web beacon filtering from Outlook 2007, do the following:
1. Click Tools and then click Trust Center.
2. Select Automatic Download in the left pane.
3. Select the Don’t Download Pictures Automatically in HTML E-Mail Messages or RSS Items check box.
4. Click OK when you are finished.
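The Automatic Download setting works because Outlook simply declines to fetch remote references when rendering HTML. To make concrete what those references look like, and why inline (`cid:`) and embedded (`data:`) images are harmless while remote ones are not, here is an added example scanner, not part of Outlook or of this book, that lists every reference in an HTML body a client would have to fetch from the network and flags the 1x1 remote image shape typical of a beacon. The sample message body, the host names, and the `FETCH_ATTRS` table of attributes it inspects are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

REMOTE_SCHEMES = {"http", "https"}

# Attributes whose value a mail client would fetch when rendering the message
# (constructed, not exhaustive: CSS url() references, for instance, are not scanned).
FETCH_ATTRS = {
    "img": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "input": ("src",),
    "body": ("background",),
    "table": ("background",),
    "td": ("background",),
}


class RemoteContentScanner(HTMLParser):
    """Collects every reference that would cause a network fetch on open or preview."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_map = {name: (value or "") for name, value in attrs}
        for name in FETCH_ATTRS.get(tag, ()):
            url = attr_map.get(name, "").strip()
            if urlparse(url).scheme.lower() not in REMOTE_SCHEMES:
                continue        # cid:, data:, relative or empty: no network fetch
            # A 1x1 (or 0x0) remote image shows the reader nothing; its only
            # effect is the fetch itself, which is the classic beacon shape.
            tiny = (tag == "img"
                    and attr_map.get("width", "").strip() in {"0", "1"}
                    and attr_map.get("height", "").strip() in {"0", "1"})
            self.findings.append({"tag": tag, "url": url, "beacon_like": tiny})


def find_remote_content(html_body: str) -> list:
    """Return one finding per remote reference in the HTML body."""
    scanner = RemoteContentScanner()
    scanner.feed(html_body)
    scanner.close()
    return scanner.findings


# Constructed sample message body; the host names are placeholders, not real sites.
SAMPLE_BODY = """<html><body>
<p>Your order has shipped.</p>
<img src="cid:logo@companyabc.com" width="120" height="40">
<img src="http://tracker.example.test/open?id=abc123" width="1" height="1">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<link rel="stylesheet" href="https://cdn.example.test/mail.css">
</body></html>"""


def summarize(html_body: str = SAMPLE_BODY) -> dict:
    """Counts and URLs a reviewer would want before deciding to allow downloads."""
    findings = find_remote_content(html_body)
    return {
        "remote_refs": len(findings),
        "beacon_like": sum(1 for f in findings if f["beacon_like"]),
        "urls": [f["url"] for f in findings],
    }


if __name__ == "__main__":
    for finding in find_remote_content(SAMPLE_BODY):
        print(finding)
    print(summarize())
```

Of the four images and stylesheets in the sample, only two would trigger a network request, and only the 1x1 tracker carries nothing the reader would see; the `cid:` logo travels inside the message and the `data:` image is embedded, so blocking automatic downloads costs the recipient nothing for those.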