Getting the Most Out of the Microsoft Outlook Client : Security Enhancements in Outlook 2007

3/1/2011 8:58:03 AM
Microsoft announced its Secure Computing initiative in 2002 and has continued to improve the security of their products ever since. For Outlook 2007, this means a great increase in the number of security and antispam features available when using the Outlook 2007 client partnered with Exchange Server. Similarly, improvements have been made in the area of preventing unwanted viruses or malicious scripts from executing when a message is received or previewed. Microsoft continues to integrate advanced email security features such as digital signing of messages, mail encryption, and Information Rights Management.

Support for Secured Messaging

Microsoft’s Outlook 2007 development team has taken the feedback from IT groups as well as from end users and has recognized the ever-increasing need for secured messaging. To stay ahead of competitors, Outlook 2007 expanded its support for secured messaging, including S/MIME, digital signing, message encryption, and smart card support.

S/MIME Support, Digital Signatures, and Email Encryption

Though S/MIME support has been available in previous versions of Outlook, Outlook 2007 provides updated support for the latest S/MIME functionality. Using S/MIME, an email message is encrypted with the recipient’s public key and can be decrypted, and therefore read, only with the recipient’s private key. This public/private key pairing is what makes secure email correspondence possible.

S/MIME requires that the Outlook 2007 client have a certificate for cryptographic use on the client computer, stored locally either in the Microsoft Windows certificate store or on a smart card. The configuration can be pushed through Registry settings or via Group Policy, which makes it easy to implement S/MIME throughout an organization. Certificates for this kind of internal use are usually issued by an internal Public Key Infrastructure (PKI). The creation of an internal PKI goes beyond the scope of this book and is not included here.

S/MIME support also includes digital signing. Digital signing allows for security labels and signed secure message receipts, and it is how a message recipient can be sure that the message came from the person who claimed to send it. Using Outlook 2007, enterprisewide security labels such as “For Internal Use Only” are enforced, and messages can be labeled to restrict forwarding or printing through Information Rights Management. In addition, users can now request an S/MIME receipt confirming that a message was received. Because a signed receipt is generated only when the intended recipient actually receives the message and verifies the digital signature, a sender who gets one back knows that the recipient recognized and verified the signature. This allows email users to more safely trust the information they receive via email, which can be especially valuable when email is used for workflow or approval processes.

Setting Email Security on a Specific Message

Security such as payload encryption or digital signing can be set for an individual email using the options available when creating an email message. Clicking on the Options button opens the Message Options dialog box. There, the user can access the Security Properties page to set the security for the message. The user can choose to encrypt the message and/or add a digital signature, request S/MIME receipt, and configure the security settings.

To do this, follow these steps:

Open a new message.

Click the Options tab and click the arrow in the bottom-right corner of the More Options box.

Click the Security Settings button.

Add security settings as desired, similar to the ones shown in Figure 1.

Figure 1. Security Properties page in Outlook.

Click OK when you are finished.

Continue composing the message as normal.

Setting Email Security on the Entire Mailbox

Security settings can also be globally configured for the entire mailbox so that they apply at all times.

To do this, follow these steps:

Go to Tools, and select Trust Center.

Select Email Security from the left pane.

Enable the choices desired for security for the entire mailbox:

  • Encrypt Contents and Attachments for Outgoing Messages

  • Add Digital Signature to Outgoing Messages

  • Send Clear Text Signed Messages When Sending Signed Messages (picked by default). (This allows users who don’t have S/MIME security to read the message.)

  • Request S/MIME Receipt for All S/MIME Signed Messages

For all choices (except the third choice) to work properly, the user must get a digital certificate provided by the administrator. This can be imported by clicking on the Import/Export button at the bottom of the window beneath Digital IDs (Certificates) or by clicking on Get a Digital ID.

After you import the digital certificate, the security functionality is complete.

Click OK when you are finished.
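The third option above, Send Clear Text Signed Messages When Sending Signed Messages, is the difference between two S/MIME message layouts. The following Python example, added here and not taken from the article or from Outlook, builds both layouts with the standard library’s email package and shows why a clear-text signed message remains readable to a recipient without S/MIME support while an encrypted (enveloped) message does not. The signature and ciphertext bytes are constructed placeholders rather than real CMS objects; the addresses are the ones the article uses elsewhere.

```python
"""Added example (not from the article): the two S/MIME message layouts that
Outlook's Email Security options produce, and why a clear-text signed message
stays readable for recipients without S/MIME support while an encrypted
(enveloped) message does not.

The signature and ciphertext bytes are constructed placeholders, not real
CMS objects; the example is about the MIME structure, not the cryptography.
"""
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

# Constructed placeholder standing in for a DER-encoded PKCS#7 blob.
PLACEHOLDER_BLOB = b"\x30\x82\x01\x00" + bytes(range(64))

SENDER = "andrew@companyabc.com"      # addresses taken from the article's examples
RECIPIENT = "mark@companyabc.com"


def build_clear_signed(body: str) -> bytes:
    """Clear-text signed message (RFC 1847 multipart/signed): the body is the
    first part in plain text, the detached signature is the second part."""
    outer = MIMEMultipart("signed", protocol="application/pkcs7-signature",
                          micalg="sha-256")
    outer["From"], outer["To"], outer["Subject"] = SENDER, RECIPIENT, "Clear-signed"
    outer.attach(MIMEText(body, "plain"))
    sig = MIMEApplication(PLACEHOLDER_BLOB, "pkcs7-signature", name="smime.p7s")
    sig.add_header("Content-Disposition", "attachment", filename="smime.p7s")
    outer.attach(sig)
    return outer.as_bytes()


def build_enveloped(ciphertext: bytes) -> bytes:
    """Encrypted message: the entire body is one application/pkcs7-mime part
    carrying the CMS EnvelopedData; without the recipient's private key there
    is nothing human-readable in it."""
    msg = MIMEApplication(ciphertext, "pkcs7-mime", name="smime.p7m")
    msg.set_param("smime-type", "enveloped-data")
    msg.add_header("Content-Disposition", "attachment", filename="smime.p7m")
    msg["From"], msg["To"], msg["Subject"] = SENDER, RECIPIENT, "Encrypted"
    return msg.as_bytes()


def smime_kind(raw: bytes) -> str:
    """Classify a raw message by its outermost S/MIME layout."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return "clear-signed"
    if ctype == "application/pkcs7-mime":
        # opaque-signed or enveloped; the smime-type parameter says which
        return msg.get_param("smime-type") or "opaque"
    return "plain"


def readable_without_smime(raw: bytes):
    """Return the text a client with no S/MIME support can still display,
    or None when the whole body is an opaque CMS blob."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    ctype = msg.get_content_type()
    if ctype == "application/pkcs7-mime":
        return None
    if ctype == "multipart/signed":
        signed_content = msg.get_payload(0)      # first part is the signed text
        return signed_content.get_content().rstrip("\r\n")
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content().rstrip("\r\n") if body else None


if __name__ == "__main__":
    for raw in (build_clear_signed("The invoice is approved."),
                build_enveloped(PLACEHOLDER_BLOB)):
        print(smime_kind(raw), "->", readable_without_smime(raw))
```

The clear-signed layout is what lets a recipient on a client without S/MIME still read the body (the signature part simply shows up as an smime.p7s attachment), which is why Outlook picks that option by default; the enveloped layout has no readable part at all, so the recipient must hold the matching private key.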

Attaching Security Labels to Messages

Also a feature in Outlook 2007, security labels can be configured by the administrator and used by the end user to add a security label to the header of any email message. Security labels require digital certificates and denote the sensitivity and security of an email. This functionality leverages the Information Rights Management functions made possible by Exchange Server and Active Directory. Security labels carry information in the email header such as “Do not forward outside of the company” or “Confidential.” They can be configured on a message-by-message basis or for the entire mailbox.

To configure a security label for a single message, follow these steps:

Open a new message.

Click the Options tab and click More Options.

Click Security Settings from the Message Options window.

Click the Add Digital Signature to This Message check box.

Choose the security label, classification, and privacy mark that apply to the message.

Click OK when you are finished.

To configure a security label for all messages in the mailbox, follow these steps:

Go to Tools, Trust Center.

Click Email Security in the left pane.

Click Settings.

Click Security Labels.

Choose the policy module, classification, and privacy mark that will apply to all messages.

Click OK three times when you are finished.

Using Junk Email Filters to Reduce Spam

Improved antispam and antiphishing filters have now been integrated into Outlook 2007. With these features, the end user can configure the level of antispam filtering desired and control how strictly messages are checked. These local functions work in tandem with the antispam settings on the Exchange server.

In today’s business environment, organizations often find that more than 90% of the mail coming into their environment is spam. Rather than burden the end user with the task of reviewing and deleting spam messages, Outlook 2007 is able to determine if a message is spam and prevent the user from having to deal with it. This can be especially helpful as spam messages are often infected with viruses or contain materials that would be inappropriate in the workplace. Occasionally, Outlook 2007 misses some messages that are actually spam, but the user has the ability to help improve the system when using Exchange Server. By tagging a message as spam, Exchange Server will be more likely to catch a similar spam message in the future. This can benefit an entire network when users tag spam messages in this way.

With the Outlook 2007 Junk E-mail filter, messages are reviewed as the client receives them to determine whether each should be treated as junk or as valid email. To do this, the filter analyzes each message against a set of content criteria and against any imported list of known spammers. When Outlook is initially installed, the default setting is Low, which catches only the most obvious junk email. The end user can raise the sensitivity of the junk email feature; this catches more unwanted email but increases the chance of false positives, which are valid messages mistakenly treated as junk. Messages that the filter determines to be junk are moved to a Junk E-mail folder in the Outlook 2007 client, and the end user can and should occasionally review that folder to ensure that no valid messages were accidentally junked. Optionally, the end user can configure Outlook to permanently delete junk email messages as they arrive rather than saving them to the folder at all. This setting should be used with caution, because there is then no folder to review for false positives.

To configure junk email filtering, follow these steps:

In Outlook 2007, select Actions, Junk E-mail, and then Junk E-mail Options.

On the Options tab shown in Figure 2, choose the level of blockage desired. Use caution when increasing the level of blockage because missing valid messages that are incorrectly categorized as spam can at times be more of a problem than removing a few spam messages per day from your inbox.

Figure 2. Junk E-Mail filtering options in Outlook.

Click OK when you are finished.

Utilizing the Safe Senders List

If the Outlook 2007 Junk E-mail filter incorrectly determines that a message is junk, the end user can add the sender’s email address to the Safe Senders list. This list prevents the filter from classifying any further email from that sender as junk mail. This function is also referred to as a “whitelist.” The Safe Senders list supports both individual email addresses and wildcard domains. So, a user could add andrew@companyabc.com to allow that individual to send them messages, or the user could add @companyabc.com to allow any user from companyabc.com to send them a message.

The Safe Senders tab has two additional useful options. The first, Also Trust E-mail from My Contacts, ensures that messages sent from email addresses in the user’s Contacts folder bypass the Outlook antispam checks. However, this useful feature can cause an often overlooked problem. Spammers rarely send out spam with a valid From address. They often spoof the address to match that of the person they are sending to, so a message sent TO mark@companyabc.com will also appear to be FROM mark@companyabc.com. Now, if this user has a contact for himself in his Contacts folder and selects Also Trust E-mail from My Contacts, any mail with this address in the From field will be whitelisted, including some of the most prevalent spam. When selecting this option, users should make sure they do not have a contact for themselves.

The other option, Automatically Add People I E-mail to the Safe Senders List, is also useful. When users have more stringent settings in their Junk E-mail options, selecting this option builds a whitelist of anyone that the user sends an email to, working on the premise of “If you send to them, you probably want to receive from them.”

Utilizing the Safe Recipients List

The Safe Recipients list performs a very similar function to the Safe Senders list. The Safe Recipients list allows the user to configure email lists or mail-enabled groups of which they are a member. Any messages sent to these email groups are automatically considered “safe” and bypass Outlook’s antispam efforts.

Utilizing the Blocked Senders List

The opposite of the Safe Senders list is the Blocked Senders list. This concept is often referred to as a “blacklist.” By entering email addresses or wildcard domains, a user can tell Outlook 2007 to automatically junk any and all messages received from the blocked senders. This tab is not useful when it comes to fighting spam, however, because the worst offenders change their email addresses (and usually domain names) with every round of messages.


It is important to understand that Blocked Sender rules are based only on the Reply-to addresses given in the email. Reply-to addresses are usually forged in an attempt to slip around antispam systems.

Populating the Lists

To add users to the Safe Senders, Safe Recipients, or Blocked Senders lists, users can do the following:

In Outlook 2007, select Actions, Junk E-mail, and then Junk E-mail Options.

Choose one of the tabs (Safe Senders, Safe Recipients, Blocked Senders, or International), and then click Add to add the address to the appropriate list.

Type in the SMTP email address of the sender (or their domain) in the following format: jdoe@companyabc.com or @companyabc.com.

Click OK when you finish.

Alternatively, any of these lists can be populated with an initial set of addresses by using a combination of Group Policy and the Office Outlook 2007 template. However, once an entry has been added this way, administrators cannot remove it through Group Policy. If an invalid entry is distributed, it can be deleted by the user, or the entire list can be overwritten by pushing another list via GPO.

Some organizations have been known to add their own domain to the Safe Senders list and push it out to all users. This can be a huge mistake: much of the spam users face carries a spoofed “from” address that matches the “to” address, and with the organization’s own domain whitelisted, this setting leaves the door wide open.
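The two pitfalls described in this section and under the Safe Senders list (a contact for oneself combined with Also Trust E-mail from My Contacts, and the organization’s own domain pushed into Safe Senders) come down to how the lists are consulted before the heuristic filter runs. The following Python model is an added example, not Outlook’s own code; it assumes an evaluation order (safe senders, trusted contacts, safe recipients, blocked senders), case-insensitive matching with @domain wildcards as the article describes, and Blocked Senders matching on the Reply-To address when one is present. The audit function flags exactly the configurations the article warns against.

```python
"""Added example (not Outlook's code): a model of how the Safe Senders,
Safe Recipients and Blocked Senders lists interact with spoofed From
addresses, plus an audit of the list entries the article warns against.

Assumptions, labelled here because the article does not spell them out:
the lists are consulted in the order safe senders, trusted contacts, safe
recipients, blocked senders; address matching is case-insensitive and an
entry of the form @domain matches every address in that domain; the
Blocked Senders check uses the Reply-To address when one is present.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Message:
    sender: str                      # From header
    recipient: str                   # To header
    reply_to: Optional[str] = None   # Reply-To header, often forged in spam


@dataclass
class JunkLists:
    owner: str                       # the mailbox owner's own SMTP address
    safe_senders: Set[str] = field(default_factory=set)
    safe_recipients: Set[str] = field(default_factory=set)
    blocked_senders: Set[str] = field(default_factory=set)
    contacts: Set[str] = field(default_factory=set)
    trust_contacts: bool = False     # "Also Trust E-mail from My Contacts"


def _domain_of(address: str) -> str:
    return "@" + address.lower().rsplit("@", 1)[-1]


def _listed(address: str, entries: Set[str]) -> bool:
    """True if the exact address or its @domain wildcard is on the list."""
    normalised = {e.lower() for e in entries}
    return address.lower() in normalised or _domain_of(address) in normalised


def classify(msg: Message, lists: JunkLists) -> str:
    """'safe' bypasses the junk filter, 'junk' goes straight to Junk E-mail,
    'filter' is handed to the heuristic filter for a normal decision."""
    if _listed(msg.sender, lists.safe_senders):
        return "safe"
    if lists.trust_contacts and msg.sender.lower() in {c.lower() for c in lists.contacts}:
        return "safe"
    if _listed(msg.recipient, lists.safe_recipients):
        return "safe"
    if _listed(msg.reply_to or msg.sender, lists.blocked_senders):
        return "junk"
    return "filter"


def audit(lists: JunkLists) -> List[str]:
    """Flag configurations that let a From address spoofed to match the
    recipient slip past the filter entirely."""
    findings = []
    if _listed(lists.owner, lists.safe_senders):
        findings.append(f"{lists.owner} or its domain is on the Safe Senders list; "
                        "mail with From spoofed to the recipient bypasses the filter")
    if lists.trust_contacts and lists.owner.lower() in {c.lower() for c in lists.contacts}:
        findings.append("'Also Trust E-mail from My Contacts' is on and the owner "
                        "has a contact for themselves")
    return findings


def spoofed_to_self(owner: str) -> Message:
    """Constructed spam sample: the From address is forged to match the recipient."""
    return Message(sender=owner, recipient=owner)


if __name__ == "__main__":
    owner = "mark@companyabc.com"   # address used in the article
    risky = JunkLists(owner, safe_senders={"@companyabc.com"},
                      contacts={owner}, trust_contacts=True)
    sane = JunkLists(owner, safe_senders={"andrew@companyabc.com"},
                     blocked_senders={"@bulk.example.invalid"})
    print(classify(spoofed_to_self(owner), risky), audit(risky))
    print(classify(spoofed_to_self(owner), sane), audit(sane))
```

Running the model with the organization’s own domain whitelisted, or with a self-contact and the trust-contacts option enabled, returns "safe" for a message whose From address was forged to match the recipient; with individual addresses on the list instead, the same message falls through to the filter. The audit reports the same two conditions, which is the check an administrator would want to run over a list before pushing it out via GPO.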


Many services provide lists of junk senders for import into a Blocked Senders list. These lists are created based on known spammers. If your organization wants to provide the end users with a list of trusted or junk senders, the end user can easily import the list by clicking on the Import from File button. However, as previously stated, this option is of little value because the spammers change their address constantly.

Utilizing the International List

Outlook 2007 also has the ability to flag messages as junk based on where they came from. The International tab allows a user to block entire top-level domains or to block messages in particular languages. This is a more encompassing option than blocking by domain name but is often not an option for organizations with a large international presence.

Avoiding Web Beaconing

Web beaconing refers to the use of references to external content via email to identify a message as having been read. This allows a spammer to validate their list of addresses by identifying the messages that reached a valid user and were opened. When the end user opens the message or views it in the preview pane, the computer retrieves this external content. Outlook 2007 has the ability to block web beaconing, which can help reduce the chances of a user getting onto more spam lists.

To enable web beacon filtering from Outlook 2007, do the following:

Click Tools and then click Trust Center.

Select Automatic Download in the left pane.

Check the Don’t Download Pictures Automatically in HTML E-Mail Messages or RSS Items check box.

Click OK when you are finished.
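What the Automatic Download setting blocks is the fetch of any externally hosted reference in an HTML message body. The following Python example, added here and not Outlook’s implementation, walks an HTML body with the standard library’s HTMLParser, lists every reference a client would have to fetch from the network (image sources, backgrounds, CSS url() values, and so on), distinguishes those from cid: and data: references that resolve locally, and marks the ones that look like beacons (1x1 images or URLs carrying a per-recipient token). The sample message and its hostnames are constructed for the example.

```python
"""Added example (not Outlook's implementation): find the external
references in an HTML message body that a web beacon depends on, and
decide whether the message needs its external content blocked.
Uses only the standard library; the sample message below is constructed
for the example and the hostnames are placeholders."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# (tag, attribute) pairs whose value the client would fetch when rendering
EXTERNAL_ATTRS = {
    ("img", "src"), ("img", "lowsrc"), ("input", "src"),
    ("body", "background"), ("table", "background"), ("td", "background"),
    ("link", "href"), ("iframe", "src"), ("script", "src"), ("object", "data"),
}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")


@dataclass
class ExternalRef:
    tag: str
    url: str
    tracking_like: bool   # 1x1 image or a per-recipient token in the query string


def _is_external(url: str) -> bool:
    """cid: (inline attachment) and data: URLs stay local; http(s) does not."""
    return urlparse(url.strip()).scheme.lower() in ("http", "https")


def _tracking_like(tag: str, attrs: dict, url: str) -> bool:
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tag == "img" and (tiny or bool(urlparse(url).query))


class ExternalRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs: List[ExternalRef] = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: value for name, value in attrs if value is not None}
        for name, value in attrs.items():
            if (tag, name) in EXTERNAL_ATTRS and _is_external(value):
                self.refs.append(ExternalRef(tag, value, _tracking_like(tag, attrs, value)))
            elif name == "style":
                # background:url(...) in inline CSS is fetched just like an <img>
                for url in CSS_URL.findall(value):
                    if _is_external(url):
                        self.refs.append(ExternalRef(tag, url, False))


def find_external_refs(html: str) -> List[ExternalRef]:
    finder = ExternalRefFinder()
    finder.feed(html)
    finder.close()
    return finder.refs


def should_block_external_content(html: str) -> bool:
    """Mirror of the Trust Center option: any external reference at all means
    the content is not fetched until the user explicitly allows it."""
    return bool(find_external_refs(html))


# Constructed sample: one local logo, one page background, one tracking pixel
# carrying the recipient's address, and one CSS-referenced image.
SAMPLE_HTML = """<html><body background="http://track.example.invalid/bg.gif">
<p>Quarterly results attached.</p>
<img src="cid:logo@companyabc.com" alt="logo">
<img src="http://track.example.invalid/open.gif?u=mark%40companyabc.com" width="1" height="1">
<div style="background:url(https://cdn.example.invalid/x.png)"></div>
</body></html>"""

if __name__ == "__main__":
    for ref in find_external_refs(SAMPLE_HTML):
        print(f"{ref.tag:5} {'BEACON?' if ref.tracking_like else 'external'} {ref.url}")
```

On the sample, three references are external and only the 1x1 image with the recipient’s address in its query string is flagged as beacon-like; the cid: logo is an inline attachment and needs no network fetch. Outlook’s setting does not try to tell beacons from ordinary images, which is the right call: any fetch at all confirms the address to whoever hosts the content, so blocking everything external until the user asks for it is the safe default.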
