
Securing Outlook, Part Two: Many Choices to Make 

Dec 23, 2002 02:00 AM

by Scott Granneman

This is the second of two articles focusing on ways to secure one of the world's most popular e-mail clients, Microsoft's Outlook. The first article offered a brief overview of Outlook, as well as some of the threats that undermine its security. It also discussed configuring Outlook for optimal security. This article will look at some more things that Outlook users can do to improve their e-mail security.

Outlook E-Mail Security Update

Microsoft Outlook has been the victim, over and over again, of security lapses and holes. Finally, after years of patches designed to fix problems after they occurred, Microsoft decided to act proactively to improve security in Outlook. Unfortunately, this came at the expense of functionality. Whether or not this tradeoff is appropriate for your needs is for you to decide.

Microsoft's big solution to the virus problem was the Outlook E-Mail Security Update. Available for Outlook 98 or 2000, unavailable for Outlook 97, and built-in to Outlook 2002, this update changes the behavior of Outlook in radical ways. What exactly does it do?

Blocks Unsafe Files

One change is immediately obvious: the update blocks your ability to receive e-mail attachments associated with what Microsoft calls "unsafe files", files that can execute code. If you receive an e-mail with an "unsafe file", you will see the following:

Figure 1: Unsafe file notification ("Outlook has blocked access to an unsafe attachment")

And what files are blocked? The list is actually quite long - 37 file types in all - but some of the types you might recognize include Batch Files (.bat), Windows Installer Packages (.msi), DOS Applications (.com), Photo CD Images (.pcd), Registry Entries (.reg), Applications (.exe), Screen Savers (.scr), Windows Help Files (.hlp), Internet Shortcuts (.url), and Program Shortcuts (.lnk). For the full list of files, check out Microsoft's Outlook E-mail Security Update - Frequently Asked Questions.

You can still attach these files as an attachment to an e-mail; however, you will be warned that other Outlook users may not be able to access them. You can still send your attachment, but anyone using a version of Outlook with blocking enabled will not be able to access the files.

If you want to exchange documents in those formats, Microsoft suggests that you "post them to file shares, intranets, on-line hard drives, or community Web sites." Otherwise, you need to bundle the intended files together using a program such as WinZip, because the one type of file that is always allowed is .zip.

I don't dispute that many of the file types on the banned list belong there; after all, there is absolutely no reason why normal users should be receiving Windows Scripting Host (.wsh) or VBScript Script Files (.vbs) in their e-mail, except for nefarious purposes. But the inclusion of so many file types will lead to confusion for many people, and many people don't understand how to zip or unzip files. Critics have thus charged that Microsoft has used a sledgehammer where a scalpel would do.

The blocking of so many different e-mail attachments has resulted in a cottage industry designed to get around the restrictions. Probably the best overview of your options can be found on Slipstick's Opening .exe Attachments with the Outlook E-mail Security Update and Outlook 2002. Of course, there's one little detail that it is important to be aware of: Outlook 2002 allows you to override the banning of certain attachment filetypes so that you can start sending and receiving those attachments again, without having to zip and unzip the files.

Another significant problem with the Update: once installed, you cannot uninstall it. The only way to remove the Update is to completely uninstall all of Office and then reinstall it again!

Before installing the Outlook E-Mail Security Update over your copy of Outlook 98/2000, you really should read Microsoft's explanation. If you use Outlook 98, you need to read (Q262618) OL98: Known Issues with the Outlook E-Mail Security Update; if Outlook 2000 is your tool of choice, read (Q262634) OL2000: Known Issues with the Outlook E-Mail Security Update.

Object Model Guard

Viruses and worms often propagate themselves by accessing the user's address book and then sending recipients e-mails that contain an attached copy of the virus. Most worms require the recipient to run the attachment; unfortunately, many worms now run merely if the user previews the e-mail in the Preview Pane. To prevent the automatic running of content, turn off the Preview Pane. Details are available in Securing Privacy: E-mail.

In an effort to prevent programs from accessing your address book without your knowledge or sending e-mail without your approval, Microsoft's E-Mail Security Update adds the "Object Model Guard". If a program does try to access your address book or send e-mail, Outlook warns you and then lets you choose whether or not to continue.

Figure 2: Warning that a program is trying to access the Outlook address book

Note that you can say "Yes" and then set a time limit for how long access is allowed. This allows people who use devices such as Palm or PocketPC to synchronize their address books with Outlook.

Security Zone

The E-Mail Security Update also changes the Security zone used by Outlook to "Restricted". What we did manually in the previous article, in other words, Microsoft's update does for you.

Change System Settings: Securing Windows to Secure Outlook

Since Outlook is made by Microsoft, and since Microsoft continually attempts to integrate all of its products in order to make it harder to avoid using them, you can vastly improve the security of Outlook if you also make some changes to Windows as well.

Install and update antivirus software

The heading above says it all. Do it. No excuses.

Update Software Regularly

You are using Windows Update regularly, right? If you aren't, head over to http://windowsupdate.microsoft.com immediately and update your copy of Windows. After making sure that Windows itself is as safe as it can be, visit the Office Download Center if you're using Outlook 97/98 or the Office Product Updates site if you're using Outlook 2000/2002.

Turn On File Extensions

By default, Windows ships with file extensions turned off, in an attempt to emulate the Macintosh. This means that even if the real name of a file is "foo.jpg", Windows displays the file name as "foo". This becomes a real problem with e-mail attachments.

If your file extensions are turned off and you receive an e-mail with an attachment titled "SexyPicture.jpg", you may be tempted to click on the attachment to see it. Sure enough, a sexy picture is displayed on your computer; however, at the same time a program designed to grab your credit card numbers is installed on your computer behind your back.

That's because the name of the attachment wasn't really "SexyPicture.jpg". Instead, it was "SexyPicture.jpg.exe". Since you had file extensions turned off, the "exe" part didn't show up. But the bad guy was clever and used "jpg" in the file name in order to put you off your guard. If you had file extensions turned on, you would see that you were about to click on an executable program and would hopefully stop, no matter how great the temptation.

So how do you turn on file extensions? It's actually pretty easy, although it is a little detailed for this discussion. For the full directions, see Configuring Windows To Show Extensions, which includes instructions and screenshots.
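The two points above (the "unsafe file" types that the Security Update blocks, and the "SexyPicture.jpg.exe" double-extension trick that hidden extensions conceal) can be turned into a small attachment triage routine. This is an added example, not code from the original article or from Microsoft; the blocked list is only the subset of the 37 types the article names, and the decoy-extension list is my own assumption.

```python
# Added example (not from the original article): classify attachment names
# as a defender reviewing mail logs or gateway output might, using the
# Outlook E-Mail Security Update "unsafe file" types the article lists and
# the double-extension disguise it describes.
import os

# Subset of the blocked types named in the article (not Microsoft's full list).
BLOCKED_EXTENSIONS = {
    ".bat", ".msi", ".com", ".pcd", ".reg", ".exe",
    ".scr", ".hlp", ".url", ".lnk", ".wsh", ".vbs",
}

# Extensions a user expects to be harmless (assumed list); a blocked type
# hiding behind one of these is the deception the article warns about.
BENIGN_DECOYS = {".jpg", ".jpeg", ".gif", ".txt", ".doc", ".pdf"}


def classify_attachment(filename: str) -> str:
    """Return 'blocked', 'disguised', or 'allowed' for an attachment name.

    Windows acts on the final extension only, so the verdict is based on
    the real (last) extension, compared case-insensitively. A blocked type
    sitting behind a decoy extension is reported as 'disguised', because
    that is exactly the case a user with extensions hidden cannot see.
    """
    base = os.path.basename(filename.replace("\\", "/")).strip()
    root, real_ext = os.path.splitext(base)
    if real_ext.lower() not in BLOCKED_EXTENSIONS:
        return "allowed"
    # Look at the extension *before* the real one to catch "picture.jpg.exe".
    _, decoy_ext = os.path.splitext(root)
    return "disguised" if decoy_ext.lower() in BENIGN_DECOYS else "blocked"


def display_name(filename: str, extensions_hidden: bool = True) -> str:
    """Mimic what Explorer shows when 'hide extensions' is on: the last
    extension is dropped, so 'SexyPicture.jpg.exe' appears as 'SexyPicture.jpg'."""
    base = os.path.basename(filename.replace("\\", "/"))
    root, _ = os.path.splitext(base)
    return root if extensions_hidden else base


def triage(names):
    """Classify a batch of attachment names; returns {name: verdict}."""
    return {n: classify_attachment(n) for n in names}


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real mailbox.
    samples = ["report.doc", "SexyPicture.jpg.exe", "setup.exe",
               "archive.zip", "notes.TXT.vbs"]
    for name, verdict in triage(samples).items():
        print(f"{display_name(name):20} really {name:22} -> {verdict}")
```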

Back up Your Data

If you're going to use Outlook, you really need to have a back-up regimen in place. If you are using Outlook to connect to an Exchange server, all of your data is really stored on the server, which presumably is backed up regularly. If, however, you connect to an Exchange server, but you also store your data on your machine (on your laptop, say, so you can read and reply to e-mail while you're on a plane), then the repository of data on your computer is in what Microsoft calls an "Offline Folder file", denoted by the file extension ".ost". Likewise, if you use Outlook in Internet Mail Only (IMO) mode, then your data is always stored on your machine, but in what Microsoft terms a "Personal Folders file", which ends in .pst.

You should realize that every bit of data managed by Outlook is in your PST or OST file. If the OST file gets corrupted, it is not a huge problem, as you can create a new one from your Exchange server. But if you delete the data on the Exchange server thinking you can still use the OST file, you're going to be sorely disappointed. As Microsoft's support site puts it, "Offline Folder files (OSTs) are considered slave replicas of the server-based folders. If you delete the master, the slave is orphaned ... the data in the OST is lost". Gulp.

If you're not using Exchange server, and you're therefore using IMO mode for Outlook, you need to protect that PST file as strongly as possible. That PST file contains all of your e-mail, your contacts, your calendar, your task list - everything. If that file gets corrupted, it is possible (and I mean "possible", not "certain") to recover your data using Microsoft's ScanPST tool, but it doesn't always work, and when it fails, all of your data is gone or unusable. And since a PST file is a binary file, not a plain text file, you can't just open it up in a text editor to view your data, as you can with many other e-mail clients, like Mozilla and Eudora. Worse, PST files have a nasty habit of ballooning to truly gargantuan sizes unless you delete e-mail often (by the way, the fastest way to grotesquely distend the size of your PST file is to turn on Journaling, so I strongly recommend against enabling the Journaling feature in Outlook).

How you choose to back up your Outlook file is up to you. The brute force method would be to search your hard drive for your PST file - probably named "outlook.pst" - and then copy that file onto a Zip disk or CD. If you use an actual backup program to automate the process, add the folder containing your PST file to the list of archived items.

If you use Outlook 2000, Microsoft has provided a free Personal Folders Back-up Add-in that you can download and install that will help to automate the backup process for your PST file. If you'd like more information about backing up your Outlook data, Microsoft's article on How to Back Up, Restore, or Move Outlook Data will be handy.

No matter what method you use, back up your Outlook files regularly.

Consider Other E-mail Clients

Finally, if Outlook's history of problematic security concerns you, then perhaps you should consider switching to another e-mail program. Eudora is a fine program with a strong community of users. Mozilla and Netscape both offer an excellent e-mail program (Mozilla and Netscape are essentially the same program; AOL, which owns Netscape, periodically uses the latest open source Mozilla code as a base for a new release of Netscape). Pegasus Mail has a devoted user base that swears by it. All of these clients are free, although Eudora also offers Eudora Pro, a version of the software that includes additional features, for a modest price.

Some e-mail clients require you to buy them. The Bat is a relatively little known program that is well loved by its users. Mulberry is available for Mac, Windows, and Linux, one of the only truly cross-platform clients mentioned here (the other is Mozilla/Netscape), and it supports IMAP beautifully, as well as POP.

One client you probably should not consider switching to, however, is Outlook Express. Although it is confusingly named in a similar fashion to Outlook, the two programs really have nothing to do with each other, beyond one troubling aspect: security. Microsoft has released security patch after security patch for OE, making it almost as problematic as Outlook. And, since Internet Explorer is the underlying engine used to display HTML-based e-mail in OE, too often vulnerabilities in IE affect OE as well.

If you are ready to make the jump to Web-based e-mail, there are many options available for you. Yahoo! Mail has been around a long time and does a good job while offering you several services, like an address book and calendar that can be integrated with your e-mail. Netscape Mail has been around forever and works well. HushMail encrypts all e-mail sent to other HushMail users with PGP. All are free services, although you can pay for higher levels of service.

If you want a straight commercial service, there are several to choose from. Onebox consolidates e-mail, voice mail, and faxes in one place, which can be tremendously convenient. Net@ddress has garnered high praise from CNET and other publications, and has several nice features, including generous storage allotments. Mailshell enables you to create any number of disposable e-mail addresses in an effort to reduce spam.

If you are concerned about your security and privacy, then you probably shouldn't use Microsoft's Hotmail for Web-based e-mail. Microsoft requires users to sign in to Hotmail using its Passport authentication service. If you use Hotmail, notice that you don't actually sign in at www.hotmail.com; instead, you are redirected to hotmail.passport.com. Passport is Microsoft's scheme to centralize authentication for a huge number of Web sites. Beyond the obvious privacy implications - do we really want Microsoft to possess the world's largest database about our personal information, the Web sites we visit, and the items we buy on-line? - numerous authors have outlined in great detail the serious security flaws inherent in Passport. (See the Relevant Links section at the end of this article for more information.) At this time, it's just not safe enough to trust.

Conclusion

As you can see, Outlook is popular and does many things very well, but it is unfortunately saddled with quite a few security problems. With careful planning and even more careful attention to Outlook as it does its job, it is possible to use Outlook in a safe, effective way to manage e-mail and other information.

Appendix

Here's a handy checklist to help you secure your copy of Outlook. The version of Outlook to which the checklist item applies is in parentheses.

Configure Outlook correctly

Set your security zone to "Restricted sites", and configure Restricted sites (97, 98, 2000, 2002).

Outlook E-Mail Security Update

Install the Outlook E-Mail Security Update (98, 2000).

Configure the E-Mail Security Update to allow desired attachments (98, 2000, 2002).

Change System Settings

Install and update antivirus software (97, 98, 2000, 2002).

Update Windows regularly using Windows Update (97, 98, 2000, 2002).

Update Outlook regularly using Office Download Center or Office Product Updates (97, 98, 2000, 2002).

Turn on file extensions (97, 98, 2000, 2002).

Delete old data from Outlook regularly (97, 98, 2000, 2002).

Back up your data regularly (97, 98, 2000, 2002).

Consider Other E-mail Clients

If you're unhappy, investigate other e-mail clients (97, 98, 2000, 2002).

Acknowledgments

Thanks to Jeff Wilhelm of the WWWAC list for his help with this article.


This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.
