Making Outlook Less Insecure
Securing Outlook Itself
Now let's dive into the wonderful world of patches and configuration tweaks for Outlook/Outlook Express. In a nutshell, turn off everything everywhere: scripting, preview pane, HTML, etc. — off, off, everything off.
There are something like eight different versions of Outlook. Whatever version you have, find the Security tab under Tools => Options. By the way, everything you do in this menu will affect Outlook, Internet Explorer, and Outlook Express.
Let's take a look at all the things to turn off in the Internet Zone. Accept no defaults; this is a custom job all the way. Select "Custom Level" and turn off all these options:
- ActiveX: Never ever ever allow ActiveX to run. It is designed expressly to allow remote execution of code over the Internet. Why anyone thought this would be a good idea is a complete mystery. Ignore the nonsense about "ActiveX controls marked safe for scripting." As if, since it's signed — by the author, no less — it will be any less questionable. Just say NO — disable all the checkboxes for ActiveX.
- Disable font and file downloads — unless you actually anticipate needing a Chinese font, or some such spam trick.
- Java: I have mixed feelings about Java. Sun claims Java applets are safe and have never been exploited. Me, I disable it just to be on the safe side.
- Disable "Access data sources across domains" and "Drag and drop or copy and paste files." Neither one serves any useful purpose (except to spammers and viruses).
- "Installation of desktop items" – NO! Turn it off.
- "Launching programs and files in an iframe" – No, no, a hundred times NO. Oh, iframes are wonderful — to a virus author who wishes to execute code on your system via Internet Explorer. (Outlook and Outlook Express use IE to render HTML-formatted mail.)
- Keep going on down the form, checking "Disable" for everything until you reach "Software channel permissions." Set "Software channel permissions" to "High safety." I have no idea if anyone is still trying to turn the Internet into TV — like we are baby birds waiting to be force-fed regurgitated matter — but in any case, take no chances. (This is assuming "High safety" actually helps, which I would not bank on, being an untrusting sort of human.)
- Attachment Security button: Yes, it's an oxymoron. This button is present only on older versions of Outlook. Your choices are "High" or "None." Obviously, choose High.
- No Preview Pane. It's a shame, but many exploits don't even need the user to click on them — just using the Preview Pane activates them. Kill it off via the View => Layout => Preview Pane menu.
- No HTML mail. As you have been faithfully following my CrossNodes columns, you've doubtless already read my rants against HTML mail. In a nutshell, the HTML mail option allows malicious code to be executed on your computer, so again, just say no.
On newer versions of IE and Outlook, you have the option to select which zone becomes the default Internet zone. Choose "restricted zone," and go through its options just like we did above. No, no, no, no, no, etc.
Notice the different zones, "Trusted Sites" and "Local Intranet," each of which can be configured differently. As viruses are spread by the millions from trusted sources, I'd say it's best to continue to say no to everything.
You could install the Outlook E-mail Security Update, which is supposed to quarantine certain executable attachments from running on your system. The update also will alert users when an outside program attempts to monkey with their address books. I've had mixed success with it, though; the major downside is that it's not something you can easily uninstall if you don't like it. I quote: "...this update integrates with your Outlook product and cannot be uninstalled without completely uninstalling Office."
The fun is not over. Keeping Windows patched and updated is important, yet not foolproof. I cannot count the number of times installing a patch or upgrade created new problems. Regardless, keeping up-to-date is important. See Windows Update for Windows patches and updates. (Amusingly, you'll find the site proclaims that "Windows Update can only be accessed by Internet browsers that support ActiveX Controls.")
Windows installs with file extensions hidden by default. Turn this back on, duh; if you can't see the file extension, how can you tell what it is? This particular command gets moved around on different versions of Windows. Try My Computer => Tools => Folder Options => View. Un-check "Hide file extensions for known file types." Set it to "Show hidden files and folders" and "Display the full path on the title bar/address bar."
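The zone checklist above and the Explorer view settings in this section all live in the current user's registry, so they can be audited and enforced in one pass instead of clicked through per machine. The PowerShell below is an added example, not code from the column; it assumes Microsoft's documented zone registry layout (action IDs such as 1200 for "Run ActiveX controls" and 1804 for "Launching programs and files in an IFRAME", with 3 = Disable and 0x10000 = High safety), zone 3 being the Internet zone and zone 4 Restricted sites, and the Explorer value names HideFileExt, Hidden and FullPath.

```powershell
# Added example, not from the column: audit (or enforce) the zone lockdown above and the
# Explorer view settings for the current user. Action IDs follow Microsoft's documented
# zone registry layout: 3 = Disable, 0 = Enable, 0x10000 = High safety.
$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneLockdown = [ordered]@{
    '1200' = 3        # Run ActiveX controls and plug-ins
    '1201' = 3        # Initialize and script ActiveX controls not marked as safe
    '1405' = 3        # Script ActiveX controls marked "safe for scripting"
    '1400' = 3        # Active scripting
    '1604' = 3        # Font download
    '1803' = 3        # File download
    '1C00' = 0        # Java permissions: 0 = Disable Java
    '1406' = 3        # Access data sources across domains
    '1802' = 3        # Drag and drop or copy and paste files
    '1800' = 3        # Installation of desktop items
    '1804' = 3        # Launching programs and files in an IFRAME
    '1E05' = 0x10000  # Software channel permissions: High safety
}
# Explorer: show extensions (HideFileExt=0), show hidden files (Hidden=1), full path in title bar.
$Adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ExplorerSettings = @(
    @{ Key = $Adv; Name = 'HideFileExt'; Value = 0 },
    @{ Key = $Adv; Name = 'Hidden';      Value = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState'; Name = 'FullPath'; Value = 1 }
)
function Invoke-OutlookLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$AuditOnly)
    # Zone 3 = Internet, zone 4 = Restricted sites (the zone newer Outlook versions can use for mail).
    $checks = foreach ($zone in 3, 4) {
        foreach ($e in $ZoneLockdown.GetEnumerator()) {
            @{ Key = (Join-Path $ZonesKey $zone); Name = $e.Key; Value = $e.Value }
        }
    }
    $checks += $ExplorerSettings
    $findings = foreach ($c in $checks) {
        # A missing value means the zone template default applies; treat that as a finding too.
        $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $actual -and [int]$actual -eq [int]$c.Value) { continue }
        "$($c.Key)\$($c.Name): expected $($c.Value), found $(if ($null -eq $actual) {'<unset>'} else {$actual})"
        if (-not $AuditOnly -and $PSCmdlet.ShouldProcess("$($c.Key)\$($c.Name)", "set to $($c.Value)")) {
            if (-not (Test-Path $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
            Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Value -Type DWord
        }
    }
    return $findings
}
Invoke-OutlookLockdown -AuditOnly   # list deviations; drop -AuditOnly (or add -WhatIf) to enforce
```

Run it under the account whose Outlook you are hardening, since the settings are per-user; the audit output doubles as a quick check that a later update or installer has not quietly re-enabled something.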
Eyes and Ears Open
Finally, make sure your abuse@ and postmaster@ addresses are working, and even better, being read by real live humans. If something malicious is being spewed forth from your systems, the unhappy recipients need to be able to tell you.
Well I don't know about you, but I feel pretty tired after all that. This column was brought to you by Libranet Debian Linux 2.7, Abiword, and Kmail.