Sdílet prostřednictvím


Set consistent Outlook 2007 cryptography options for an organization

Updated: April 16, 2012

Applies To: Office Resource Kit

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see , Resources to help you upgrade your Office 2007 servers and clients.

 

Topic Last Modified: 2016-11-14

You can control many aspects of Microsoft Office Outlook 2007 cryptography features to help configure more secure messaging and message encryption for your organization. For example, you can configure a Group Policy setting that requires a security label on all outgoing mail or a setting that disables publishing to the Global Address List.

You can lock down the settings to customize cryptography by using the Outlook Group Policy template (Outlk12.adm). Or you can configure default settings by using the Office Customization Tool (OCT), in which case users can change the settings. The OCT settings are in corresponding locations on the Modify user settings page of the OCT.

The Outlook template and other ADM files can be downloaded from 2007 Office System Administrative Templates (ADM) on the Microsoft Download Center.

To customize cryptographic options by using Group Policy

  1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm).

  2. To customize cryptographic settings, under User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography, double-click the policy setting you want to set. For example, double-click Do not display 'Publish to GAL' button. (Some options are included in the Signature Status dialog box folder.)

  3. Click Enabled. When appropriate, choose an option that displays on the Setting tab.

  4. Click OK.

The settings you can configure for cryptography are shown below.

Cryptography option Description

Minimum encryption settings

Set to the minimum key length for an encrypted e-mail message.

S/MIME interoperability with external clients:

Specify the behavior for handling S/MIME messages.

Always use Rich Text formatting in S/MIME messages

Always use Rich Text for S/MIME messages instead of the format specified by the user.

S/MIME password settings

Specify the default and maximum amount of time that an S/MIME password is valid.

Message formats

Choose message formats to support: S/MIME (default), Exchange, Fortezza, or a combination of formats.

Message when Outlook cannot find the digital ID to decode a message

Enter a message to display to users.

Do not provide Continue option on Encryption warning dialog boxes

Disable the Continue button on encryption settings warning dialog boxes.

Run in FIPS compliant mode

Put Outlook into FIPS 140-1 mode.

Do not check e-mail address against address of certificates being using (sic)

Do not verify user's e-mail address with address of certificates used for encryption or signing.

Encrypt all e-mail messages

Encrypt outgoing e-mail messages.

Sign all e-mail messages

Sign outgoing e-mail messages.

Send all signed messages as clear signed messages

Use Clear Signed for signed outgoing e-mail messages.

Request an S/MIME receipt for all S/MIME signed messages

Request a security-enhanced receipt for outgoing e-mail messages.

URL for S/MIME certificates

Provide a URL at which users can obtain an S/MIME receipt. The URL can contain three variables (%1, %2, and %3), that will be replaced by the user's name, e-mail address, and language, respectively.

Ensure all S/MIME signed messages have a label

Require all S/MIME-signed messages to have a security label.

Do not display 'Publish to GAL' button

Disable the 'Publish to GAL' button on the E-mail Security page of the Trust Center.

Signature Warning

Specify an option for when signature warnings display to users.

S/MIME receipt requests

Specify an option for how S/MIME receipt requests are handled.

Fortezza certificate policies

Enter a list of policies allowed in the policies extension of a certificate showing that the certificate is a Fortezza certificate. List policies separated by semi-colons.

Require SUITEB algorithms for S/MIME operations

Use only Suite-B algorithms for S/MIME operations.

Enable Cryptography Icons

Display Outlook cryptography icons in the Outlook UI.

Retrieving CRLs (Certificate Revocation Lists)

Specify how Outlook behaves when CRL lists are retrieved.

Missing CRLs

Specify the Outlook response when a CRL is missing: display error or warning (default).

Missing root certificates

Specify the Outlook response when a root certificate is missing: display error or warning (default).

Promote Level 2 errors as errors, not warnings

Specify the Outlook response for Level 2 errors: display error or warning (default).

Attachment Secure Temporary Folder

Specify a folder path for the Secure Temporary Files Folder. This overrides the default path and is not recommended.

More information about setting Outlook cryptography options

The following sections provide additional information about configuration options for Outlook cryptography.

Outlook security policy settings

The following table lists the Windows registry settings you can configure for your custom installation. The Windows registry settings correspond to the Group Policy settings listed earlier. You add these value entries in the following subkey:

HKEY_CURRENT_USER\Software\\Microsoft\Office\12.0\Outlook\Security

Value name Value data (Data type) Description Corresponding UI option

AlwaysEncrypt

0, 1 (DWORD)

Set to 1 to encrypt outgoing messages. Default is 0.

Encrypt contents check box (E-mail Security page).

AlwaysSign

0, 1 (DWORD)

Set to 1 to sign outgoing messages. Default is 0.

Add digital signature check box (E-mail Security page).

ClearSign

0, 1 (DWORD)

Set to 1 to use Clear Signed for outgoing messages. Default is 0.

Send clear text signed message check box (E-mail Security page).

RequestSecureReceipt

0, 1 (DWORD)

Set to 1 to request security-enhanced receipts for outgoing messages. Default is 0.

Request S/MIME receipt check box (E-mail Security page).

ForceSecurityLabel

0, 1 (DWORD)

Set to 1 to require a label on outgoing messages. (The registry setting does not specify which label.) Default is 0.

None

ForceSecurityLabelX

ASN encoded BLOB (Binary)

This value entry specifies whether a user-defined security label must exist on outgoing signed messages. The string can optionally include label, classification, and category. Default is no security label required.

None

SigStatusNoCRL

0, 1 (DWORD)

Set to 0 to specify that a missing CRL during signature validation is a warning. Set to 1 to specify that a missing CRL is an error. Default is 0.

None

SigStatusNoTrustDecision

0, 1, 2 (DWORD)

Set to 0 to specify that a No Trust decision is allowed. Set to 1 to specify that a No Trust decision is a warning. Set to 2 to specify that a No Trust decision is an error. Default is 2.

None

PromoteErrorsAsWarnings

0, 1 (DWORD)

Set to 0 to promote Error Level 2 errors as errors. Set to 1 to promote Error Level 2 errors as warnings. Default is 1.

None

PublishtoGalDisabled

0, 1 (DWORD)

Set to 1 to disable the Publish to GAL button. Default is 0.

Publish to GAL button (E-mail Security page)

FIPSMode

0, 1 (DWORD)

Set to 1 to put Outlook into FIPS 140-1 mode. Default is 0.

None

WarnAboutInvalid

0, 1, 2 (DWORD)

Set to 0 to display the Show and Ask check box (Secure E-mail Problem dialog box). Set to 1 to always show the dialog box. Set to 2 to never show the dialog box. Default is 0.

Secure E-mail Problem dialog box.

DisableContinueEncryption

0, 1 (DWORD)

Set to 0 to show the Continue Encrypting button in the final Encryption Errors dialog box. Set to 1 to hide the button. Default is 0.

Continue Encrypting button on final Encryption Errors dialog box. This dialog box appears when a user tries to send a message to someone who cannot receive encrypted messages. This setting disables the button that allows users to send the message regardless. (The recipient cannot open encrypted mail messages sent by overriding the error.)

RespondtoReceiptRequest

0, 1, 2, 3 (DWORD)

Set to 0 to always send a receipt response and prompt for a password, if needed. Set to 1 to prompt for a password when sending a receipt response. Set to 2 to never send a receipt response. Set to 3 to enforce sending a receipt response. Default is 0.

None

NeedEncryptionString

String

Displays the specified string when the user tries unsuccessfully to open an encrypted message. Can provide information about where to enroll in security. Default string is used, unless the value is set to another string.

Default string

Options

0, 1 (DWORD)

Set to 0 to show a warning dialog box when a user attempts to read a signed message with an invalid signature. Set to 1 to never show the warning. Default is 0.

None

MinEncKey

40, 64, 128, 168 (DWORD)

Set to the minimum key length for an encrypted e-mail message.

None

RequiredCA

String

Set to the name of the required certificate authority (CA). When a value is set, Outlook disallows users from signing e-mail by using a certificate from a different CA.

None

EnrollPageURL

String

URL for the default certificate authority (internal or external) from which you wish your users to obtain new digital IDs. Note: Set in HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security subkey if you do not have administrator rights on the user's computer.

Get Digital ID button (E-mail Security page).

When you specify a value for PromoteErrorsAsWarnings, potential Error Level 2 conditions include the following:

  • Unknown Signature Algorithm

  • No Signing Certification Found

  • Bad Attribute Sets

  • No Issuer Certificate Found

  • No CRL Found

  • Out of Date CRL

  • Root Trust Problem

  • Out of Date CTL

When you specify a value for EnrollPageURL, use the following parameters to send information about the user to the enrollment Web page.

Parameter Placeholder in URL string

User display name

%1

SMTP e-mail name

%2

User interface language ID

%3

For example, to send user information to the Microsoft enrollment Web page, set the EnrollPageURL entry to the following value, including the parameters:

www.microsoft.com/ie/certpage.htm?name=%1&email=%2&helplcid=%3

For example, if the user's name is Jeff Smith, e-mail address is someone@example.com, and user interface language ID is 1033, the placeholders are resolved as follows:

www.microsoft.com/ie/certpage.htm?name=Jeff%20Smith&email=someone@example.com&helplcid=1033

Security policy settings for general cryptography

The following table shows additional Windows registry settings that you can use for your custom configuration. These settings are contained in the following subkey:

HKEY_CURRENT_USER\Software\Microsoft\Cryptography\SMIME\SecurityPolicies\Default

Value name Value data (Data type) Description Corresponding UI option

ShowWithMultiLabels

0, 1, (DWORD)

Set to 0 to attempt to display a message when the signature layer has different labels set in different signatures. Set to 1 to prevent display of message. Default is 0.

None

CertErrorWithLabel

0, 1, 2 (DWORD)

Set to 0 to process a message with a certificate error when the message has a label. Set to 1 to deny access to a message with a certificate error. Set to 2 to ignore the message label and grant access to the message. (The user still sees a certificate error.) Default is 0.

None

Security policy settings for KMS-issued certificates

The values in the following table only apply to certificates issued by Microsoft Exchange Key Management Service (KMS). The table shows additional Windows registry settings that you can use for your custom configuration. These settings are contained in the following subkey:

HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Defaults\Provider

Value name Value data (Data type) Description Corresponding UI option

MaxPWDTime

0, number (DWORD)

Set to 0 to remove the user's ability to save a password (the user is required to enter a password each time a key set is required). Set to a positive number to specify a maximum password time in minutes. Default is 999.

None

DefPWDTime

Number (DWORD)

Set to the default value for the amount of time a password is saved.

None

Download this book

This topic is included in the following downloadable books for easier reading and printing:

See the full list of available books at Office Resource Kit information.