Condividi tramite


Code Security Changes in Outlook 2007

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Summary: Learn how Outlook 2007 enhances code security to help protect Outlook users against malicious code while reducing security warnings for developers and users. Find out how these changes make developing and using Outlook solutions easier while maintaining security. This article applies to managed and unmanaged Outlook COM add-ins and cross-process applications that access Outlook by using the Outlook COM interfaces. (16 printed pages)

Ryan Gregg, Microsoft Corporation

June 2006

Applies to: Microsoft Office Outlook 2007

Contents

  • Overview of Code Security Changes

  • Code Security Defaults

  • Security Warnings

  • Administrator Options

  • Protected Members List

  • Conclusion

  • Additional Resources

Overview of Code Security Changes

To prevent malicious programs and viruses from propagating through e-mail messages, certain versions of Outlook have included the Object Model Guard to help protect against malicious use of the Outlook object model. Versions that have already been released include Microsoft Office Outlook 2003, Microsoft Outlook 2002, Microsoft Outlook 2000 Service Pack 3, Microsoft Outlook 2000 Service Pack 2, and Microsoft Outlook 2000 and Microsoft Outlook 98, which have been updated with the Outlook E-mail Security Update. Outlook solutions that access these protected properties and methods in the object model may invoke security warnings that the user must respond to before the solution can continue. Microsoft Office Outlook 2007 introduces several changes to the behavior of the Object Model Guard to improve the developer and user experience while helping to keep Outlook secure.

Code Security Defaults

As in Outlook 2003, Outlook 2007 continues to implicitly trust all in-process COM add-ins. Writing a trusted COM add-in continues to be the recommended approach to interact with Outlook data through the object model. The default trust behavior for all in-process COM add-ins works just as it did in Outlook 2003.

Security in Outlook 2007 takes advantage of the status of antivirus software installed on a computer. This change represents a major departure from the way the Object Model Guard worked in the past. If Outlook is able to detect that antivirus software is running with an acceptable status, Outlook disables security warnings for the user. This allows external applications that previously had to resort to Extended MAPI or third-party libraries to avoid security prompts under the appropriate conditions. This new behavior helps keep Outlook secure without overwhelming the user with excessive warning messages.

All out-of-process COM callers and add-ins run without security warnings if all of the following conditions are true:

  • The client computer is running Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Vista, and the Windows Security Center (WSC) indicates that antivirus software on the computer is in a "Good" health status. If the computer is joined to a domain, the health-status indicator may not be visible, but it is still maintained.

  • The antivirus software installed on the client computer is designed for Windows XP SP2 or Windows Vista.

  • Outlook 2007 is configured on the client computer in one of the following ways:

    • Uses the default security settings

    • Uses security settings defined by Group Policy and set to warn when antivirus software is inactive or out of date

    • Uses security settings defined by Group Policy but does not have a programmatic access policy applied

Additionally, Outlook 2007 suppresses security warnings when it is configured to Never warn me about suspicious activity (not recommended) through the Outlook Trust Center.

To detect the status of the antivirus software on client computers, Outlook 2007 depends on the WSC. Currently, antivirus products that are compatible with Windows XP SP2 and Windows Vista register status information with the WSC. Outlook first checks for the current status of antivirus software by querying the WSC. On computers running Microsoft Windows Server 2003, because the WSC is not available, Outlook is unable to detect the status of antivirus software and therefore does not disable security warnings.

In order for Outlook 2007 to disable security warnings, the antivirus software must report the following three conditions:

  • Antivirus software is installed and shares its status with third-party software through the WSC.

  • The antivirus software is up to date.

  • Virus scanning is enabled on access.

Outlook 2007 examines all of the antivirus products that are installed and registered with the WSC. If at least one of those products meets the previous three conditions, Outlook turns off the object model security warnings. Over a single session, Outlook 2007 continues to monitor the status of the antivirus software. At any point, if Outlook detects that no antivirus product on the computer meets all three conditions, Outlook immediately enables the security warnings. At any subsequent point, if Outlook detects that at least one antivirus product meets these criteria, Outlook disables the warnings again.

This new behavior applies to all programs that access Outlook 2007 through the Outlook object model. This includes add-ins and external COM callers. Programs that access Outlook data through other APIs (for example, Collaboration Data Objects, Exchange Client Extensions, or Simple MAPI) are not affected by this change. Solutions using Extended MAPI are not restricted by the Object Model Guard.

Trust Center Options for Code Security

Administrators can use the Trust Center in Outlook 2007 to change the default behavior. To access the Trust Center, open the Tools menu and click Trust Center. In the Trust Center, click Programmatic Access. The Programmatic Access Security dialog box provides options that differ from the default behavior, as shown in Figure 1.

Figure 1. Programmatic Access settings in the Outlook Trust Center

Programmatic Access settings

The three settings are as follows:

  • Warn me about suspicious activity when my antivirus software is inactive or out-of-date (recommended)

    This is the default setting, and it implements the behavior described earlier in this article. This setting is recommended for all users.

  • Always warn me about suspicious activity

    This setting enables Outlook 2007 to act like Outlook 2003, so that cross-process COM callers and untrusted add-ins invoke security warnings.

  • Never warn me about suspicious activity (not recommended)

    This setting prevents all security warnings and disables the Object Model Guard. Use this setting only in controlled environments where the risk of malicious code running on the computer is low.

These settings are available only if the current user is an administrator on the computer. Users without administrator privileges can view the current setting but cannot change it. Programmatic Access settings can also be controlled through Group Policy. For more information about configuring Outlook settings by using Group

COM Add-In Security Defaults

In Outlook 2007, all COM add-ins are trusted by default. Administrators can configure an alternate behavior by using Outlook 2007 Group Policy or the Outlook security form on a Microsoft Exchange Server.

As in previous versions, Outlook 2007 trusts only the Application object passed to the add-in during the OnConnection event of the add-in. If the add-in creates a new instance of the Application object, Outlook does not trust that object, even if the add-in is on the list of trusted add-ins. For more information about the OnConnection event, see the IDTExtensibility2 documentation on MSDN.

Object Model Guard

While Outlook 2007 defines new circumstances for untrusted callers to invoke security warnings, it inherits the set of protected objects and members from the Outlook 2003 Object Model Guard. In addition, Outlook 2007 displays warnings for code that attempts to access several new members added to the object model. Outlook raises warnings in five major scenarios, when untrusted code attempts to use the object model to retrieve data or execute certain methods:

  • Properties or methods that return address objects, including properties and members of these objects:

    • AddressEntries and AddressEntry

    • Recipient and Recipients

    • ExchangeDistributionList and ExchangeUser

    • SelectNamesDialog

    • PropertyAccessor

  • Properties of various objects that may contain addresses or address information, such as:

    • Alias

    • Address

    • Body and HTMLBody

    • ID

    • WordEditor

  • Methods that allow writing items to a storage location outside of Outlook, such as:

    • Item.SaveAs

    • CalendarSharing.SaveAsICal

  • Entry points that provide access to properties using explicit, built-in property names or references to namespaces, such as:

    • UserProperties.Find

    • ItemProperties.Item("IMAddress") and other protected properties

    • Table.Columns.Add

    • PropertyAccessor.GetProperties

    • PropertyAccessor.GetProperty

  • Programmatic sending of an item:

    • Item.Allow, Item.Send

    • Action.Execute

Security Warnings

Outlook 2007 displays one of three security warnings when an add-in that is not properly trusted or a cross-process COM client attempts to access a protected property or method. These messages are specific to the type of information or action that the program was attempting to access or execute. The messages have a new appearance and new button labels that are consistent with Windows XP and Windows Vista recommendations for security dialogs.

Address Book Warning

The address book warning, shown in Figure 2, is the most common prompt that a user sees when an untrusted program is accessing Outlook data. This prompt appears for members whose prompt type is "Address Book" in the Protected Members List later in this article.

Figure 2. Outlook 2007 address book access prompt

Outlook 2007 address book access prompt

This warning enables the user to allow or deny the action. The user can also choose to allow access to the address book for a period of time indicated in the drop-down box.

If the user clicks Deny, Outlook immediately blocks the call that invokes the warning and returns MAPI_E_NOT_SUPPORTED. Outlook does not return any data for the call. If the program does not properly handle the error, it might crash.

If the user clicks Allow without selecting the Allow access for check box, only the call that generated the warning will be allowed. Additional calls on the same line or calls for objects that derive from the blocked call may generate their own security warnings.

If the user clicks Allow after selecting the Allow access for check box, the call that generated the prompt, as well as future calls, will be allowed for the duration that the user has selected. During this time period, all callers to the object model — not just the program that originally invoked the security warning — are approved for address-book access. After this time period expires, security warnings may reappear.

Send Message Warning

The Send Message warning, shown in Figure 3, is invoked when an untrusted solution attempts to send an item programmatically. This prompt appears for members whose prompt type is "Sending Mail" in the Protected Members List later in this article.This dialog box has a built-in timer that prevents untrusted add-ins from sending messages rapidly and automatically. The user must wait five seconds before clicking Allow.

Figure 3. Outlook 2007 e-mail security prompt

Outlook 2007 e-mail security prompt

If the user clicks Deny, Outlook blocks the call that invoked the warning and returns the MAPI_E_NOT_SUPPORTED error. Subsequent calls to send messages programmatically will invoke additional warnings.

If the user clicks Allow, the call that invoked the warning, and only that call, is allowed. Subsequent calls from an untrusted solution to send messages programmatically will continue to generate warnings.

Execute Actions Warning

This warning, shown in Figure 4, is invoked when an untrusted solution executes a custom action from the Actions collection. This prompt appears for members whose prompt type is "Custom Action" in the Protected Members List later in this article. Outlook displays a message similar to the previous warning, indicating that an action is being executed.

Figure 4. Outlook 2007 execute actions security prompt

Outlook 2007 execute actions security prompt

If the user clicks Deny, Outlook blocks the call to the Execute method for that action and returns the MAPI_E_NOT_SUPPORTED error.

If the user clicks Allow, the call that invoked the warning, and only that call, is allowed. Subsequent calls from an untrusted solution to execute an action will continue to invoke warnings.

Administrator Options

In addition to the settings that are provided by default, administrators can use two methods in Outlook 2007 to lock down the Object Model Guard settings and alter the default behavior.

Group Policy Security for COM Add-Ins

Outlook 2007 supports using Windows Group Policy settings to manage code security settings. When Outlook is configured to load security settings from Group Policy, it may include a list of trusted add-ins. If this list is present, Group Policy has been configured to enable this list, and a COM add-in matches the hash information provided in the trusted list, Outlook provides a trusted Application object to the COM add-in. If an add-in is not in the list or has been updated since it was added to the list, Outlook does not trust the add-in.

Additionally, administrators can set how Outlook handles the security warnings generated by the Object Model Guard. Four options are available: automatically accept, automatically deny, prompt user, and prompt user without antivirus software. These settings apply to all add-ins not included in the list of trusted add-ins, and to external COM callers to the object model.

Exchange-Brokered Security for COM Add-Ins

There has been no change in the way Outlook 2007 trusts COM add-ins in a Microsoft Exchange environment where security settings are obtained from the Exchange server. You can still configure Outlook 2007 to locate the Outlook security form in a public folder. When Outlook is configured to load settings from this form, Outlook trusts, by default, only those add-ins that are listed in the security form. Administrators can use Group Policy settings to override this behavior and continue to trust all installed add-ins as necessary.

If Outlook 2007 is configured to use security settings from the security form, it does not leverage the status of antivirus software. In this scenario, there are only three prompt behaviors: prompt user; never prompt and automatically allow; and never prompt and automatically deny. To take advantage of the new code security behavior based on the status of antivirus software, Outlook must be configured to use Windows Group Policy or the Outlook 2007 default security settings.

Protected Members List

Table 1 lists the properties and methods that are protected in Outlook 2007. The third column, Prompt Type, indicates the type of security warning that appears when that member is accessed. Properties and methods that are new or newly protected in Outlook 2007 are identified as such in the Status column.

NoteNote

In the Members column, "Everything" includes all the properties and methods for the specified object except Application, Class, Session, and Parent.

Table 1. Properties and methods that are protected in Outlook 2007

Object/Interface

Member

Prompt Type

Status

Account

SmtpAddress

Address Book

New

Action

Execute()

Custom Action

 

AddressEntries

GetFirst()

Address Book

 

AddressEntries

GetLast()

Address Book

 

AddressEntries

GetNext()

Address Book

 

AddressEntries

GetPrevious()

Address Book

 

AddressEntries

Add()

Address Book

 

AddressEntries

Item()

Address Book

Newly protected

AddressEntry

Address

Address Book

 

AddressEntry

ID

Address Book

 

AddressEntry

Manager

Address Book

 

AddressEntry

Members

Address Book

 

AddressEntry

Parent

Address Book

 

AddressEntry

GetExchangeDistributionList()

Address Book

New

AddressEntry

GetExchangeUser()

Address Book

New

AddressEntry

Update()

Address Book

Newly protected

AddressEntry

PropertyAccessor

Address Book

New 

AddressLists

Item()

Address Book

Newly protected

AddressList

PropertyAccessor

Address Book

New

AddressList

AddressEntries

Address Book

 

AddressList

ID

Address Book

 

AppointmentItem

Body

Address Book

 

AppointmentItem

NetMeetingOrganizerAlias

Address Book

 

AppointmentItem

OptionalAttendees

Address Book

 

AppointmentItem

Organizer

Address Book

 

AppointmentItem

PropertyAccessor

Address Book

New

AppointmentItem

RequiredAttendees

Address Book

 

AppointmentItem

Resources

Address Book

 

AppointmentItem

Respond()

Sending Mail

 

AppointmentItem

SaveAs()

Address Book

 

Attachment

PropertyAccessor

Address Book

New

CalendarSharing

SaveAsICal()

Address Book

New

Columns

Add()

Address Book

New

ContactItem

Body

Address Book

 

ContactItem

Email1Address

Address Book

 

ContactItem

Email1AddressType

Address Book

 

ContactItem

Email1DisplayName

Address Book

 

ContactItem

Email1EntryID

Address Book

 

ContactItem

Email2Address

Address Book

 

ContactItem

Email2AddressType

Address Book

 

ContactItem

Email2DisplayName

Address Book

 

ContactItem

Email2EntryID

Address Book

 

ContactItem

Email3Address

Address Book

 

ContactItem

Email3AddressType

Address Book

 

ContactItem

Email3DisplayName

Address Book

 

ContactItem

Email3EntryID

Address Book

 

ContactItem

IMAddress

Address Book

 

ContactItem

NetMeetingAlias

Address Book

 

ContactItem

PropertyAccessor

Address Book

New

ContactItem

ReferredBy

Address Book

 

ContactItem

SaveAs()

Address Book

 

DistListItem

Body

Address Book

 

DistListItem

GetMember()

Address Book

 

DistListItem

PropertyAccessor

Address Book

New

DistListItem

SaveAs()

Address Book

 

DocumentItem

Body

Address Book

 

DocumentItem

PropertyAccessor

Address Book

New

ExchangeDistributionList

Address

Address Book

New

ExchangeDistributionList

Alias

Address Book

New

ExchangeDistributionList

GetExchangeDistributionList()

Address Book

New

ExchangeDistributionList

GetExchangeUser()

Address Book

New

ExchangeDistributionList

GetMemberOfList()

Address Book

New

ExchangeDistributionList

GetExchangeDistributionListMembers()

Address Book

New

ExchangeDistributionList

GetOwners()

Address Book

New

ExchangeDistributionList

ID

Address Book

New

ExchangeDistributionList

Parent

Address Book

New

ExchangeDistributionList

PrimarySmtpAddress

Address Book

New

ExchangeDistributionList

PropertyAccessor

Address Book

New

ExchangeDistributionList

Update()

Address Book

New

ExchangeUser

Address

Address Book

New

ExchangeUser

Alias

Address Book

New

ExchangeUser

GetDirectReports()

Address Book

New

ExchangeUser

GetExchangeDistributionList()

Address Book

New

ExchangeUser

GetExchangeUser()

Address Book

New

ExchangeUser

GetExchangeUserManager()

Address Book

New

ExchangeUser

GetMemberOfList()

Address Book

New

ExchangeUser

ID

Address Book

New

ExchangeUser

Parent

Address Book

New

ExchangeUser

PrimarySmtpAddress

Address Book

New

ExchangeUser

PropertyAccessor

Address Book

New

ExchangeUser

Update()

Address Book

New

Folder

GetCalendarExporter()

Address Book

New

Folder

PropertyAccessor

Address Book

New

Inspector

HTMLEditor

Address Book

 

Inspector

WordEditor

Address Book

 

ItemProperties

Any protected property for an item

Address Book

 

JournalItem

Body

Address Book

 

JournalItem

ContactNames

Address Book

 

JournalItem

PropertyAccessor

Address Book

New

JournalItem

SaveAs()

Address Book

 

MailItem

Bcc

Address Book

 

MailItem

Body

Address Book

 

MailItem

Cc

Address Book

 

MailItem

HTMLBody

Address Book

 

MailItem

PropertyAccessor

Address Book

New

MailItem

ReceivedByName

Address Book

 

MailItem

ReceivedOnBehalfOfName

Address Book

 

MailItem

Recipients

Address Book

 

MailItem

ReplyRecipientNames

Address Book

 

MailItem

SaveAs()

Address Book

 

MailItem

Send()

Sending Mail

 

MailItem

SenderEmailAddress

Address Book

 

MailItem

SenderEmailType

Address Book

 

MailItem

SenderName

Address Book

 

MailItem

SendOnBehalfOfName

Address Book

 

MailItem

To

Address Book

 

MeetingItem

Body

Address Book

 

MeetingItem

PropertyAccessor

Address Book

New

MeetingItem

SaveAs()

Address Book

 

MeetingItem

SenderName

Address Book

 

MeetingItem

Recipients

Address Book

 

NameSpace

CurrentUser

Address Book

 

NameSpace

GetAddressEntryFromID()

Address Book

New

NameSpace

GetRecipientFromID()

Address Book

 

NameSpace

SelectNamesDialog

Address Book

New

NoteItem

Body

Address Book

 

NoteItem

PropertyAccessor

Address Book

New

PostItem

Body

Address Book

 

PostItem

HTMLBody

Address Book

 

PostItem

PropertyAccessor

Address Book

New

PostItem

SaveAs()

Address Book

 

PostItem

SenderName

Address Book

 

Recipient

Everything (see Note above table)

Address Book

 

Recipient

PropertyAccessor

Address Book

New

Recipients

Everything (see Note above table)

Address Book

 

RemoteItem

Body

Address Book

 

RemoteItem

PropertyAccessor

Address Book

New

ReportItem

Body

Address Book

 

ReportItem

PropertyAccessor

Address Book

New

SelectNamesDialog

Recipients

Address Book

New

SharingItem

Allow()

Sending Mail

New

SharingItem

Bcc

Address Book

New

SharingItem

Body

Address Book

New

SharingItem

Cc

Address Book

New

SharingItem

HTMLBody

Address Book

New

SharingItem

PropertyAccessor

Address Book

New

SharingItem

ReceivedByName

Address Book

New

SharingItem

ReceivedOnBehalfOfName

Address Book

New

SharingItem

ReplyRecipientNames

Address Book

New

SharingItem

SaveAs()

Address Book

New

SharingItem

Send()

Sending Mail

New

SharingItem

SenderEmailAddress

Address Book

New

SharingItem

SenderEmailType

Address Book

New

SharingItem

SenderName

Address Book

New

SharingItem

SendOnBehalfOfName

Address Book

New

SharingItem

To

Address Book

New

StorageItem

Body

Address Book

New

StorageItem

PropertyAccessor

Address Book

New

Store

PropertyAccessor

Address Book

New

TaskItem

Body

Address Book

 

TaskItem

ContactNames

Address Book

 

TaskItem

Contacts

Address Book

 

TaskItem

Delegator

Address Book

 

TaskItem

Owner

Address Book

 

Store

PropertyAccessor

Address Book

New

TaskItem

SaveAs()

Address Book

 

TaskItem

Send()

Sending Mail

 

TaskItem

StatusOnCompletionRecipients

Address Book

 

TaskItem

StatusUpdateRecipients

Address Book

 

TaskItem

PropertyAccessor

Address Book

New

TaskRequestItem

Body

Address Book

 

TaskRequestItem

PropertyAccessor

Address Book

New

TaskRequestAcceptItem

Body

Address Book

 

TaskRequestAcceptItem

PropertyAccessor

Address Book

New

TaskRequestDeclineItem

Body

Address Book

 

TaskRequestDeclineItem

PropertyAccessor

Address Book

New

TaskRequestUpdateItem

Body

Address Book

 

TaskRequestUpdateItem

PropertyAccessor

Address Book

New

UserProperties

Find()

Address Book

 

UserProperty

Formula

Address Book

 

Conclusion

Outlook 2007 makes a substantial investment in Outlook as a platform. One important part of this investment is been to reduce excessive security warnings caused by the Outlook Object Model Guard. Outlook 2007, using the default security settings or Windows Group Policy, and valid and appropriately configured antivirus software on the client computer, allows legitimate in-process and out-of-process solutions to execute without overwhelming users with security warnings. This makes it easier for users and developers to take advantage of other platform investments while Outlook remains a secure application.

Outlook provides administrators with a unified scheme to enforce security and other policy decisions — all within Outlook. In addition, Group Policy allows administrators to lock down Outlook without requiring an Exchange server, making Outlook a more secure choice for more users. These features, in addition to other improvements, help make Outlook 2007 the most secure version of Outlook to date.

Additional Resources