Saturday 31 March 2007

Information Security: Outlook 2002, 2003 Read as Plain Text

I have a hard time with HTML in e-mail. It presents such a huge opening in network security.

With the client's permission, starting with Outlook 2002/XP, we have set a mandatory "Read as Plain Text" on all e-mail coming into the organization.

We came up with this, because eliminating the Preview Pane for some key users just wasn't going to happen.

They could accept having to click the grey Security Warning bar in the e-mail to enable HTML content when they actually need it.

With a little training, our users are aware of what to watch out for when it comes to the content of e-mail.

A bank URL that reads like www.mydomain.sk/www.royalbank.ca/logon.do, or whatever, is BAD. In plain text the real URL actually shows up beside the original link text in brackets. They have picked up on that.

This has paid off in many ways over the years. The single biggest way?

We have networks that are virus free. Downtime due to a bad infection, or because someone allowed a Trojan to take root on their system, is something to be avoided at all costs.

The reason I am bringing this up is an article I read at Information Security Sell Out: 0day! Microsoft ANI Code Execution.

The link to the following articles on the vulnerability:

Brutal! One doesn't even need to click and that's all folks! Owned.

To configure Outlook 2002 to utilize plain text for e-mail reading: Microsoft KB 307594: Description of a new feature that users can use to read non-digitally-signed e-mail or nonencrypted e-mail as plain text in Office XP SP-1.

Apply the Office 2002/XP service pack first. Then:

  1. Click Start, and then click Run.
  2. In the Open box, type regedit.
  3. Locate the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail
  4. On the Edit menu, point to New, and then click DWORD Value.
  5. With the new DWORD value selected, type ReadAsPlain.
  6. Double-click the new value to open it. In the Value Data box, type 1, and then click OK.
  7. Click OK, and then quit Registry Editor.

You may need to log off and log back on to have Outlook pick up the new setting.

Outlook 2003 can be set up to read as plain text via Group Policy.

  1. Create and link a new GPO at the domain level, and name it something like: Default Domain Office 2003 Policy.
  2. Go to the Office 2003 Resource Kit site and download the Office 2003 GP ADM files (EXE file).
  3. Extract the downloaded file to a location you can remember.
  4. Edit your new GPO.
  5. Right-click Administrative Templates.
  6. Left-click Add/Remove Templates.
  7. Click the Add button.
  8. Navigate to your ADM files.
  9. Highlight them all and click the Open button.
  10. The new templates will show up in your GPO.
  11. Go to User-->Administrative Templates-->MS Office Outlook 2003-->Tools Options-->Preferences-->E-mail Options.
  12. Therein lies "Read email as plain text". Enable it.
Here is a screen shot of one of our GPOs for Office 2003:

Here is a screen shot of where to find the "Read email as plain text" setting in the Office 2003 GP:

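As an added example (not part of the original post), here is a PowerShell script that audits whether "Read as Plain Text" is actually in effect for the current user and, with -Enforce, writes the user preference where no policy is in place. The 10.0 path is the one from KB 307594 above; the 11.0 paths and the Policies\... path that the GPO writes to are assumptions, so verify them against your own GPO before relying on the report.

```powershell
# Added example, not from the original post: audit/enforce Outlook ReadAsPlain.
# Assumptions: Office 10.0 user path is per KB 307594; the 11.0 paths and the
# HKCU\Software\Policies\... path written by the Outlook 2003 GPO are assumed
# from the same key layout and must be verified in your environment.
param(
    [switch]$Enforce   # write ReadAsPlain=1 to the user path when nothing enforces it
)

$versions = @{ "Outlook 2002/XP" = "10.0"; "Outlook 2003" = "11.0" }

function Get-ReadAsPlain {
    # Returns the DWORD value, or $null when the key or value does not exist
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name ReadAsPlain -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.ReadAsPlain
}

foreach ($name in $versions.Keys) {
    $ver        = $versions[$name]
    $userPath   = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Options\Mail"
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$ver\Outlook\Options\Mail"

    $userVal   = Get-ReadAsPlain $userPath
    $policyVal = Get-ReadAsPlain $policyPath

    # A policy value, when present, overrides the user's own preference
    $effective = if ($null -ne $policyVal) { $policyVal } else { $userVal }
    $source    = if ($null -ne $policyVal) { "policy" } elseif ($null -ne $userVal) { "user" } else { "unset" }
    $state     = if ($effective -eq 1) { "plain text" } else { "HTML allowed" }

    Write-Output ("{0,-16} ReadAsPlain={1,-5} source={2,-6} -> {3}" -f $name, $effective, $source, $state)

    # Only touch the user preference; a GPO-managed value is left to the GPO
    if ($Enforce -and $null -eq $policyVal -and $userVal -ne 1) {
        if (-not (Test-Path $userPath)) { New-Item -Path $userPath -Force | Out-Null }
        New-ItemProperty -Path $userPath -Name ReadAsPlain -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Output ("{0,-16} set ReadAsPlain=1 under user path (log off/on for Outlook to pick it up)" -f $name)
    }
}
```

Run it as the user whose Outlook you are checking, since both paths live under HKEY_CURRENT_USER.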
You can enable other policy settings for security reasons, but get the client's approvals for those changes first, including this one.

A good bit of preparation to explain the reasons behind implementing any kind of restrictive policies must be done beforehand.

And, remember, speak English ... not technicalese! ;)

Oh, and btw, make sure to test your GPO settings in a virtual environment before heading off into a production environment to set it up.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
