Plan attachment settings in Outlook 2010

 

Applies to: Office 2010

Topic Last Modified: 2012-02-29

Banner stating end of support date for Office 2010 with link to more info

In Microsoft Outlook 2010, you can specify that attachments to Outlook items (such as e-mail messages or appointments) are restricted based on the file type of the attachment. A file type can have either a Level 1 or Level 2 restriction. You can also configure what users can do with attachment restrictions. For example, you could allow users to change the restrictions for a group of attachment file types from Level 1 (user cannot view the file) to Level 2 (user can open the file after saving it to disk).

Note

To enforce attachment settings, you must first configure the method that Outlook 2010 uses to enforce security settings by using Group Policy. For information about how to set the Outlook 2010 method to enforce security settings, see Specifying how security settings are enforced in Outlook in Choose security and protection settings for Outlook 2010.

In this article:

  • Overview

  • Add or remove Level 1 file name extensions

  • Add or remove Level 2 file name extensions

  • Configure additional attachment file restrictions

Overview

There is restricted access to some attachments in items (such as e-mail messages or appointments) in Outlook 2010. Files that have specific file types can be categorized as Level 1 (the user cannot view the file) or Level 2 (the user can open the file after saving it to disk).

By default, Outlook 2010 classifies several file types as Level 1 and blocks files that have those extensions from being received by users. Examples include .cmd, .exe, and .vbs file name extensions. As an administrator, you can use Group Policy to manage how a file type is categorized for e-mail attachment blocking. For example, you can change a file type categorization from Level 1 to Level 2 or create a list of Level 2 file types. There are no Level 2 file types by default.

You can configure Outlook 2010 attachment security settings by using Group Policy and the Outlook 2010 template (Outlk14.adm). Most of the attachment security settings are the found under User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Security Form Settings\Attachment Security. Settings to prevent users from customizing attachment security settings and to use Protected View for attachments received from internal senders are found under User Configuration\Administrative Templates\Microsoft Outlook 2010\Security. Attachment security settings cannot be configured by using the Office Customization Tool (OCT).

For more information about Protected View, see Plan Protected View settings for Office 2010.

For information about how to download the Outlook 2010 adminstrative template, and about other Office 2010 Administrative Templates, see Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool. For more information about Group Policy, see Group Policy overview for Office 2010 and Use Group Policy to enforce Office 2010 settings.

Add or remove Level 1 file name extensions

Level 1 files are hidden from the user. The user cannot open, save, or print a Level 1 attachment. (If you specify that users can demote a Level 1 attachment to a Level 2 attachment, Level 2 restrictions apply to the file.) If a user receives an e-mail message or appointment that has a blocked attachment, the InfoBar at the top of the item displays a list of the blocked files. (The InfoBar does not appear on a custom form.) When you remove a file type from the Level 1 list, attachments that have that file type are no longer blocked. For the default list of Level 1 file types, see Attachment file types restricted by Outlook 2010.

The settings in the following table let you add or remove Level 1 file types from the default list. In Group Policy, these settings are found under User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Security Form Settings\Attachment Security. These settings cannot be configured by using the OCT.

Option Description

Add file extensions to block as Level 1

Specifies the file types (usually three letters) you want to add to the Level 1 file list. Do not enter a period before each file name extensions. If you enter multiple file name extensions, separate them with semicolons.

Remove file extensions blocked as Level 1

Specifies the file types (usually three letters) you want to remove from the Level 1 file list. Do not enter a period before each file type. If you enter multiple file types, separate them with semicolons.

Add or remove Level 2 file name extensions

With a Level 2 file type, the user is required to save the file to the hard disk before the file is opened. A Level 2 file cannot be opened directly from an item.

When you remove a file type from the Level 2 list, it becomes a regular file type that can be opened, saved, and printed in Outlook 2010. There are no restrictions on the file.

The settings in the following table let you add or remove Level 2 file types from the default list. In Group Policy, these settings are found under User Configuration\Administrative Templates\ Microsoft Outlook 2010\Security\Security Form Settings\Attachment Security. These settings cannot be configured by using the OCT.

Option Description

Add file extensions to block as Level 2

Specifies the file name extension (usually three letters) you want to add to the Level 2 file list. Do not enter a period before each file name extension. If you enter multiple file name extensions, separate them with semicolons.

Remove file extensions blocked as Level 2

Specifies the file name extension (usually three letters) you want to remove from the Level 2 file list. Do not enter a period before each file name extension. If you enter multiple file name extensions, separate them with semicolons.

Configure additional attachment file restrictions

The settings in the following table are additional settings that you can configure for attachments in Group Policy. In Group Policy, these settings are found under User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Security Form Settings\Attachment Security. These settings cannot be configured by using the OCT.

Option Description

Display Level 1 attachments

Enables users to access all attachments that have Level 1 file types by first saving the attachments to disk, and then opening them (as with Level 2 attachments).

Allow users to demote attachments to Level 2

Enables users to create a list of attachment file name extensions to demote from Level 1 to Level 2. If you do not configure this Group Policy setting, the default behavior in Outlook is to ignore the user’s list. The registry key in which users create the list of file types to demote is: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security\Level1Remove. In the registry key, users specify the file name extensions (usually three letters) to remove from the Level 1 file list, separated with semicolons.

Do not prompt about Level 1 attachments when sending an item

Prevents users from receiving a warning when they send an item that contains a Level 1 attachment. This option affects only the warning. Once the item is sent, recipients might be unable to view or access the attachment, depending on their security settings. If you want users to be able to post items to a public folder without receiving this prompt, you must enable this setting and the Do not prompt about Level 1 attachments when closing an item setting.

Do not prompt about Level 1 attachments when closing an item

Prevents users from receiving a warning when they close an e-mail message, appointment, or other item that contains a Level 1 attachment. This option affects only the warning. Once the item is closed, the user cannot view or gain access to the attachment. If you want users to be able to post items to a public folder without receiving this prompt, you must enable this setting and the Do not prompt about Level 1 attachments when sending an item setting.

Display OLE package objects

Displays OLE objects that have been packaged. A package is an icon that represents an embedded or linked OLE object. When you double-click the package, the program that was used to create the object either plays the object (for example, if the object is a sound file) or opens and displays the object. Allowing Outlook to display OLE package objects can be problematic, because the icon can be easily changed and used to disguise malicious files.

The settings in the following table are found in Group Policy under User Configuration\Administrative Templates\Microsoft Outlook 2010\Security. These settings cannot be configured by using the OCT.

Action Description

Prevent users from customizing attachment security settings

When enabled, users cannot customize the list of file types that are allowed as attachments in Outlook, regardless of how you have configured other Outlook security settings.

Use Protected View for attachments received from internal senders

When enabled, attachments received from senders within your organization open in Protected View. This setting only applies to Microsoft Outlook accounts that connect to a Microsoft Exchange Server computer.