Outlook Express 6.0 and Resulting Internet Communication in Windows Server 2003 with Service Pack 1

Applies To: Windows Server 2003 with SP1

This white paper provides information about the communication that flows between components in Windows Server 2003 with SP1 and sites on the Internet, and it describes steps to take to limit, control, or prevent that communication in an organization with many users.

This section of the white paper provides:

  • A description of Microsoft Outlook Express 6 in Windows Server 2003 with Service Pack 1 (SP1). This section also provides a comparison of Outlook and Outlook Express.

  • Descriptions of new security-related features in Outlook Express 6 in Windows Server 2003 with SP1 (as compared to Outlook Express 5), with information about how these new features are configured at the desktop.

  • Information about controlling Outlook Express 6 through Group Policy to limit the risk associated with e-mail attachments. The Group Policy setting that you use for this is Block attachments that could contain a virus.

Note

This section of the white paper describes Outlook Express 6 in Windows Server 2003 with SP1, but does not describe related components such as Internet Explorer 6, the New Connection Wizard, or the tool that can report errors that occur in Outlook Express. For information about these components, see the respective sections of this white paper (the error reporting tool is described in Windows Error Reporting and Internet Communication).

It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization where users send and receive e-mail messages, open attachments in e-mail messages, and perform similar actions. This section, however, provides information about features and configuration methods in Outlook Express 6 that can reduce the inherent risks associated with sending and receiving e-mail messages.

For more information about Outlook Express, see the following resources:

  • Help for Outlook Express (which can be accessed in Outlook Express by clicking the Help menu and then selecting an appropriate option).

  • The section about Internet Explorer 6 in this white paper, which describes security zones in Internet Explorer 6. These security zones are also used in Outlook Express 6.

  • The Internet Explorer page on the Microsoft Web site at:

    https://www.microsoft.com/windows/ie/

  • The Resource Kit for Internet Explorer (specifically, the chapter describing what’s new in Internet Explorer 6). To learn about this and other Resource Kits, see the Microsoft TechNet Web site at:

    https://go.microsoft.com/fwlink/?linkid=29894

Benefits and Purposes of Outlook Express 6

Outlook Express 6 is designed to make it easy to send or receive e-mail messages and to browse or participate in newsgroups. It differs from many of the other components described in this white paper in that its main function is to communicate through the Internet or an intranet (in contrast to components that communicate with the Internet in the process of supporting some other activity).

Outlook Express is part of Windows Server 2003 with SP1, in contrast to Microsoft Outlook, which is an application included in Microsoft Office. Outlook provides comprehensive e-mail capabilities, including information management and collaboration capabilities, useful to a wide spectrum of users from home to small business to large enterprise. Outlook Express offers standard Internet e-mail and news access, useful to many home and small-business users. Outlook Express supports Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), and Network News Transfer Protocol (NNTP).

Outlook Express 6 offers more security-related options and settings than were available in Outlook Express 5. The following subsections describe the new options and ways of configuring them.

New Security-Related Features in Outlook Express 6

The version of Outlook Express in Windows Server 2003 with SP1 includes additional security-related features as compared to earlier versions of Outlook Express, including Outlook Express 5. The following list describes these features. The table that follows this list shows how each option is configured in Outlook Express.

  • Warning about harmful e-mail. To prevent e-mail messages from being sent without your knowledge, Outlook Express warns you when other programs, such as viruses or harmful attachments, attempt to send messages from your computer. This warning appears only if Outlook Express is configured as the default simple MAPI client, and another program attempts to use simple MAPI to programmatically send e-mail messages without presenting a visible user interface on the computer.

  • Blocking of potentially harmful attachments. If this option is enabled, Outlook Express 6 blocks the opening or saving of specific e-mail attachments that are considered "unsafe." To determine whether an attachment is unsafe, Outlook Express 6 uses an updated API in Windows Server 2003 with SP1, the Attachment Manager API. The Attachment Manager API provides functionality to give each attachment a risk rating based on the extension, content type, registered handlers, and other heuristics. By using Group Policy, you can customize some aspects of Attachment Manager, such as the lists of high, medium, and low risk files.

    In addition, the prompts that are used for mail attachments, file downloads, shell process execution, and program installation have been modified to be both more consistent and clearer than they were in Windows Server 2003 without SP1.

    Blocking of potentially harmful attachments can be enabled or disabled through Group Policy as well as at the local computer. For more information about using this setting, see the table that follows and "To Locate the Group Policy Setting for Blocking E-mail Attachments in Outlook Express 6," later in this section.

    For more information about Attachment Manager and other changes that make the version of Outlook Express in Windows Server 2003 with SP1 more resistant than previous versions, see "Changes to Functionality in Microsoft Windows Server 2003 Service Pack 1" on the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=46278

    To learn about Group Policy settings with which you can adjust Attachment Manager, in Group Policy, go to User Configuration\Administrative Templates\Windows Components\Attachment Manager. For a detailed explanation of a setting, select the setting and click the Extended tab, or open the setting and click the Explain tab.

  • Plain text format option for reading of e-mail. Starting with Outlook Express 6.0 in Windows Server 2003 with SP1, Outlook Express can be configured to read all e-mail messages in plain text format. Some HTML e-mail messages may not appear correctly in plain text, but no active content in the e-mail message is run when this setting is enabled.

  • Blocking of downloads of external content (to help limit spam). If this option is enabled, Outlook Express 6 will not contact an external Web server when an e-mail contains a reference to an image that resides on that external Web server. Businesses that use spam sometimes incorporate such external references for the purpose of validating e-mail addresses that they use, after which they send repeated e-mails to the validated addresses. The image involved might be a single pixel image that is not visible to the e-mail recipient, who is unaware that his or her e-mail address has been validated. This option can be enabled or disabled at the local computer. For more information about using this setting, see the table that follows and "To Start Outlook Express 6 and View or Configure Security Settings," later in this section.

    This option is new in the version of Outlook Express in Windows Server 2003 with SP1. For more details about other changes that make this version of Outlook Express more resistant than previous versions, see "Changes to Functionality in Microsoft Windows Server 2003 Service Pack 1" on the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=46278
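The external-content behavior described above can be checked on a stored message before it is rendered. The following Python sketch is an added example, not part of the original white paper or of Outlook Express: it lists the remote references that an HTML renderer would fetch and flags 1x1 images of the kind used to validate addresses. The sample message, the function name external_references, and the attribute list are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not from the white paper): one external 1x1
# image with a per-recipient token, one inline image carried in the message.
SAMPLE_EML = """\
From: news@example.com
To: user@example.org
Subject: Offer
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="http://tracker.example.com/o.gif?id=user%40example.org" width="1" height="1">
<img src="cid:logo123" width="120" height="40">
<link rel="stylesheet" href="https://cdn.example.com/style.css">
</body></html>
"""

# Tag attributes that make a mail client fetch a resource while rendering.
FETCH_ATTRS = {"img": "src", "link": "href", "script": "src",
               "iframe": "src", "body": "background"}

class ExternalRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url, looks_like_beacon)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(FETCH_ATTRS.get(tag, ""))
        if not url or urlsplit(url).scheme not in ("http", "https"):
            return  # cid:, data: and relative references stay local
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.refs.append((tag, url, tag == "img" and tiny))

def external_references(raw_message):
    """Return the remote fetches an HTML renderer would make for this message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    finder = ExternalRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.refs

if __name__ == "__main__":
    for tag, url, beacon in external_references(SAMPLE_EML):
        print(f"{tag:6} {url}  beacon={beacon}")
```

An empty result means the message can be rendered without contacting any external server; each listed reference is a request that the blocking option suppresses.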

The following table shows how each option is configured in Outlook Express 6.

Options for Configuring Outlook Express 6

| Option to Configure in Outlook Express 6 | Menu to Click | Menu Item to Click | Tab to Click |
|---|---|---|---|
| Warning about harmful e-mail | Tools | Options | Security |
| Blocking of potentially harmful attachments (also configurable through Group Policy) | Tools | Options | Security |
| Blocking of the downloading of images and other external content in HTML e-mail (this helps limit spam) | Tools | Options | Security |
| Plain text format option for reading of all e-mail | Tools | Options | Read |

Overview: Using Outlook Express 6 in a Managed Environment

Although there are inherent risks associated with sending and receiving e-mail (and e-mail attachments), with Windows Server 2003 SP1, you can use several different features and configuration methods in Outlook Express 6 to reduce the risks:

  • You can use the graphical user interface to configure the security-related features in Outlook Express 6. For more information, see "New Security-Related Features in Outlook Express 6," earlier in this section and "To Start Outlook Express 6 and View or Configure Security Settings," later in this section.

  • You can use a Group Policy setting, Block attachments that could contain a virus, to limit the risk associated with e-mail attachments in Outlook Express 6. For more information, see "To Locate the Group Policy Setting for Blocking E-mail Attachments in Outlook Express 6," later in this section.

Procedures for Working with Outlook Express 6

This subsection provides procedures for the following:

  • Opening the dialog box from which you can configure security settings for Outlook Express 6.

  • Locating the Group Policy setting, Block attachments that could contain a virus.

    You can use this Group Policy setting in situations where you want Outlook Express 6 to be available but where you want to limit the risk associated with e-mail attachments. For more information about this policy setting, see "New Security-Related Features in Outlook Express 6," earlier in this section.

To Start Outlook Express 6 and View or Configure Security Settings

  1. Click Start, point to All Programs or Programs, and then click Outlook Express.

  2. On the Tools menu, click Options.

  3. Click the Security tab and view or configure the settings, including the check boxes for the following options:

    • Warn me when other applications try to send mail as me.

    • Do not allow attachments to be saved or opened that could potentially be a virus.

    • Block images and other external content in HTML e-mail.

    You can also view or configure the security zones setting. Outlook Express 6 uses two of the same security zones that you configure in Internet Explorer 6. For more information about security zones, see Internet Explorer 6.0 and Resulting Internet Communication in Windows Server 2003 with Service Pack 1 in this white paper.

  4. Click the Read tab, and view or configure the settings, including the check box for Read all messages in plain text.

To Locate the Group Policy Setting for Blocking E-mail Attachments in Outlook Express 6

  1. See Appendix B: Resources for Learning About Group Policy, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.

  2. Click User Configuration, click Administrative Templates, click Windows Components, and then click Internet Explorer.

    In the details pane, double-click Configure Outlook Express.

  3. If you enable this policy, you can select or clear the check box for Block attachments that could contain a virus.