Please consider donating: https://www.corelan.be/index.php/donate/


4,950 views

Outlook and OWA Tips & Tricks

1. Manage Attachment behaviour

1.1. Outlook 2007

Although you probably have deployed an antivirus solution in your messaging infrastructure, by default, Outlook blocks access to certain attachments, even if they have been scanned or not. After all, Outlook doesn’t really know if an attachment has been scanned and is safe for you to open.

The list of attachments that are being blocked out of the box can be found at http://office.microsoft.com/en-us/outlook/HP030850041033.aspx

There may be valid reasons why certain attachments should not be blocked, so if you want to allow attachment extensions from the list of Level1 attachments (see URL above), this is how you should do it :

  1. Close Outlook
  2. Edit registry
  3. Locate the key that corresponds with your Outlook version
    Outlook 2000 [HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security]
    Outlook 2002 [HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security]
    Outlook 2003 [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security]
    Outlook 2007 [HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security]
  4. Create a new REG_SZ value (String) and name the value Level1Remove
    Edit the newly created value and enter the extension including the “dot” that you want to allow in Outlook. For instance .crt
    If you need to enter more than one extension you’ll have to type separate them by a semicolon like this; .crt;.url
    Make sure the syntax is correct, otherwise the changes won’t have any effect.
  5. Save the changes
  6. Open Outlook and verify that these attachments now work

Note : you can also change the attachment behaviour by using OutlookTools from http://www.howto-outlook.com/products/outlooktools.htm

If you want to undo these customizations, simply remove them from the registry again and you should be all set.

You can use a GPO as well to deploy these customizations for all of your Outlook clients at once. For Outlook 2007, this is how this works :

Download the Outlook adm file from http://www.microsoft.com/downloads/details.aspx?FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7&displaylang=en

Run the AdminTemplates.exe file, which will extract the necessary files to the location specified by you.

Open this folder and look for the ADM folder.

Open the ADM folder, select your language, and look for a file called outlk12.adm

Open your GPO editor. Since the attachment settings will apply to users, you will need to edit user settings and apply the outlook customizations to users. Create a GPO that targets your users.

Edit the GPO, open "User Configuration", right-click "Administrative Templates" and select "Add/Remove Templates"

Click Add, browse to the outlk12.adm file and click Open.

Verify that the file is in the list and click Close

 

Wait until the new Outlook settings are loaded into the GPO editor. Next, under Administrative Templates, open "Microsoft Office Outlook 2007" – "Security" – "Security Form Settings" – "Attachment Security"

Edit the "Remove file extensions blocked at level1" and set the GPO setting to "Enabled"
Add the list of extensions that should be allowed (separated with ;) and click "OK" to save. Don’t use a in this list !
 

You can find more information on this topic on Technet : http://technet.microsoft.com/en-us/library/cc178961.aspx

If the GPO is applied correctly, you can find the modified registry settings under HKCU\Software\Policies\Microsoft\Office\\Outlook

 

Last but not least, if you want to prohibit your end-users to make customizations themselves, in an attempt to bypass your security policies, then you need to create a registry key value (look for the key that corresponds with your Outlook version – see table above)

HKCU\Software\Policies\Microsoft\Office\\Outlook
Value name: DisallowAttachmentCustomization

Change the security on this value, so the local users cannot change this key. Alternatively, you can deploy this setting via GPO as well :  "Administrative Templates"  – "Microsoft Office Outlook 2007" – "Security" : Set "Prevent Users from customizing attachment security settings" to Enabled.
 

 

1.2. Outlook Web Access

Exchange 2007 based Outlook Web Access manages access to attachments in 2 layers. First of all, you’ll notice different behaviour when you log on to OWA and use the private vs  public computer profile.

image_2

If you log on with a public profile, you’ll see that OWA has blocked all access to attachments.  If you log on with a private computer profile, you’ll have access to some attachments (except for the Level1 attachments)

The second layer addresses these Level1 attachments. You can change the behaviour of the OWA web engine by changing the registry on the server that is hosting the OWA website.  In MS Exchange 2003, you could do this by editing the registry, navigate to HKLM\System\CurrentControlSet\Services\MSExchangeWeb\OWA\
Create a REG_SZ (string) called Level1FileTypes and add the file types that you want to allow, using the same syntax as explained in chapter 1.1 (for Outlook clients)

Under MS Exchange 2007, access to Attachments in fully manageable via the Exchange Management Console.

Open EMS, go to "Server Configuration", click "Client Access", select the OWA server in the lower pane, right click and choose properties.

You can modify the behaviour for both the Public Computer and the Private Computer profile

image_4

Under "Private Computer File Access", in the "Direct File Access" section, click "Customize".

This is where you can change the behaviour of the attachment handling for OWA

image_6

 

 

2. Speed up Outlook Web Access

Open Exchange Management Shell (Powershell) and execute the following commands :

[PS] C:\>set-OwaVirtualDirectory -identity "Owa (Default Web Site)" -gziplevel high
WARNING: For these configuration changes to take effect, you must restart Internet Information Services (IIS). To restart IIS, run the following command: "iisreset /noforce".
[PS] C:\>iisreset /noforce

Attempting stop…
Internet services successfully stopped
Attempting start…
Internet services successfully restarted
[PS] C:\>

Because setting the gziplevel to high will put additional load to the CPU of the OWA server, make sure to verify that you are not choking the server to death.

 

3. Outlook Web Access Forms Authentication : Custom logo/Branding

You can use the following procedure to change the layout of the OWA 2007 Forms Authentication page, and include your own logo.  You will have to make the modifications to every OWA server separately.  You can find the procedure how to create custom themes at http://msexchangeteam.com/archive/2006/08/30/428793.aspx

 

 

4. Outlook Dumpster : recover deleted items that have been removed from "Deleted Items"

This feature can be managed on 2 fronts :

First of all, you need to enable this feature in the Outlook client.  Edit the registry and create a new DWORD value under HKLM\Software\Microsoft\Exchange\Client\Options

Value : DumpsterAlwaysOn

Edit the value and set this parameter to 1

image_8

This will enable the Dumpster on the client.

Open Outlook, go to "Tools". You should find a menu item called "Recover Deleted Items"

image_10

 

The second setting needs to be configured on the Exchange server. 

First of all, make sure that, if you have defined a Managed Default Folder policy, that it allows for recovery in the first place.

Open the Exchange Management Console.  Open "Organization Configuration" – "Mailbox"

Open the "Managed Default Folders" tabsheet.  Locate "Deleted Items" and see if there is a Managed Content Policy tied to the folder.

If so, verify that the policy allows for recovery

image_12

Finally, define how long you want deleted items to be recoverable by end users. This setting is defined on the mailbox store.

In the Exchange Management Console, go to "Server Configuration" – "Mailbox". Select the Mailserver, then select the Mailbox database in the lower part of the window and edit the properties.

In the "Limits" tabsheet, you can define the number of days deleted items should be kept available for recovery :

image_14

 

 

5. AutoComplete for Email Addresses

I’m sure you have noticed that Outlook keeps track of email addresses that have been entered in the address fields. These addresses are stored in a cache file in your profile folder, called .nk2 (where is in fact the Outlook profile name). By default, the file is saved under AppData\Roaming\Microsoft\Outlook
So if your profile is called "Outlook", the file is called Outlook.NK2 : 
image_16

You can enable or disable this behaviour using the following procedure :

Click "Tools" – "Options". Go to the Preferences tab and click "E-mail options" in the E-mail section 
image_18

Next, click "Advanced E-mail options"

image_20

To enable this feature (it is enabled by default), select "Suggest names while completing…"

 image_22
To disable, turn this setting off

 

If you want to remove a name from the cache, then
– start a new mail message and start typing the first characters of the name that you want to remove
– When outlook displays the popup menu with addresses, select the address that needs to be removed and press Delete (Don’t click on the name, but use the up/down arrows to position the current selection and then press the Delete button)

If you want to remove the entire cache (in case it gets corrupted or something like that), you can just close Outlook and remove the nk2 file.   When outlook is started again, a new (empty) file will be recreated.

Tip : you can easily copy & transfer this file to another computer or back it up (so you can restore it in case of crash)

 

© 2008 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.

Comments are closed.

Corelan Training

We have been teaching our win32 exploit dev classes at various security cons and private companies & organizations since 2011

Check out our schedules page here and sign up for one of our classes now!

Donate

Want to support the Corelan Team community ? Click here to go to our donations page.

Want to donate BTC to Corelan Team?



Your donation will help funding server hosting.

Corelan Team Merchandise

You can support Corelan Team by donating or purchasing items from the official Corelan Team merchandising store.

Protected by Copyscape Web Plagiarism Tool

Corelan on Slack

You can chat with us and our friends on our Slack workspace:

  • Go to our facebook page
  • Browse through the posts and find the invite to Slack
  • Use the invite to access our Slack workspace
  • Categories