Outlook 2010 - Allowing or blocking attachments with Group Policy

Hi All

if you need to allow or disallow a set of attachment files in Outlook 2010 with an Exchange 2010 back end this is the way to do it with Group Policy.

Download the ADMX files

First thing to do is to go and download the ADMX files the Office team have released for managing Office products with Group Policy. You can get the Office ADMX files here http://go.microsoft.com/fwlink/?LinkId=189316.

The ADMX files you will download can be added to your Central Store (which in a contoso.org AD domain would be hosted here \\contoso.org\sysvol\contoso.org\policies\PolicyDefinitions). The Office ADMX download will have both ADMX, and ADML files. The ADML files are the language specific parts of the administrative templates for Office, and these will be located in a language specifc folder. In my test environment, which is using a English US OS version, the ADML files exist in the en-us folder. I copied the ADMX files to the root of the PolicyDefinitions folder in SYSVOL and copied the en-us ADML files to the \\contoso.org\sysvol\contoso.org\policies\PolicyDefinitions\en-us folder.

If you want to know more about setting up a Central Store (PolicyDefinitions folder) to host your ADMX files have a look at this article http://support.microsoft.com/kb/929841

Create a Group Policy object to manage the Outlook Security Settings

Now that you have uploaded the Office ADMX files to your Central Store, using GPMC v2 (in RSAT on Windows 7 or Windows Server 2008 R2) you will be able to see the additional Office Group Policy settings.

In the "Group Policy Objects" node in GPMC, create a new Group Policy (not linked to an OU yet). Edit the GPO you just created, the Outlook Security attachment settings are "User Configuration" settings so navigate to User Configuration\Policies\Administrative Templates\Microsoft Outlook 2010\Security\Security Form Settings.

Enable the "Outlook Security Mode" Setting

The first setting we need to enable to use Group Policy based Outlook security settings is the "Outlook Security Mode" highlighted above. In the "Outlook Security Mode" setting, Enable the setting and select the "Use Outlook Security Group Policy".

Please note if you forget to enable the "Use Outlook Security Group Policy" option, changing the Level 1 or Level 2 add or remove settings will have no affect on Outlook. Hopefully you won't fall into this trap like I did recently, so remember this when troubleshooting settings not being applied.

Leverage Outlook Security Settings - Allow subset of Level 1 attachments

Outlook 2010 default security settings uses two levels for controlling attachments that are blocked from being accessed from within Outlook. There are 94 Level 1 attachments disabled from access in Outlook 2010 out of the box. The complete list of Level 1 attachments can be found here http://technet.microsoft.com/en-au/library/cc179163.aspx. Level 2 is the other level used by Outlook. Level 2 file types can be accessed by Outlook but cannot be double clicked from within the application, but instead are given the option to "Save to disk". There are no Level 2 file types configured automatically by Outlook, this list needs to be populated by an administrator.

If you have a business requirement to enable staff to access one of the Level 1 attachment types, we can do this with an additional Outlook GPO setting. Before we do that though I just want to make sure I emphasise that the files in the Level 1 attachment list are there as there are potential risks in allowing access to these files. Before enabling any of these file types in your system, make sure you fully understand the risks.

We remove attachment types from the Level 1 list by adjusting the "Remove file extensions blocked as Level 1" setting. Enable the GPO setting and in the "Removed Extensions" field enter in a semi-colon separated list of attachment types you wish to allow. In my example below I have added PST and PS1 files so that they can be accessed from within Outlook.

Once I have enabled the "Remove file extensions blocked as Level 1" setting, I am ready to link the GPO. In my test environment, I linked the GPO to my Staff OU where each of the mail enabled user accounts are hosted.

I am now ready to log on to Outlook with a test account to see the impact of my change. I logged onto Windows 7 with my test account (non-administrator). As you can see from the results of the test, the PowershellRocks.ps1 attachment can now be accessed from Outlook. The other email I opened had a KillerApp.exe attachment which remained blocked by the Level 1 file attachment blocking. Note in the blocked message, Outlook informs me that "Outlook blocked access to the potentially unsafe attachments: KillerApp.exe".

The other important thing to highlight is the impact of allowing the .ps1 file type, by leveraging the "Remove file extensions blocked as Level 1" setting is that if I double click the PS1 file now I am prompted with the dialog below. The only option I am given to use the file type is to "Save to Disk". For these Level 1 file types saving to disk should be an acceptable approach, in my case I'll fire up the Powershell script once I have Powershell up and running so Save to Disk is just fine. The overall impact of this change is to make the .PS1 file, which was originally a Level 1 file type, behave as thought it was a Level 2 file type.

The intent of Outlook requiring that I save to disk is that once the file is saved to disk, if it contains a virus or malware the desktop AV solution should pick it up as suspect.

Leverage Outlook Security Settings - Block attachments by adding file types to the Level 1 list

If you would like to add additional file types to the level 1 file type list, so they are not accessible via Outlook you can use the "Add file extensions to block as Level 1". In the diagram below I have elected to disable .mp3 and .avi files from being accessed within Outlook.

The impact of this change is that now I can no longer access .mp3 or .avi files from within Outlook. You can see below in Outlook that my test account can no longer access the .mp3 sent to me from the Administrator account.

I hope this info helps, happy messaging