Task 7.5: Securing Email

Everyone loves email. It’s a fast, convenient way to communicate and send information. It is also a direct path to your computer for an attacker. If an attacker can get you to open an attachment or run an attached executable, you may be in real trouble. The Melissa virus affected 20 percent of all computers in the United States. The I Love You virus caused $15 billion worth of damage worldwide, and SQL Slammer infected more than 500,000 computers. These numbers should drive home the importance of securing email—the focus of this task.

Email security starts outside of the Outlook application. Windows systems have a nasty habit of hiding file extensions. This means that if you get an attachment titled MyVacationPhoto.jpg, it may really be MyVacationPhoto.jpg.exe, and you may never even know, since extensions for known file types are typically hidden by default.

Scenario

Last week, several computers in your network became infected with a new computer virus. Management is now very concerned about any vulnerability in the email system. The organization uses Microsoft Outlook and is most worried about what might slip by antivirus software. They would like you to harden the application.

Scope of Task

Duration

This task should take about 30 minutes.

Setup

For this task, you need a Windows computer, access to the Administrator account, and the Microsoft Outlook application.

Caveat

Securing email takes more than just technical expertise. End users must be trained to think before opening attachments and be taught good email practices.

Procedure

In this task, you will modify Windows to display file extensions, adjust Outlook for maximum security when handling graphics, and adjust the security zones.

Equipment Used

For this task, you must have:

  • A Windows XP, Windows Vista, or Windows 7 computer
  • Access to the Administrator account
  • Microsoft Outlook installed

Details

This task will focus on securing email, which is an easy point of attack. If an attacker can get someone to run his attachment or code, he can take control of the user’s system. The steps below cover specific ways that Outlook can be hardened and made more secure for the end user.

Displaying File Extensions

1. Double-click the My Computer icon on the Desktop.

2. Select Tools ⇒ Folder Options to open the Folder Options dialog box.

3. Select the View tab.

4. On the View tab, uncheck Hide File Extensions For Known File Types. This will allow you to see file extensions and make more informed decisions when dealing with attachments. Click OK.

5. Close the Folder Options window.
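Showing extensions helps the user at the desktop; the same check can also be applied to a message before it is opened. The following is an added example, not part of the original task: it flags attachments whose real extension is executable while the name shown with extensions hidden still ends in a harmless-looking one. The extension lists, function names, addresses, and sample message are assumptions constructed for illustration.

```python
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed lists for illustration; tune them to your own attachment policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}


def hidden_name(filename):
    """Name shown when the final (known) extension is hidden."""
    return PurePosixPath(filename.strip()).stem


def is_disguised(filename):
    """True when the last extension is executable and the one before it is a decoy."""
    suffixes = [s.lower() for s in PurePosixPath(filename.strip()).suffixes]
    return (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DECOY_EXTS)


def audit_attachments(msg):
    """Return (real_name, displayed_name) for each disguised attachment in msg."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and is_disguised(name):
            findings.append((name, hidden_name(name)))
    return findings


def build_sample_message():
    """Constructed sample: one ordinary picture and one disguised executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Holiday pictures"
    msg.set_content("Pictures attached.")
    msg.add_attachment(b"\xff\xd8\xff\xe0", maintype="image", subtype="jpeg",
                       filename="Beach.jpg")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                       filename="MyVacationPhoto.jpg.exe")
    return msg


if __name__ == "__main__":
    for real, shown in audit_attachments(build_sample_message()):
        print(f"{real!r} is displayed as {shown!r} when extensions are hidden")
```
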

Configuring Outlook Security for Graphics

1. A number of settings can be configured to increase the security of Outlook. The best place to start is to properly configure Outlook’s security preferences. Open Outlook and choose Tools ⇒ Options to open the Options dialog box.

2. Select the Security tab and click the Change Automatic Download Settings button.

3. The resulting dialog box will let you control how Outlook downloads and handles pictures. Blocking graphics can help protect your privacy. Malicious individuals can use graphics requests to verify your identity and detect if they have connected with a valid email account. Make sure that the Don’t Download Pictures and Warn Me Before Downloading Content check boxes have been selected.

4. Click OK to close the Automatic Picture Download Settings dialog box.

Adjusting Security Zones

1. On the Security tab, you will see the Security Zones area. This feature can be used to control the activity of content, such as scripts, Java, and ActiveX, that can cause problems. Click the Zone Settings button to open the Security dialog box.

2. Click the Custom Level button. This will open the Security Settings dialog box. Scroll down to Script ActiveX Controls Marked Safe For Scripting and change the setting from Enable to Prompt. Then click OK. This will return you to the Security dialog box.

3. In the Security dialog box, click the Internet icon and choose Custom Level. This will open the Security Settings dialog box.

4. In the Security Settings dialog box, you will make several changes to increase security:

  • Run Components Not Signed With Authenticode: Prompt
  • Font Download: Prompt
  • User Authentication: Prompt For User Name And Password

5. After making these changes, click OK, then click OK again. On the Security tab, click OK to save your changes and exit the configuration.

Criteria for Completion

You have completed this task when you’ve modified Windows to display file extensions, adjusted Outlook for maximum security when handling graphics, and adjusted the security zones.
