Subject: [NT] Ways to cope with active content in e-mail
Date: Thu, 18 May 2000 21:19:48 +0200

Ways to cope with active content in e-mail
--------------------------------------------------------------------------------

SUMMARY

The last couple of days we IT people really didn't have a lot of fun: instead of hanging around the swimming pool and getting a nice tan, some of us had to fix "ILY" ('I Love You') and all of its variations. Some of us didn't have to delete even one ILY message from any user's mailbox. Why? Because they didn't allow potentially harmful files to be sent or received as attachments, as part of the corporate security implementation. So last week, while most of you were busy, they were relaxing (more or less).

DETAILS

While Melissa, ILY and all the other childish worms/viruses are nothing more than big red buttons that must not be pressed, the new issue is that you don't even have to press a button: simply viewing a message is enough to activate a possibly harmful procedure. It no longer helps to tell your users not to open attachments they don't recognise, or not to execute *.exe, *.vbs files, and so on.

While waiting for a fix for the problem, a few administrators decided it was high time to disable certain "features" of Outlook that can be used maliciously. Ways to disable these possibly harmful features are very well documented on the following web page:
http://ntbugtraq.ntadvice.com/outlookviews.asp

But if you are working with up to some 40,000 users, you know that no administrator will want to visit all of his users just to alter the security settings by hand. So a way to apply mass changes quickly has to be found.

Two essential regions of the registry have to be altered:

[HKCU\SW\MS\Windows\CV\Internet Settings\Zones\4]
1400=03 (DWORD)
1405=03 (DWORD)

and

[HKCU\SW\MS\Office\9.0\Outlook\Options\General]
Security Zone=4 (DWORD)

Have a look at this: the Zones\4 part of the registry is the HIGH security zone.
The value 1400 corresponds to Active Scripting, while 1405 corresponds to signed ActiveX controls. The DWORD value 3 means disabled, while 0 would stand for enabled. If you wish to PROMPT the user, set the value to 1. (NOTE: Users often don't understand what they are doing, and we have to respect that. So it may be highly desirable to choose DWORD=3.)

In the registry value Office\9.0\Outlook\Options\General\Security Zone you can define the default content zone. A value of 3 is the default and means "INTERNET". The value 4 is hence the "RESTRICTED" zone.

Creating a registry file to merge is one way of coping with this problem; another is to use an administrator policy.

Merging registry:

Create the following ASCII text file (using notepad, for example):

**** Start of OL_AS_Sec_fix.reg ****
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000003
"1405"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\General]
"Security Zone"=dword:00000004
**** End of OL_AS_Sec_fix.reg ****

(NOTE: These registry keys work for OL2000. On OL98 the 1400 and 1405 keys are the same, but the Security Zone value might be found at a different place (8.0 or so).)

Now all that's left is to publish the OL_AS_Sec_fix.reg file to a location that can be reached by all domain users during the login process. In the login script, execute the following line:

regedit /S %PathToRegFiles%\OL_AS_Sec_fix.reg

For example:

regedit /S \\Server1\hidden$\misc\reg\OL_AS_Sec_fix.reg

The /S switch makes the operation quiet (silent). If you omit the switch, the user will be prompted with an annoying little message box telling them the reg file was successfully merged into the registry (NT4), or will be asked whether it's OK to merge the reg file into the registry (Win2k).

Administrator policy:

An easy way to make mass registry tweaks is to write a custom domain policy.
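Whichever way the values are delivered, it pays to check that the file being merged (or a .reg export taken from a workstation afterwards) really carries them. As an added example that is not part of the original bulletin, this Python script parses the REGEDIT4 format and reports every setting that is missing or weaker than requested; the two embedded .reg samples are constructed here, one matching OL_AS_Sec_fix.reg above and one deliberately weak.

```python
import re

# Registry locations and expected DWORDs as given in the bulletin above.
ZONE4_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\4")
OUTLOOK_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\General"
# 1400 = Active Scripting, 1405 = signed ActiveX controls; 3 = disabled, 1 = prompt, 0 = enabled.
ZONE_SETTINGS = {"1400": "Active Scripting", "1405": "signed ActiveX controls"}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_regedit4(text):
    """Parse REGEDIT4 text into {key: {value_name: int}}; only DWORD values are kept."""
    result, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key, val = _KEY_RE.match(line), _DWORD_RE.match(line)
        if key:
            current = key.group(1)
            result.setdefault(current, {})
        elif val and current is not None:
            result[current][val.group(1)] = int(val.group(2), 16)
    return result

def audit_outlook_hardening(reg_text):
    """Return one finding per setting that is missing or weaker than the bulletin asks for."""
    reg, findings = parse_regedit4(reg_text), []
    zone4 = reg.get(ZONE4_KEY, {})
    for name, label in ZONE_SETTINGS.items():
        value = zone4.get(name)
        if value is None:
            findings.append(f"Zone 4 {name} ({label}) not set")
        elif value != 3:
            state = {0: "enabled", 1: "prompt"}.get(value, value)
            findings.append(f"Zone 4 {name} ({label}) is {state}, expected disabled (3)")
    zone = reg.get(OUTLOOK_KEY, {}).get("Security Zone")
    if zone is None:
        findings.append("Outlook Security Zone not set")
    elif zone != 4:
        findings.append(f"Outlook Security Zone is {zone}, expected Restricted sites (4)")
    return findings

# Constructed sample: the bulletin's OL_AS_Sec_fix.reg, hardened as above.
HARDENED_REG = (f'REGEDIT4\n\n[{ZONE4_KEY}]\n"1400"=dword:00000003\n"1405"=dword:00000003\n\n'
                f'[{OUTLOOK_KEY}]\n"Security Zone"=dword:00000004\n')
# Constructed weaker variant: 1400 only prompts, 1405 is missing, Outlook stays in zone 3 (Internet).
WEAK_REG = (f'REGEDIT4\n\n[{ZONE4_KEY}]\n"1400"=dword:00000001\n\n'
            f'[{OUTLOOK_KEY}]\n"Security Zone"=dword:00000003\n')
```

Running audit_outlook_hardening on a file exported from a workstation after login shows immediately whether the merge actually took effect for that user.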
All that is required is a text editor, poledit.exe (provided by Microsoft in the Resource Kit), and access to the netlogon shares of all the domain controllers in a domain. Domain policy is applied to a machine at boot and at login. One can put out \\dcname\netlogon\ntconfig.pol for NT4/Win2k machines and \\dcname\netlogon\config.pol for Win9x machines and wait for people to reboot/log in to apply the settings, or forcibly sweep through and reboot them.

A bunch of special customizations (Plain Text Password disabling, DHCP IP defaults, IP Source Routing disabling, clearing the pagefile on shutdown, Anonymous access restricting, etc.) are available at:
ftp://ftp.parc.xerox.com/transient/merchant/Gurdon.adm

Make the changes and then copy out the ntconfig.pol. The size of ntconfig.pol/config.pol can easily grow and thus impact login times. Therefore only put the settings into Default Computer and Default User and let those apply to everyone. For the infrastructure servers, have a tighter policy where the servers pick up an ntconfig.pol that they read from their local hard drive instead of from the netlogon share. (This is documented in the knowledge base. It is also a convenient way to test new policy locally without deploying it.) Keeping things in two pieces like this keeps the *.pol files small and allows settings on the servers that differ from those on user machines.

There are a number of Microsoft knowledge base articles documenting how to make custom domain policy, as well as articles documenting most of the registry settings one might want to create policy for. Though incomplete, this article is quite helpful:
Q182569: Description of Internet Explorer Security Zones Registry Entries
(The hidden "My Computer" zone is also interesting.)

Most of the settings it describes have been implemented (along with some others that weren't listed) in Gurdon.adm. The file also contains the implementation of Internet Explorer's Zone 4 ("Restricted sites") on a per-user basis.
Microsoft's article explains how you can also go into the HKLM registry key and change the interaction between the two, but you can use Gurdon.adm to either disable or set to high security all settings present in Zone 4 and then force Outlook 98/2000 to use "Restricted sites" as the zone for e-mail.

Be aware that there are quite a few bugs (documented in the knowledge base articles) regarding the Internet Explorer zones. Some of them can cause IE's zone to be interpreted incorrectly. For example, if people pick a silly name for the computer it may cause a problem, as shown here:
Q168617: Update Available for Dotless IP Address Security Issue
Although a host with such a name shouldn't work anyhow:
Q190294: Use of all Numeric NetBIOS Names Can Cause Problems

ADDITIONAL INFORMATION

The information has been provided by: Boris Pavalec and Merchant, Gurdon E Jr

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.