Outlook 2003 Attachment Security question

    Question

  • Ok, first off this is my first thread so let me know if this is the wrong place etc. I've searched for similar topics/threads but couldn't find anything.

    I'm looking after a Citrix environment within a domain containing Exchange 2003 servers and Outlook 2003 clients. Basically we are using a third party application (Archive Manager) and users are receiving an error when accessing some emails containing attachments. I need to change the security permissions on the 'Temporary Internet Files' folder (C:\Documents and Settings\username\Temporary Internet Files\OLKxx) within each user's profile as the attachments are saved into a random OLK folder temporarily when the user opens them and currently this isn't happening.

    My original fix was to enable the following GPO setting:
    'User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools | Options\Security\Cryptography\Signature Status Dialog\Attachment Secure Temporary Folder'.
    Editing it to point to C:\Documents and Settings\username\Temporary Internet Files (or any other location) works fine.
    Editing it to point to %UserProfile%\Temporary Internet Files (or any other location) does not work.
    The reason for this is that environment variables in the registry are not expanded by default, therefore it needs to be in a REG_EXPAND_SZ key in order to work (instead of a standard REG_SZ key).
    If I try and force an expandable string, it would just get overridden at logon by the default one.
    I need to be able to point it to each user's profile, not just a single user's profile. I also don't want to create a new folder on every Citrix server we have and point it to this new folder (Archive Manager suggested this as the fix as per http://support.microsoft.com/kb/305982 but this seems unnecessary).

    So my question basically is - Does anyone know how to alter the security on the 'Temporary Internet Files' folder, or even if you can? There is no security tab under the folder's properties. Is the security of Outlook attachments possibly handled by the IE security zones?

    Any help is much appreciated as I'm in quite a bind and can't find any other group policy settings to handle this. If anything is unclear please let me know. Thanks.

    Tuesday, September 30, 2008 11:05 PM

Answers

  • Hi,

    We find the below registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security

    Value Name: OutlookSecureTempFolder
    Data Type: REG_SZ

    There we can set the value of OutlookSecureTempFolder to the location that you want. Based on my research, you may need to specify a network location to centrally store temporary attachments and for clients to download attachments.

    Note: it may affect the network bandwidth.

    You can create a GPO for that registry key:

    1. Run “GPedit.exe” - “Computer settings” - “Windows settings” - “Security settings” - “Registry”

    2. Right-click “Registry” - “Add”

    3. “Machine\Software\Microsoft\Office\11.0\Outlook\Security”

    More information to share with you:

    Attachments remain in the Outlook Secure Temporary File folder when you exit Outlook 2003 or Outlook 2007

    http://support.microsoft.com/kb/817878

    Hope it helps.

    Xiu

    Thursday, October 2, 2008 7:49 AM
  • Thanks for the info Xiu,

    I've tested changing the registry key and while it does work it only works for absolute paths, i.e. I can't use an environment variable within it such as %userprofile% as the default registry key isn't an expandable one.
    Ideally I want to point it to each user's profile on the Citrix server and don't want the extra bandwidth necessary to use a network folder. It looks as though I will have to create a new local folder that all users can access and point it there...

    Thursday, October 2, 2008 7:42 PM

All replies

  • Since I've spent considerable time working this out, here is my solution: the outlk12.adm file does indeed provide a GPO option for the outlooksecuretempfolder key, but as stated above creates the key as REG_SZ. I created a custom adm file using the details from the outlk12.adm file, but changed it so that the created key would be REG_EXPAND_SZ, which (as also stated above) allows environment variable expansion.

    ###################

    CLASS USER
    CATEGORY !!Outlook12Custom
        POLICY !!L_AttachmentSecureTemporaryFolder
            KEYNAME Software\Policies\Microsoft\Office\12.0\Outlook\Security
            PART !!L_EntertheSecureFolderpath EDITTEXT EXPANDABLETEXT
                VALUENAME OutlookSecureTempFolder
            END PART
            EXPLAIN !!L_AttachmentSecureTemporaryFolderExplain
        END POLICY
    END CATEGORY

    [strings]
    Outlook12Custom="Outlook 2007 custom"
    L_AttachmentSecureTemporaryFolder="Attachment Secure Temporary Folder"

    L_EntertheSecureFolderpath="Enter the Secure Folder path"
    L_AttachmentSecureTemporaryFolderExplain="This policy setting allows you to specify a folder path for the Secure Temporary Files folder rather than using the one that is randomly generated by Outlook 2007.\n\nIf you enable this policy setting, you can specify a folder path for the Security Temporary Files folder rather than using the one that is randomly generated by Outlook 2007.\n\nIf you disable or do not configure this policy setting, Outlook 2007 will assign the Secure Temporary Files folder a different random name for each user.\n\nImportant - If you must use a specific folder for Outlook attachments, Microsoft recommends that you use a local directory (for best performance), that you place the folder under the Temporary Internet Files folder (to benefit from the enhanced security on that folder), and that the folder name is unique and difficult to guess."
    #################

    • Proposed as answer by JuliusPIV Monday, October 14, 2013 12:20 PM
    Thursday, July 7, 2011 8:56 PM
  • Brilliant!

    Was looking for a solution this morning after running into this 'problem' over the weekend.


    Because this represents an enterprise wide change, I have to submit a change request and go through that process. However, in the meantime, I have two centralized solutions that will get users, and our help desk, to the proper location.

    Method 1 - Batch file to read directory name from registry & open path in Explorer.

    @echo off
    
    setlocal enabledelayedexpansion
    
    set _reg1="HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security"
    set _reg2="HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security"
    
    for %%i in (!_reg1! !_reg2!) do (
    	for /F "usebackq tokens=2*" %%j in (`reg query %%i /v OutlookSecureTempFolder 2^>nul`) do (
    		rem j is reg_sz
    		rem k is the full path
    
    		if exist "%%k" (
    			echo. & echo Temp Folder is:
    			echo %%k
    
    			echo. & echo Opening "%%k"
    			explorer.exe "%%k"
    		) else (
    			echo. & echo Temp Folder is Empty:
    			echo %%k
    		)
    	)
    )
    
    echo. & echo. & pause
    
    set _reg1=
    set _reg2=
    
    exit /b

    Method 2 - Create a universal shortcut to parent directory

    • C:\Windows\explorer.exe "%localappdata%\Microsoft\Windows\Temporary Internet Files\Content.Outlook\"



    • Edited by JuliusPIV Monday, October 14, 2013 12:48 PM
    Monday, October 14, 2013 12:21 PM
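
Added example, not part of the thread and not code from any poster: a PowerShell audit of the OutlookSecureTempFolder value that reports whether it is stored as REG_SZ or REG_EXPAND_SZ, what path it resolves to, and whether that path stays inside the current user's profile. The function name is hypothetical, and the Policies path for Office 11.0 is assumed by analogy with the 12.0 policy key used in the custom ADM above.

```powershell
# Added example: audit OutlookSecureTempFolder for the current user.
# 11.0 (Outlook 2003) and 12.0 (Outlook 2007) are the versions named in the thread.
# Assumption: the Policies\...\11.0 key mirrors the 12.0 policy key from the ADM.
$valueName = 'OutlookSecureTempFolder'
$keyPaths = foreach ($ver in '11.0', '12.0') {
    "HKCU:\Software\Microsoft\Office\$ver\Outlook\Security"
    "HKCU:\Software\Policies\Microsoft\Office\$ver\Outlook\Security"
}

# Hypothetical helper name; returns one object per key that holds the value.
function Get-SecureTempFolderSetting {
    param([string]$KeyPath, [string]$Name)

    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key -or $key.GetValueNames() -notcontains $Name) { return }

    # Read the stored string exactly as written, without API-side expansion.
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $raw  = [string]$key.GetValue($Name, $null, $noExpand)
    $kind = $key.GetValueKind($Name)   # String = REG_SZ, ExpandString = REG_EXPAND_SZ

    # As reported in the thread, a REG_SZ value is taken literally, so
    # %UserProfile% is only resolved when the value is REG_EXPAND_SZ.
    $effective = if ($kind -eq 'ExpandString') {
        [Environment]::ExpandEnvironmentVariables($raw)
    } else { $raw }

    $profileRoot = $env:USERPROFILE.TrimEnd('\') + '\'
    [pscustomobject]@{
        Key              = $KeyPath
        Kind             = $kind
        RawValue         = $raw
        EffectivePath    = $effective
        # REG_SZ data that still contains %VAR% will never resolve.
        UnexpandedVar    = ($kind -ne 'ExpandString' -and $raw -match '%[^%]+%')
        Exists           = ([bool]$effective -and
                            (Test-Path -LiteralPath $effective -PathType Container))
        # False means the folder is outside this user's profile (shared or fixed path).
        UnderUserProfile = $effective.StartsWith($profileRoot,
                            [StringComparison]::OrdinalIgnoreCase)
    }
}

$keyPaths |
    ForEach-Object { Get-SecureTempFolderSetting -KeyPath $_ -Name $valueName } |
    Format-List
```

A result with UnexpandedVar = True reproduces the REG_SZ problem described in the question. UnderUserProfile = False on a multi-user Citrix server means attachments from different users land in one folder outside their profiles.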