Access to Outlook email without entering a password?

 
 
StepOne
      6th Sep 2007
Hi,

Using Outlook 2003 on MS Exchange. When users start Outlook it opens
requesting a password. However, if the user simply clicks the Cancel button
the password dialog disappears and he or she has access to all the existing
emails in the user's inbox.

I don't think there is anything Outlook can do about this, it seems very
poor security.

Does anyone know of a third party Outlook add-in that will prevent access to
emails before a password is entered?

Many thanks.
 
 
 
 
 
F. H. Muffman
 
      10th Sep 2007
"StepOne" <(E-Mail Removed)> wrote in message
news:56E51C88-A09D-4BC9-99D3-(E-Mail Removed)...
> Using Outlook 2003 on MS Exchange. When users start Outlook it opens
> requesting a password. However, if the user simply clicks the Cancel button
> the password dialog disappears and he or she has access to all the existing
> emails in the user's inbox.
>
> I don't think there is anything Outlook can do about this, it seems very
> poor security.


Odd. What does the dialog box look like? Assuming you are logged into the
domain, you shouldn't be prompted for a password at all. Unless, in the
profile, you configure it to use None for security. And at that point, when
you click Cancel, you won't be able to send mail. But you'll be able to
access the OST, sure. And that's entirely secure. Why, you ask, would that
be secure? Because your OS should be locked when you aren't at your
computer. Your domain password should be secure. And, frankly, if your
password isn't secure, or your computer isn't locked, you're not secure
anyways.

> Does anyone know of a third party Outlook add-in that will prevent access to
> emails before a password is entered?


Not that I'd feel comfortable recommending, since the only thing I can think
of would be to put mail in a PST and password protect that. But since most
users will just use their domain password there too, you're still not
secure.

Make sure that your users lock their workstations when they aren't at their
computer. If they do, sit at their computer, compose a mail that would be
embarrassing and send it to their manager, cc'ing them. Something like 'Hi,
I left my computer unlocked thereby jeopardizing security in the
organization. I now understand why the IT department requires us to lock
our computers and will, in the future, lock it.'

--
f.h.

 
 
Milly Staples [MVP - Outlook]
 
      10th Sep 2007
Additionally, configure Outlook to open in a blank folder or a non-essential folder like Calendar.

--
Milly Staples [MVP - Outlook]

Post all replies to the group to keep the discussion intact. All
unsolicited mail sent to my personal account will be deleted without
reading.

 
StepOne
 
      10th Sep 2007
Hi,

The dialog looks just like any logon dialog with a box for entering the User
name which is filled with the name from the last time Outlook was used, and a
password box. Apart from that there is only an OK and Cancel button.

Yes, I agree the workstation should be locked if the user leaves, but that
doesn’t explain Outlook’s poor security on Exchange. At logon, if the user
clicks the Cancel button Outlook goes immediately offline but all the already
downloaded emails can be read. A password is only requested again if the
Send/Receive button is clicked or the user selects Outlook to go back online.
By default Exchange downloads completely all received emails when Outlook is
started and even if it's set up to download only the headers, once the user
requests reading an email it has to be downloaded.

<rant> The reading pane should be blank or at the very least only the
headers should be displayed and it should not be possible to read complete
emails until a password has been entered. Otherwise, why bother with a
password at all? </rant>

Many thanks for taking the time to get back to me; incidentally, do you
happen to know if Outlook 2007 behaves in the same way?


 
F. H. Muffman
 
      10th Sep 2007
"StepOne" <(E-Mail Removed)> wrote in message
news:5687364C-8376-406C-8986-(E-Mail Removed)...
>
> The dialog looks just like any logon dialog with a box for entering the User
> name which is filled with the name from the last time Outlook was used, and a
> password box. Apart from that there is only an OK and Cancel button.
>
> Yes, I agree the workstation should be locked if the user leaves, but that
> doesn’t explain Outlook’s poor security on Exchange. At logon, if the user
> clicks the Cancel button Outlook goes immediately offline but all the already
> downloaded emails can be read. A password is only requested again if the
> Send/Receive button is clicked or the user selects Outlook to go back online.


???

Why is it poor security?

Your DOMAIN ACCOUNT is your access into Exchange.

The SAME PASSWORD that unlocks the workstation.

If someone can unlock your workstation, they can get into Outlook.

Heck. If someone can unlock your workstation, they don't even need to get
into your Outlook. They can log into OWA if it's configured.

When you open a network share that is only secured for *you* to access it,
do you have to enter a password? You shouldn't, if you're logged into the
domain. Simply going to start-run \\server\share will open it. Is that bad
security? No, it's domain security. You have already identified yourself
to the servers responsible for security that you are who you say you are.

The only poor security is security that isn't used, or used effectively.

I've worked for companies where the password needs to be something akin to
aBlk#$#@aD34, I've worked for companies where blackwater would have been
acceptable. I've worked for companies that forced a 2 minute screensaver on
a machine and would fire you for installing software to circumvent that.


> By default Exchange downloads completely all received emails when Outlook is
> started and even if it's set up to download only the headers, once the user
> requests reading an email it has to be downloaded.


If Outlook is asking for a domain password, it won't download mails until it
gets the password. The normal reason it asks for a domain password is that
either the domain authentication is set to none, or you aren't on the
domain.

> <rant> The reading pane should be blank or at the very least only the
> headers should be displayed and it should not be possible to read complete
> emails until a password has been entered. Otherwise, why bother with a
> password at all? </rant>


Then turn it off. I'm pretty sure there's a GPO that will disable the
reading pane. And again, you did have to provide a password to get there.
Otherwise, the machine wasn't locked.

And even then, a machine that you have physical access to is inherently
insecure. If someone has your HD, consider the data open.

> Many thanks for taking the time to get back to me; incidentally, do you
> happen to know if Outlook 2007 behaves in the same way?


It should. If you want 'better' security, set domain security to None and
turn off Cached mode. Then there isn't any local data to work with, all it
will see is the Exchange server. Of course, if you have regular network
outages, this will infuriate users since Outlook tends to do odd things like
hang the system for brief spurts. And if someone uses a laptop, they
wouldn't have the Outlook data unless they have a connection to the server.

But, again, the user name and password they will be putting in to start
Outlook is the same one to unlock the system, so I'm not sure what sort of
improvement you're getting, apart from having a blank screen if someone
happens to leave their computer unlocked, but didn't start Outlook.
Otherwise, the data is there.

--
f.h.

 
 
StepOne
 
      11th Sep 2007
Hi,

The way my employer's systems are set up, I don't have a domain password.
When my PC starts I enter a Windows password. When I start Outlook it asks
for a password but if I click Cancel, I have access to all previously
downloaded emails. No one has access to my OWA without my Outlook password.
If I'm daft enough to leave my PC open when I get up from my desk, anyone
who happens along has access to my email, as the Outlook password is
redundant, if they click Cancel at the Outlook logon - they're in.

Best regards,

SF

 
F. H. Muffman
 
      12th Sep 2007
"StepOne" <(E-Mail Removed)> wrote in message
news:A9922569-D693-4054-9077-(E-Mail Removed)...
>
> The way my employer's systems are set up, I don't have a domain password.
> When my PC starts I enter a Windows password. When I start Outlook it asks
> for a password but if I click Cancel, I have access to all previously
> downloaded emails. No one has access to my OWA without my Outlook password.
> If I'm daft enough to leave my PC open when I get up from my desk, anyone
> who happens along has access to my email, as the Outlook password is
> redundant, if they click Cancel at the Outlook logon - they're in.


Strictly speaking, OWA doesn't use an 'outlook' password, it uses a domain
password. You might not be using it to log into your workstation, and, I'll
be honest, that's a *bigger* security hole in my book, but, it's still a
domain password.

Turn off cached mode and you should get what you want, unless, of course,
you're putting your mail in a PST. But, again, if you're not connected to
the network, or if the Exchange server should be temporarily unavailable,
you won't have your email. At all.


--
f.h.
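
The replies above rest on the workstation locking itself when it is left unattended, since cached mail in the OST is readable by anyone at an unlocked desktop. As an added example (not posted by anyone in this thread), the following PowerShell script reports whether the current user's session has a password-protected screen saver in force, reading the Group Policy values first and the user's own Control Panel values second. The function names and the 600-second threshold are assumptions made for the example.

```powershell
# Added example: does this user's idle session lock itself?
# Values pushed by Group Policy override the user's own Control Panel settings.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'

function Get-EffectiveSetting {
    # Return the policy value if one is set, otherwise the user's own value.
    param([Parameter(Mandatory)][string]$Name)
    foreach ($key in @($PolicyKey, $UserKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) {
            return [pscustomobject]@{ Name = $Name; Value = [string]$item.$Name; Source = $key }
        }
    }
    [pscustomobject]@{ Name = $Name; Value = $null; Source = 'not set' }
}

function Test-IdleLock {
    # MaxTimeoutSeconds is an assumed threshold; set it to the local policy.
    param([int]$MaxTimeoutSeconds = 600)

    $active  = Get-EffectiveSetting -Name 'ScreenSaveActive'
    $secure  = Get-EffectiveSetting -Name 'ScreenSaverIsSecure'
    $timeout = Get-EffectiveSetting -Name 'ScreenSaveTimeOut'
    $saver   = Get-EffectiveSetting -Name 'SCRNSAVE.EXE'

    $findings = @()
    if ($active.Value -ne '1') {
        $findings += 'Screen saver is disabled, so an idle session never locks.'
    }
    if ([string]::IsNullOrWhiteSpace($saver.Value)) {
        # Enabled but with no program selected: nothing ever starts, nothing locks.
        $findings += 'No screen saver program is selected.'
    }
    if ($secure.Value -ne '1') {
        $findings += 'Screen saver does not require a password on resume.'
    }

    $seconds = 0
    if (-not [int]::TryParse([string]$timeout.Value, [ref]$seconds) -or $seconds -le 0) {
        $findings += 'No idle timeout is set.'
    } elseif ($seconds -gt $MaxTimeoutSeconds) {
        $findings += "Idle timeout is $seconds s, above the $MaxTimeoutSeconds s limit."
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Settings  = @($active, $secure, $timeout, $saver)
        Findings  = $findings
    }
}

$result = Test-IdleLock
$result.Settings | Format-Table Name, Value, Source -AutoSize
if ($result.Compliant) { 'Idle lock is in force.' } else { $result.Findings }
```

A `Source` under `Software\Policies` means the setting is enforced by Group Policy; a source under `Control Panel\Desktop` means the user can change it.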
