Access to Outlook email without entering a password?

Guest

Hi,

Using Outlook 2003 on MS Exchange. When users start Outlook it opens
requesting a password. However, if the user simply clicks the Cancel button
the password dialog disappears and he or she has access to all the existing
emails in the user's inbox.

I don't think there is anything Outlook can do about this, it seems very
poor security.

Does anyone know of a third party Outlook add-in that will prevent access to
emails before a password is entered?

Many thanks.
 
F. H. Muffman

StepOne said:
> Using Outlook 2003 on MS Exchange. When users start Outlook it opens
> requesting a password. However, if the user simply clicks the Cancel button
> the password dialog disappears and he or she has access to all the existing
> emails in the user's inbox.
>
> I don't think there is anything Outlook can do about this, it seems very
> poor security.

Odd. What does the dialog box look like? Assuming you are logged into the
domain, you shouldn't be prompted for a password at all. Unless, in the
profile, you configure it to use None for security. And at that point, when
you click Cancel, you won't be able to send mail. But you'll be able to
access the OST, sure. And that's entirely secure. Why, you ask, would that
be secure? Because your OS should be locked when you aren't at your
computer. Your domain password should be secure. And, frankly, if your
password isn't secure, or your computer isn't locked, you're not secure
anyways.

> Does anyone know of a third party Outlook add-in that will prevent access to
> emails before a password is entered?

Not that I'd feel comfortable recommending, since the only thing I can think
of would be to put mail in a PST and password protect that. But since most
users will just use their domain password there too, you're still not
secure.

Make sure that your users lock their workstations when they aren't at their
computer. If they do, sit at their computer, compose a mail that would be
embarrassing and send it to their manager, cc'ing them. Something like 'Hi,
I left my computer unlocked thereby jeopardizing security in the
organization. I now understand why the IT department requires us to lock
our computers and will, in the future, lock it.'
 
Milly Staples [MVP - Outlook]

Additionally, configure Outlook to open in a blank folder or a non-essential folder like Calendar.

--
Milly Staples [MVP - Outlook]

Post all replies to the group to keep the discussion intact. All
unsolicited mail sent to my personal account will be deleted without
reading.

After furious head scratching, F. H. Muffman asked:

|| Using Outlook 2003 on MS Exchange. When users start Outlook it opens
|| requesting a password. However, if the user simply clicks the Cancel
|| button the password dialog disappears and he or she has access to all
|| the existing emails in the user's inbox.
||
|| I don't think there is anything Outlook can do about this, it seems
|| very poor security.
|
| Odd. What does the dialog box look like? Assuming you are logged
| into the domain, you shouldn't be prompted for a password at all.
| Unless, in the profile, you configure it to use None for security.
| And at that point, when you click Cancel, you won't be able to send
| mail. But you'll be able to access the OST, sure. And that's
| entirely secure. Why, you ask, would that be secure? Because your
| OS should be locked when you aren't at your computer. Your domain
| password should be secure. And, frankly, if your password isn't
| secure, or your computer isn't locked, you're not secure anyways.
|
|| Does anyone know of a third party Outlook add-in that will prevent
|| access to emails before a password is entered?
|
| Not that I'd feel comfortable recommending, since the only thing I
| can think of would be to put mail in a PST and password protect that.
| But since most users will just use their domain password there too,
| you're still not secure.
|
| Make sure that your users lock their workstations when they aren't at
| their computer. If they do, sit at their computer, compose a mail
| that would be embarrassing and send it to their manager, cc'ing them.
| Something like 'Hi, I left my computer unlocked thereby jeopardizing
| security in the organization. I now understand why the IT department
| requires us to lock our computers and will, in the future, lock it.'
 
Guest

Hi,

The dialog looks just like any logon dialog with a box for entering the User
name which is filled with the name from the last time Outlook was used, and a
password box. Apart from that there is only an OK and Cancel button.

Yes, I agree the workstation should be locked if the user leaves, but that
doesn’t explain Outlook’s poor security on Exchange. At logon, if the user
clicks the Cancel button Outlook goes immediately offline but all the already
downloaded emails can be read. A password is only requested again if the
Send/Receive button is clicked or the user selects Outlook to go back online.
By default Exchange downloads completely all received emails when Outlook is
started and even if it's set up to download only the headers once the user
requests reading an email it has to be downloaded.

<rant> The reading pane should be blank or at the very least only the
headers should be displayed and it should not be possible to read complete
emails until a password has been entered. Otherwise, why bother with a
password at all? </rant>

Many thanks for taking the time to get back to me; incidentally, do you
happen to know if Outlook 2007 behaves in the same way?
 
F. H. Muffman

StepOne said:
> The dialog looks just like any logon dialog with a box for entering the User
> name which is filled with the name from the last time Outlook was used, and a
> password box. Apart from that there is only an OK and Cancel button.
>
> Yes, I agree the workstation should be locked if the user leaves, but that
> doesn’t explain Outlook’s poor security on Exchange. At logon, if the user
> clicks the Cancel button Outlook goes immediately offline but all the already
> downloaded emails can be read. A password is only requested again if the
> Send/Receive button is clicked or the user selects Outlook to go back online.

???

Why is it poor security?

Your DOMAIN ACCOUNT is your access into Exchange.

The SAME PASSWORD that unlocks the workstation.

If someone can unlock your workstation, they can get into Outlook.

Heck. If someone can unlock your workstation, they don't even need to get
into your Outlook. They can log into OWA if it's configured.

When you open a network share that is only secured for *you* to access it,
do you have to enter a password? You shouldn't, if you're logged into the
domain. Simply going to start-run \\server\share will open it. Is that bad
security? No, it's domain security. You have already identified yourself
to the servers responsible for security that you are who you say you are.

The only poor security is security that isn't used, or used effectively.

I've worked for companies where the password needs to be something akin to
aBlk#$#@aD34, I've worked for companies where blackwater would have been
acceptable. I've worked for companies that forced a 2 minute screensaver on
a machine and would fire you for installing software to circumvent that.

> By default Exchange downloads completely all received emails when Outlook is
> started and even if it's set up to download only the headers once the user
> requests reading an email it has to be downloaded.

If Outlook is asking for a domain password, it won't download mails until it
gets the password. The normal reason it asks for a domain password is that
either the domain authentication is set to none, or you aren't on the
domain.

> <rant> The reading pane should be blank or at the very least only the
> headers should be displayed and it should not be possible to read complete
> emails until a password has been entered. Otherwise, why bother with a
> password at all? </rant>

Then turn it off. I'm pretty sure there's a GPO that will disable the
reading pane. And again, you did have to provide a password to get there.
Otherwise, the machine wasn't locked.

And even then, a machine that you have physical access to is inherently
insecure. If someone has your HD, consider the data open.

> Many thanks for taking the time to get back to me; incidentally, do you
> happen to know if Outlook 2007 behaves in the same way?

It should. If you want 'better' security, set domain security to None and
turn off Cached mode. Then there isn't any local data to work with, all it
will see is the Exchange server. Of course, if you have regular network
outages, this will infuriate users since Outlook tends to do odd things like
hang the system for brief spurts. And if someone uses a laptop, they
wouldn't have the Outlook data unless they have a connection to the server.

But, again, the user name and password they will be putting in to start
Outlook is the same one to unlock the system, so I'm not sure what sort of
improvement you're getting, apart from having a blank screen if someone
happens to leave their computer unlocked, but didn't start Outlook.
Otherwise, the data is there.
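
The replies above rest on the workstation lock being the real control, so it is worth checking that the lock is actually enforced. An added example, not part of the thread: a PowerShell audit of the current user's screen-saver lock settings, assuming the standard Group Policy and Control Panel registry values and taking the 2-minute timeout mentioned above as the threshold; the function names are made up for this example.

```powershell
# Added example: audit the current user's screen-saver lock settings.
# Values set by Group Policy take precedence over the user's own settings.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'
$MaxIdleSeconds = 120   # assumption: the 2-minute limit mentioned in the thread

function Get-EffectiveSetting {
    param([string]$Name)
    foreach ($key in $PolicyKey, $UserKey) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [string]$item.$Name; Source = $key }
        }
    }
    return $null   # not configured in either location
}

function Test-ScreenLockSettings {
    $active  = Get-EffectiveSetting 'ScreenSaveActive'
    $secure  = Get-EffectiveSetting 'ScreenSaverIsSecure'
    $timeout = Get-EffectiveSetting 'ScreenSaveTimeOut'
    $saver   = Get-EffectiveSetting 'SCRNSAVE.EXE'
    $findings = @()

    if (-not $active -or $active.Value -ne '1') {
        $findings += 'Screen saver is not enabled, so the session never locks on idle.'
    }
    if (-not $saver -or [string]::IsNullOrEmpty($saver.Value)) {
        $findings += 'No screen saver is selected, so the idle timeout has nothing to start.'
    }
    if (-not $secure -or $secure.Value -ne '1') {
        $findings += 'Resuming from the screen saver does not require a password.'
    }
    if (-not $timeout) {
        $findings += 'No idle timeout is configured.'
    } elseif ([int]$timeout.Value -gt $MaxIdleSeconds) {
        $findings += "Idle timeout is $($timeout.Value)s; expected $MaxIdleSeconds s or less."
    }

    [pscustomobject]@{
        User      = $env:USERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-ScreenLockSettings | Format-List
```

Any finding means an unattended session can stay unlocked, which leaves the cached mailbox readable in the way this thread describes.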
 
Guest

Hi,

The way my employer's systems are set up, I don't have a domain password.
When my PC starts I enter a Windows password. When I start Outlook it asks
for a password but if I click Cancel, I have access to all previously
downloaded emails. No one has access to my OWA without my Outlook password.
If I'm daft enough to leave my PC open when I get up from my desk, anyone
who happens along has access to my email, as the Outlook password is
redundant, if they click Cancel at the Outlook logon - they're in.

Best regards,

SF
 
F. H. Muffman

StepOne said:
> The way my employer's systems are set up, I don't have a domain password.
> When my PC starts I enter a Windows password. When I start Outlook it asks
> for a password but if I click Cancel, I have access to all previously
> downloaded emails. No one has access to my OWA without my Outlook password.
> If I'm daft enough to leave my PC open when I get up from my desk, anyone
> who happens along has access to my email, as the Outlook password is
> redundant, if they click Cancel at the Outlook logon - they're in.

Strictly speaking, OWA doesn't use an 'outlook' password, it uses a domain
password. You might not be using it to log into your workstation, and, I'll
be honest, that's a *bigger* security hole in my book, but, it's still a
domain password.

Turn off cached mode and you should get what you want, unless, of course,
you're putting your mail in a PST. But, again, if you're not connected to
the network, or if the Exchange server should be temporarily unavailable,
you won't have your email. At all.
 
