Allowing potentially dangerous attachments in Outlook

I’ve come up against this one before, but as its something I’ve had to look up on a few occasions, I thought I’d post it up here. You know the problem – someone e-mails you a useful script and Outlook blocks access to it; and rightly so as we have no real way of telling if the attachment could be malicious.

If you trust the sender and are sure you need to access the attachment, there is a quick registry hack you can employ:

  1. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security\ (for Outlook 2003 – change 11.0 to 10.0 for Outlook 2002 or 9.0 for Outlook 2000).
  2. Add a new String Value called Level1Remove and add a semicolon-delimited list of file extensions to be allowed, e.g. .bat;.cmd;.com;.exe;.vbs.
  3. Restart Outlook and the offending attachments will be accessible.

Remember that this is disabling a security feature, so only enable potentially dangerous attachment types as an emergency workaround and remove the Level1Remove value once complete.

More details may be found in Microsoft knowledge base article 829982.

Tablet PCs rock! (with Windows XP SP2)

I’ve always been sceptical about the market for a tablet PC, but after having worked with some of the Microsoft consultants who use them, I’ve been converted to the idea that these are a really good business tool (for certain users).

It should be noted that tablet PC usability is greatly improved once Windows XP service pack 2 is applied as the full version of SP2 contains all the components necessary to update the operating system to the Tablet PC 2005 release (codenamed Lonestar).

The particular model that I’ve seen is the Toshiba Portégé M200. It seems to offer most of the features I would expect in a modern notebook PC (albeit without any legacy ports and with a separately attached optical drive), as well as a screen that rotates to hide the keyboard and convert the device to a tablet. As I write this, I’m trying to get my hands on a tablet PC to get some real life experience, but the following notes were taken as one of the Microsoft consultants demonstrated his M200 to me:

  • The stylus pen is pressure sensitive, allowing it to be used just like a conventional pen for bold or light text. A button allows right-clicking with the stylus, which also includes an eraser on the top end.
  • Ink annotations can be used to review a document and literally write on it in a variety of colours as well as to highlight text (as one would with a highlight marker pen). I was really impressed when I (as a non-tablet PC user) received a document that had been annotated in this way and Microsoft Office Word 2003 was able to read the document complete with all the annotations. One point to note – annotated with Word’s reading layout enabled, the annotations will not be anchored in the in the correct location for printing – annotating a document using the print layout will resolve this issue.
  • Searches may be made on words (even those written in digital ink), and it is possible to highlight digital ink and select a convert handwriting to text option. Pen-enabled applications such as Microsoft Office applications and Notepad will perform handwriting recognition as written, even suggesting alternatives where they are not clear as to the exact word being used (and learn new words as they are selected). As alternatives to continuous handwriting recognition, single character recognition and a soft keyboard are both available; and on non-SP2 tablet PCs, writing takes place anywhere on the page, rather than in a predefined area. A particularly neat feature is that annotations may be grabbed, copied as text and pasted.
  • The M200 has a series of additional buttons situated around the display which can be used for up, down, escape, etc., as well as context-sensitive items such as cut and paste. Additionally, with the use of an application called Symbol Commander, stylus symbols can be used to perform commands (e.g. exit).
  • With a tablet PC, Microsoft Office OneNote 2003 really becomes a killer application. I have started to use it in meetings on my notebook PC (and think it is probably the best thing that Microsoft have done to Office in years), but the tablet PC just makes it that little bit more usable – allowing the addition of diagrams and really using OneNote as a replacement to the Black ‘n Red wirebound A4 ruled notebook that I normally carry everywhere when I’m working!
  • There is still at least one usability issue – the cursor position in relation to the pen depends on the angle at which the tablet PC is being held (i.e. on a desk, or at an angle), and so when calibrating the stylus, it is important to calibrate in the position that the tablet PC will be used in most.
  • The installation of a few PowerToys (unsupported programs that developers work on after a product has been released to manufacturing) might be considered, including the Hold Tool (which allows holding down the pen for controls such as scroll bars, instead of a simple push on/off stylus action) and the Snipping Tool (which allows anything on screen to be cut out and pasted into a document – useful when researching). These are just two of the many PowerToys that are available from Microsoft.
  • One might think that battery life would be a concern, but real users are achieving between 3 and 3½ hours on a single charge (with no effort) and even more with tuned power settings (up to 6½ hours in one case). Screen timeout can be a nuisance, but there is a utility called monsus.exe that can be used as a shortcut to suspend the monitor, allowing approximately a 20% drop in power consumption when used habitually (e.g. when in an impromptu discussion).

I’m told that there were some significant issues with early tablet PCs but it seems that SP2, plus some PowerToys have allowed them to become a vehicle for increased productivity opening up features such as the ability to annotate documents and send electronic copy to clients or colleagues and unleashing OneNote to become a killer application.

More information about Windows XP tablet PCs is available at the Microsoft website.

Issues when editing Windows XP SP2 group policy objects

I’m working with Microsoft on a client site and one of the potential issues we raised today was around the impact of the new group policy settings supporting Windows XP SP2. SP2 provides administrators with .ADM templates for 1378 group policy settings (although only 87 seem to relate specifically to SP2; 1 more to computers with SP2 or BITS 2.0; and a further 518 to Internet Explorer 6.0 in Windows XP SP2). Full details are available from Microsoft; however there are issues that need to be resolved with a hotfix when editing policies that use the new .ADM templates on non-Windows XP SP2 computers, as described in Microsoft knowledge base article 842933.

Microsoft have also published a white paper providing best practice for managing Windows XP SP2 features using group policy.

Finally entering the world of mobility…

Today, I got my first smartphone – a Nokia 6600 connected to Orange. For a few years now, I’ve used a succession of Compaq iPAQs (as nothing more than expensive diaries and address books really) and whilst I have connected to services using my PDA with a mobile phone on occasion, I figured it was about time I made a move towards the true mobility. So far I’ve only made phone calls and sent a test e-mail (at which point I wished I’d gone for a phone with a full keyboard). I know the new Orange SPV C500 is reported to be a great smartphone, but I really like Nokia handsets and when I saw the 6600 last week I knew I “had” to have one.

I switched to Vodafone from Orange about 5 years ago (I had been with them since 1994 – pretty much as soon as they started up). To be honest I’d still be with Vodafone if they didn’t charge for itemised billing and if I could get the handset and tariff deal I wanted (the “customer loyalty” team at my previous service provider, Carphone Warehouse, failed to call me back and then told me they couldn’t do me an upgrade to the Nokia 6600 for less than £59 when I chased them), but my original reason for leaving Orange was poor customer service and it seems that not a lot has changed. My phone came with instructions to activate it using one of two numbers – the first one was only available from an Orange phone, and so was barred until I could activate the account (chicken… egg…) and the second led to an Orange salesperson who just gave me the full 11 digit version of the original number, which I rang from my old phone. Only after about 20 minutes on hold did I finally get to speak to someone who could activate my phone. A great start for a returning customer hey! Let’s just see if they can successfully port my number…

I can recommend the reseller I used ( – they were really helpful when I called them and did me a good deal: free handset (the Orange shop wanted £30); free shipping (by Royal Mail Special Delivery); 3 months free insurance; £30 cashback after 6 months; free accessory pack (leather case, car charger and personal hands free kit); plus the current Orange offer of double minutes and double SMS.

Anyway, let’s see if I actually use any of the smartphone capabilities now…

Tackling spam in Exchange with the RegEx SURBL

Last week, I read an interesting e-mail from the Windows and .NET magazine network Exchange and Outlook update, discussing Spam URL Realtime Block Lists (SURBLs), which examine message contents to block spam. This week’s e-mail highlights a free Exchange Server SURBL – the RegEx filter.

The basic idea behind the RegEx Filter, is the ability to filter email based on any arbitrary text pattern. It is implemented as an event sink that hooks into the Exchange SMTP engine (by default, the filter works only with the first virtual server instance, but this can easily be changed) and applies regular expression tests against the message sender, recipient, or contents.

It is possible to specify any number of individual filters to run against incoming messages and the filter also includes:

  • A large filter file that tests for common patterns found in adult-oriented spam.
  • A whitelist of expressions to be allowed; by customizing this list, it is possible to easily whitelist addresses or senders.
  • A list of blocked recipients; the filter drops blocked recipients as soon as it sees the SMTP rcpt to verb, instead of waiting until the mail has been accepted for delivery.
  • A list with expressions commonly found in “Nigerian scam” messages.

Any or all of these capabilities can be used to roll in additional filtered expressions (by editing XML files, as long as there is a regular expression that will match the messages to be accepted or dropped). The XML schema for the filtering language includes the ability to specify IP address ranges, perform DNS lookups and filter according to the results, slow down the sending mail server by imposing a timeout (for punishing repetitive spammers), and a host of other features.

I haven’t tested the filter yet (I need to move my e-mail service over to Exchange first), but in Paul Robichaux’s original article (from which the information in this post is taken) he suggested that the filter didn’t add any significant performance overhead and that it also includes a set of Performance Monitor counters that can be registered to assist in assessing any performance issues as a result of filtering.

Robichaux also highlighted that RegEx isn’t perfect: its documentation is pretty opaque, and there’s no real step-by-step guide to installing the filter on an Exchange server. Also (and potentially worrying) the default filter configuration logs all accepted messages to disk, exposing all valid, accepted mail in plain text form. Apart from the obvious security implications, these logs also consume a large amount of disk space. Fortunately, the logging can be turned off.

This looks to me, to be a useful (free) tool in the battle to prevent spam.

Deploying Windows XP SP2 using Software Update Services

Windows XP SP2 is big and administrators planning to deploy SP2 should be considering the impact on their networks. Microsoft has published an article on deploying SP2 via SUS, including throttling bandwidth usage and preventing the XP SP2 distribution from effectively killing all other network activity.

New version of MBSA for Windows XP SP2 users

Users of Windows XP Service Pack 2 will need to update the Microsoft Baseline Security Analyser (MBSA) to version 1.2.1 for compatibility with SP2 security improvements. According to Microsoft, Windows XP SP2 users who are running MBSA 1.2 will be automatically notified of the update when they run the utility whilst connected to the Internet.

The first post-Windows XP SP2 hotfix

Steven Bink reports that Microsoft have released their first post-SP2 hotfix (just 14 days after SP2 was released!). The problem relates to programs that connect to IP addresses that are in the loopback address range and further details are contained in Microsoft knowledge base article 884020.