Outlook Custom Forms Security Issues

Custom Outlook forms are subject to several layers of security that determine whether VBScript code behind the form can run and whether ActiveX controls (beyond those included with Outlook) are blocked.

In most cases, if VBScript code does run, it will not be subject to "object model guard" security prompts, as long as all Outlook objects are derived from the intrinsic Application and Item objects that custom form VBScript code supports. For information on these security prompts, see:

This page covers strategies for dealing with other security issues related to Outlook custom forms in current versions.

Forms in Other Mailboxes

By default, items created with custom forms do not run code when the user opens them from a shared mailbox. You can change the setting by choosing Tools | Options | Other | Advanced Options and checking the box for Allow script in shared folders. You'll see that there is also an option for Allow script in public folders. In Outlook 2007, these settings are in the Tools | Trust Center dialog, under E-mail Security.

The corresponding registry values for Outlook 2003 are in the HKCU\Software\Microsoft\Office\11.0\Outlook\Security key -- SharedFolderScript and PublicFolderScript, both DWORD values. For Outlook 2007, replace 11.0 with 12.0.

Note that these settings affect both script in custom forms for items in public folders and script in folder home pages for such folders.

For more information, see:

One-off forms

Code will not run on items created from unpublished or one-off forms. Also, some ActiveX controls will be blocked, as described below. The one-off issue affects:

  • Items created with saved .oft file templates
  • Items created with forms that were published with the Send form definition with item box on the form's (Properties) page checked
  • Items created with properly published forms that later became one-offs because code was added behind the form or a custom property was added

To ensure that a form does not one-off:

  • Make sure the Send form definition with item box on the (Properties) tab of the form is not checked. When you publish a message form in Outlook 2003, Outlook will suggest that you may want to check the Send form definition with item box to ensure that the recipient will have the form, especially if you're sending to someone via the Internet. In the current Outlook security environment, this suggestion is obsolete and misleading. Ignore it unless your form has no code behind it.

  • For in-house corporate use with Exchange Server, publish a message form to the Organizational Forms library. Publish other types of forms to Organizational Forms or a public folder's forms library, as appropriate for your application.

  • On a custom message form, on the (Actions) tab, set the custom form for the Forward action to the same class as the original form. In other words, publish the form, then go to the (Actions) tab, set the Forward action's form to the same class, and publish a second time.

Many things can cause one-off forms. If you are still getting one-offs after publishing as described above, see Saving and Publishing Microsoft Outlook Custom Forms for possible causes and cures.

Blocked ActiveX Controls

If a form is a one-off, only the basic form controls (text box, combo box, etc.), message body control, recipient control, and Outlook View Control will load. If a blocked control is present on a one-off form, when the user attempts to display the page showing that control, they'll see this error message:

To help prevent malicious code from running, one or more objects in this form were not loaded. For more information, contact your administrator.

The ideal solution for this issue is to avoid one-off forms completely. If you must use a one-off and you are using Outlook 2003, you can use a registry entry or policy to control the behavior. (This option is not available in Outlook 2002 SP3.) To use a registry entry, add a DWORD value named AllowActiveXOneOffForms to the HKCU\Software\Microsoft\Office\11.0\Outlook\Security key and set it to one of these values:

  • 0 = Load only the frm20.dll controls, the Outlook View Control, Outlook Recipient Control, and the docsite (message body) control
  • 1 = Allow only controls marked as "safe for initialization" to load
  • 2 = Allow all ActiveX controls to load

Note that published forms are not affected by this issue. If you're seeing the error message above, that's an almost certain indication that the form is now a one-off.
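The following PowerShell script is an added example, not code from the original page. It audits the three per-user registry values this page describes (SharedFolderScript and PublicFolderScript from the "Forms in Other Mailboxes" section, and AllowActiveXOneOffForms from this section) for Outlook 2003 (11.0) and Outlook 2007 (12.0), flags any setting looser than the default of 0, and includes a helper that writes one of the values back as a DWORD. The key paths, value names and the meaning of each number come from the page; the function names, the "Permissive" column and the output layout are this example's own, and the policy-based alternative the page mentions is not covered because its location is not given here.

```powershell
# Added example, not code from the original page: read-only audit of the
# per-user Outlook custom-form security values, plus a setter with -WhatIf.
# Key paths and value names are as described on the page; function names
# and the report layout are constructed for this example.

$versions = [ordered]@{ '11.0' = 'Outlook 2003'; '12.0' = 'Outlook 2007' }

# Each check: value name, a test for "looser than the default of 0", and what the value controls.
$checks = @(
    @{ Name = 'SharedFolderScript';      Loose = { param($v) $v -eq 1 }; Meaning = 'run form script in shared mailboxes' },
    @{ Name = 'PublicFolderScript';      Loose = { param($v) $v -eq 1 }; Meaning = 'run form script and folder home pages in public folders' },
    @{ Name = 'AllowActiveXOneOffForms'; Loose = { param($v) $v -ge 1 }; Meaning = '0 = frm20/View/Recipient/docsite only, 1 = safe-for-init only, 2 = all ActiveX' }
)

function Get-OutlookFormSecurity {
    foreach ($ver in $versions.Keys) {
        $key = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Security"
        if (-not (Test-Path $key)) { continue }      # this Outlook version has never run under this user
        $props = Get-ItemProperty -Path $key
        foreach ($c in $checks) {
            $data    = $props.($c.Name)              # $null when the value has never been created
            $isLoose = $false
            $shown   = '(not set; default 0)'
            if ($null -ne $data) {
                $shown   = $data
                $isLoose = & $c.Loose $data
            }
            [pscustomobject]@{
                Outlook    = $versions[$ver]
                Value      = $c.Name
                Data       = $shown
                Permissive = $isLoose
                Meaning    = $c.Meaning
            }
        }
    }
}

# Write one value as a DWORD, creating the key and value if needed. Honors -WhatIf / -Confirm.
function Set-OutlookFormSecurityValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateSet('11.0', '12.0')][string]$Version,
        [Parameter(Mandatory)][ValidateSet('SharedFolderScript', 'PublicFolderScript', 'AllowActiveXOneOffForms')][string]$Name,
        [Parameter(Mandatory)][ValidateRange(0, 2)][int]$Data
    )
    $key = "HKCU:\Software\Microsoft\Office\$Version\Outlook\Security"
    if ($PSCmdlet.ShouldProcess("$key\$Name", "set DWORD to $Data")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $Name -Value $Data -PropertyType DWord -Force | Out-Null
    }
}

# Usage: report the current state; then, for example, restore the default for one-off forms.
Get-OutlookFormSecurity | Format-Table -AutoSize
# Set-OutlookFormSecurityValue -Version '11.0' -Name AllowActiveXOneOffForms -Data 0 -WhatIf
```

A row whose Permissive column is True is one where a user or installer has moved away from the default described on the page; a value that is absent is reported as unset, because Outlook behaves as if it were 0 in that case. The setter is kept separate from the audit so the report can be run under a non-administrative account without changing anything, and the -WhatIf switch shows what would be written before committing to it.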