Taking full advantage of the newer features of Internet Explorer, Windows Mail arrives with a heightened focus on security. Features relegated only to Outlook or Internet Explorer are now a part of the application and are even enabled by default. The powerful SmartScreen filter used by Exchange is at work within Windows Mail, making the filtering capabilities of the application extend far beyond those of simple filters, and the Phishing Filter recently introduced in the latest Internet Explorer delivers up-to-date security checks from the blacklists maintained at Microsoft.
More than just another version of Outlook Express, Windows Mail delivers robust features and a usability that will be a “first” for many users. In this chapter, we’ll take a look at some of these structural changes to the built-in mail client of Windows Vista, and we’ll compare these to the shortcomings of Outlook Express. We’ll also examine the powerful security tools incorporated to secure the Windows Mail experience.
Comparing Windows Mail with Outlook Express
When Microsoft released Outlook Express in November 1997, the user community had just undergone a seismic shift brought about by the earlier release of Microsoft’s first graphical-based OS, Windows 95. For more than two years, personal computers, thought to be forever tied to their owners’ drab and dreary cubicles for tasks limited only to work, were now making their way into homes and dormitories at an exponential rate. The Internet was also growing at an exponential rate, and the tools shipping with each revision of Windows needed to be tailored to this exploding home-based population. So, with the release of Internet Explorer 4.0 in Windows 95 OSR 2.5 came the successor to Internet Mail and News: Outlook Express.
Although Internet Mail and News was a simple freeware add-on client available to users of Internet Explorer 3.0, Outlook Express was built into Internet Explorer 4.0. Every user who purchased a Windows 95 OSR 2.5 and subsequent Windows 98 machine would get this new application as part of his Internet-browsing arsenal. In fact, Outlook Express was built with the integration of Internet Explorer in mind, something that would be both a blessing and a curse for users of the application.
With the advent of Hypertext Markup Language (HTML)-based e-mail came the exposure of myriad security holes for Outlook Express users. Because Internet Explorer managed its content and security by “zoning” different Web sites, Outlook Express was relegated to the same approach. Outlook Express rendered mail through Internet Explorer, and the behavior and “trusts” of Internet Explorer were passed along to its news and mail counterpart. Because Internet Explorer traditionally ran all code and scripts it encountered in an effort to streamline the user’s browsing experience, Outlook Express followed the same behavior.
Executable files could be attached to messages received by earlier versions of Outlook Express and rendered only as harmless picture attachments. Even worse, insidious virus architects found that they could launch harmful scripts in the background of a user’s session without her knowledge. Because the default behavior of Outlook Express is to automatically open the first message in the Inbox, regardless of the preview pane settings, multitudes of viruses emerged to exploit this threat. Unfortunately for many, a number of these efforts were met with great success (Nimda, anyone?).
Nevertheless, Outlook Express has always maintained a solid following. As a news and mail application, it is easily a favorite among home and small-office users for managing mail for Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP). Outlook Express had a wizard-driven introduction to usher a new user down the road of configuration and quickly provided users an “Outlook” experience for free.
As Outlook Express continued to be refined, the application began to incorporate the functionality of supporting multiple mail and user accounts, which solidified its place in the home PC used by the entire family. It was not long before Lightweight Directory Access Protocol (LDAP) and Secure/Multipurpose Internet Mail Extensions (S/MIME) were added to the list of supported protocols. Even Mac users found the opportunity to explore the utility in a version free for download when Microsoft chose to support the application for those running classic Mac OSes (8.1 to 9.x).
Aside from this sidestep into the Mac world, Outlook Express has remained an application built into the Microsoft OSes and browser, something you could expect to find answering every hyperlink with an @ symbol as you browsed with Internet Explorer.
Windows Mail is the next iteration of this product. Although it is absolutely a “version” of Outlook Express, carrying with it many visual similarities to the Outlook product, Windows Mail is fundamentally a different application. Although Outlook Express is tied to Internet Explorer, Windows Mail is more tightly integrated into the OS. This may well be serving the purpose of delineating the product from its predecessors as well as making it more difficult for antitrust lawsuits to be filed against Microsoft for “bundling” products into its OS. Windows Mail is not designed as a plug-in or addition to Internet Explorer, and though it is very much its own application, it is now a fundamental component of the OS itself.
The integration of applications such as Outlook Express and Internet Explorer has been both a blessing and a curse for Microsoft. Although considered a sacred cow for Microsoft in the States, the European Union charged that Microsoft’s “bundling” of software presented an unfair and almost impossible challenge for vendors of competing software. Although a version of Windows XP was released that did not include Media Player (Windows XP N), the EU required the software giant to pay an initial fine of $613 million.
At its core, Windows Mail runs with a completely different architecture than Outlook Express. Outlook Express presented a set of direct database files to both the user and the OS. At least four default folders are created with each “identity” in Outlook Express. These are:
C:\Documents and Settings
C:\Documents and Settings
C:\Documents and Settings
C:\Documents and Settings
Outlook Express utilizes the single database file, Folders.dbx, as the master index for the entire messaging store. It holds the tree structure for all mail folders, the newsgroups on each news account, and even the options for the synchronization of “subscribed” folders. It is ultimately in this design that Outlook Express begins to fall short of many hopes and expectations. All mail items reside within each of these folders, meaning that the corruption of any of the folders results in the loss or corruption of all the mail stored within. Even worse, there are functional capacity limits for each of the individual files. If any of these files gets too large, typically near 2 GB, searching for mail and even opening Outlook Express becomes slow or even impossible.
For these reasons, the Windows Mail design team did away with the single storage-file design. Instead, Windows Mail utilizes a JET database, the same database engine in use for Exchange and Active Directory, and the very same instance in use in the Vista OS on which Windows Mail is installed. The database file tree structure that existed in Outlook Express now exists only as folders within the OS. All of these folders, as well as the pointers to the actual messages, are located in a single folder for each user.
The Windows Mail Folder Structure
If you were paying attention, you may have noticed our use of the term pointers regarding messages. Via JET, Windows Mail now stores each piece of mail and each news post as a separate file within the OS. Mail files are given the .eml file extension and news posts receive an .nws file extension. Each of these files is composed of two streams. For messages, the primary stream of the file is the RFC standard MIME. This is the portion of the message that is easily read by opening an .eml file in Notepad.exe.
An E-Mail File Opened in Notepad
The secondary stream is actually XML. Because JET is part of Vista and Vista supports even more metadata in the file’s file system than earlier OSes, this stream is populated with flags, account information, state information, and filter handlers that get promoted up into JET for categorization. This allows for the integration of the new Windows Search, which we’ll cover more in the section “Instant Search,” later in this chapter.
The utilization of the JET database on the OS provides myriad benefits. The most noticeable is easily the improvement in performance. Searching for mail, opening mail, and ultimately running the application is markedly faster due to the flatness of the file structure within the OS. A flatter file structure means it’s easier to grab data from the application level. In Vista, e-mail messages and news posts are found and displayed even as the user is typing criteria into the search engine, eliminating the extra actions of initiating a search and then perusing the search results for the appropriate mail content as opposed to only the filename. The use of JET also provides a self-cleaning mechanism from within the OS. As files are added and deleted, garbage collection processes within the OS groom the disk and ultimately the database in a very natural way that is transparent to the user and even the application. The result is a lighter application, a faster data store for mail, and a simpler organization of files and folders.
Loss Prevention and Identities
Windows Mail takes a significant step forward when it comes to addressing the shortcomings of Outlook Express in the area of mail corruption and loss. Once again, the chief contributor to that effort is the major player of the new architecture: JET.
Because the JET database enables the storage of e-mails as individual files, a major point of failure is avoided. In Outlook Express, the corruption of the single Inbox.dbx file typically meant the loss of everything in it. Now, however, the corruption of any single mail file doesn’t mean the loss of integrity of any and all mail, but rather only the single message.
Or does it?
A few surprise bells and whistles are working in the background of Windows Mail to keep order in the area of disaster recovery. In fact, there is a layered approach to the mitigation of corruption and loss. First, there is the fact that the new database is fully transactional. This means when messages are deleted, you can play back the transaction logs to re-create the full picture. For example, if you’re about to save a message and you lose power, the transaction logs will roll back to the point of failure. Second, the database can be reconstructed from the files themselves, so the loss of the database is only a minor hit. Lastly, an actual backup database is kept up-to-date with everything that takes place within the primary mail database. This database file is an exact replica of the primary one, and is located at C:\Users
In the event of corruption to any of the three sources (primary message database, backup database, or log files), the OS uses the other two to rebuild the third automatically. This establishes a very sound and stable environment for users, even those in business settings where locally stored mail cannot be lost to corruption.
Now, if you’ve been in the business of mail management, you know the obvious problem with the preceding statement is that corruption is only one way to lose data; disk loss is another. How does Windows Mail handle the backing up and restoring of mail and associated accounts? The answer is “much differently than Outlook Express.”
In Outlook Express, the account information that tied the .dbx files to real users was kept in the Registry. This presented two problems. First, there were now two groups of data to back up: a series of .dbx files, and then a series of Registry entries for both the mail and news accounts that are stored in the Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager.
At the point of a restore to a second machine or new profile, the user accounts had to be re-created first. This meant dealing with the backups of the Registry key, the importing of the Registry key, and the configuring of the profile prior to even touching mail database files. The second challenge is in the actual backup: If a user wanted to export or import his mail data he needed to be logged onto Outlook Express to run the utility in a neat and easy fashion. This was also true of managing the Address Book, which is a subset of the Windows Address book that held all contacts on the machine.
The Windows Mail design team moved the account data from the Registry into XML files that are associated with each Inbox in the Windows Mail folder. This means that to back up the totality of mail and profile information for a user, all you need to do is copy the Windows Mail folder under that user’s profile. If that folder is then copied to a new profile, all account and mail data is effectively moved and will come online when Windows Mail is launched.
There is one caveat to this new approach: Although it is more efficient to administer, it does require that Outlook Express users who had multiple accounts or “identities” converge their data into one user profile. Windows Mail does not support identities. Strangely, you are never informed of this when you configure multiple POP3 accounts within Windows Mail. In fact, there is a very deceptive menu item seemingly labeled just for the management of your identities, at File | Identities.
If you select this menu option, you will actually launch a wizard that both announces this change in identity support and offers to consolidate your “identities” into a single user profile (see Figure 8.3). Here you are given the opportunity to learn a bit about the change from Identities to Windows Profiles by clicking a built-in link to a Help and Support article. If you are upgrading from Outlook Express, this wizard will start automatically every time Windows Mail is launched until all Identities are imported, unless you choose the “Do not show this again” box.
The Identity Import Wizard
After clicking Next, you are brought to the import options page.
Import Path Choices
If you choose Import Identities, Windows Mail will search for and allow you to select the varied identities in your Windows profile. If you choose Import Identities from a different Windows account, Windows Mail will prompt you for credentials to access that other local profile.
Prompt for Logging into a Windows Profile
Obviously, this tool is viable only on machines where the other profiles are local. Typically this will be home-based machines and shared workstations in smaller offices.
Lastly, if you choose the Delete Identities option, you are presented with a list of accounts that Windows Mail already knows about and you can elect to remove them from Windows Mail.
Keep in mind that when you create accounts from scratch within Windows Mail they are already placed under the profile that was logged on at the time of creation, so there is no need to bring the accounts into any profile. Launching the tool will result in Windows Mail notifying you that it is fully informed and content with all the POP and IMAP accounts you have presently configured.
Microsoft clearly designed Windows Mail with awareness that users have become savvier in terms of their technical proficiency, as well as their depth of knowledge about Internet-based threats. Out of the box, the following features are enabled:
• Phishing Filter
• Junk Mail Filter (SmartScreen)
• Integration with the Internet Explorer Restricted Sites zone
• A trigger to warn the user when an application attempts to send mail “as” the user
• Threat attachment filtering
These options can be viewed and managed via the Security tab under Tools | Options.
Tools & Traps…
Management through Group Policy
Shockingly, as of this writing, only one of the settings in the preceding list is available to Group Policy: threat attachment filtering. The Group Policy Object, “Block attachments that could contain a virus,” is located under the User Configuration node of Group Policy within an Administrative Template for Internet Explorer. If that were not confusing enough, you expose the setting within Internet Explorer by double-clicking the Configure Outlook Express selection.
The Security Settings Tab
Although the Phishing and Junk Mail filters receive dedicated attention later in this chapter, the other options enabled by default are worthy of description. The Integration with the Internet Explorer Restricted Sites zone means that the ActiveX and Java settings from Internet Explorer are inherited and used to filter mail. As such, mail with this content is not displayed unless the user takes specific action to enable that content or disable this default setting.
The “send as” trigger is often a function of antivirus software, but Windows Mail enables this functionality by managing its own sensitivity to Trojans and other malware that may initiate the creation of a message. When this effort is made and detected, a Security pop-up from within Windows Vista will notify you of the effort.
Dangerous attachments are typically those that have executable extensions. By default, these attachments are blocked, in that the e-mail will be received and displayed (assuming there is no other insecure content like ActiveX), but the attachment will not be downloaded from the mail server. Windows Mail will notify you that the application has been stripped.
Tools & Traps…
Attachment Blocking, Not Filtering
Windows Mail will block all attachments with certain extensions, such as .exe, .vb, .prg, and so on. There is no way to allow a “friend” to send an attachment with such an extension and have it pass all blocking checks when this is enabled. However, you can disable the feature and then reenable it after you receive the attachment. The other option, as is often the workaround, is to Zip the file prior to receipt.
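The extension check described above, and the gap the Zip workaround leaves for anyone relying on it, shown as an added Python example that is not Windows Mail's own code. It parses a constructed .eml (RFC MIME) message, marks attachments whose extension is on a block list, and looks inside Zip attachments for blocked names. The three extensions come from the text; the function names and the sample message are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the text; a real block list is longer (assumption: subset).
BLOCKED_EXTENSIONS = {".exe", ".vb", ".prg"}


def ext_of(name):
    """Lower-cased final extension; Windows ignores trailing dots and spaces."""
    name = name.strip().rstrip(". ")
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def audit_eml(raw_bytes):
    """Classify every attachment of a MIME message.

    Returns (filename, verdict, detail) tuples. Verdicts:
      blocked - the extension check alone stops it
      hidden  - a Zip archive that passes the check but carries a blocked file
      allowed - nothing on the block list was found
    """
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ext_of(name) in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked", ext_of(name)))
            continue
        payload = part.get_payload(decode=True) or b""
        inner = []
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                inner = [n for n in zf.namelist()
                         if ext_of(n) in BLOCKED_EXTENSIONS]
        verdict = "hidden" if inner else "allowed"
        findings.append((name, verdict, ", ".join(inner)))
    return findings


def build_sample_eml():
    """Constructed sample message (not real mail) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="setup.EXE")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/tool.exe", b"placeholder bytes")
        zf.writestr("readme.txt", b"hello")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="files.zip")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in audit_eml(build_sample_eml()):
        print(finding)
```

The "hidden" verdict is the case the sidebar describes: the archive's own extension passes the block list, so a gateway or antivirus scanner has to open the archive to see what it carries.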
Despite the similar function of Internet Explorer zone integration, automatic downloading and display of images and other HTML content is managed separately and is enabled by default. Right-clicking a message with such content and choosing to display images is all that is required, unless a user chooses to change the setting here. This setting is a continuation of the security that was originally lacking in Outlook Express and that created enormous vulnerabilities.
Although not enabled by default, a number of options for further securing the transport of mail are available. Under the Secure Mail section, any Vista user now has the ability to use certificates for authentication and to encrypt messages during transfer. The bottom two checkboxes detail these options, but the top two options for Digital IDs (certificates) are what we’d like to focus on for a moment.
If you choose the Get Digital IDs option, Windows Mail opens an Internet Explorer page at the Microsoft Office Web site that details various sources for obtaining digital certificates. These are not provided for free; rather, Microsoft provides the less savvy user a directory of providers.
Tools & Traps…
Although Microsoft will kindly guide you to a site where you can obtain additional certificates, most Vista clients will have a plethora of certificates already installed on the machine. You can view these from within Windows Mail by selecting the Trusted Root certificates tab in the Certificate Import Wizard. Figure 8.7 shows this window as it is seen by default during an import, but selecting any of the other tabs will reveal a whole world of digital authenticity already built into Windows Vista and available to Windows Mail.
Once you have a digital certificate, you can import it into Windows Mail via the following steps:
1. Within Windows Mail, navigate to Tools | Options.
2. Choose the Security tab.
3. In the bottom section of the Security page (refer to Figure 8.6), find the section labeled Secure Mail and select the button for Digital IDs.
4. The next window is labeled Certificates. Here there are six tabs for organizing and displaying the type of digital certificates already installed and available. To continue importing a new certificate, click Import.
The Certificates Page (Default)
5. The next window is the welcome screen for the Certificate Import Wizard. Click Next.
The Welcome Page for the Certificate Import Wizard
6. The next window requires that you browse to the certificate you want to use. In this case, we are importing a certificate from Equifax that is located on our desktop.
Browsing for a Certificate
7. The next step is to choose the method for storing the certificate you import within Vista. The default is to Place all certificates in the Private store. We ultimately chose to let Vista decide based on the type of certificate. After making your choice, click Next.
The Certificate Store
8. To complete the import, click Finish on the Completing the Certificate Import Wizard page.
Completing the Certificate Import Wizard
At this point, Windows Mail will complete the action and, if successful, will display the completion notification.