How to avoid Outlook Security Alert when sending Outlook message from VBScript?

Problem description

I have this situation:

  • Code must be in VBScript (outside of my control)
  • Unable to disable programmatic access restrictions in Outlook preferences (group policy, not admin, and Windows doesn't recognize the valid virus scanner which is installed)
  • Can't use SMTP because it is disallowed.

I thought there would be no way to send an email using Outlook in an automated-ish manner (on an unattended box logged in as a user with the screen locked). I tried many different approaches but would always get the security warning message. How can I fix this?

I've already tried everything at this helpful site and eliminated each option as follows:

Strategies
Ideally, applications that automate Outlook should avoid code that triggers these security prompts.

This is exactly what I ended up doing (see my answer below), which is why all of the other options on that page are irrelevant. Let's take them one by one:

Sending messages
It is not necessary to use Outlook objects at all if your goal is simply to create and send an email message. Microsoft provides the CDO for Windows library for creating and sending messages with SMTP. Using this library totally bypasses Outlook and MAPI and does not trigger security prompts. For code samples, see ...

SMTP. No-go. Disallowed by network policy.

Use Extended MAPI instead of Outlook objects, Simple MAPI, or CDO 1.21 for all code that potentially triggers security prompts.

Extended MAPI may work, but it is extremely cumbersome and verbose and involves lots of C/C++ code (which is not on topic for this question; see above), and it seems to be impossible to use without prompting the user for their password.

Use a third-party library -- Redemption or MAPI33 -- for all code that potentially triggers security prompts. This approach is easier than using Extended MAPI, which has a steep learning curve, and almost as secure. These libraries also offer additional features to help with Outlook code projects.

The problem with third-party libraries is four-fold:

  • They cost money;
  • They introduce licensing issues even if they're free (some organizations require extensive vetting from lawyers before allowing the software into the ecosystem);
  • Most environments where this entire problem is even a concern are those where the user cannot disable programmatic access warnings in Outlook options. Hmm, what possible cases would those be? Could it be... corporate environments? Procurement of software in a corporate environment takes an excessively long time, to the point of being impractical unless the cost savings of using it will exceed several million dollars. But there are many practical process improvements that can be made which do not yield as high of a cost savings, but would cost more money and labor to procure the third-party software than the total savings, if software procurement is necessary.
  • Network administrators may not trust the software to reside on a system, since it could be used for malicious purposes.

Deploy with your application a tool to suppress the security prompts.

This assumes that suppression of the OMG prompts is necessary, which, in my case, it is not, just to send a simple email (see my answer).

For Outlook 2007, make sure the machine is running an up-to-date anti-virus application and do all coding with Outlook objects, avoiding CDO 1.21 and Simple MAPI code.

The virus scanner is up to date, but it is completely out of my control to change its version or vendor, and Outlook doesn't recognize it. It says: "Antivirus status: Invalid. This version of Windows supports antivirus detection, but no antivirus was found."

In Outlook custom form code, Outlook VBA code, and COM add-ins, derive all objects from the Outlook.Application object provided by VBA or the add-in architecture. For example, see the sample VBA "run a script" rule procedure below.

Interesting, and possibly useful, but not necessary. This creates an unnecessary dependency on setting up a rule in Outlook in order to deploy the software, which complicates deployment.

Deploy Outlook security settings that "trust" certain COM add-ins or that allow all applications to have unrestricted access to certain features, such as accessing addresses. In versions before Outlook 2007, this requires Microsoft Exchange Server. For Outlook 2007, see the section on version-specific considerations below.

Cumbersome: administrative access would be needed to install a COM add-in, and it can be hard to come by administrative access in some organizations.

In a corporate environment where Exchange is the email server, direct access to the data on the server is available through the WebDAV API beginning with Exchange 2000 and, starting with Exchange 2007, through Exchange Web Services.

Disabled in my environment, and likely others.

In a corporate environment, the administrator may choose to loosen Outlook security for some or all users.

Sure, but this requires communication/coordination/cooperation with the network team. If administrative access is not available for installing a COM add-in, it probably is not available for loosening group policy, either.

Recommended answer

This code works on my system with Outlook 2010 to send an email with no user interaction. It's slightly brittle, in that, if the user happens to be actively working on the system (typing, clicking) when the mail is composed, it could occur that user input makes its way into the window that pops up for a split second and either interferes with the sending of the mail or adds extra unknown characters into the body of the mail.

As long as the user on whose system this is running is aware of this, and the potential consequences of spurious keystroke interference are not business-critical, this function is acceptable.

Important to note: the key to this solution is that we do not call the MailItem.Send method. This is the method that triggers the programmatic access protection. Instead, we trigger the ALT+s shortcut, which by default, when a mail window has focus in Outlook, presses the "Send" button. If you have the default spell checking prompt enabled, this will pop up a further prompt for spellchecking. Our solution was to disable the spellchecking prompt, although I'm sure you could add some more SendKeys to click through it, since the spellchecking prompt is not a security-related dialog.

A note on UIPI (User Interface Privilege Isolation):

Outlook 2010 runs as the user who logged into the system, with a Medium integrity level. Programs which are launched by Windows Explorer, or started as a child or descendant of a program which was launched in a similar way, will also be launched with a Medium integrity level. UIPI is not effective at preventing "SendKeys" type input, as long as the user and session ID match, and the integrity level is the same or higher. In my particular environment, the user and session ID are identical, and the integrity level is the same for the VBScript host process and the Outlook process. In your environment, if any of these conditions are false, this code will not work. It is also untested on earlier or later versions of Office than version 2010.

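Sub SendEmail_Outlook()
    Dim WshShell, ol, Mail
    ' WScript.Shell provides SendKeys for driving the UI
    Set WshShell = WScript.CreateObject("WScript.Shell")
    Set ol = CreateObject("Outlook.Application")
    Set Mail = ol.CreateItem(0)   ' 0 = olMailItem
    Mail.To = "you@example.com"
    Mail.Subject = "test"
    Mail.HTMLBody = "test"
    ' Show the compose window instead of calling Mail.Send
    Mail.Display
    ' "%s" is ALT+s, the Send shortcut of the focused mail window
    WshShell.SendKeys "%s"
    Set Mail = Nothing
    Set ol = Nothing
End Sub

SendEmail_Outlook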

Also, here is how to make this work when running the VBScript from Windows Task Scheduler. Just tick the box depicted by the red oval, "Run With Highest Privileges", to make it run with the highest possible integrity level without UAC elevation ("Medium" if you are not an administrator account).
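
For defenders reviewing scheduled or logon scripts, the pattern this answer relies on (display the item, then send ALT+s with SendKeys, never calling MailItem.Send) can be flagged statically. The following is an added example, not part of the original answer; the sample scripts are constructed and the function names are hypothetical.

```python
import re

# Constructed sample: the pattern from the answer (Display, then ALT+s via SendKeys).
SAMPLE_UI_SEND = '''
Set WshShell = WScript.CreateObject("WScript.Shell")
Set ol = CreateObject("Outlook.Application")
Set Mail = ol.CreateItem(0)
Mail.Display
WshShell.SendKeys "%s"   ' Alt+S
'''

# Constructed sample: ordinary automation that calls MailItem.Send (guarded by the prompt).
SAMPLE_API_SEND = '''
Set ol = CreateObject("Outlook.Application")
Set Mail = ol.CreateItem(0)
Mail.Send
'''

def strip_comments(source):
    """Drop VBScript comments (' or Rem) so commented-out code is not matched."""
    lines = []
    for line in source.splitlines():
        in_string, kept = False, []
        for ch in line:
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                break  # rest of the line is a comment
            kept.append(ch)
        text = "".join(kept)
        if not re.match(r"\s*rem\b", text, re.I):
            lines.append(text)
    return "\n".join(lines)

def classify(source):
    """Return 'ui-driven-send', 'object-model-send' or 'no-send' for a VBScript text."""
    code = strip_comments(source)
    if not re.search(r'CreateObject\(\s*"Outlook\.Application"', code, re.I):
        return "no-send"
    display = re.search(r"\.Display\b", code, re.I)
    # SendKeys argument containing %s or %(s): ALT+s, the Send shortcut
    alt_s = re.search(r'\.SendKeys\s*\(?\s*"[^"]*%\(?s', code, re.I)
    if display and alt_s:
        return "ui-driven-send"
    if re.search(r"\.Send\b", code, re.I):  # \b keeps .SendKeys from matching
        return "object-model-send"
    return "no-send"
```

A "ui-driven-send" result marks a script that sends mail without passing through the programmatic access prompt and is worth reviewing alongside the scheduled task or logon entry that runs it.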
