All versions of Outlook are allowed to access the server
[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]
Topic Last Modified: 2011-01-26
The Microsoft Exchange Server Best Practices Analyzer reads the following registry entry to determine whether any versions of Microsoft Office Outlook are blocked from connecting to Exchange Server:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
If the Exchange Server Analyzer finds that the Disable MAPI Clients key does not exist, a warning is displayed.
The Disable MAPI Clients key, which is not enabled by default, lets an administrator block specific versions of Outlook from connecting to a computer that is running Exchange 2000 Server, Exchange Server 2003, or Exchange Server 2007.
Recent releases and service packs to Outlook include many security and virus-fighting enhancements. Beginning with Outlook 2002, attachment blocking and Object Model Guard are included and enabled by default. These features are a critical component in the overall fight against viruses. The oldest version of Outlook that is supported by Microsoft Product Support Services is Outlook 2000 Service Pack 3 (SP3). If you are running earlier versions of Outlook in your organization, upgrade to Outlook 2003 or, at a minimum, update the Outlook client with the latest security releases.
After you update Outlook, you can lock out access to Exchange from earlier versions of Outlook that have not been updated. Locking out earlier versions of Outlook that do not support attachment blocking and Object Model Guard helps provide a known level of client security for MAPI client connections.
To help protect against all earlier versions of Outlook (Outlook 97, Outlook 98, Outlook 2000 before SP3, and earlier versions), it is strongly recommended that you disallow all versions of Outlook with build numbers equal to or earlier than 5.3164.0.0 from connecting to Exchange Server.
The list of comma-separated or semicolon-separated values in the Disable MAPI Clients registry entry represent the different ways that you can disable ranges of MAPI client versions. The versions (vX) are typically in the following formats:
For Microsoft Outlook 2003 and Outlook 2007: Maj.Min.Build
For Microsoft Outlook 2000: Maj.Build.Dot
For earlier versions of Microsoft Outlook: Maj.Min.Build
You can indicate all the specific versions or ranges of versions that you want to disable in this registry entry. Use Exchange System Manager to determine the version of MAPI clients that connect to the mailbox store for Exchange Server 2003. In Exchange System Manager, locate the Logons container of the mailbox store. The Client Version column displays the version of the MAPI clients that are connected to the mailbox store.
To view the mailbox store Logons page
Start Exchange System Manager.
Expand Administrative Groups, expand your administrative group, expand Servers, expand the appropriate Exchange server, expand a storage group, such as First Storage Group, expand Mailbox Store (<ServerName>), and then click Logons.
In the details pane, examine the entries that appear in the Client Version column. For example, the System Attendant object may have a client version of 6.0.7638.2.
In Exchange Server 2007, use the Exchange Management Shell Get-LogonStatistics cmdlet to retrieve the client version of MAPI clients that are connected to the mailbox database.
Important
The MAPI client version is listed in Exchange System Manager and in the Exchange Management Shell as X.0.Y.Z. This version must be entered as X.Y.Z in the registry value. For example, if Exchange System Manager lists the MAPI client version as 5.0.2819.0, enter 5.2819.0 in the Disable MAPI Clients registry value.
For more information about the build numbers that are associated with the various versions of Outlook and about the appropriate registry value to use in the Disable MAPI Clients registry entry, see the following table:
Client | Version | Registry entry |
---|---|---|
Outlook 2007 (RTM) |
12.4518.1014 |
12.4518.1014 |
Outlook 2003 SP2 |
11.6568.6568 |
11.6568.6568 |
Outlook 2003 SP1 |
11.6359.6360 |
11.6359.6360 |
Outlook 2003 with update KB 828041 |
11.0.5608.5703 |
11.5608.5703 |
Outlook 2003 RTM |
11.0.5608.5606 |
11.5608.5606 |
Outlook 2002 SP3 |
10.0.6515.6626 |
10.6515.6626 |
Outlook 2002 with update KB812262 |
10.4712.4219 |
10.4712.4219 |
Outlook 2002 with update KB331866 |
10.4608.4219 |
10.4608.4219 |
Outlook 2002 SP2 |
10.4219.4219 |
10.4219.4219 |
Outlook 2002 SP1 |
10.0.3513.3501 |
10.3513.3501 |
Outlook 2002 with update KB 300551 |
10.3311.2625 |
10.3311.2625 |
Outlook 2002 with update KB 303835 |
10.3117.2625 |
10.3117.2625 |
Outlook 2002 with update KB 300550 |
10.2930.2625 |
10.2930.2625 |
Outlook 2002 RTM |
10.0.2627.2625 |
10.2627.2625 |
Outlook 2000 with August 16, 2001 security update |
9.0.0.5414 |
9.0.5414 |
Office 2000 SP2 |
9.0.0.4527 |
9.0.4527 |
Office 2000 with E-mail Security Update (Final) |
9.0.0.4201 |
9.0.4201 |
Outlook 2000 with E-mail Security Update (Beta) |
9.0.0.4105 |
9.0.4105 |
Outlook 2000 SR-1 or SR-1a |
9.0.0.3821 |
9.0.3821 |
Outlook 2000 with E-mail Attachment Security Update |
9.0.0.3011 |
9.0.3011 |
Outlook 2000 RTM |
9.0.0.2711 |
9.0.2711 |
Outlook 97 SR2 |
8.04.5619 |
8.04.5619 |
Outlook 97 SR1 |
8.02.4212 |
8.02.4212 |
Before you modify the Disable MAPI Clients registry entry, be aware that hotfixes and service pack releases may affect the client version string. Be careful when you restrict client access. This is because server-side Exchange components also have to use MAPI to log on. Some components report their client version as the component name, such as SMTP or OLE DB. However, other components report the Exchange build number, such as 6.0.4712.0. Therefore, you must try to avoid restricting clients that have following version numbers:
v6.x.x: Exchange 2000/2003
v8.x.x: Exchange 2007
v14.x.x: Exchange 2010
Version7.x.x does not map to any Exchange versions or to Outlook clients.
Version 8.x.x may also map to Outlook 97 and Outlook 98 clients. You must use specific Exchange and Outlook versions to restrict unsecured versions of Outlook, and to allow Exchange 2007 MAPI access.
For example, to prevent MAPI access completely, specify two ranges instead of specifying 0.0.0-65535.65535.65535. This is so that Exchange components can still access Exchange. To prevent all MAPI access to Exchange and to still allow Exchange components to have access, you can specify the appropriate string entry in the Disable MAPI Clients registry value. For example, you can specify the following string
0.0.0-5.65535.65535;8.02.4-11.65535.65535
For more information about how to determine the version number, the build number, and the service pack level of an installation of Exchange Server, see:
How to determine the version number, the build number, and the service pack level of Exchange Server
Important
This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore the registry if a problem occurs. For information about how to restore the registry, view the "Restore the Registry" Help topic in Regedit.exe or Regedt32.exe.
To use Registry Editor to restrict certain MAPI clients
Start Registry Editor. To do this, click Start, click Run, type regedit.exe, and then click OK.
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Right-click ParametersSystem, point to New, and then click String Value.
In the details pane, name the new string value Disable MAPI Clients.
Right-click Disable MAPI Clients, and then click Modify.
In the Value data box, type a comma-separated or semicolon-separated list of MAPI clients for which you want to block access. The list of values in the Value data box represents the various ways that you can disable ranges of MAPI client versions. You can indicate all the specific versions of MAPI clients to block, or you can specify ranges of versions to block. You may use one or more of the following four range types. Use a comma or a semicolon to separate each range.
<valueA>-<valueB> This range blocks all versions from valueA up to and including valueB. For example, 6.0.0-7.0.0 blocks versions 6.0.0 through 7.0.0.
<valueA>- This range blocks valueA and later versions. For example, 6.0.0- blocks version 6.0.0 and later versions.
-<valueA> This range blocks all versions up to and including valueA. For example, -9.0.0 blocks all versions up to and including version 9.0.0.
<valueA> This range blocks the specified version. For example, 10.0.0 blocks version 10.0.0 only.
Important
To prevent all MAPI client access to Exchange, do not specify a single range such as 0.0.0-65535.65535.65535. If you do this, Exchange components (client versions 6.<x>.<x>), such as the System Attendant, component will also be prevented from accessing Exchange. Instead, to block all MAPI client access to Exchange, specify two ranges. In this scenario, do not include the 6.<x>.<x> range in the blocked MAPI client ranges. For example, specify the following registry entries: 0.0.0-5.9.9;7.0.0-65535.65535.65535.
The following sample entries illustrate how to block MAPI access to Exchange:
To block MAPI access to all versions of Outlook, type 0.0.0-5.9.9;7.0.0-65535.65535.65535.
To block MAPI access to all versions of Outlook that are earlier than Outlook 2003 SP2, type -5.9.9;7.0.0-11.6568.6568.
To block MAPI access to the original release version (RTM) of Outlook 2003 and to the original release version of Outlook 2002, type 11.5608.5606;10.2627.2625.
To block MAPI access to all versions of Outlook that are greater than Outlook 2000 SP2, type 9.0.4527-.
Close the registry editor and restart the Microsoft Exchange Information Store service for the change to take effect.
Before you edit the registry, and for more information about how to edit the registry, see the Microsoft Knowledge Base article 256986, "Windows registry information for advanced users" (https://go.microsoft.com/fwlink/?LinkId=3052&kbid=256986).
For more information about blocking specific MAPI clients from connecting to an Exchange 2000 Server or Exchange Server 2003 computer, see the following Microsoft Knowledge Base articles:
328240, "How to put server-side restrictions on clients that are used to access Exchange 2000 mailboxes" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=328240)
288894, "How to disable MAPI client access to a computer that is running Exchange Server" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=288894)
For more information about downloading security updates for older versions of Outlook and about how to block other versions of Outlook, see "Slowing and Stopping E-mail Transmitted Viruses in an Exchange Server 2003 Environment" (https://go.microsoft.com/fwlink/?LinkId=47587).
For more information about the Get-LogonStatistics cmdlet, see "Get-LogonStatistics" (https://go.microsoft.com/fwlink/?LinkId=80699) in the Exchange Server 2007 product documentation.