RestrictRemoteClients registry key is enabled
Topic Last Modified: 2011-10-19
The Microsoft® Exchange Server Analyzer Tool reads the following registry entry to determine whether remote procedure call (RPC) Interface Restrictions is enabled:
HKEY_LOCAL_MACHINE\ Software\Policies\Microsoft\Windows NT\RPC
If the Exchange Server Analyzer finds that the RestrictRemoteClients registry key is configured, the Exchange Server Analyzer displays a non-default configuration message.
RPC Interface Restrictions provides increased network protection that will make systems less vulnerable to attacks over the network. The RestrictRemoteClients registry value modifies the behavior of all RPC interfaces on the system. By default, the RestrictRemoteClients registry value will prevent remote anonymous access to RPC interfaces on the system, with some exceptions.
When an interface is registered by using RpcServerRegister, RPC allows the server application to restrict access to the interface, typically through a security callback. The RestrictRemoteClients registry value enables RPC to perform additional security checks for all interfaces, even if the interface does not have a registered security callback.
|RPC clients that use the named pipe protocol sequence are exempt from all restrictions. The pipe protocol sequence cannot be restricted because of significant backward compatibility issues.|
|You can also configure the RestrictRemoteClients registry key by using the Group Policy Object Editor.|
The RestrictRemoteClients registry key is configured by using DWORD values. By default, the value is set to 0 on all server SKUs, and the value is set to 1 on all client SKUs. If the registry value is not present, the absent value is equivalent to the RPC_Restrict_Remote_Client_Default value.
The following table provides information about the RestrictRemoteClients configuration settings.
|Registry Key Value (DWORD)||Description|
The RPC_RESTRICT_REMOTE_CLIENT_NONE (0) represents the default value in Microsoft Windows Server™ 2003 Service Pack 1. The default value setting causes the system to bypass the RPC interface restriction.
The default value setting corresponds to the value of RPC_RESTRICT_REMOTE_CLIENT_NONE. The server application is responsible for imposing the appropriate RPC restrictions. This default setting is equivalent to the setting of RestrictRemoteClients in earlier versions of Windows.
A value of 1 on the RestrictRemoteClients registry key represents the default value in Microsoft Windows® XP Service Pack 2. The value setting of 1 restricts access to all RPC interfaces. All remote anonymous calls are rejected by the RPC runtime.
This value setting corresponds to the value of RPC_RESTRICT_REMOTE_CLIENT_DEFAULT. If an interface registers a security callback and provides the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag, this restriction does not apply to that interface.
A value of 2 on the RestrictRemoteClients registry key indicates that all remote anonymous calls are rejected by the RPC runtime without exceptions.
This value setting corresponds to the value of RPC_RESTRICT_REMOTE_CLIENT_HIGH. When the RestrictRemoteClients value is configured to 2, a system cannot receive remote anonymous calls by using RPC.
For more information about changes to RPC service with Windows XP Service Pack 2, see the MSDN® article, "RPC Interface Restrictions" (http://go.microsoft.com/fwlink/?LinkId=47371).