How to Secure MAPI Client Access to Exchange 2007
Topic Last Modified: 2011-06-16
This article describes a feature that you can use to disable MAPI client access to a computer that is running Microsoft Exchange Server 2007. This feature is based on the version number of the Emsmdb32 file. It was introduced in Microsoft Exchange 2000 Server Service Pack 1 (SP1).
This feature lets you restrict access based on one or more of the following version configurations:
A single MAPI client version
A specific range of MAPI client versions
An open-ended range of MAPI client versions
This functionality can help prevent problematic or beta client MAPI providers from running against an Exchange computer.
To disable MAPI client access, you must create the Disable MAPI Clients registry value.
Creating the Disable MAPI Clients registry value
Start Registry Editor.
Expand the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Right-click ParametersSystem, point to New, and then click String value.
Type Disable MAPI Clients, and then press ENTER to name the new entry.
Right-click Disable MAPI Clients, and then click Modify.
In the Value data box, type the MAPI client version that you want to disable. For more information about the values that can be used, view the descriptions later in this topic.
Click OK, and then exit Registry Editor.
The store queries the registry key every 15 minutes. If the registry key changes, the changes are immediately put into effect. If any current open connections are established for a newly blocked version, these connections are immediately disconnected. All new connections are blocked if you are using a blocked version.
You can indicate all the specific versions or ranges of versions that you want to disable in this string. Use Exchange System Manager to determine the version of MAPI clients that connect to the mailbox store. In Exchange System Manager, locate the Logons container of the mailbox store. The Client Version column displays the version of the MAPI clients that are connected to the mailbox store.
The MAPI client version is listed as "X.0.Y.Z" in Exchange System Manager. This version must be entered as "X.Y.Z" for the value of the Disable MAPI Clients registry entry. For example, if Exchange System Manager lists the MAPI client version as 5.0.2819.0, enter 5.2819.0.
Server-side Exchange components also use MAPI to log on. Some components report their client version as an Exchange build number. Therefore, avoid restricting 6.x.x version numbers on Exchange 2000 computers or on Exchange Server 2003 computers.
For more information about the appropriate registry value to use in the Disable MAPI Clients registry entry, see the client version table in "All versions of Outlook are allowed to access the server."
To disable a single MAPI client version, enter the appropriate value in the Value Data string. For example, to disable the MAPI client version 5.0.2653.22, use the following string as the Value Data string for the Disable MAPI Clients registry value:
To disable a range of MAPI client versions, use the v2-v3 format, in which v2 is the earlier version number that starts the range of MAPI client versions that you want to disable.
For example, you want to disable the access of all the MAPI client versions from the following range of version numbers:
5.0.2653.11 to 5.0.2653.22
In this case, enter the following string as the value for the Disable MAPI Clients registry entry:
To disable an open-ended range of MAPI client versions, use the "-v4" format or the "v5-" format. To disable the MAPI client version v4 and all earlier versions, use the "-v4" format. To disable the MAPI client version v5 and all later versions, use the "v5-" format.
To disable multiple sets of MAPI client versions, use any combination of the formats that are discussed in this section. Use commas (,) or semicolons (;) to separate the formats.
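A value built from these formats can be checked before it is typed into the registry. The following Python code is an added example, not Microsoft code: it parses a Disable MAPI Clients string, tests client versions as shown in the Logons container against it, and flags values that cover 6.x.x versions. It assumes numeric, component-by-component comparison and inclusive range endpoints; all function names are hypothetical.

```python
# Added example, not Microsoft code. Assumes numeric, component-wise version
# comparison and inclusive range endpoints.
import re

LOWEST, HIGHEST = (0, 0, 0), (float("inf"),) * 3

def to_registry_form(logon_version):
    """Convert 'X.0.Y.Z' (Logons container) to the 'X.Y.Z' registry form."""
    m = re.fullmatch(r"(\d+)\.0\.(\d+)\.(\d+)", logon_version.strip())
    if not m:
        raise ValueError(f"expected X.0.Y.Z, got {logon_version!r}")
    return ".".join(m.groups())

def parse_version(text):
    """Parse a registry-form 'X.Y.Z' version into a tuple of integers."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"expected X.Y.Z, got {text!r}")
    return tuple(int(g) for g in m.groups())

def parse_rules(value):
    """Return inclusive (low, high) tuples for a Disable MAPI Clients string."""
    rules = []
    for item in filter(None, (s.strip() for s in re.split(r"[,;]", value))):
        low, dash, high = (s.strip() for s in item.partition("-"))
        if not dash:                                   # single version
            lo = hi = parse_version(low)
        elif not low and not high:
            raise ValueError("a bare '-' would match every client")
        else:                                          # v2-v3, -v4 or v5-
            lo = parse_version(low) if low else LOWEST
            hi = parse_version(high) if high else HIGHEST
        if lo > hi:
            raise ValueError(f"range start is later than its end: {item!r}")
        rules.append((lo, hi))
    return rules

def is_blocked(logon_version, rules):
    """True if a client version in Logons form falls inside any rule."""
    v = parse_version(to_registry_form(logon_version))
    return any(lo <= v <= hi for lo, hi in rules)

def overlaps_6x(rules):
    """True if a rule covers any 6.x.x version, which the page says to avoid."""
    return any(lo < (7, 0, 0) and hi >= (6, 0, 0) for lo, hi in rules)

if __name__ == "__main__":
    # Constructed sample values; client versions are in Logons (X.0.Y.Z) form.
    for value in ("5.2653.11-5.2653.22", "5.2653.22-"):
        rules = parse_rules(value)
        print(value, is_blocked("5.0.2653.15", rules), overlaps_6x(rules))
```

An open-ended "v5-" value that starts below 6.0.0 also covers every 6.x.x version, which is the case `overlaps_6x` reports.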
After you configure the value for the Disable MAPI Clients registry entry, clients receive an error message when they try to connect to the mailbox store.
A disabled MAPI client receives the following error message:
Cannot start Microsoft Outlook. The attempt to log on to the Microsoft Exchange Server computer has failed.
A Microsoft Outlook 2003 client receives the following error message:
Your Exchange Server administrator has blocked the version of Outlook that you are using. Contact your administrator for assistance.