Topic Last Modified: 2005-11-18

The Microsoft® Exchange Server Analyzer Tool reads the following registry key to determine whether remote procedure call (RPC) Interface Restrictions have been configured:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\RPC

If the Exchange Server Analyzer finds that the EnableAuthEpResolution registry value exists under this key, the Exchange Server Analyzer displays a non-default configuration message.

RPC Interface Restrictions provides increased network protection that will make systems less vulnerable to attacks over the network.

An RPC interface that is remotely and anonymously available and is registered by default on Microsoft Windows® XP presents a significant attack surface. RPC itself must register such an interface to provide endpoint resolution for calls that use dynamic endpoints. The RestrictRemoteClients registry value, under the same key, modifies the behavior of all RPC interfaces on the system. By default, RestrictRemoteClients prevents remote anonymous access to RPC interfaces on the system, with some exceptions. As a result, the RPC Endpoint Mapper interface is no longer available anonymously.

An RPC client that makes a call over a dynamic endpoint first queries the RPC Endpoint Mapper on the server to learn which dynamic endpoint it should connect to. This query is made anonymously, even when the RPC call itself uses RPC security. On Microsoft Windows XP Service Pack 2, such anonymous calls to the RPC Endpoint Mapper interface fail by default, because the default RestrictRemoteClients setting prevents remote anonymous access to RPC interfaces on the system. To accommodate this RPC Interface Restriction, the RPC client runtime can be made to perform an authenticated query to the Endpoint Mapper instead: when the EnableAuthEpResolution registry value is set, the client runtime uses Integrated Windows authentication (NTLM) to authenticate to the Endpoint Mapper. This authenticated query takes place only if the actual RPC client call itself uses RPC authentication. The RestrictRemoteClients restriction is the default behavior in Windows XP Service Pack 2; the EnableAuthEpResolution value is not set by default, which is why the Exchange Server Analyzer reports its presence. A non-default configuration exists if the following conditions exist:

For more information about changes to RPC service with Windows XP Service Pack 2, see "RPC Interface Restrictions" (
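As an added example, not part of this topic or of the Exchange Server Analyzer itself, the following PowerShell function performs the same registry check the analyzer performs and reports the related RestrictRemoteClients value alongside it. The key path and value names are the ones cited above; the function name is assumed, and the mapping of RestrictRemoteClients numeric values to their meaning comes from the Windows XP SP2 RPC documentation rather than from this topic.

```powershell
# Added example: audit the RPC Interface Restrictions policy values discussed in
# this topic. Not part of the Exchange Server Analyzer. Key path and value names
# are those the topic cites; the RestrictRemoteClients value meanings follow the
# Windows XP SP2 RPC documentation (RPC_RESTRICT_REMOTE_CLIENT_* constants).
function Get-RpcInterfaceRestriction {
    [CmdletBinding()]
    param(
        # Registry key the analyzer reads. Override only when testing against a loaded hive.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\RPC'
    )

    # Meaning of each RestrictRemoteClients value (assumed from the XP SP2 RPC documentation).
    $restrictMeaning = @{
        0 = 'NONE: remote anonymous RPC allowed (pre-SP2 behavior)'
        1 = 'DEFAULT: remote anonymous RPC blocked, with exceptions (XP SP2 default)'
        2 = 'HIGH: remote anonymous RPC blocked, no exceptions'
    }

    # A missing key means no policy has been applied and the OS default is in effect.
    $policy = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue

    $restrict = $null
    $authEp   = $null
    if ($policy) {
        $names = $policy.PSObject.Properties.Name
        if ($names -contains 'RestrictRemoteClients')  { $restrict = [int]$policy.RestrictRemoteClients }
        if ($names -contains 'EnableAuthEpResolution') { $authEp   = [int]$policy.EnableAuthEpResolution }
    }

    # RestrictRemoteClients: absent means the OS default applies (restricted on XP SP2).
    $restrictText = if ($null -eq $restrict) {
        'not set (OS default applies)'
    } elseif ($restrictMeaning.ContainsKey($restrict)) {
        "$restrict = $($restrictMeaning[$restrict])"
    } else {
        "$restrict = unrecognized value"
    }

    # EnableAuthEpResolution: the analyzer flags the mere presence of this value as non-default.
    $authEpText = if ($null -eq $authEp) {
        'absent (default: Endpoint Mapper query is anonymous)'
    } elseif ($authEp -ne 0) {
        "$authEp = client runtime authenticates (NTLM) to the Endpoint Mapper"
    } else {
        '0 = present but disabled (still reported by the analyzer as non-default)'
    }

    [pscustomobject]@{
        KeyPath                 = $KeyPath
        KeyExists               = [bool]$policy
        RestrictRemoteClients   = $restrictText
        EnableAuthEpResolution  = $authEpText
        AnalyzerFlagsNonDefault = ($null -ne $authEp)   # mirrors the check described in this topic
    }
}

# Usage: run on the server being assessed; reading HKLM policy keys needs no elevation.
Get-RpcInterfaceRestriction | Format-List
```

The function reports a value as present even when it is set to 0, because the analyzer's condition is the existence of EnableAuthEpResolution, not its contents; the RestrictRemoteClients column is included so that the two settings, which only make sense together, can be read in one place.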