Topic Last Modified: 2009-03-12

The Microsoft® Exchange Server Analyzer Tool reads the following registry entry to determine whether any versions of Microsoft Office Outlook® are blocked from connecting to Exchange Server:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

If the Exchange Server Analyzer finds that the Disable MAPI Clients key does not exist, a warning is displayed.

The Disable MAPI Clients key, which is not enabled by default, lets an administrator block specific versions of Outlook from connecting to a computer that is running Exchange 2000 Server, Exchange Server 2003, or Exchange Server 2007.

Recent releases and service packs to Outlook include many security and virus-fighting enhancements. Beginning with Outlook 2002, attachment blocking and Object Model Guard are included and enabled by default. These features are a critical component in the overall fight against viruses. The oldest version of Outlook that is supported by Microsoft Product Support Services is Outlook 2000 Service Pack 3 (SP3). If you are running earlier versions of Outlook in your organization, upgrade to Outlook 2003 or, at a minimum, update the Outlook client with the latest security releases.

After you update Outlook, you can lock out access to Exchange from earlier versions of Outlook that have not been updated. Locking out earlier versions of Outlook that do not support attachment blocking and Object Model Guard helps provide a known level of client security for MAPI client connections.

To help protect against all earlier versions of Outlook (Outlook 97, Outlook 98, Outlook 2000 before SP3, and earlier versions), it is strongly recommended that you disallow all versions of Outlook with build numbers equal to or earlier than 5.3164.0.0 from connecting to Exchange Server.

The list of comma-separated or semicolon-separated values in the Disable MAPI Clients registry entry represents the different ways that you can disable ranges of MAPI client versions. The versions (vX) are typically in the following formats:

You can indicate all the specific versions or ranges of versions that you want to disable in this registry entry. Use Exchange System Manager to determine the version of MAPI clients that connect to the mailbox store for Exchange Server 2003. In Exchange System Manager, locate the Logons container of the mailbox store. The Client Version column displays the version of the MAPI clients that are connected to the mailbox store.

To view the mailbox store Logons page

  1. Start Exchange System Manager.

  2. Expand Administrative Groups, expand your administrative group, expand Servers, expand the appropriate Exchange server, expand a storage group, such as First Storage Group, expand Mailbox Store (<ServerName>), and then click Logons.

  3. In the details pane, examine the entries that appear in the Client Version column. For example, the System Attendant object may have a client version of 6.0.7638.2.

In Exchange Server 2007, use the Exchange Management Shell Get-LogonStatistics cmdlet to retrieve the client version of MAPI clients that are connected to the mailbox database.

Important:
The MAPI client version is listed in Exchange System Manager and in the Exchange Management Shell as X.0.Y.Z. This version must be entered as X.Y.Z in the registry value. For example, if Exchange System Manager lists the MAPI client version as 5.0.2819.0, enter 5.2819.0 in the Disable MAPI Clients registry value.

For more information about the build numbers that are associated with the various versions of Outlook and about the appropriate registry value to use in the Disable MAPI Clients registry entry, see the following table:

| Client | Version | Registry entry |
| --- | --- | --- |
| Outlook 2007 (RTM) | 12.4518.1014 | 12.4518.1014 |
| Outlook 2003 SP2 | 11.6568.6568 | 11.6568.6568 |
| Outlook 2003 SP1 | 11.6359.6360 | 11.6359.6360 |
| Outlook 2003 with update KB 828041 | 11.0.5608.5703 | 11.5608.5703 |
| Outlook 2003 RTM | 11.0.5608.5606 | 11.5608.5606 |
| Outlook 2002 SP3 | 10.0.6515.6626 | 10.6515.6626 |
| Outlook 2002 with update KB812262 | 10.4712.4219 | 10.4712.4219 |
| Outlook 2002 with update KB331866 | 10.4608.4219 | 10.4608.4219 |
| Outlook 2002 SP2 | 10.4219.4219 | 10.4219.4219 |
| Outlook 2002 SP1 | 10.0.3513.3501 | 10.3513.3501 |
| Outlook 2002 with update KB 300551 | 10.3311.2625 | 10.3311.2625 |
| Outlook 2002 with update KB 303835 | 10.3117.2625 | 10.3117.2625 |
| Outlook 2002 with update KB 300550 | 10.2930.2625 | 10.2930.2625 |
| Outlook 2002 RTM | 10.0.2627.2625 | 10.2627.2625 |
| Outlook 2000 with August 16, 2001 security update | 9.0.0.5414 | 9.0.5414 |
| Office 2000 SP2 | 9.0.0.4527 | 9.0.4527 |
| Office 2000 with E-mail Security Update (Final) | 9.0.0.4201 | 9.0.4201 |
| Outlook 2000 with E-mail Security Update (Beta) | 9.0.0.4105 | 9.0.4105 |
| Outlook 2000 SR-1 or SR-1a | 9.0.0.3821 | 9.0.3821 |
| Outlook 2000 with E-mail Attachment Security Update | 9.0.0.3011 | 9.0.3011 |
| Outlook 2000 RTM | 9.0.0.2711 | 9.0.2711 |
| Outlook 97 SR2 | 8.04.5619 | 8.04.5619 |
| Outlook 97 SR1 | 8.02.4212 | 8.02.4212 |

Before you modify the Disable MAPI Clients registry entry, note that hotfixes and service pack releases may affect the client version string. Be careful when you restrict client access, because server-side Exchange components also have to use MAPI to log on. Some components report their client version as the component name, such as SMTP or OLEDB, although others report the Exchange build number, such as 6.0.4712.0. For this reason, avoid restricting clients that have version numbers that start with 6.<x>.<x>.

For example, to prevent MAPI access completely, specify two ranges instead of the single range 0.0.0-65535.65535.65535, so that Exchange components, all of which start with 6.<x>.<x>, can still access Exchange. To prevent all MAPI access to Exchange while still allowing Exchange components to have access, specify the following string in the Disable MAPI Clients registry value: 0.0.0-5.9.9;7.0.0-65535.65535.65535.

Important:
This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore the registry if a problem occurs. For information about how to restore the registry, view the "Restore the Registry" Help topic in Regedit.exe or Regedt32.exe.

To use Registry Editor to restrict certain MAPI clients

  1. Start Registry Editor. To do this, click Start, click Run, type regedit.exe, and then click OK.

  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

  3. Right-click ParametersSystem, point to New, and then click String Value.

  4. In the details pane, name the new string value Disable MAPI Clients.

  5. Right-click Disable MAPI Clients, and then click Modify.

    In the Value data box, type a comma-separated or semicolon-separated list of MAPI clients for which you want to block access. The list of values in the Value data box represents the various ways that you can disable ranges of MAPI client versions. You can indicate all the specific versions of MAPI clients to block, or you can specify ranges of versions to block. You may use one or more of the following four range types. Use a comma or a semicolon to separate each range.

    • <valueA>-<valueB> This range blocks all versions from valueA up to and including valueB. For example, 6.0.0-7.0.0 blocks versions 6.0.0 through 7.0.0.

    • <valueA>- This range blocks valueA and later versions. For example, 6.0.0- blocks version 6.0.0 and later versions.

    • -<valueA> This range blocks all versions up to and including valueA. For example, -9.0.0 blocks all versions up to and including version 9.0.0.

    • <valueA> This range blocks the specified version. For example, 10.0.0 blocks version 10.0.0 only.

    Important:
    To prevent all MAPI client access to Exchange, do not specify a single range such as 0.0.0-65535.65535.65535. If you do this, Exchange components (client versions 6.<x>.<x>), such as the System Attendant component, will also be prevented from accessing Exchange. Instead, to block all MAPI client access to Exchange, specify two ranges. In this scenario, do not include the 6.<x>.<x> range in the blocked MAPI client ranges. For example, specify the following registry entries: 0.0.0-5.9.9;7.0.0-65535.65535.65535.

    The following sample entries illustrate how to block MAPI access to Exchange:

    • To block MAPI access to all versions of Outlook, type 0.0.0-5.9.9;7.0.0-65535.65535.65535.

    • To block MAPI access to all versions of Outlook that are earlier than Outlook 2003 SP2, type -5.9.9;7.0.0-11.6568.6568.

    • To block MAPI access to the original release version (RTM) of Outlook 2003 and to the original release version of Outlook 2002, type 11.5608.5606;10.2627.2625.

    • To block MAPI access to all versions of Outlook that are greater than Outlook 2000 SP2, type 9.0.4527-.

  6. Close the registry editor and restart the Microsoft Exchange Information Store service for the change to take effect.
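A candidate Disable MAPI Clients string can be checked against the four range types and the 6.<x>.<x> caveat before it is typed into the registry. The following PowerShell is an added example, not code from Microsoft or the Exchange Server Analyzer; the function names are hypothetical, and it assumes that versions compare numerically, field by field, in the X.Y.Z registry form.

```powershell
# Added example: evaluates a policy string offline (no registry access).
# Assumption: versions compare numerically, field by field, as X.Y.Z.
function ConvertTo-VersionKey([string]$Version) {
    if ($Version -notmatch '^\d+(\.\d+){2,3}$') { throw "Bad version '$Version'" }
    $parts = @($Version.Split('.') | ForEach-Object { [int]$_ })
    if ($parts.Count -eq 4) {   # Logons page shows X.0.Y.Z; the registry uses X.Y.Z
        if ($parts[1] -ne 0) { throw "'$Version' is not in X.0.Y.Z form" }
        $parts = @($parts[0], $parts[2], $parts[3])
    }
    return $parts
}

function Compare-VersionKey([int[]]$A, [int[]]$B) {
    for ($i = 0; $i -lt 3; $i++) {
        if ($A[$i] -ne $B[$i]) { return [Math]::Sign($A[$i] - $B[$i]) }
    }
    return 0
}

function Get-BlockedRange([string]$Policy) {
    foreach ($item in ($Policy -split '[,;]' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        if ($item -eq '-') { throw "Malformed range '-'" }
        $lo, $hi = $item -split '-', 2
        if ($null -eq $hi) { $hi = $lo }                   # <valueA>  : one version
        if ($hi -eq '')    { $hi = '65535.65535.65535' }   # <valueA>- : open upper bound
        if ($lo -eq '')    { $lo = '0.0.0' }               # -<valueA> : open lower bound
        [pscustomobject]@{ Text = $item; Low = (ConvertTo-VersionKey $lo); High = (ConvertTo-VersionKey $hi) }
    }
}

function Test-MapiClientBlocked([string]$Policy, [string]$ClientVersion) {
    $v = ConvertTo-VersionKey $ClientVersion.Trim()
    $hits = @(Get-BlockedRange $Policy | Where-Object {
        (Compare-VersionKey $v $_.Low) -ge 0 -and (Compare-VersionKey $v $_.High) -le 0 })
    return $hits.Count -gt 0
}

function Get-ExchangeComponentConflict([string]$Policy) {
    # Returns every range that overlaps 6.<x>.<x>, the versions Exchange components report.
    Get-BlockedRange $Policy | Where-Object {
        (Compare-VersionKey $_.Low @(6, 65535, 65535)) -le 0 -and
        (Compare-VersionKey $_.High @(6, 0, 0)) -ge 0
    } | ForEach-Object { $_.Text }
}

$policy = '-5.9.9;7.0.0-11.6568.6568'    # sample entry from this article
foreach ($seen in '11.0.5608.5606', '12.4518.1014', '6.0.7638.2') {   # versions as the Logons page lists them
    '{0,-16} blocked: {1}' -f $seen, (Test-MapiClientBlocked $policy $seen)
}
Get-ExchangeComponentConflict '0.0.0-65535.65535.65535'   # the single range this article warns against
```

Any range that Get-ExchangeComponentConflict returns should be split around 6.<x>.<x> before the value is saved and the Microsoft Exchange Information Store service is restarted.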

Before you edit the registry, and for more information about how to edit the registry, see the Microsoft Knowledge Base article 256986, "Windows registry information for advanced users" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=256986).

For more information about blocking specific MAPI clients from connecting to an Exchange 2000 Server or Exchange Server 2003 computer, see the following Microsoft Knowledge Base articles:

For more information about downloading security updates for older versions of Outlook and about how to block other versions of Outlook, see "Slowing and Stopping E-mail Transmitted Viruses in an Exchange Server 2003 Environment" (http://go.microsoft.com/fwlink/?LinkId=47587).

For more information about the Get-LogonStatistics cmdlet, see "Get-LogonStatistics" (http://go.microsoft.com/fwlink/?LinkId=80699) in the Exchange Server 2007 product documentation.