4.4 Blocking client access

Exchange 2000 SP1 (and onward) includes the ability for an administrator to block access to specific sets of MAPI clients or groups of MAPI clients through a registry setting on the Exchange server. The idea is that you may want to "encourage" users to upgrade their client to a specific version, perhaps to ensure that everyone has applied a service pack or hot fix by blocking access to his or her mailbox until an appropriate client is used.

All of the client-side code to connect to Exchange is in DLL, called the MAPI client provider-each version of Outlook has a slightly different version of this component, identified by Microsoft with a number that represents a sequential build number, which is incremented over time. For example, the build number for MSMAPI.DLL, the file that contains the MAPI client provider for Outlook 2002, is 10.0.3416 (Figure 4.13). The first figure in the list represents the major build number. It is sometimes associated with an internal number used by Microsoft to track releases of Office, as in the case where Office 10 is the internal number used for Office XP. Because Exchange used to ship its own client prior to the release of Outlook, some of the major build numbers prior to Office XP refer to releases of Exchange (4.0, 5.0) rather than Office.

Figure 4.13: Examining the version number of the MAPI provider.

When a MAPI client connects to Exchange, it passes details of its client provider version to the server. You can view this information through ESM by examining the users currently logged in and connected to a store database, as shown in Figure 4.14. Note that the version number reported here is a set of four digits rather than the three that you see when you examine the client provider build number. As you can see, you can sort by client type by clicking on the client version heading. In Figure 4.14, we have some Outlook clients, some client logons from a service running on an Exchange 2000 server (a BlackBerry Enterprise Server), and some local Exchange 2003 services operated by the System Attendant. Outlook clients connect to the Store with multiple threads, so this explains why you see multiple entries per user for these clients. ESM also lists the Windows account used by each account, and we can see individual user accounts plus some privileged service accounts. For example, the System Attendant runs under the Windows LocalSystem account, while the BlackBerry service runs under a privileged account created for the purpose. Note that the SMTP Routing Engine connects to the Store via an SMTP provider, and other Exchange services (CDOEXM, WMI, etc.) access the Store via the OLE/DB provider, which provides an abstraction layer for MAPI.

Figure 4.14: Viewing the MAPI client version of connected users.

The registry setting that blocks client access depends on client provider version numbers, so it is important to specify correct values for the clients that you want to block. Table 4.6 lists the complete set of MAPI clients shipped to date, together with values for the MAPI version shown when you view the Help/About option and the adjusted value required to block client access. If in doubt, connect a copy of the client that you want to block to Exchange, note the version number reported by ESM, and then discard the second digit. Figure 4.14 shows that a client is connected with version 5.0.2819.0, resulting in 5.2819.0 after you discard the second digit. If you look for this value in Table 4.6, you can see that it belongs to an Outlook 2000 client.

Many Exchange services use MAPI to access the Store, so it is important that you do not block access to client providers that begin with 6. For example, the MAPI provider version number for Exchange 2000 SP1 is 6.4712.0, for SP2 it is 6.5716.0, and for SP3 it is 6.6429.0. The easiest way to find this value is to view the properties of MAPI32.DLL in the EXCHSRVR\BIN directory. If you include these values in the block, services such as the Exchange System Attendant will not work.

4.4.1 Blocking Outlook clients

You block Outlook client access to the Store by inserting a new REG_SZ value called "Disable MAPI Clients" into the system registry (Figure 4.15). Insert the value into the registry at the following location:

Figure 4.15: Blocking a range of MAPI clients.

HKLM\System\CurrentControlSet\Services\MSExchangeIS\ ParametersSystem

The value contains the numbers of the MAPI providers used by the clients that you wish to block. Numbers can be stated as a range (to block multiple clients) or individually. For example, the value shown in Figure 4.15 prevents access by the Exchange 4.0, 5.0, and Outlook 97 clients, whereas a value of 5.2178.0 is sufficient only to block Outlook 98 clients.

You can also prefix the version number with a hyphen to indicate that you wish to block all clients prior to the stated value. For example, to block access to all clients prior to Outlook 2000 updated with Office SP2 (5.3144.0), use the value:

-5.3143.0

Similarly, you can block access to clients higher than a specific value by placing a hyphen after the value. For example, to restrict access to clients greater than Outlook 2002 SP1 (10.0.3416), use the value:

10.0.3147-

Once you update the registry, you must stop and restart the Information Store service to implement the block on Exchange 2000 servers, whereas a background thread checks for a block every 15 minutes on Exchange 2003 servers, so you can wait for the Store to detect the change automatically. Afterward, clients that do not use an appropriate version of the MAPI client provider will be unable to open their mailboxes and will see the same error message as if a network failure had occurred or they had provided incorrect NT credentials. Be sure to inform the help desk about how to check MAPI versions and verify that users have the correct software.

Exchange manages client access on a server level, so if you want to block access across a range of servers, you will have to update the registry on each server. In addition, make sure to review the settings after Microsoft releases either a new version of Exchange (including service packs) or a new version of the Outlook client.

4.4.2 Blocking clients for Internet Protocol access

Microsoft does not support an equivalent registry setting to block client access to Exchange via HTTP, POP3, or IMAP4. However, you can easily block access for these clients by either selectively disabling access by updating a user's account or by stopping the appropriate virtual server. To disable a protocol for a specific Exchange 2000 user, switch the AD Users and Computers console to "Advanced View" and then select the desired account. You can control access to the various protocols through the "Protocol Settings" button on the "Exchange Advanced" property page. Select the protocol you wish to control, click on the "Settings" button (Figure 4.16), and then disable access for that protocol. Alternatively, if you run Exchange 2003, use the Exchange Task wizard to manage protocol access for users.

Figure 4.16: Disabling user access to specific protocols.

4.4.3 Selective blocks

From Exchange 2000 SP1 onward, you can impose a selective block, so that only a specific account is able to connect to the server, by setting the two values shown in Table 4.7 in the following location in the system registry:

HKLM\System\CurrentControlSet\Services\MSExchangeIS\ ParametersSystem

A sample value that you could use to stop anyone connecting to the Store except the account with its LegacyExchangeDN attribute set is in the following form:

/o=Compaq/Ou=Ireland/CN=Recipients/CN=TonyRedmond

After setting the appropriate registry values, you must stop and restart the Information Store service to begin blocking access. The Store process reads the registry when the service starts up, notes the presence of the values, and then verifies whether the AD contains an account with the LegacyExchangeDN attribute set to the value held in the registry. This is a fast search, because the AD indexes the LegacyExchangeDN attribute. If it matches an account in the AD, the Store begins to block access, but if the value is null or invalid, the Store operates as normal and users can access their mailboxes.

To find the value of the LegacyExchangeDN attribute of an account, use the ADSIEDIT utility to examine the attributes of the account you want to access the Store. You can either note the value or simply cut and paste it from ADSIEDIT into the registry editor. Figure 4.17 shows how ADSIEDIT displays the value of the LegacyExchangeDN attribute for a mail-enabled account, which you can find in the Domain NC container.

Figure 4.17: Using ADSIEDIT to discover a LegacyExchangeDN.

The block is removed by editing the registry and either deleting the Logon Only As value or changing its value to 0. Remember to stop and restart the Information Store service to complete the removal of the block.