Exchange 2010 SP1: Less Secure?

Exchange 2010 hit the ground more secure than it’s predecessors in many ways; one of which was to enable RPC encryption on Outlook MAPI connections by default.  While Outlook 2007 and Outlook 2010 try to do this anyway, Outlook 2003 does not. 

This caused a few of issues:securitytab-Outlook

  • New Outlook 2003 user profiles require an extra step to enable RPC encryption.
  • During a migration, users moved to Exchange 2010 would stop working if this box was not selected prior to the mailbox move.
  • During a migration, users who were not yet migrated could not access calendars and other mailbox items from users who were migrated.

I believe the easiest way to fix this was with a simple Group Policy setting which enabled RPC encryption in Outlook.


However apparently this was too much for a number of Microsoft customers, and as such Microsoft disabled RPC encryption by default in Exchange 2010 SP1!

See for yourself here:

Note In Exchange Server 2010 Service Pack 1, the RPC encryption requirement is disabled, by default. Any new Client Access Servers (CAS) deployed in the organization will not require encryption. However, any CAS servers deployed prior to Service Pack 1, or upgraded to Service Pack 1, will retain the existing RPC encryption requirement setting.



As the excerpt states, this isn’t an issue for upgrades, but if you plan to deploy new servers in an existing environment, or a new environment all together, you may wish to re-enable this setting on Exchange.

To see what your RPC encryption setting is, run the following command:


Get-RPCClientAccess | fl Server, *version, EncryptionRequired

Then to enable the encryption requirement for all Client Access Servers:


Get-RPCClientAccess | Set-RpcClientAccess -EncryptionRequired $True

One final note:  This setting is to determine weather Exchange requires encryption.  You’re still welcome to use it even though the setting not doesn’t mandate it.

5 thoughts on “Exchange 2010 SP1: Less Secure?

  1. Pingback: Tweets that mention Exchange 2010 SP1: Less Secure? « Mike Crowley's Whiteboard --
  2. I agree, I think sometimes Microsoft go for the lowest common denominator of sysadmin and that’s not always the best thing to do. Encouraging admins to do a little testing and reading isn’t going to hurt anybody!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s