Exchange 2010 SP1: Less Secure?

Exchange 2010 hit the ground more secure than its predecessors in many ways, one of which was requiring RPC encryption on Outlook MAPI connections by default. While Outlook 2007 and Outlook 2010 try to encrypt anyway, Outlook 2003 does not.

This caused a few issues:

  • New Outlook 2003 user profiles require an extra step to enable RPC encryption.
  • During a migration, users moved to Exchange 2010 would stop working if this box was not selected prior to the mailbox move.
  • During a migration, users who were not yet migrated could not access calendars and other mailbox items from users who were migrated.

I believe the easiest way to fix this was with a simple Group Policy setting which enabled RPC encryption in Outlook.

However, apparently this was too much for a number of Microsoft customers, and as such Microsoft disabled the RPC encryption requirement by default in Exchange 2010 SP1!

See for yourself here:

Note In Exchange Server 2010 Service Pack 1, the RPC encryption requirement is disabled, by default. Any new Client Access Servers (CAS) deployed in the organization will not require encryption. However, any CAS servers deployed prior to Service Pack 1, or upgraded to Service Pack 1, will retain the existing RPC encryption requirement setting.

ref: http://support.microsoft.com/kb/2006508

 

As the excerpt states, this isn’t an issue for upgrades, but if you plan to deploy new servers in an existing environment, or a new environment altogether, you may wish to re-enable this setting on Exchange.

To see what your RPC encryption setting is, run the following command:

Get-RPCClientAccess | fl Server, *version, EncryptionRequired

Then to enable the encryption requirement for all Client Access Servers:

Get-RPCClientAccess | Set-RpcClientAccess -EncryptionRequired $True
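The two commands above can be combined into a check-then-fix routine that changes only the servers not yet requiring encryption and supports a dry run. This is an added example, not part of the original post; the function name Set-CasRpcEncryptionRequired is hypothetical, and it assumes it is run in the Exchange Management Shell.

```powershell
# Added example: audit and remediate the RPC encryption requirement
# on each Client Access Server. The function name is hypothetical.
function Set-CasRpcEncryptionRequired {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Record the current state so the change can be reviewed afterwards.
    $before = @(Get-RpcClientAccess)
    $before | Format-Table Server, EncryptionRequired -AutoSize | Out-Host

    # Only touch servers that do not already require encryption.
    $targets = @($before | Where-Object { -not $_.EncryptionRequired })
    if ($targets.Count -eq 0) {
        Write-Host 'All Client Access Servers already require RPC encryption.'
        return
    }

    foreach ($cas in $targets) {
        # ShouldProcess honours -WhatIf and -Confirm on this function.
        if ($PSCmdlet.ShouldProcess("$($cas.Server)", 'Require RPC encryption')) {
            Set-RpcClientAccess -Server "$($cas.Server)" -EncryptionRequired $true
        }
    }

    # Re-read the setting and return any server that still does not enforce it.
    Get-RpcClientAccess |
        Where-Object { -not $_.EncryptionRequired } |
        Select-Object Server, EncryptionRequired
}

# Preview which servers would change, then run without -WhatIf to apply.
Set-CasRpcEncryptionRequired -WhatIf
```

An empty result after a real run means every Client Access Server now requires encryption. Outlook 2003 profiles need the client-side encryption setting enabled first, as described earlier in the post, or they will stop connecting.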

One final note: This setting determines whether Exchange requires encryption. Clients are still welcome to use encryption even when the setting doesn’t mandate it.

5 thoughts on “Exchange 2010 SP1: Less Secure?”

  2. I agree, I think sometimes Microsoft go for the lowest common denominator of sysadmin and that’s not always the best thing to do. Encouraging admins to do a little testing and reading isn’t going to hurt anybody!

    Steve
