RestrictRemoteClients registry key is enabled

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2011-10-19

The Microsoft® Exchange Server Analyzer Tool reads the following registry entry to determine whether remote procedure call (RPC) Interface Restrictions is enabled:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\RPC

If the Exchange Server Analyzer finds that the RestrictRemoteClients registry key is configured, the Exchange Server Analyzer displays a non-default configuration message.

RPC Interface Restrictions provides increased network protection that will make systems less vulnerable to attacks over the network. The RestrictRemoteClients registry value modifies the behavior of all RPC interfaces on the system. By default, the RestrictRemoteClients registry value will prevent remote anonymous access to RPC interfaces on the system, with some exceptions.

When an interface is registered by using RpcServerRegister, RPC allows the server application to restrict access to the interface, typically through a security callback. The RestrictRemoteClients registry value enables RPC to perform additional security checks for all interfaces, even if the interface does not have a registered security callback.

Note

RPC clients that use the named pipe protocol sequence are exempt from all restrictions. The pipe protocol sequence cannot be restricted because of significant backward compatibility issues.

Note

You can also configure the RestrictRemoteClients registry key by using the Group Policy Object Editor.

The RestrictRemoteClients registry key is configured by using DWORD values. By default, the value is set to 0 on all server SKUs, and the value is set to 1 on all client SKUs. If the registry value is not present, its absence is equivalent to the RPC_RESTRICT_REMOTE_CLIENT_DEFAULT value.

The following table provides information about the RestrictRemoteClients configuration settings.

| Registry Key Value (DWORD) | Description |
| --- | --- |
| 0 (Default) | The RPC_RESTRICT_REMOTE_CLIENT_NONE (0) represents the default value in Microsoft Windows Server™ 2003 Service Pack 1. The default value setting causes the system to bypass the RPC interface restriction. The default value setting corresponds to the value of RPC_RESTRICT_REMOTE_CLIENT_NONE. The server application is responsible for imposing the appropriate RPC restrictions. This default setting is equivalent to the setting of RestrictRemoteClients in earlier versions of Windows. |
| 1 | A value of 1 on the RestrictRemoteClients registry key represents the default value in Microsoft Windows® XP Service Pack 2. The value setting of 1 restricts access to all RPC interfaces. All remote anonymous calls are rejected by the RPC runtime. This value setting corresponds to the value of RPC_RESTRICT_REMOTE_CLIENT_DEFAULT. If an interface registers a security callback and provides the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag, this restriction does not apply to that interface. |
| 2 | A value of 2 on the RestrictRemoteClients registry key indicates that all remote anonymous calls are rejected by the RPC runtime without exceptions. This value setting corresponds to the value of RPC_RESTRICT_REMOTE_CLIENT_HIGH. When the RestrictRemoteClients value is configured to 2, a system cannot receive remote anonymous calls by using RPC. |
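The rules in this topic (the three values, the named pipe exemption, and the callback flag exemption) combine as follows. This is an added example, not part of the original topic and not Microsoft code: a simplified model for reasoning about which calls the RPC runtime still passes to the interface at each setting. The `Call` type, `runtime_verdict`, `matrix`, the sample calls, and the protocol sequence strings are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constant names and values as listed in the table on this page.
RPC_RESTRICT_REMOTE_CLIENT_NONE = 0
RPC_RESTRICT_REMOTE_CLIENT_DEFAULT = 1
RPC_RESTRICT_REMOTE_CLIENT_HIGH = 2
# Named pipe protocol sequence string; the page names the protocol, not the string.
NAMED_PIPES = "ncacn_np"


@dataclass(frozen=True)
class Call:  # hypothetical description of one incoming RPC call
    protseq: str
    remote: bool
    authenticated: bool
    callback_no_auth: bool = False  # security callback + RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH


def runtime_verdict(level: int, call: Call) -> str:
    """'reject' = refused by the RPC runtime; 'interface' = left to the server application."""
    if level not in (0, 1, 2):
        raise ValueError(f"unexpected RestrictRemoteClients value: {level}")
    if level == RPC_RESTRICT_REMOTE_CLIENT_NONE:
        return "interface"  # runtime restriction bypassed; application decides
    if not call.remote or call.authenticated:
        return "interface"  # only remote anonymous calls are restricted
    if call.protseq == NAMED_PIPES:
        return "interface"  # named pipe clients are exempt from all restrictions
    if level == RPC_RESTRICT_REMOTE_CLIENT_DEFAULT and call.callback_no_auth:
        return "interface"  # this exemption exists at 1 but not at 2
    return "reject"


# Constructed sample calls, not captured traffic.
SAMPLES = {
    "tcp anonymous": Call("ncacn_ip_tcp", True, False),
    "tcp anonymous, no-auth callback": Call("ncacn_ip_tcp", True, False, True),
    "named pipe anonymous": Call(NAMED_PIPES, True, False),
    "tcp authenticated": Call("ncacn_ip_tcp", True, True),
    "local anonymous": Call("ncalrpc", False, False),
}


def matrix() -> dict:
    """Verdict for every sample call at every RestrictRemoteClients value."""
    return {lvl: {n: runtime_verdict(lvl, c) for n, c in SAMPLES.items()} for lvl in (0, 1, 2)}


if __name__ == "__main__":
    for lvl, row in matrix().items():
        for name, verdict in row.items():
            print(f"RestrictRemoteClients={lvl}  {name:32} -> {verdict}")
```

Even at a value of 2, the anonymous named pipe call is still handed to the interface in this model, so interfaces reachable over named pipes continue to depend on their own security callback.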

For more information about changes to RPC service with Windows XP Service Pack 2, see the MSDN® article, "RPC Interface Restrictions" (https://go.microsoft.com/fwlink/?LinkId=47371).