Security Basics mailing list archives

RPC over HTTPS security risks


From: Tim Hanekamp <thanekamp () gmail com>
Date: Tue, 7 Dec 2004 13:43:44 -0600

We have begun to implement RPC over HTTPS for Exchange 2003 at our
corporate office.  Before rolling this service out to our users, who
then could possibly start using it on their home computers, which
could easily be insecure, we are trying to evaluate the possible
security threats that this poses.

It would seem that if someone were able to own a machine that had this
configured on it, it would be fairly easy for them to use the Exchange
server as a relay for mail and/or completely flood the system with
viruses, especially if the computer were infected with a virus.

Do you think this would be the case, and, if so, what measures do you
think could be taken in order to mitigate this risk?  The only thing
we could come up with so far was requiring these clients to use
digital certificates and only install these certificates on machines
that have been inspected and will be used in the proper setting (not
that we could ever really be certain of the latter idea).

Thoughts?

