Partager via


MSMQ Security (Windows Embedded CE 6.0)

1/6/2010

To provide a more secure environment, the default Message Queuing (MSMQ) registry setup in more restrictive.

For example, to prevent a rogue application from causing a denial of service for a device, MSMQ limits the quota for message storage instead of allowing unlimited storage. The registry allows developers to configure MSMQ for optimal deployment.

Best Practices

Consider the following best practices.

Limit the size for storage and size of incoming and outgoing messages

The default registry setup limits the size of queue quota for incoming and outgoing messages, as well as a system-wide quota. This prevents a denial of service when the system becomes overwhelmed with high traffic that depletes limited resources.

The following registry values set the quota:

  • DefaultQuota
  • DefaultLocalQuota
  • MachineQuota

For more information, see MSMQ Registry Settings.

Set up a trusted environment

The default MSMQ registry setup sets the UntrustedNetwork registry value to "Yes" to minimize exposure to unknown networks.

This setting prevents message routing.

You can change the MSMQ behavior using the registry or the MSMQAdm utility. For more information, see MSMQ Registry Settings and Using the MSMQAdm Utility.

Select the appropriate protocol

When MSMQ is registered as a service, it no longer processes messages unless you enable the protocol–native MSMQ or the SOAP-based MSMQ.

You can use the registry or the MSMQAdm utility to configure the service.

To enable the SOAP-based MSMQ, set the SRMPEnabled value to "Yes".

To enable the native MSMQ, set the BinaryEnabled value to "Yes"; then set UntrustedNetwork value to "Yes".

For more information, see MSMQ Registry Settings and Using the MSMQAdm Utility.

The following example illustrates the MSMQAdm commands to enable and disable the MSMQ protocols.

;default activation
msmqadm register srmp
msmqadm start

;enter private network
msmqadm stop
msmqadm enable srmp               ;sets SRMPEnabled to "Yes"
msmqadm enable trust              ;sets UntrustedNetwork to "No"
msmqadm start

;leave the private network
msmqadm stop
msmqadm disable srmp              ;sets SRMPEnabled to "No"
msmqadm disable trust             ;sets UntrustedNetwork to "Yes"
msmqadm start

Default Registry Settings

Be aware of registry settings that impact security. If a value has security implications you will find a Security Note in the registry settings documentation.

For MSMQ registry information, see MSMQ Registry Settings.

Ports

The following ports are used by MSMQ.

For more information, see MSMQ Registry Settings.

Port number Registry value

3527

PingPort

1801

Port

See Also

Concepts

MSMQ Registry Settings

Other Resources

Message Queuing
Enhancing the Security of a Device