MSMQ Security (Windows Embedded CE 6.0)
1/6/2010
To provide a more secure environment, the default Message Queuing (MSMQ) registry setup in more restrictive.
For example, to prevent a rogue application from causing a denial of service for a device, MSMQ limits the quota for message storage instead of allowing unlimited storage. The registry allows developers to configure MSMQ for optimal deployment.
Best Practices
Consider the following best practices.
Limit the size for storage and size of incoming and outgoing messages
The default registry setup limits the size of queue quota for incoming and outgoing messages, as well as a system-wide quota. This prevents a denial of service when the system becomes overwhelmed with high traffic that depletes limited resources.
The following registry values set the quota:
- DefaultQuota
- DefaultLocalQuota
- MachineQuota
For more information, see MSMQ Registry Settings.
Set up a trusted environment
The default MSMQ registry setup sets the UntrustedNetwork registry value to "Yes" to minimize exposure to unknown networks.
This setting prevents message routing.
You can change the MSMQ behavior using the registry or the MSMQAdm utility. For more information, see MSMQ Registry Settings and Using the MSMQAdm Utility.
Select the appropriate protocol
When MSMQ is registered as a service, it no longer processes messages unless you enable the protocol–native MSMQ or the SOAP-based MSMQ.
You can use the registry or the MSMQAdm utility to configure the service.
To enable the SOAP-based MSMQ, set the SRMPEnabled value to "Yes".
To enable the native MSMQ, set the BinaryEnabled value to "Yes"; then set UntrustedNetwork value to "Yes".
For more information, see MSMQ Registry Settings and Using the MSMQAdm Utility.
The following example illustrates the MSMQAdm commands to enable and disable the MSMQ protocols.
;default activation
msmqadm register srmp
msmqadm start
;enter private network
msmqadm stop
msmqadm enable srmp ;sets SRMPEnabled to "Yes"
msmqadm enable trust ;sets UntrustedNetwork to "No"
msmqadm start
;leave the private network
msmqadm stop
msmqadm disable srmp ;sets SRMPEnabled to "No"
msmqadm disable trust ;sets UntrustedNetwork to "Yes"
msmqadm start
Default Registry Settings
Be aware of registry settings that impact security. If a value has security implications you will find a Security Note in the registry settings documentation.
For MSMQ registry information, see MSMQ Registry Settings.
Ports
The following ports are used by MSMQ.
For more information, see MSMQ Registry Settings.
Port number | Registry value |
---|---|
3527 |
PingPort |
1801 |
Port |