Event ID 2175 — Message Queuing Operation
Applies To: Windows Server 2008
Message Queuing operation provides message authentication, message encryption, dead-letter queues, security settings, and other basic features. If Message Queuing has problems with any of these features, proper Message Queuing operation may suffer.
Event Details
Field | Value |
---|---|
Product | Windows Operating System |
ID | 2175 |
Source | MSMQ |
Version | 6.0 |
Symbolic Name | EVENT_USE_RC2_LEN40 |
Message | Message Queuing will use an encryption key with an effective length of 40 bits when sending messages encrypted with the RC2 encryption algorithm. |
Resolve
Delete keys that force 40-bit RC2 encryption
As a result of a bug in CryptoAPI (in Windows NT 4.0 Service Pack 2 (SP2) through Service Pack 5 (SP5)), enhanced RC2 keys were created with an effective length of 40 bits (instead of 128 bits). This bug was fixed in Windows Server 2003, Windows XP Service Pack 1 (SP1), and Windows 2000 Service Pack 4 (SP4).
If you use enhanced RC2 encryption with the following operating systems, the message cannot be decrypted unless a registry key is set on the sender.
From | To |
---|---|
Windows Server 2003 | Windows XP |
Windows XP SP1 and SP2 | Windows 2000 (up to Service Pack 3 (SP3)) |
 | Windows NT 4.0 |
The fix for Windows 2000 SP4 uses a registry key as well but defaults to compatibility with earlier service packs.
To enable backward compatibility and enhance security, the following registry values were added to all platforms.
Windows XP Service Pack 1, Windows Server 2003
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\SendEnhRC2With40: The default value is 0; use an effective length of 128 bits. A nonzero value reverts to Windows 2000 behavior, where the key is created with an effective length of 40 bits.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\RejectEnhRC2IfLen40: The default value is 0; all key lengths are accepted. To enhance security so that messages that use an effective length of 40 will be rejected, set this value to 1.
Windows 2000 Service Pack 4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\SendEnhRC2With128: The default value is 0; use an effective length of 40 bits. A nonzero value forces an effective length of 128 bits. This improves security but might not be compatible with other computers.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\RejectEnhRC2IfLen40: The default value is 0; all key lengths are accepted. To enhance security so that messages that use an effective length of 40 will be rejected, set this value to 1.
If your enterprise no longer has computers running Message Queuing (also known as MSMQ) on Windows NT 4.0, Windows 2000 Server below SP4, or Windows XP below SP1, consider the following registry modifications:
- On all computers, eliminating the SendEnhRC2With40 key, if it is present. This key needlessly weakens security by forcing computers that can use a 128-bit key to use a 40-bit key instead. For more information, see the "Delete registry key" section.
- Adding SendEnhRC2With128 keys to your Windows 2000 SP4 computers, with the value 1. This enhances security by making it possible for these computers to use a 128-bit key instead of a 40-bit key for compatibility. For more information, see the "Add registry key" section.
- Adding RejectEnhRC2IfLen40 keys to all of your computers, with the value 1. This enhances security by requiring that incoming messages using enhanced RC2 encryption have a 128-bit key. For more information, see the "Add registry key" section, modifying for this key, as necessary.
Delete a registry key
To delete a registry key:
Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.
- Open Registry Editor. To open Registry Editor, click Start. In the search box, type regedit, and then press ENTER.
- Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\RejectEnhRC2IfLen40, and then delete the registry key.
Add a registry key
To add a registry key (Windows 2000 SP4):
Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.
- Open Registry Editor. To open Registry Editor, click Start. In the search box, type regedit, and then press ENTER.
- Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security.
- Right-click Security, point to New, and then click Add.
- Set the value to 1.
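An added PowerShell example (not part of the original page) that audits and applies the two recommendations above that affect all computers: removing SendEnhRC2With40 and setting RejectEnhRC2IfLen40 to 1. The function names are hypothetical, and the script assumes both names are DWORD values under the Security key and that MSMQ writes event 2175 to the Application log.

```powershell
# Added example: audit and harden the MSMQ enhanced-RC2 settings named on this page.
# Assumption: both names are DWORD values under the Security key; absent means default 0.
$SecurityKey = 'HKLM:\SOFTWARE\Microsoft\MSMQ\Parameters\Security'

function Get-MsmqRc2Setting {
    # Emits one object per value: current data and whether it matches the recommendation.
    $recommended = @{
        SendEnhRC2With40    = 0   # 0 or absent: send with a 128-bit effective key length
        RejectEnhRC2IfLen40 = 1   # 1: reject enhanced-RC2 messages that use a 40-bit key
    }
    $props = Get-ItemProperty -Path $SecurityKey -ErrorAction SilentlyContinue
    foreach ($name in $recommended.Keys) {
        $prop  = if ($props) { $props.PSObject.Properties[$name] }
        $value = if ($prop) { [long]$prop.Value } else { 0 }
        New-Object PSObject -Property @{
            Name        = $name
            Present     = [bool]$prop
            Value       = $value
            Recommended = $recommended[$name]
            Compliant   = ($value -eq $recommended[$name])
        }
    }
}

function Set-MsmqRc2Hardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $SecurityKey)) { throw "MSMQ Security key not found: $SecurityKey" }
    $props = Get-ItemProperty -Path $SecurityKey
    # Remove the value that forces a 40-bit effective key length when sending.
    if ($props -and $props.PSObject.Properties['SendEnhRC2With40'] -and
        $PSCmdlet.ShouldProcess("$SecurityKey\SendEnhRC2With40", 'Remove value')) {
        Remove-ItemProperty -Path $SecurityKey -Name 'SendEnhRC2With40'
    }
    # Require a 128-bit effective key length on incoming enhanced-RC2 messages.
    if ($PSCmdlet.ShouldProcess("$SecurityKey\RejectEnhRC2IfLen40", 'Set DWORD to 1')) {
        New-ItemProperty -Path $SecurityKey -Name 'RejectEnhRC2IfLen40' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Report current state, preview the change, and list recent occurrences of event 2175.
Get-MsmqRc2Setting | Format-Table Name, Present, Value, Recommended, Compliant -AutoSize
Set-MsmqRc2Hardening -WhatIf   # rerun without -WhatIf in an elevated session to apply
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSMQ'; Id = 2175 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue   # assumption: logged to Application
```

Export the Security key before applying the change, in line with the caution above about backing up before registry edits.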
If you continue to get this error, note any details in the event message, and then contact Microsoft Customer Service and Support (CSS). For information about how to contact CSS, see Enterprise Support (https://go.microsoft.com/fwlink/?LinkId=52267).
Verify
Verify that the MSMQ Service is installed and running.
To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.
To verify that the MSMQ Service is installed and running:
- Open the Services snap-in. To open Services, click Start. In the search box, type services.msc, and then press ENTER.
- Locate the Message Queuing service, and confirm that the value in the Status column is Started.