Condividi tramite


Security Enhancements that Affect the Default Behavior of Message Queuing

The default behavior of this version of Message Queuing may be changed from previous versions in order to enhance security under certain conditions. This topic describes these changes and how to revert the behavior of Message Queuing to the earlier behavior if required for application compatibility purposes. Each of these changes can be reverted to the earlier behavior through the creation of a registry value.

If you create any of the registry entries described in this topic to revert the behavior of Message Queuing to the earlier behavior, you must restart the Message Queuing service and any applications that are using the Message Queuing service in order for the registry entry to take effect.

Warning

Incorrectly editing the registry may severely damage your system. It is recommended that you back up any valuable data on the computer before making changes to the registry.

The number of processing requests that are accepted by the admin_queue$ queue is restricted

This version of Message Queuing counts the processing requests that are made against the internal private admin_queue$ queue. Message Queuing accepts up to 10 processing requests against this queue in a given second and ignores subsequent processing requests.

To allow Message Queuing to accept more than 10 processing requests per second for this queue, create the DWORD registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\MaxAdminCommandsPerSecond and set to a value greater than 10.

Certain types of negative acknowledgement messages are no longer generated for user generated message acknowledgement requests

This version of Message Queuing does not generate the following types of negative acknowledgement (NACK) messages in response to user generated message acknowledgement requests:

  • MQMSG_CLASS_NACK_ACCESS_DENIED

  • MQMSG_CLASS_NACK_BAD_DST_Q

  • MQMSG_CLASS_NACK_BAD_ENCRYPTION

  • MQMSG_CLASS_NACK_BAD_SIGNATURE

  • MQMSG_CLASS_NACK_UNSUPPORTED_CRYPTO_PROVIDER

To revert Message Queuing behavior to generate these types of NACK messages in response to user generated acknowledgement requests, create the DWORD registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\PermitInsecureNacks and set to a value of 1

This version of Message Queuing enforces a quota of approximately 250 MB on the system nontransactional dead-letter queue

By default, this version of Message Queuing will not write messages to the system nontransactional dead-letter queue once the size of this queue exceeds approximately 250 MB.

To increase the default quota on the system nontransactional dead-letter queue, create the DWORD registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\MachineCache\MachineDeadletterQuota and specify a value greater than 262144. This value governs the quota for the nontransactional dead-letter queue as measured in kilobytes (KB).

This version of Message Queuing does not listen for ping message on UDP port 3527

Previous versions of Message Queuing send a ping message to a remote computer over UDP port 3527 to verify that the remote computer is available before attempting to send messages to it. This version of Message Queuing does not initiate a ping message before connecting to a remote computer and also does not listen for ping messages on UDP port 3527.

To revert Message Queuing behavior to listen for ping message on UDP port 3527, create the DWORD registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\EnablePingService and set to a value of 1.

Default queue permissions for new queues do not grant everyone send access

Previous versions of Message Queuing grant everyone send permissions to newly created public or private queues. This version of Message Queuing does not grant everyone send permissions to newly created public and private queues by default except in the following cases:

  • When Message Queuing is installed in workgroup mode (when the directory service integration feature is not installed)

  • When Multicasting support is enabled.

  • When HTTP support is enabled.

  • When the default behavior is overridden with a registry entry as described below.

Default send permissions for new queues created with this version of Message Queuing are set as follows:

Installation mode Account granted Send permissions to new private queues by default Accounts / Groups granted Send permissions to new public queues by default

Domain mode

queue creator

  • queue creator

  • <domain>\Enterprise Admins

  • local Administrators

Workgroup mode

queue creator

N/A

To revert Message Queuing behavior to grant everyone send permissions for any newly created public and private queues by default, create the DWORD registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\PermitAnonEveryoneSend and set to a value of 1.

Note

This registry entry will not revert permissions for any queues that were created previously; this will only affect how default send permissions are set for any newly created queues.