Hardened MSMQ Mode

 

Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista

The purpose of hardened MSMQ mode (introduced in MSMQ 3.0) is to enhance the security of MSMQ 3.0 computers running on the Internet. Hardened MSMQ mode is intended to support scenarios that employ only HTTP (SRMP) messages.

Note

Hardened MSMQ mode does not fully secure the MSMQ computer. In order to fully protect a computer from potential security attacks such as message spoofing, you should use Secure Sockets Layer (SSL) and client certificates in combination with hardened MSMQ mode.

Hardened MSMQ mode imposes the following restrictions:

  • The Message Queuing service does not listen directly to any ports. Only messages arriving from remote computers through IIS are accepted and placed in their destination queues. Remote RPC calls are ignored (remote reading is blocked), and dependent clients are not supported.

  • Attempts to open remote queues with non-HTTP format names and send messages to them succeed, and the messages sent are placed in the applicable outgoing queues on the local computer. However, all the outgoing queues (created on the local computer) that correspond to remote destination queues specified by non-HTTP format names are in the locked state. Pending messages, including acknowledgment and response messages that reside in locked outgoing queues, are not transmitted to their destinations. Applications can determine if an outgoing queue is in the locked state by examining the PROPID_MGMT_QUEUE_STATE or MSMQOutgoingQueueManagement.State property.

  • Pending messages intended for remote destination queues with non-HTTP format names, including remote queues designated by non-HTTP elements of a multiple-element format name, remain in locked outgoing queues until hardened MSMQ mode is canceled and the Message Queuing service is restarted.

In hardened MSMQ mode, messages sent with non-HTTP format names can still be placed in and received from local queues.
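
The following Python script is an added example, not part of the original documentation or of MSMQ. It audits the destination format names an application uses and reports which elements would be transmitted, which stay local, and which would sit in a locked outgoing queue once hardened MSMQ mode is enabled. The function names, host names and sample format name are constructed for illustration, and non-direct format names (PUBLIC=, PRIVATE=, DL=, MULTICAST=) are assumed to refer to remote destinations.

```python
import re

# One format-name element: KIND=value, e.g. DIRECT=OS:host\queue or PUBLIC=<guid>.
_ELEMENT = re.compile(r"^([A-Za-z]+)=(.+)$")
# Direct format names carry the protocol and the destination host.
_DIRECT = re.compile(r"^(HTTPS?|OS|TCP):(?://)?([^\\/]+)", re.IGNORECASE)


def classify_element(element, local_hosts=(".", "localhost")):
    """Return 'transmitted', 'local' or 'locked' for one format-name element."""
    m = _ELEMENT.match(element.strip())
    if not m:
        raise ValueError(f"not a format-name element: {element!r}")
    kind, value = m.group(1).upper(), m.group(2)
    if kind == "DIRECT":
        d = _DIRECT.match(value)
        if not d:
            raise ValueError(f"unrecognized direct format name: {element!r}")
        protocol, host = d.group(1).upper(), d.group(2).lower()
        if protocol in ("HTTP", "HTTPS"):
            return "transmitted"  # HTTP (SRMP) is the only traffic hardened mode supports
        if host in {h.lower() for h in local_hosts}:
            return "local"        # non-HTTP name, but the queue is on this computer
        return "locked"           # remote non-HTTP destination: outgoing queue is locked
    # Assumption: PUBLIC=, PRIVATE=, DL=, MULTICAST= ... are treated as remote,
    # because their location cannot be resolved without a directory lookup.
    return "locked"


def audit(format_name, local_hosts=(".", "localhost")):
    """Classify every element of a (possibly multiple-element) format name."""
    elements = [e.strip() for e in format_name.split(",") if e.strip()]
    return {e: classify_element(e, local_hosts) for e in elements}


# Constructed sample: a multiple-element format name mixing HTTP and non-HTTP elements.
SAMPLE = (r"DIRECT=HTTPS://mq.example.test/msmq/private$/orders,"
          r"DIRECT=OS:APP02\private$\orders,"
          r"DIRECT=OS:.\private$\audit")

if __name__ == "__main__":
    for element, verdict in audit(SAMPLE).items():
        print(f"{verdict:12} {element}")
```

Pass the computer's own names in local_hosts so that direct format names addressed to the local computer are not reported as locked.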

Hardened MSMQ mode is initiated and canceled on the local computer by setting the Hardened_MSMQ registry entry.

More Information

  • For information on sending HTTP messages, see HTTP Messages.

  • For information on protecting computers in an enterprise by using proxy servers and store-and-forward servers, see Delivering Messages Sent over the Internet.

  • For information on how message properties are included in HTTP messages, see Message Properties in HTTP Messages.