I’m currently writing a large piece on MSMQ security and wanted to check I was covering the right areas. I have some doubts as I’ve seen the occasional MSMQ forum question where a poster has used the word “security” in different contexts to what I was expecting.
So here are the areas I plan to cover:
- Message security
- encryption on the wire (SSL and IPSEC)
- encryption of the message (MSMQ encryption)
- encryption of the payload (data encryption)
- signing and authentication
- Queue security
- SIDs and ACLs
- Discoverability
- Cross-forest issues
- Storage security
- NTFS permissions
- unencrypted data
- Service security
- Ports and Firewalls
- DOS attacks
- Hardened mode (HTTP only)
- RPC
- secure channel requirement
- authenticated RPC requirement
- Active Directory
- Setup
- Administrator requirements
What else would you want to see?