Message Queuing will use an encryption key with an effective length of 40 bits when sending messages encrypted with the RC2 encryption algorithm.
As a result of a bug in CryptoAPI (in Windows NT 4.0 Service Pack 2 (SP2) through Service Pack 5 (SP5)), enhanced RC2 keys were created with an effective length of 40 bits (instead of 128 bits). This bug was fixed in Windows Server 2003, Windows XP Service Pack 1 (SP1), and Windows 2000 Service Pack 4 (SP4).
If you use enhanced RC2 encryption with the following operating systems, the message cannot be decrypted unless a registry key is set on the sender.
From | To |
Windows Server 2003 | Windows XP |
Windows XP SP1 and SP2 | Windows 2000 (up to Service Pack 3 (SP3)) |
Windows NT 4.0 |
The fix for Windows 2000 SP4 uses a registry key as well but defaults to compatibility with earlier service packs.
To enable backward compatibility and enhance security, the following registry values were added to all platforms.
Windows XP Service Pack 1, Windows Server 2003
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\SendEnhRC2With40: The default value is 0; use an effective length of 128 bits. A nonzero value reverts to Windows 2000 behavior, where the key is created with an effective length of 40 bits.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\RejectEnhRC2IfLen40: The default value is 0; all key lengths are accepted. To enhance security so that messages that use an effective length of 40 will be rejected, set this value to 1.
Windows 2000 Service Pack 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\SendEnhRC2With128: The default value is 0; use an effective length of 40 bits. A nonzero value forces an effective length of 128 bits. This improves security but might not be compatible with other computers.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\RejectEnhRC2IfLen40: The default value is 0; all key lengths are accepted. To enhance security so that messages that use an effective length of 40 will be rejected, set this value to 1.
If your enterprise no longer has computers running Message Queuing (also known as MSMQ) on Windows NT 4.0, Windows 2000 Server below SP4, or Windows XP below SP1, consider the following registry modifications:
On all computers, eliminating the SendEnhRC2With40 key, if it is present. This key needlessly weakens security by forcing computers that can use a 128-bit key to use a 40-bit key instead. For more information, see the "Delete registry key" section.
Adding SendEnhRC2With128 keys to your Windows 2000 SP4 computers, with the value 1. This enhances security by making it possible for these computers to use a 128-bit key instead of a 40-bit key for compatibility. For more information, see the "Add registry key" section.
Adding RejectEnhRC2IfLen40 keys to all of your computers, with the value 1. This enhances security by requiring that incoming messages using enhanced RC2 encryption have a 128-bit key. For more information, see the "Add registry key" section, modifying for this key, as necessary.
Delete a registry key
To delete a registry key:
Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.
Open Registry Editor. To open Registry Editor, click Start. In the search box, type regedit, and then press ENTER.
Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\RejectEnhRC2IfLen40, and then delete the registry key.
Add a registry key
To add a registry key (Windows 2000 SP4):
Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.
Open Registry Editor. To open Registry Editor, click Start. In the search box, type regedit, and then press ENTER.
Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security.
Right-click Security, point to New, and then click Add.
Set the value to 1.
For more information, see Event ID 2175 ( http://technet.microsoft.com/en-us/library/dd337468(WS.10).aspx)
| Target | Microsoft.MSMQ.2008.Servers | ||
| Category | ConfigurationHealth | ||
| Enabled | False | ||
| Event_ID | 2175 | ||
| Event Source | $Target/Property[Type="Microsoft.MSMQ.2008.ServerRole"]/ServiceName$ | ||
| Alert Generate | True | ||
| Alert Severity | Error | ||
| Alert Priority | Normal | ||
| Remotable | True | ||
| Alert Message |
| ||
| Event Log | Application |
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| DS | DataSource | Microsoft.Windows.EventProvider | Default |
| GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
Home<Rule ID="Microsoft.MSMQ.2008.Rule.Alert.Event2175" Enabled="false" Target="Microsoft.MSMQ.2008.Servers" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>ConfigurationHealth</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>$Target/Property[Type="Microsoft.MSMQ.2008.ServerRole"]/ServiceName$</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>2175</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertOwner/>
<AlertMessageId>$MPElement[Name="Microsoft.MSMQ.2008.Rule.Alert.Event2175.AlertName"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
<SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>