Tags: wcf, ssl-certificate, wcf-security, duplex, msmqbinding

Securing duplex WCF MSMQ


I'm building a system where several clients are connected to a central server by WCF using duplex MSMQ (updates are sent to the server, messages are periodically pushed out to several clients).

How do I best secure this scenario? The nature of duplex WCF effectively makes each client a server. Does that mean that, to secure each channel, every client needs to shell out $1200 for a VeriSign cert?


Solution

  • Because MSMQ binding uses regular MSMQ queues, you can implement security using the standard MSMQ queue security model. You need to make sure you set security mode to 'Transport', and then allow or restrict access to the queue as appropriate.

    When you create a queue, you can set permissions which govern who can send, receive, or remove from the queue using Active Directory or Windows accounts. The only resource I can find with a few minutes of googling is MSMQ for .NET Developers, which describes a little about setting permissions.

    Have a read of Securing Messages with Transport Security and the examples in the NetMsmqBinding documentation.

    So you should either run your services as the same user, or ensure all the users are in a single AD group, etc., and then grant queue permissions (send permission?) to that user / group only.
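
The setup described in the answer above, sketched in C# as an added example that is not part of the original answer: a queue whose send and receive rights are limited to named Windows principals, plus a `NetMsmqBinding` in Transport security mode. The queue paths, the `CONTOSO\QueueClients` group and the `CONTOSO\svc-*` accounts are hypothetical placeholders, and the code assumes domain-joined machines with MSMQ Active Directory integration installed.

```csharp
using System.Messaging;      // reference System.Messaging.dll
using System.Net.Security;
using System.ServiceModel;   // reference System.ServiceModel.dll

static class SecuredQueueSetup
{
    // Creates the queue if it is missing, then limits who may send to it and read from it.
    // Run this on the machine that hosts the queue, under an account allowed to change its ACL.
    public static void EnsureQueue(string path, string senders, string receiver)
    {
        // NetMsmqBinding defaults to ExactlyOnce = true, which requires a transactional queue.
        MessageQueue queue = MessageQueue.Exists(path)
            ? new MessageQueue(path)
            : MessageQueue.Create(path, true);
        using (queue)
        {
            // Drop the broad send right so that only the named principals can enqueue.
            // ("Everyone" is the English account name; it differs on localized Windows.)
            queue.SetPermissions("Everyone", MessageQueueAccessRights.WriteMessage,
                                 AccessControlEntryType.Revoke);
            queue.SetPermissions(senders, MessageQueueAccessRights.WriteMessage,
                                 AccessControlEntryType.Allow);
            queue.SetPermissions(receiver, MessageQueueAccessRights.ReceiveMessage,
                                 AccessControlEntryType.Allow);
        }
    }

    // Binding shared by both directions of the duplex conversation.
    public static NetMsmqBinding CreateBinding()
    {
        var binding = new NetMsmqBinding(NetMsmqSecurityMode.Transport);
        // MSMQ attaches the sender's Windows identity, which is checked against the queue ACL.
        binding.Security.Transport.MsmqAuthenticationMode = MsmqAuthenticationMode.WindowsDomain;
        // Messages are signed in transit; Sign is also the binding's default.
        binding.Security.Transport.MsmqProtectionLevel = ProtectionLevel.Sign;
        return binding;
    }

    static void Main()
    {
        // Server side: clients in the group may send updates, only the server account reads.
        EnsureQueue(@".\private$\ServerUpdates", @"CONTOSO\QueueClients", @"CONTOSO\svc-server");
        // Client side (run on each client): only the server account may push, the client reads.
        EnsureQueue(@".\private$\ClientInbox", @"CONTOSO\svc-server", @"CONTOSO\svc-client");
    }
}
```

Because each client hosts its own inbound queue, `EnsureQueue` runs once per machine with the sender and receiver roles swapped, which is how the queue ACL model covers both directions without a certificate per client.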