MSMQ: keep message body encrypted while it is stored on disk

My project requires all data to be encrypted, so MSMQ must also be encrypted. But, as you know from the article (https://msdn.microsoft.com/en-us/library/ms704178(v=vs.85).aspx), messages from private queues are stored by default in the file ...\MSMQ\Storage\p000000x.mq.

When I create a private queue, set its privacy level to "Body", and send an encrypted message to this queue, then open the file ...\MSMQ\Storage\p000000x.mq in a text editor (I use the Far Manager hex editor), I see the plain text of the message. It is not encrypted. To send the message, I use the following code:

    message.UseEncryption = true;                          // request MSMQ message encryption
    message.EncryptionAlgorithm = EncryptionAlgorithm.Rc2; // symmetric algorithm used for the body

The message in ...\MSMQ\Storage\p000000x.mq remains in the clear, even though message encryption is specified. See the figure below.

[image]

Therefore, my question is: is there a built-in tool for storing messages encrypted on disk in the file ...\MSMQ\Storage\p000000x.mq? Or do I need to encrypt the body of the message before sending it to the queue, and then decrypt it when I read from the queue?

Thanks a lot!

+5
2 answers

Yes, you will need to encrypt the data BEFORE sending the message, and then decrypt the data AFTER reading the message.

"Using Application Encryption for Data" http://blogs.msdn.com/b/johnbreakwell/archive/2008/09/12/sending-encrypted-msmq-messages.aspx

+4
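The approach this answer recommends, as an added example that is not part of the original post or of the linked article: the application seals the body with AES-CBC plus an HMAC-SHA256 tag (encrypt-then-MAC) before Send, and verifies and decrypts it after Receive, so only ciphertext ever reaches the p000000x.mq file. It assumes .NET Framework with System.Messaging and that the two 32-byte keys are provisioned out of band (for example from a DPAPI-protected file); the class and method names are made up for this example.

```csharp
using System.IO;
using System.Linq;
using System.Messaging;
using System.Security.Cryptography;
// Added example (not from the original post). Body layout as stored in the .mq file:
// IV (16) || AES-CBC ciphertext || HMAC-SHA256 tag (32). Keys are assumed provisioned out of band.
static class SealedBody
{
    const int IvLen = 16, TagLen = 32;
    public static byte[] Seal(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create())
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = encKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                                      // fresh random IV per message
            byte[] ct = aes.CreateEncryptor().TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] ivCt = aes.IV.Concat(ct).ToArray();
            return ivCt.Concat(hmac.ComputeHash(ivCt)).ToArray();  // encrypt-then-MAC over IV||ct
        }
    }
    public static byte[] Open(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob.Length < IvLen + TagLen) throw new CryptographicException("body too short");
        int ivCtLen = blob.Length - TagLen;
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey)) expected = hmac.ComputeHash(blob, 0, ivCtLen);
        int diff = 0;                                              // constant-time tag compare
        for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ blob[ivCtLen + i];
        if (diff != 0) throw new CryptographicException("tag mismatch: tampered body or wrong key");
        using (var aes = Aes.Create())
        {
            aes.Key = encKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.IV = blob.Take(IvLen).ToArray();
            return aes.CreateDecryptor().TransformFinalBlock(blob, IvLen, ivCtLen - IvLen);
        }
    }
    // Raw bytes go through BodyStream (no XML formatter), so the queue file only ever holds the sealed blob.
    public static void SendSealed(MessageQueue queue, byte[] plaintext, byte[] encKey, byte[] macKey)
        => queue.Send(new Message { BodyStream = new MemoryStream(Seal(plaintext, encKey, macKey)) });
    public static byte[] ReceiveSealed(MessageQueue queue, byte[] encKey, byte[] macKey)
    {
        using (Message msg = queue.Receive())
        using (var ms = new MemoryStream())
        {
            msg.BodyStream.CopyTo(ms);
            return Open(ms.ToArray(), encKey, macKey);             // throws before any plaintext is returned
        }
    }
}
```

Inspecting the .mq file after SendSealed now shows only the IV, ciphertext and tag; a body whose tag does not verify is rejected by ReceiveSealed before decryption.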

Since Microsoft Windows supports folder encryption for multiple users † through the NTFS Encrypting File System (EFS), I was able to use this transparent encryption mechanism to encrypt the MSMQ storage folder and, therefore, minimize the surface area of user access to the data inside the files that contain message bodies, and to the fragments of text that would otherwise be readable in the *.mq files.

This solution is one of the alternatives that I developed for private queues (without domain integration) so that they are transparently encrypted, without resorting to Application-Encrypted Messages or user encryption in the application. It actually affects all queues in the system, because all storage for the MSMQ instance is encrypted.

This solution still lets users who have been granted permission view messages in queues with the MSMQ snap-in, without any garbled or encrypted text visible in the viewer.

Please note that this solution requires you to create a new disk storage folder for MSMQ, because I had problems trying to encrypt and convert the default storage location, which is under Windows\System32. If you find a way to make this work without creating a new folder, please write in the comments.

These are the steps I take to use EFS for a transparently encrypted MSMQ store:
(This assumes that you know where to find the Message Queuing manager to configure the service and how to perform some other basic Windows administration tasks, or can find out how to do so.)

  • Log in as an administrator (assuming that the Message Queuing service is already installed; if it is not, install it from Windows Programs and Features).

  • Note the user account under which the Message Queuing service runs (for example, Network Service). You will need it in a later step.

  • Create an alternative disk storage folder for MSMQ, e.g. C:\MSMQ Storage.

  • Grant your administrator user full access rights to the new folder.

  • Grant the service account (see step 2, e.g. Network Service) full permissions on the folder as well. (This is a very important step, because it gives the MSMQ service account access to the encrypted contents of the message files.)

  • Encrypt the folder by opening its properties and turning on the Encrypt check box. The folder is now encrypted and may be displayed in a different color.
    (You can test this by logging in as another user on the machine and trying to access the contents of the encrypted files, which results in the message "Access denied.")

  • Now use the MSMQ manager to re-point your storage locations (all of them) to the new encrypted folder you just created on disk (and away from the default or current storage, wherever it is). This change will prompt you to restart the service; say yes.

If you find any problems with this solution, write here in the comments. Thanks.

† I tested this solution on both a Win 7 workstation and Windows 2008 R2 Server, writing to and reading from a queue using the basic .NET application described in this article on how to write a minimal message queue application.

+1

Source: https://habr.com/ru/post/1238520/
