Message Queuing Security Overview
Applies To: Windows Server 2008
Security overview
Message Queuing takes advantage of the various built-in security features of the Windows 7 and Windows Server 2008 R2 family operating systems. Specifically, Message Queuing uses access control, message authentication, encryption, and auditing for security. Message Queuing also supports 40-bit and 128-bit security. By managing security properties for objects, you can set permissions, assign ownership, and monitor user access.
Access control is used to restrict user access to Message Queuing objects in Active Directory Domain Services and is implemented by assigning security descriptors to objects. Message Queuing objects include the MsmqServices, msmq, Queue, routing link, and MSMQ Settings objects. The msmq object for the local computer is also known as the MSMQ configuration object, for example, in names of specific permissions for this object. A security descriptor lists the users and groups that are granted or denied access to an object as well as the specific permissions assigned to those users and groups. For more information, see Access Control for Message Queuing.
Security queries to Active Directory Domain Services and other directory services, in which the client and server are online and talk to one another, are implemented using the Kerberos V5 security protocol.
Message authentication, which verifies the identity of the sender of a message to the receiver, is implemented using certificates. Messages are authenticated asynchronously without the sender and the receiver communicating with one another. For more information, see Authentication for Message Queuing.
Encryption is implemented using both public/private key (asymmetric) and secret key (symmetric) algorithms. Encryption is used by Message Queuing applications to encrypt messages sent between Message Queuing computers. For more information, see Encryption for Message Queuing.
Security auditing is used to record which users attempt to access Message Queuing objects in Active Directory Domain Services. The security descriptor for an object specifies the various security events to be audited for the object. For more information, see Auditing Message Queuing Objects.
Message security
Message Queuing ensures the security of messages sent from a source computer to a destination computer. Applications can perform a local read or a remote read when accessing queues. A local read is performed when the receiving application accesses a destination queue that resides on the same computer. In this case, message security can be guaranteed.
A remote read is performed when the contents of a queue are accessed from a computer other than the one on which the queue is located. For remote reading, Message Queuing uses encrypted RPC by default. This feature is available when a Windows 7 or Windows Server 2008 R2 family client computer does a remote read against a Message Queuing computer running on Windows 7, Windows Server 2008 R2 family, Windows Server 2003 family computers or Windows 2000. Note that in situations where encrypted RPC cannot be used, (for example, where a workgroup computer is part of the remote read process) the message will be passed to the remote computer as clear text and message security is not guaranteed. A clear text message that has reached its destination queue can be read only by users that have the necessary access rights to read messages from the queue.
Secured remote read
Message Queuing 5.0 provides the following default settings for secure remote read:
Message Queuing clients in the same forest as the Message Queuing server will use the secure remote read interface with an encrypted channel.
Message Queuing clients in non-trusted domains will use the secure remote read interface. By default, the Message Queuing server requires domain clients to establish an encrypted channel, and such a channel cannot be established between non-trusted domains. Thus remote read requests from such clients will be rejected. To modify this default behavior and allow the Message Queuing server to accept domain clients that do not establish an encrypted channel, create the DWORD registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\NewRemoteReadServerAllowNoneSecurityClient and set to a value of 1. Creation of this registry key causes clients from non-trusted domains to be validated using Anonymous logon credentials. After creating this registry key, the Anonymous logon account must be granted Peek or Receive permissions in order to accommodate remote read requests for clients from non-trusted domains. After implementing this registry key and granting permissions to the Anonymous logon account, Message Queuing server accepts Peek or Receive requests from everyone without authentication checks. Therefore, these changes should only be implemented when absolutely necessary.
Warning
Incorrectly editing the registry may severely damage your system. It is recommended that you back up any valuable data on the computer before making changes to the registry.
- Message Queuing workgroup clients will use the secure remote read interface. Workgroup clients cannot establish an encrypted channel for remote reading, and by default, the Message Queuing server accepts workgroup clients on a non-encrypted channel using Anonymous logon credentials. In this scenario, the Anonymous logon account must be granted Peek or Receive permissions in order to accommodate remote read requests from workgroup clients. To modify this default behavior so that the Message Queuing server rejects workgroup clients, create the DWORD registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security\NewRemoteReadServerDenyWorkgroupClient and set to a value of 1.
Warning
Incorrectly editing the registry may severely damage your system. It is recommended that you back up any valuable data on the computer before making changes to the registry.
- MSMQ 2.0 clients, and Message Queuing 3.0 clients on Windows XP computers, will use the non-secure remote read interface. If you enable your Message Queuing 4.0 or later server to use only the secure remote read interface, the computer does not listen on the non-secure remote read interface, and remote reads from these clients are not supported.
You can enable your Message Queuing server to use only secured remote reading mode in the Server Security tab of Message Queuing properties in Computer Management. In secured remote reading mode, your computer will only listen on the secure remote read interface, and not on the non-secure remote read interface. The effect of this is that only Message Queuing servers on Windows Server 2003 family computers or later can remotely receive messages from queues on your computer, and remote reads from MSMQ 1.0 clients, MSMQ 2.0 clients, and Message Queuing 3.0 clients running on Windows XP computers are not supported. For instructions on enabling your server to use only the new secured mode, see Enable Secured Remote Read.