Access Control for Message Queuing

Applies To: Windows Server 2008

Access control for Message Queuing

Access control is used to restrict user access to Message Queuing objects in Active Directory Domain Services and can be implemented by assigning security descriptors to objects. A security descriptor lists the users and groups that are granted or denied access to an object and the specific permissions assigned to those users and groups. This part of the security descriptor is known as a discretionary access control list (DACL). By setting the permissions on an object, the owner of the object controls which access is allowed. The Message Queuing objects include computer (msmq), queue, routing link, and MSMQ Settings objects. For more information about Message Queuing objects, where they are created, and where they are located in Active Directory Domain Services, see Message Queuing and Active Directory Domain Services.

Permissions can also be used to restrict users from sending messages to, or retrieving messages from, a particular queue on a computer. Although messages are not objects in Active Directory Domain Services, they are protected through the security descriptor of the queue object. In order to implement strong queue access control, permissions should be set on Message Queuing queues to allow only authenticated messages. This measure should be taken because malicious users may tamper with the sender identity of unauthenticated messages which would permit these users to defeat queue access controls.

Because Message Queuing provides asynchronous messaging, the source and destination computers do not need to be online at the same time. In this case, Message Queuing can implement access control for offline users through the use of sender security IDs (SIDs). For example, because a queue can restrict access to itself, the sending application must attach the sender's SID to any message directed to that queue. The Message Queuing service on the destination computer then checks the SID to verify that the sender has the proper permissions to access the queue.

Note

You must also be granted certain permissions to be able to install and uninstall Message Queuing. For more information, see Installation permissions.

For more information about access control for Windows 7 and the Windows Server 2008 R2 family, see Access Control, in the Windows Help file.