Managing the Message Queuing service account

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Managing the Message Queuing service account

Services run in their own security context. To establish a security context, a service needs to log on to the system. The Message Queuing service runs by default under the LocalSystem account, and you can change this default account if necessary.

The Message Queuing Downlevel Client Support service is installed on Message Queuing servers that provide Active Directory Integration to Windows 95, Windows 98, and Windows NT 4.0 computers running MSMQ 1.0, and Windows 2000 computers running MSMQ 2.0. This service must run under the default LocalSystem account.

The following are features of the LocalSystem account:

  • The LocalSystem account is a member of the local Administrators group.

  • The LocalSystem account already has the required rights to run as a service.

  • The LocalSystem account already has the Generate Security Audits privilege.

Authenticated Users is granted the Read permission for all Message Queuing objects in Active Directory, and the token of the LocalSystem account includes the Authenticated Users group, so the service holds that permission without any explicit grant. Read lets the holder read the attributes of Message Queuing objects in Active Directory; it does not govern who can receive (and thereby remove) messages from a queue, which is controlled by the queue's own permissions. Change the account that the Message Queuing service runs under only if you intend to revoke the Read permission from Authenticated Users: the service then needs a grant of its own, so you run it under a specific user account and do the following:

  • Grant the Read permission for all Message Queuing objects in Active Directory to the user account.

  • Add the user account to the local Administrators group.

Depending on the functionality the service must provide, you may also have to grant the user account the following user rights (the policy constant is given in parentheses). Of these, Log on as a service is required for any account a service logs on with; the service control manager will not start the service without it:

  • Log on as a service (SeServiceLogonRight)

  • Act as part of the operating system (SeTcbPrivilege)

  • Replace a process level token (SeAssignPrimaryTokenPrivilege)

  • Increase quotas (SeIncreaseQuotaPrivilege; listed as Adjust memory quotas for a process in the Windows Server 2003 Local Security Policy snap-in)

  • Generate security audits (SeAuditPrivilege)
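The procedure above carried out end to end, as an added example that is not part of the original page or of Microsoft's own tooling. It assumes a hypothetical domain account CONTOSO\svc-msmq, a hypothetical distinguished name for the computer's MSMQ configuration object in Active Directory, and that Windows PowerShell is installed on the Windows Server 2003 computer (it was an optional download for that release); dsacls.exe, secedit.exe, the WinNT ADSI provider and the WMI Win32_Service class are the standard tools it drives. The secedit step is the one that most often goes wrong in practice: the [Privilege Rights] entries of a template replace the current grantees of each right rather than adding to them, so the script exports the current assignments first and appends the new account.

```powershell
# Added example, not from the original page: move the Message Queuing service
# (service name MSMQ) to a dedicated domain account on Windows Server 2003.
# Run as a local administrator on the Message Queuing server.
# Hypothetical values: the account name, the AD distinguished name, the paths.

$account = 'CONTOSO\svc-msmq'                                   # assumed service account
$secure  = Read-Host "Password for $account" -AsSecureString
$plain   = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
           [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# 1. Read permission on the Message Queuing objects in Active Directory.
#    Shown for the computer's MSMQ configuration object only (assumed DN);
#    repeat for every MSMQ object the service must read. GR = generic read,
#    /I:T applies the ACE to the object and everything beneath it.
$msmqDn = 'CN=msmq,CN=MSMQSRV01,CN=Computers,DC=contoso,DC=com'   # assumed
& dsacls.exe $msmqDn /G "${account}:GR" /I:T | Out-Null

# 2. Membership in the local Administrators group.
$admins = [ADSI]'WinNT://./Administrators,group'
$member = 'WinNT://CONTOSO/svc-msmq,user'                          # assumed
if (-not $admins.IsMember($member)) { $admins.Add($member) }

# 3. User rights. Export what is assigned now, append the account to each
#    right we need, and apply the merged template; writing only the new
#    account would strip every existing grantee of that right.
$rights = 'SeServiceLogonRight',           # Log on as a service (mandatory)
          'SeTcbPrivilege',                # Act as part of the operating system
          'SeAssignPrimaryTokenPrivilege', # Replace a process level token
          'SeIncreaseQuotaPrivilege',      # Increase quotas
          'SeAuditPrivilege'               # Generate security audits
$export = Join-Path $env:TEMP 'rights-current.inf'
& secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet
$current = @{}
foreach ($line in Get-Content $export) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $current[$matches[1]] = $matches[2].Trim() }
}
$template = @('[Unicode]', 'Unicode=yes', '[Version]',
              'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
foreach ($r in $rights) {
    $grantees = $current[$r]
    if (-not $grantees) { $grantees = $account }
    elseif ($grantees -notmatch [regex]::Escape($account)) { $grantees = "$grantees,$account" }
    $template += "$r = $grantees"
}
$inf = Join-Path $env:TEMP 'rights-msmq.inf'
$template | Set-Content $inf -Encoding Unicode                     # secedit needs a Unicode template
& secedit.exe /configure /db (Join-Path $env:TEMP 'rights-msmq.sdb') /cfg $inf /areas USER_RIGHTS /quiet

# 4. Re-point the service at the account and restart it (dependent services,
#    such as Message Queuing Triggers, restart with it).
$svc = Get-WmiObject Win32_Service -Filter "Name='MSMQ'"
$rc  = $svc.Change($null, $null, $null, $null, $null, $null, $account, $plain).ReturnValue
if ($rc -ne 0) { throw "Win32_Service.Change failed with return code $rc" }
Restart-Service MSMQ -Force
(Get-WmiObject Win32_Service -Filter "Name='MSMQ'").StartName        # confirm the logon account
```

Keep the exported rights-current.inf until the service is confirmed to start; if it does not, re-applying that file with secedit /configure restores the previous user-rights assignments.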

In addition, if you use a local user account to run Message Queuing applications on Windows 2000 independent clients, those clients cannot authenticate Message Queuing servers that run on domain controllers (the servers that provide access to Active Directory). If authenticating those servers is a requirement, use a domain user account instead.

For information on how to change the account the Message Queuing service runs under, see Change the Message Queuing service account.

Triggers service security

By default, the Message Queuing Triggers service runs under the Network Service account. A service running under this account presents the computer account's credentials on the network and, on the local computer, has the same level of access to resources and objects as a member of the Users group. For heightened security, you can change the Triggers service to a more restrictive account; for example, Local Service, which has the same local access but presents no credentials on the network and is therefore limited to the local computer. You can also specify a less secure account; for example, the LocalSystem account, which has full administrative rights on the local computer.

Whichever account you use must be able to access the queues with which triggers are associated. Specifically, the account must hold the Log On As A Service user right and the Peek Message permission for every queue that a trigger monitors. If the message processing type of a trigger is "retrieval" or "transactional retrieval," the account must also hold the Receive Message permission for that queue. The Triggers service picks up changes to queue security only when it restarts, so after you change the security settings of a queue to enable a trigger to monitor it, stop and start the Message Queuing Triggers service before the trigger will start to work.

Note that executable files invoked by triggers run with the same security privileges as the Triggers service itself: a Triggers service that runs as LocalSystem launches every trigger action with LocalSystem rights, which is the reason to prefer the more restrictive accounts.
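Granting a trigger's queue permissions to whatever account the Triggers service currently logs on as, followed by the restart the text calls for, as an added example that is not part of the original page. It assumes a hypothetical local private queue named orders and a hypothetical flag standing in for the trigger's message processing type; the MSMQTriggers service name, the System.Messaging MessageQueue.SetPermissions method and the WMI Win32_Service class are real. Run it as a local administrator (or the queue owner) on the computer that hosts the queue, since setting queue permissions requires that.

```powershell
# Added example, not from the original page: grant the Message Queuing Triggers
# service account the queue rights a trigger needs, then restart the service.
# Hypothetical values: the queue path and the $retrieval flag.

[void][Reflection.Assembly]::LoadWithPartialName('System.Messaging')

$queuePath = '.\private$\orders'   # assumed queue the trigger monitors
$retrieval = $true                 # assumed: $true for retrieval / transactional retrieval triggers

# Use the account the service actually logs on as, read from the SCM via WMI.
# Win32_Service reports built-in accounts as 'NT AUTHORITY\NetworkService',
# 'NT AUTHORITY\LocalService' or 'LocalSystem'.
$trig    = Get-WmiObject Win32_Service -Filter "Name='MSMQTriggers'"
$account = $trig.StartName
if ($account -eq 'LocalSystem') {
    Write-Warning 'Triggers runs as LocalSystem; every executable a trigger launches inherits those rights.'
    $account = 'NT AUTHORITY\SYSTEM'   # the name the queue ACL resolves
}

$queue = New-Object System.Messaging.MessageQueue $queuePath
$allow = [System.Messaging.AccessControlEntryType]::Allow

# Peek Message is required for every queue a trigger monitors.
$queue.SetPermissions($account, [System.Messaging.MessageQueueAccessRights]::PeekMessage, $allow)

# Receive Message is additionally required when the trigger removes the message.
if ($retrieval) {
    $queue.SetPermissions($account, [System.Messaging.MessageQueueAccessRights]::ReceiveMessage, $allow)
}

# The service reads queue security at start-up, so restart it to pick up the change.
Restart-Service MSMQTriggers
"Granted Peek$(if ($retrieval) { ' and Receive' }) on $queuePath to $account; MSMQTriggers is $((Get-Service MSMQTriggers).Status)"
```

If the Triggers service is later moved to a different account, the queue entries granted here stay behind for the old principal; remove them with SetPermissions and AccessControlEntryType.Revoke, or the old account keeps its peek and receive rights on the queue.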