Enabling weakened security

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


Message Queuing servers running on Windows Server 2003 domain controllers or Windows 2000 domain controllers can operate using weakened security for Active Directory. If you install Message Queuing with the Message Queuing Downlevel Client Support component on a domain controller, a dialog asks whether you want to enable or disable weakened security. Enable weakened security if any of the following operating configurations apply to your organization:

  • A domain environment where users running MSMQ 1.0 (on Windows NT 4.0, Windows 98, or Windows 95) access the Message Queuing Downlevel Client Support service on Windows Server 2003 domain controllers, and Windows 2000 domain controllers for directory services. This applies even if such users are logged on with Windows Server 2003 or Windows 2000 domain accounts.

  • A Windows Server 2003 family domain, or Windows 2000 domain, where users running Message Queuing (on Windows Server 2003 family operating systems, Windows XP, or Windows 2000) are logged on with Windows NT 4.0 domain accounts.

  • An environment where Message Queuing 2.0 users are logged on with local user accounts. Note that:

    • Dependent clients cannot run under a local user account.

    • Any computer that sends queries about Message Queuing objects to Active Directory on a domain controller directly, rather than through a Message Queuing server, will not be able to access Message Queuing objects in Active Directory when it logs on with a local user account, even if the security for Active Directory is weakened.

If weakened security is enabled, a Message Queuing server running on a Windows Server 2003 domain controller or a Windows 2000 domain controller will access Active Directory within its own security context. This access will be under the LocalSystem account on the applicable domain controller. You can view the properties of Active Directory objects, including msmq (MSMQ configuration) objects and queue objects. You can also check security settings for operating systems requiring the Downlevel Client Support service or Windows XP clients. You cannot bypass any security restrictions on creating objects or setting object security.

For users running MSMQ 1.0, when the MSMQ service starts an RPC call to a Message Queuing server running on a Windows Server 2003 domain controller, the call is impersonated as an anonymous logon in the default security context. To allow such an anonymous user access to Active Directory, domain security is weakened by not impersonating this call. Consequently, all queries for Message Queuing objects in Active Directory are accepted by Windows Server 2003 Message Queuing servers. This means only that the properties of Message Queuing objects can be viewed. It does not mean that messages can be retrieved (removed) from public queues.

You can also check how Message Queuing is configured and modify this setting after installation using ADSI Edit. For information on how to do this, see Weaken security using ADSI Edit.

It is also possible to support MSMQ 1.0 users (and the other configurations discussed above) without weakening security. In this case, you must grant the Everyone group the List Contents permission on all computer objects in each domain. This, however, greatly compromises domain security.
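The following read-only audit script is an added example and is not part of this article or of the Message Queuing product; it covers both the post-installation check mentioned above (how Message Queuing is configured in Active Directory) and the Everyone / List Contents alternative described in the last paragraph. It uses System.DirectoryServices directly so that it also runs against Windows Server 2003 domain controllers without the ActiveDirectory PowerShell module. The attribute name `mSMQNameStyle` used for the weakened-security flag is an assumption; confirm it against the "Weaken security using ADSI Edit" topic before relying on the first report.

```powershell
# Added audit example (not from the original article). Read-only.
# 1. Reports the weakened-security flag on every MSMQ Settings object in the
#    Configuration partition (one per Message Queuing server in a site).
# 2. Reports computer objects whose ACL grants Everyone 'List Contents', the
#    alternative to weakened security that the article warns about.

# ASSUMPTION: the attribute exposed in ADSI Edit for weakened security is
# mSMQNameStyle. Verify against the "Weaken security using ADSI Edit" topic.
$WeakenedSecurityAttribute = 'mSMQNameStyle'

function Get-MsmqWeakenedSecurityStatus {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$configNc"
    # MSMQ Settings objects live at CN=MSMQ Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    $searcher.Filter   = '(objectClass=mSMQSettings)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add($WeakenedSecurityAttribute)

    $attrKey = $WeakenedSecurityAttribute.ToLower()   # result property names are lower-case
    foreach ($result in $searcher.FindAll()) {
        $dn   = [string]$result.Properties['distinguishedname'][0]
        $flag = if ($result.Properties.Contains($attrKey)) {
                    [string]$result.Properties[$attrKey][0]
                } else { '<not set>' }
        New-Object PSObject -Property @{
            MsmqSettingsDN   = $dn
            WeakenedSecurity = $flag
        }
    }
}

function Get-ComputersWithEveryoneListContents {
    param([string]$SearchBase = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext)

    $everyoneSid  = 'S-1-1-0'                                   # well-known SID of Everyone
    $listChildren = [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter   = '(objectCategory=computer)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($result in $searcher.FindAll()) {
        # Binding to each object to read its security descriptor is slow in large domains;
        # narrow -SearchBase to an OU if you only need part of the domain.
        $entry = $result.GetDirectoryEntry()
        $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $hits  = @($rules | Where-Object {
            $_.IdentityReference.Value -eq $everyoneSid -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (([int]$_.ActiveDirectoryRights) -band $listChildren) -ne 0
        })
        if ($hits.Count -gt 0) {
            New-Object PSObject -Property @{
                ComputerDN = [string]$result.Properties['distinguishedname'][0]
                # An inherited ACE usually means the grant was made at the domain or OU level.
                Inherited  = (($hits | ForEach-Object { $_.IsInherited }) -contains $true)
            }
        }
    }
}

# Usage: run as a domain user with read access to the Configuration and domain partitions.
Get-MsmqWeakenedSecurityStatus        | Format-Table -AutoSize
Get-ComputersWithEveryoneListContents | Format-Table -AutoSize
```

Any computer object reported by the second function, or any MSMQ Settings object whose flag is set, corresponds to one of the two reduced-security configurations this topic describes and should be tracked as an accepted risk until the last MSMQ 1.0 or Windows NT 4.0 account dependency is retired.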