Message Queuing security overview
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Message Queuing takes advantage of the various built-in security features of the Windows Server 2003 family operating systems. Specifically, Message Queuing uses access control, message authentication, encryption, and auditing for security. In Message Queuing 3.0, 128-bit encryption is supported in addition to 40-bit encryption. By managing security properties for objects, you can set permissions, assign ownership, and monitor user access.
Access control is used to restrict user access to Message Queuing objects in Active Directory and is implemented by assigning security descriptors to objects. Message Queuing objects include the MsmqServices, msmq, Queue, routing link, and MSMQ Settings objects. The msmq object for the local computer is also known as the MSMQ configuration object, for example, in names of specific permissions for this object and in the Delegation of Control Wizard. A security descriptor lists the users and groups that are granted or denied access to an object as well as the specific permissions assigned to those users and groups. For more information, see Access control for Message Queuing.
Security queries to Active Directory and other directory services, in which the client and server are online and talk to one another, are implemented using the Kerberos V5 security protocol (between Windows Server 2003 computers) or server authentication (for compatibility with MSMQ 1.0 running on Windows NT 4.0).
Message authentication, which verifies the identity of the sender of a message to the receiver, is implemented using certificates. Messages are authenticated asynchronously without the sender and the receiver communicating with one another. For more information, see Authentication for Message Queuing.
Encryption is implemented using both public/private key (asymmetric) and secret key (symmetric) algorithms. Encryption is used by Message Queuing applications to encrypt messages sent between Message Queuing computers. For more information, see Encryption for Message Queuing.
Security auditing is used to record which users attempt to access Message Queuing objects in Active Directory. The security descriptor for an object specifies the various security events to be audited for the object. For more information, see Auditing Message Queuing objects.
Message Queuing ensures the security of messages sent from a source computer to a destination computer. Applications can perform a local read or a remote read when accessing queues. A local read is performed when the receiving application accesses a destination queue that resides on the same computer. In this case, message security can be guaranteed.
A remote read is performed when the contents of a queue are accessed from a computer other than the one on which the queue is located. For remote reading, Message Queuing 3.0 uses encrypted RPC by default. This feature is available when a Windows Server 2003 family client computer does a remote read against a Message Queuing computer running on Windows Server 2003 family computers, Windows 2000, or Windows NT 4.0. Note that in situations where encrypted RPC cannot be used, (for example, where a workgroup computer is part of the remote read process) the message will be passed to the remote computer as clear text and message security is not guaranteed. A clear text message that has reached its destination queue can be read only by users that have the necessary access rights to read messages from the queue.
Secured remote read
Message Queuing 3.0 on Windows Server 2003 family computers provides a new secure remote read interface that enhances the security of the old remote read interface used by Message Queuing running on earlier versions of Windows operating systems, and allows Message Queuing servers to expose remote-read functionality in a more secure way.
Following Message Queuing installation, Message Queuing 3.0 on Windows Server 2003 family computers listens for both the old remote read interface and the new secure remote read interface, and the following default settings are applied:
Message Queuing 3.0 clients on Windows Server 2003 family computers in the same forest as the Message Queuing 3.0 server will use the secure remote read interface with an encrypted channel.
Message Queuing 3.0 clients across forests on Windows Server 2003 family computers in non-trusted domains will use the secure remote read interface. By default, the Message Queuing 3.0 server requires domain clients to establish an encrypted channel, and such a channel cannot be established between non-trusted domains. Thus remote read requests from such clients will be rejected. To modify this default behavior and allow the Message Queuing server to accept domain clients that do not establish an encrypted channel, create a DWORD value Security\NewRemoteReadServerAllowNoneSecurityClient in the registry and set it to 1. Creation of this registry key causes clients from non-trusted domains to be validated using Anonymous logon credentials. After creating this registry key, the Anonymous logon account must be granted Peek or Receive permissions in order to accommodate remote read requests for clients from non-trusted domains. After implementing this registry key and granting permissions to the Anonymous logon account, Message Queuing server accepts Peek or Receive requests from everyone without authentication checks. Therefore, these changes should only be implemented when absolutely necessary.
Message Queuing 3.0 workgroup clients on Windows Server 2003 family computers will use the secure remote read interface. Workgroup clients cannot establish an encrypted channel for remote reading, and by default, the Message Queuing server accepts workgroup clients on a non-encrypted channel using Anonymous logon credentials. In this scenario, the Anonymous logon account must be granted Peek or Receive permissions in order to accommodate remote read requests from workgroup clients. To modify this default behavior so that the Message Queuing 3.0 server rejects workgroup clients, create a DWORD value Security\NewRemoteReadServerDenyWorkgroupClient in the registry and set it to 1.
MSMQ 1.0 and MSMQ 2.0 clients, and Message Queuing 3.0 clients on Windows XP computers, will use the old remote read interface. If you enable your Message Queuing 3.0 server to use only the secure remote read interface, the computer does not listen on the old remote read interface, and remote reads from these clients are not supported.
You can enable your Message Queuing 3.0 server to use only secured remote reading mode in the Server Security tab of Message Queuing properties in Computer Management. In secured remote reading mode, your computer will only listen on the new secure remote read interface, and not on the old remote read interface. The effect of this is that only Message Queuing 3.0 servers on Windows Server 2003 family computers can remotely receive messages from queues on your computer, and remote reads from MSMQ 1.0 clients, MSMQ 2.0 clients, and Message Queuing 3.0 clients running on Windows XP computers are not supported. For instructions on enabling your server to use only the new secured mode, see Enable secured remote read.