Default MSMQ queue permissions have changed in MSMQ 4.0
For Windows Vista and Windows Server 2008, newly created queues may not have the permissions you're used to.
With MSMQ 3.0 and earlier, creating a queue would assign the following defaults:
- Everyone – Get permissions, Get properties, Send message.
- Anonymous Logon – Send message.
- Machine$ - Get permissions, Get properties
- Creator (owner) – full control.
which meant that ANYONE could send a message to a queue. If you didn't have any quotas set, this could open up your server to a Denial of Service attack. In the worst case, the server would crash through lack of available kernel memory.
To prevent this, MSMQ 4.0 removed the Everyone and Anonymous Logon defaults, forcing you to go in and add the permissions you need.
This isn't a blanket change, though. There are 4 scenarios where the old defaults are retained:
- when Message Queuing is installed in workgroup mode (i.e. when the directory service integration feature is not installed)
- when Multicasting support is enabled.
- when HTTP support is enabled.
- when the default behavior is overridden with the new PermitAnonEveryoneSend registry value.
This is discussed further at the bottom of this TechNet article:
Security Enhancements that Affect the Default Behavior of Message Queuing
Note
A further note on permissions - if you are looking at public queues, you may see various Access Control Entries (ACEs) being inherited from the parent objects above the queue object. For example, my test domain controller has the following additions to the list:
- Administrators
- Enterprise Administrators
- Pre-Windows 2000 Compatible Access
- Enterprise Domain Controllers
but as MSMQ-specific permissions (like “receive message”) don’t exist at higher levels then very little is effectively inherited. If you have a look at the extra ACEs, you will see that some entries have no permissions enabled or disabled.
Note
If you want to set permissions when you create queues, you can always build the desired security descriptor and pass it in the pSecurityDescriptor parameter of MQCreateQueue (https://msdn.microsoft.com/en-us/library/ms701768(VS.85).aspx). You can't, though, customise the defaults as they are hard-coded.
Comments
Anonymous
October 23, 2009
Thank you John, Your article was a real time saver for us. We spent a few weeks wondering about changes in behavior observed on some COTS (Commercial off-the-shelf) software we migrated from Windows Server 2003 to Windows Server 2008. Once we read your article we were able to solve our problems in 15 minutes. Keep up the good word...Anonymous
October 23, 2009
Hi Jean-Francois, Glad I could help. Cheers John Breakwell (MSFT)