Access Control


Updated: July 19, 2016

Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista

Because queues are securable objects, access to them is regulated by the access control model that governs access to all securable objects in Windows®. According to this model, specific operations on queues can be restricted to specific users or groups of users, called trustees. When a queue is created, a SECURITY_DESCRIPTOR structure is associated with the queue to specify the access rights that are allowed or denied to specific trustees for performing specific operations on the queue.

The queue operations that can be restricted include creating, deleting, and opening the queue (for sending messages to and reading messages from the queue). Operations also include getting and setting the queue's properties and security descriptor.

The following are the default values of the components of the security information included in a queue's SECURITY_DESCRIPTOR structure:

  • Owner

    The security identifier (SID) of the queue's creator.

  • Group

    The security identifier (SID) of the primary group to which the queue's creator belongs.

  • Discretionary access control list (DACL)

    Full control for the queue's creator. All other users (processes) can get queue properties, get queue security, and send messages to the queue. In MSMQ 3.0, anonymous users can only send messages to the queue, and the Computer_Name$ account of a computer that belongs to a domain can only get the properties and security of the queue and receive or peek at messages in the queue.

  • System access control list (SACL)


For applications using Message Queuing Win32® APIs, the SECURITY_DESCRIPTOR structure is specified by the pSecurityDescriptor parameter of MQCreateQueue when the queue is created. For applications using Message Queuing COM components, the default security descriptor is automatically attached to the queue when it is created unless the optional IsWorldReadable parameter of the MSMQQueueInfo.Create method is set. When this parameter is set to True, all members of the Everyone group can peek at or retrieve messages in the queue and its journal. To determine whether the default security descriptor of the queue was changed to allow read access to all members of the Everyone group, either in the call to create the queue or at any time after the queue was created, retrieve the MSMQQueueInfo.IsWorldReadable2 property.

Before Message Queuing performs any operation on a queue, it checks the queue's security descriptor to determine whether the access rights for performing the requested operation are allowed for the user. To do this, Message Queuing checks whether the operation is restricted. If the operation is restricted, Message Queuing then checks the identity of the user to ascertain whether the restriction applies to that user. If it does, the operation is not allowed to continue.

With the exception of putting a new message in a queue, Message Queuing can verify the identity of the user from the access token attached to the process. Access tokens are produced by the system. When a user logs on, the system verifies the user's password by comparing it with information stored in the system's security database. If the password is valid, the system produces an access token and attaches it to each process started by the user.

However, Message Queuing cannot use the sender's access token to put a new message in a remote destination queue, because it is not available to the destination queue manager. Instead, it uses the security identifier (SID) that Message Queuing attached to the message when it was sent. Similar to the access token, the user's SID is attached by the application. When a message is sent by a local user account to a remote computer, no SID is attached to the message, and in MSMQ 3.0, the destination queue manager regards the sender as an anonymous user. For more information, see access tokens and SIDs in the Security section of the Microsoft® Platform SDK.
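The check described above, modelled as a small portable C program (an added illustration, not Message Queuing's implementation and not code from this page). The rights constants carry the values defined in mq.h; the SIDs ending in 1001 and 1002 are constructed, IsWorldReadable is modelled as adding receive rights on the queue itself (the journal is left out), and the anonymous sender is assumed not to be a member of Everyone.

```c
#include <stdio.h>
#include <string.h>
/* Access-right values as in mq.h, redefined so this builds without the SDK. */
#define MQSEC_WRITE_MESSAGE         0x00004u
#define MQSEC_RECEIVE_MESSAGE       0x00003u /* peek | delete message */
#define MQSEC_GET_QUEUE_PROPERTIES  0x00020u
#define MQSEC_GET_QUEUE_PERMISSIONS 0x20000u /* READ_CONTROL */
#define MQSEC_QUEUE_GENERIC_ALL     0xF003Fu /* full control */
#define DEFAULT_EVERYONE (MQSEC_GET_QUEUE_PROPERTIES | \
                          MQSEC_GET_QUEUE_PERMISSIONS | MQSEC_WRITE_MESSAGE)
#define SID_CREATOR   "S-1-5-21-0-0-0-1001" /* constructed sample SID */
#define SID_EVERYONE  "S-1-1-0"
#define SID_ANONYMOUS "S-1-5-7"
typedef struct { int deny; const char *sid; unsigned mask; } Ace;
static const Ace default_dacl[] = {        /* defaults listed on this page */
    {0, SID_CREATOR,   MQSEC_QUEUE_GENERIC_ALL},
    {0, SID_EVERYONE,  DEFAULT_EVERYONE},
    {0, SID_ANONYMOUS, MQSEC_WRITE_MESSAGE},
};
static const Ace world_readable_dacl[] = { /* assumed IsWorldReadable effect */
    {0, SID_CREATOR,   MQSEC_QUEUE_GENERIC_ALL},
    {0, SID_EVERYONE,  DEFAULT_EVERYONE | MQSEC_RECEIVE_MESSAGE},
    {0, SID_ANONYMOUS, MQSEC_WRITE_MESSAGE},
};
/* Caller SID sets: a domain user (constructed SID) and an anonymous sender. */
static const char *const user_sids[] = {"S-1-5-21-0-0-0-1002", SID_EVERYONE};
static const char *const anon_sids[] = {SID_ANONYMOUS};

/* Ordered ACE walk: returns 1 only if every bit in `wanted` ends up allowed. */
int queue_access_check(const Ace *dacl, int n_aces,
                       const char *const *sids, int n_sids, unsigned wanted)
{
    for (int i = 0; i < n_aces && wanted; i++) {
        int held = 0;
        for (int j = 0; j < n_sids; j++) held |= strcmp(dacl[i].sid, sids[j]) == 0;
        if (!held) continue;                        /* ACE is for another trustee */
        if (dacl[i].deny && (dacl[i].mask & wanted)) return 0;
        if (!dacl[i].deny) wanted &= ~dacl[i].mask; /* clear the bits now allowed */
    }
    return wanted == 0;
}

int main(void)
{
    printf("user receive: default=%d world-readable=%d\n",
           queue_access_check(default_dacl, 3, user_sids, 2, MQSEC_RECEIVE_MESSAGE),
           queue_access_check(world_readable_dacl, 3, user_sids, 2, MQSEC_RECEIVE_MESSAGE));
    return 0;
}
```

When reviewing a real queue, the same question (which trustees hold receive rights beyond the owner) is the one to ask of the DACL returned by MQGetQueueSecurity.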

Applications can retrieve or modify the security descriptor of a queue if the users running them have sufficient permissions and privileges. For more information, see MQGetQueueSecurity and MQSetQueueSecurity.

| For an example of | See |
| --- | --- |
| Retrieving the domain name (if applicable) and account name of a queue's owner | C/C++ Code Example: Retrieving the Queue Owner's Name |
| Displaying lists of the permissions that are granted or denied to trustees for a queue | C/C++ Code Example: Retrieving the Access Rights of a Queue |
| Changing the security settings of a queue to allow all members of the Everyone group to receive messages from a queue | C/C++ Code Example: Granting Additional Access Rights |
| Creating a security descriptor that gives a specified trusted user full control over a queue | C/C++ Code Example: Creating a Security Descriptor |