Microsoft KB Archive/255547

= How To Determine If MSMQ 2.0 Servers Are Configured to Use Weakened Security for Active Directory =

Article ID: 255547

Article Last Modified on 2/23/2007

-

APPLIES TO

 * Microsoft Message Queuing 2.0

-

This article was previously published under Q255547

SUMMARY
Message Queuing servers that are running on Microsoft Windows 2000 domain controllers can operate using weakened security for Active Directory. If used, weakened security is enabled during installation of the first Message Queuing server on a Windows 2000 domain controller in the forest. This setting is then replicated to all other domain controllers in every domain in the forest. You should enable weakened security if any of the following operating configurations apply to your organization:
 * An MSMQ mixed-mode domain environment where users running MSMQ version 1.0 (on Microsoft Windows NT 4.0, Microsoft Windows 95, or Microsoft Windows 98) access Message Queuing servers running on Windows 2000 domain controllers. This configuration also applies if such users are logged on with Windows 2000 domain accounts.
 * An MSMQ mixed-mode domain environment where users running Message Queuing (on Windows 2000) in a Windows NT 4.0 domain access MSMQ 1.0 controller servers.
 * An MSMQ Windows 2000 domain where users running Message Queuing (on Windows 2000) are logged on with Windows NT 4.0 domain accounts, or in a Windows 2000 domain where users are running computers that support only the IPX protocol.
 * An environment where users are logged on with a Local User account (regardless of the operating system).

If weakened security is enabled, such computers are able to query domain controllers, and view object properties in Active Directory. If disabled, such computers are not, by default, able to query Active Directory. Specifically, when weakened security is enabled, the "Everyone" group is allowed Read permission for queue properties and queue security.



MORE INFORMATION
For users running MSMQ 1.0 on Windows NT 4.0, when the MSMQ service makes a Microsoft Remote Procedure Call (RPC) call to a Message Queuing server running on a Windows 2000 domain controller, the call is impersonated as an anonymous logon. To allow such an anonymous user access to Active Directory, domain security is weakened by not impersonating this call. Consequently, all queries for objects in Active Directory are accepted by Message Queuing servers. This means only that the properties of Message Queuing objects can be viewed; it does not mean that messages can be read (or removed) from public queues.

NOTE: It is also possible to support Windows NT 4.0 users (and the other configurations discussed above) without weakening security. In this case, you must grant the Everyone group the "List Content" permission on all computer objects in each domain. This approach is considered a greater compromise of domain security, and is not recommended.

To check and modify the security configuration, perform the steps below. Note that you must have previously installed the support tools that are provided in the \Support\Tools folder on the Windows 2000 distribution CD.
 1. Open an empty Microsoft Management Console (MMC), or edit an existing profile and add ADSI Edit.
 2. Right-click ADSI Edit and click Connect to.
 3. Under Connection Point, click Naming Context, click the DOWN ARROW, and then select Configuration Container.
 4. If necessary, click the Advanced button to specify credentials.
 5. Click OK.
 6. Expand Configuration Container.
 7. Expand CN=Configuration,DC="Domainname".
 8. Expand CN=Services.
 9. Right-click CN=MsmqService, and then select Properties.
 10. From Select a property to view, select mSMQNameStyle.
 11. If the attribute value is false, security is tightened and down-level clients cannot connect to your MSMQ domain. If the attribute value is true, weakened security is enabled and down-level clients can connect to your MSMQ domain.

If you change the mSMQNameStyle setting, you must restart all Message Queuing servers that are running on Windows 2000 domain controllers for the change to take effect.
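The same check can be scripted so that every forest can be audited without clicking through ADSI Edit. The following PowerShell is an added example and is not part of the original article or of any Microsoft tool; it binds to RootDSE to find the Configuration naming context and reads the mSMQNameStyle attribute from the CN=MsmqService object that steps 6 through 10 navigate to. It assumes a domain-joined Windows host where the [ADSI] type accelerator (System.DirectoryServices) is available and an account that can read the Configuration container.

```powershell
# Added example (not from KB 255547): audit whether MSMQ weakened security
# for Active Directory is enabled, by reading mSMQNameStyle on
# CN=MsmqService,CN=Services,CN=Configuration,... via ADSI.
# Assumes: domain-joined Windows host, Windows PowerShell with the
# System.DirectoryServices types, and read access to the Configuration NC.

function Get-MsmqWeakenedSecurity {
    [CmdletBinding()]
    param(
        # Optional domain controller or domain name to bind to; when omitted,
        # the serverless bind picks a DC for the current domain.
        [string]$Server
    )

    # RootDSE tells us the DN of the Configuration naming context, so the
    # function works in any forest without hard-coding DC="Domainname".
    $prefix   = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }
    $rootDse  = [ADSI]($prefix + "RootDSE")
    $configNc = [string]$rootDse.Properties["configurationNamingContext"].Value

    # Same object the article's steps 6-9 expand to in ADSI Edit.
    $svcDn = "CN=MsmqService,CN=Services,$configNc"
    $svc   = [ADSI]($prefix + $svcDn)

    # mSMQNameStyle is a Boolean attribute; ADSI returns $null when it is unset.
    $value = $svc.Properties["mSMQNameStyle"].Value

    $status = if ($null -eq $value) {
        "mSMQNameStyle not set (no MSMQ 2.0 server has been installed on a DC yet)"
    } elseif ($value -eq $true) {
        "WEAKENED security enabled: Everyone can read queue properties and queue security; down-level clients can connect"
    } else {
        "Tightened security: down-level clients cannot query Active Directory through MSMQ"
    }

    [pscustomobject]@{
        Object           = $svcDn
        mSMQNameStyle    = $value
        WeakenedSecurity = ($value -eq $true)
        Status           = $status
    }
}

# Usage: report the forest-wide setting for the current domain.
Get-MsmqWeakenedSecurity | Format-List
```

Because the flag lives in the Configuration naming context, one read against any domain controller answers the question for the entire forest. If you decide to tighten the setting, write it back with `$svc.Put("mSMQNameStyle", $false)` followed by `$svc.SetInfo()`, and then restart every Message Queuing server running on a Windows 2000 domain controller, as the article requires, before re-running the audit to confirm the new value.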

