We are looking at setting up MSMQ, but in our environment users aren't guaranteed to have Active Directory, and using certificates would be an extra process we would not like to have.

So I started looking into using a private queue without the "Authentication" checkbox. I get the warning on the MSMQ properties saying:

 Queue is unauthenticated. Message senders can bypass the Access Control settings specified on the security tab.

But it seems that if I change user settings on the Security tab then it works as I would think. A user without "Send Message" permission can't send a message to the queue; I get the error "Access is denied".

So my question is what exactly can the "Message senders" bypass when the "Authentication" checkbox isn't checked as described in the warning message above?

Andrew

1 Answer

Permissions are easily bypassed. The sender would just need to craft a message with a SID value that matched one with access permissions to the queue. Access control without authentication is just a speed bump to a determined attacker.

John Breakwell
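
An added example, not part of the question or the answer above: a Windows PowerShell audit that lists the private queues on a machine and flags those that accept unauthenticated messages, which are the queues whose Security tab settings the warning applies to. It assumes the MSMQ feature and the .NET Framework `System.Messaging` assembly are present; the function name `Get-MsmqQueueAuthState` is hypothetical.

```powershell
# Added example (not from the original post).
# The "Authenticated" checkbox on a queue maps to the
# System.Messaging.MessageQueue.Authenticate property.
Add-Type -AssemblyName System.Messaging

function Get-MsmqQueueAuthState {
    param(
        # '.' means the local machine
        [string]$MachineName = '.'
    )

    $queues = [System.Messaging.MessageQueue]::GetPrivateQueuesByMachine($MachineName)

    foreach ($q in $queues) {
        try {
            $auth = $q.Authenticate
            [pscustomobject]@{
                Path         = $q.Path
                Authenticate = $auth
                # With Authenticate off, the queue ACL is evaluated against a
                # sender identity that nothing has verified.
                AclBypassable = -not $auth
                Error        = $null
            }
        }
        catch [System.Messaging.MessageQueueException] {
            # Typically raised when the caller may not read queue properties.
            [pscustomobject]@{
                Path         = $q.Path
                Authenticate = $null
                AclBypassable = $null
                Error        = $_.Exception.Message
            }
        }
        finally {
            $q.Dispose()
        }
    }
}

# Report every private queue, unauthenticated ones first.
Get-MsmqQueueAuthState |
    Sort-Object Authenticate |
    Format-Table Path, Authenticate, AclBypassable, Error -AutoSize
```

Queues reported with `Authenticate` as `False` should be treated as writable by anyone who can reach the MSMQ service, whatever the Security tab shows.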