Operations on queues can be restricted to a specific user or group of users. When a queue is created, a security descriptor is included in the call to specify who has access rights to the queue's operations.
Operations that can be restricted include creating, deleting, and opening a queue (for sending messages to the queue or reading messages from it), as well as getting and setting a queue's properties and security descriptor.
For applications using API functions, the security descriptor is specified by the lpSecurityDescriptor parameter of MQCreateQueue. For applications using ActiveX components, the default security descriptor is automatically attached to the queue when it is created and can only be changed using API functions.
Before MSMQ performs any operation on a queue, it checks the queue's security descriptor to determine if the user has sufficient access rights to perform the requested operation. To do this, MSMQ checks whether the operation is restricted. If the operation is restricted, MSMQ then checks the identity of the user to see if the restriction applies to that user. If it does, the operation is not allowed to continue.
With the exception of putting a new message in a queue, MSMQ can verify the identity of the user by the access token attached to the process. Access tokens are produced by the system. When a user logs on, the system verifies the user's password by comparing it with information stored in the system's security database. If the password is valid, the system produces an access token and attaches it to each process started by the user.
However, MSMQ cannot use this access token to put a new message in the queue. Instead, it uses a security identifier (SID) that MSMQ attached to the message when it was sent. Similar to the access token, the user's SID is created by the application. For a description of access tokens and SIDs, see the Security section in the Microsoft Platform SDK.
Applications can retrieve or modify the security descriptor of a queue if they have sufficient access rights. See MQGetQueueSecurity and MQSetQueueSecurity.
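The per-operation restriction described above, as an added example that is not part of the original page. It uses the .NET System.Messaging wrapper rather than MQCreateQueue and MQSetQueueSecurity; the queue path and the two account names are placeholders.

```powershell
# Added example. Assumes MSMQ is installed on the local machine and the script
# runs as an account with full control over the queue (for example its creator).
Add-Type -AssemblyName System.Messaging

$QueuePath = '.\private$\orders'           # placeholder queue path
$Sender    = 'CONTOSO\svc-order-web'       # placeholder account: may only send
$Receiver  = 'CONTOSO\svc-order-worker'    # placeholder account: may only read

$Rights = [System.Messaging.MessageQueueAccessRights]
$Entry  = [System.Messaging.AccessControlEntryType]

# Resolve well-known SIDs to account names so this also works on localized systems.
function Resolve-Sid([string]$Sid) {
    $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
    $id.Translate([System.Security.Principal.NTAccount]).Value
}

if ([System.Messaging.MessageQueue]::Exists($QueuePath)) {
    $queue = New-Object System.Messaging.MessageQueue $QueuePath
} else {
    $queue = [System.Messaging.MessageQueue]::Create($QueuePath)
}

# Remove every entry held by the broad principals (Everyone, Anonymous Logon).
foreach ($sid in 'S-1-1-0', 'S-1-5-7') {
    $queue.SetPermissions((Resolve-Sid $sid), $Rights::FullControl, $Entry::Revoke)
}

# One right per role: the sender can put messages in, the receiver can take them out.
# Set discards any earlier entries for the same account before granting the right.
$queue.SetPermissions($Sender,   $Rights::WriteMessage,   $Entry::Set)
$queue.SetPermissions($Receiver, $Rights::ReceiveMessage, $Entry::Set)
$queue.Close()
```

After this runs, neither service account can delete the queue or change its properties or permissions, because those operations remain restricted to accounts that hold the corresponding rights.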