For Windows Vista and Windows Server 2008, newly created queues may not have the permissions you're used to. With MSMQ 3.0 and earlier, creating a queue would assign the following defaults:
which meant that ANYONE could send a message to a queue. If you didn't have any quotas set, this could open up your server to a Denial of Service attack. In the worst case, the server would crash through lack of available kernel memory. To prevent this, MSMQ 4.0 removed the Everyone and Anonymous Logon defaults, forcing you to go in and add the permissions you need. This isn't a blanket change, though. There are 4 scenarios where the old defaults are retained:
This is discussed further at the bottom of this TechNet article:
Note: A further note on permissions - if you are looking at public queues, you may see various Access Control Entries (ACEs) being inherited from the parent objects above the queue object. For example, my test domain controller has the following additions to the list:
but as MSMQ-specific permissions (like “receive message”) don’t exist at higher levels, very little is effectively inherited. If you have a look at the extra ACEs, you will see that some entries have no permissions enabled or disabled.
Note: If you want to set permissions when you create queues, you can always build the desired security descriptor and pass it in the pSecurityDescriptor parameter of MQCreateQueue (http://msdn.microsoft.com/en-us/library/ms701768(VS.85).aspx). You can't, though, customise the defaults as they are hard-coded.
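An added example (not from the original post) of granting only the permissions a queue needs and setting a quota, using System.Messaging from PowerShell immediately after creation instead of the pSecurityDescriptor parameter of MQCreateQueue. The queue path, account names and quota value are placeholders, and the well-known group names assume an English-language system.

```powershell
# Added example: queue path, accounts and quota below are placeholders.
Add-Type -AssemblyName System.Messaging

$queuePath = '.\private$\orders'           # hypothetical private queue
$sender    = 'CONTOSO\svc-orders-web'      # hypothetical account that sends
$receiver  = 'CONTOSO\svc-orders-worker'   # hypothetical account that receives
$quotaKB   = 102400                        # queue storage quota, in kilobytes

$rights = [System.Messaging.MessageQueueAccessRights]
$ace    = [System.Messaging.AccessControlEntryType]

# Create the queue if it is missing, otherwise bind to the existing one.
if ([System.Messaging.MessageQueue]::Exists($queuePath)) {
    $queue = New-Object System.Messaging.MessageQueue($queuePath)
} else {
    $queue = [System.Messaging.MessageQueue]::Create($queuePath)
}

# Set a quota so that a flood of messages is rejected once the limit is hit
# instead of consuming server memory.
$queue.MaximumQueueSize = $quotaKB

# Remove the broad grants that older MSMQ versions (and the scenarios where
# the old defaults are retained) place on a new queue.
foreach ($broad in 'Everyone', 'ANONYMOUS LOGON') {
    $queue.SetPermissions($broad, $rights::FullControl, $ace::Revoke)
}

# Grant each service account only the right it needs.
$queue.SetPermissions($sender,   $rights::WriteMessage,   $ace::Allow)
$queue.SetPermissions($receiver, $rights::ReceiveMessage, $ace::Allow)

Write-Output ("Configured {0}: quota {1} KB, send = {2}, receive = {3}" -f `
    $queue.Path, $queue.MaximumQueueSize, $sender, $receiver)
```

Run it as the account that owns the queue (normally its creator), since changing permissions and properties requires those rights on the queue.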