Auditing
MSMQ allows you to audit access operations for your MSMQ enterprise, sites, connected networks (CNs), computers, and queues.
For the most part, auditing is set up and maintained with MSMQ Explorer (for a complete description of auditing, see the Microsoft Message Queue Server Administrator's Guide). However, an application can also audit queue operations by modifying the system access control list (SACL) of the queue's security descriptor: each audit ACE in the SACL names a user or group, the queue access rights to watch, and whether successful use, failed use, or both should be logged.
The following queue operations can be audited:
- MQSEC_DELETE_MESSAGE. Audited together with MQSEC_PEEK_MESSAGE, this covers users retrieving messages from the queue. MSMQ does not delete a message from a queue as a separate, explicit operation: when a receive is requested, MSMQ peeks at the message and then deletes it from the queue.
- MQSEC_DELETE_JOURNAL_MESSAGE. Audited together with MQSEC_PEEK_MESSAGE, this covers users retrieving messages from the queue's journal. As above, a receive from the journal queue is a peek followed by a delete.
- MQSEC_PEEK_MESSAGE. The user can look at (peek) messages in the queue without removing them.
- MQSEC_GET_QUEUE_PROPERTIES. The user can retrieve the queue's properties.
- MQSEC_SET_QUEUE_PROPERTIES. The user can set the queue's properties.
- MQSEC_DELETE_QUEUE. The user can delete the queue (equivalent to DELETE, as defined in the Win32 header files).
- MQSEC_GET_QUEUE_PERMISSIONS. The user can retrieve the queue's security descriptor (equivalent to READ_CONTROL, as defined in the Win32 header files).
- MQSEC_CHANGE_QUEUE_PERMISSIONS. The user can modify the discretionary access control list (DACL) of the queue's security descriptor (equivalent to WRITE_DAC, as defined in the Win32 header files).
- MQSEC_TAKE_QUEUE_OWNERSHIP. The user can change the owner in the queue's security descriptor (equivalent to WRITE_OWNER, as defined in the Win32 header files).
Audit records are written to the event log of the server that performs the operation, which is not necessarily the server that owns the object. For example, audits for opening a queue are logged on the computer where the queue resides, whereas other operations (such as setting queue properties) are logged on the computer from which the operation was performed. As a result, the audit records for a single queue can be spread across the event logs of servers throughout your MSMQ enterprise, and an investigation has to collect them from each of those machines.
Note: The send operation cannot be audited.
For applications that use the MSMQ API functions directly, call MQSetQueueSecurity with SACL_SECURITY_INFORMATION to modify the SACL of the queue's security descriptor.
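The following is an added example, not code from the MSMQ SDK page, showing the procedure above end to end: compose the MQSEC_* audit mask for a set of operations (a receive is audited as peek plus delete, and a send is reported as not auditable), then write a SACL with one audit ACE for Everyone through MQSetQueueSecurity. Assumptions are labelled in the code: the queue path name is hypothetical, the MQSEC_* and generic-right values are restated from mq.h and winnt.h so that the mask helper builds where those headers are absent, and the Windows-only part is compiled only under _WIN32.

```c
/*
 * Added example (not from the MSMQ SDK page): audit receive and
 * permission-change operations on a queue by writing a SACL through
 * MQSetQueueSecurity.  Assumptions: the queue path in main() is
 * hypothetical; the MQSEC_* and DELETE/READ_CONTROL/WRITE_DAC/WRITE_OWNER
 * values below are restated from mq.h and winnt.h for non-Windows builds.
 */
#include <stddef.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <mq.h>                          /* MQSEC_*, MQSetQueueSecurity */
#else
/* Assumption: values as defined in winnt.h and mq.h, restated here. */
#define DELETE                          0x00010000UL
#define READ_CONTROL                    0x00020000UL
#define WRITE_DAC                       0x00040000UL
#define WRITE_OWNER                     0x00080000UL
#define MQSEC_DELETE_MESSAGE            0x00000001UL
#define MQSEC_PEEK_MESSAGE              0x00000002UL
#define MQSEC_DELETE_JOURNAL_MESSAGE    0x00000008UL
#define MQSEC_SET_QUEUE_PROPERTIES      0x00000010UL
#define MQSEC_GET_QUEUE_PROPERTIES      0x00000020UL
#define MQSEC_DELETE_QUEUE              DELETE
#define MQSEC_GET_QUEUE_PERMISSIONS     READ_CONTROL
#define MQSEC_CHANGE_QUEUE_PERMISSIONS  WRITE_DAC
#define MQSEC_TAKE_QUEUE_OWNERSHIP      WRITE_OWNER
#endif

typedef enum {
    OP_PEEK, OP_RECEIVE, OP_RECEIVE_JOURNAL, OP_GET_PROPERTIES,
    OP_SET_PROPERTIES, OP_DELETE_QUEUE, OP_GET_PERMISSIONS,
    OP_CHANGE_PERMISSIONS, OP_TAKE_OWNERSHIP, OP_SEND
} queue_op;

/* Access mask an audit ACE must carry for `op` to be logged, or 0 if the
 * operation cannot be audited.  A receive is a peek followed by a delete,
 * so both rights must be in the ACE or the receive is not fully covered. */
unsigned long audit_mask_for(queue_op op)
{
    switch (op) {
    case OP_PEEK:               return MQSEC_PEEK_MESSAGE;
    case OP_RECEIVE:            return MQSEC_PEEK_MESSAGE | MQSEC_DELETE_MESSAGE;
    case OP_RECEIVE_JOURNAL:    return MQSEC_PEEK_MESSAGE | MQSEC_DELETE_JOURNAL_MESSAGE;
    case OP_GET_PROPERTIES:     return MQSEC_GET_QUEUE_PROPERTIES;
    case OP_SET_PROPERTIES:     return MQSEC_SET_QUEUE_PROPERTIES;
    case OP_DELETE_QUEUE:       return MQSEC_DELETE_QUEUE;
    case OP_GET_PERMISSIONS:    return MQSEC_GET_QUEUE_PERMISSIONS;
    case OP_CHANGE_PERMISSIONS: return MQSEC_CHANGE_QUEUE_PERMISSIONS;
    case OP_TAKE_OWNERSHIP:     return MQSEC_TAKE_QUEUE_OWNERSHIP;
    case OP_SEND:               return 0;    /* send cannot be audited */
    }
    return 0;
}

/* OR together the masks for a set of operations.  Returns how many of
 * them cannot be audited at all, so the caller can report the gap. */
size_t audit_mask_for_set(const queue_op *ops, size_t n, unsigned long *mask)
{
    size_t skipped = 0;
    *mask = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned long m = audit_mask_for(ops[i]);
        if (m == 0) skipped++;
        *mask |= m;
    }
    return skipped;
}

#ifdef _WIN32
/* Writing a SACL requires the SE_SECURITY_NAME ("Manage auditing and
 * security log") privilege to be enabled in the caller's token. */
static BOOL enable_security_privilege(void)
{
    HANDLE token;
    TOKEN_PRIVILEGES tp;
    BOOL ok;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
        return FALSE;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    ok = LookupPrivilegeValueW(NULL, L"SeSecurityPrivilege", &tp.Privileges[0].Luid)
      && AdjustTokenPrivileges(token, FALSE, &tp, 0, NULL, NULL)
      && GetLastError() == ERROR_SUCCESS;  /* ERROR_NOT_ALL_ASSIGNED: not held */
    CloseHandle(token);
    return ok;
}

/* Replace the SACL of the queue named by `formatName` with one audit ACE
 * for Everyone that logs both successful and failed use of `mask`. */
HRESULT set_queue_audit(LPCWSTR formatName, DWORD mask)
{
    SID_IDENTIFIER_AUTHORITY worldAuth = SECURITY_WORLD_SID_AUTHORITY;
    PSID everyone = NULL;
    PACL sacl = NULL;
    DWORD saclSize;
    SECURITY_DESCRIPTOR sd;
    HRESULT hr;

    if (!enable_security_privilege())
        return HRESULT_FROM_WIN32(ERROR_PRIVILEGE_NOT_HELD);
    if (!AllocateAndInitializeSid(&worldAuth, 1, SECURITY_WORLD_RID,
                                  0, 0, 0, 0, 0, 0, 0, &everyone))
        return HRESULT_FROM_WIN32(GetLastError());

    /* Room for one SYSTEM_AUDIT_ACE: the SidStart placeholder DWORD is
     * replaced by the full SID. */
    saclSize = sizeof(ACL) + sizeof(SYSTEM_AUDIT_ACE) - sizeof(DWORD)
             + GetLengthSid(everyone);
    sacl = (PACL)LocalAlloc(LPTR, saclSize);

    if (sacl
        && InitializeAcl(sacl, saclSize, ACL_REVISION)
        && AddAuditAccessAce(sacl, ACL_REVISION, mask, everyone, TRUE, TRUE)
        && InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)
        && SetSecurityDescriptorSacl(&sd, TRUE, sacl, FALSE)) {
        /* Only the SACL is written; owner and DACL are left untouched. */
        hr = MQSetQueueSecurity(formatName, SACL_SECURITY_INFORMATION, &sd);
    } else {
        hr = HRESULT_FROM_WIN32(GetLastError());
    }
    if (sacl) LocalFree(sacl);
    FreeSid(everyone);
    return hr;
}

int main(void)
{
    /* Hypothetical queue path name (assumption); converted to a format name. */
    WCHAR formatName[256];
    DWORD len = 256;
    static const queue_op wanted[] = { OP_RECEIVE, OP_CHANGE_PERMISSIONS, OP_SEND };
    unsigned long mask;
    size_t skipped = audit_mask_for_set(wanted, 3, &mask);
    HRESULT hr;

    if (skipped)
        printf("%lu requested operation(s) cannot be audited (send)\n",
               (unsigned long)skipped);
    hr = MQPathNameToFormatName(L".\\AuditedQueue", formatName, &len);
    if (SUCCEEDED(hr))
        hr = set_queue_audit(formatName, (DWORD)mask);
    printf("MQSetQueueSecurity(SACL): 0x%08lX\n", (unsigned long)hr);
    return SUCCEEDED(hr) ? 0 : 1;
}
#endif
```

Two caveats a practitioner will hit: this example replaces the whole SACL, so to add an ACE without losing existing ones read the current SACL with MQGetQueueSecurity first and append to it; and, as with any Windows object SACL, audit events are only generated when the system's object-access audit policy is enabled on the machine that performs the operation, which per the section above may be a different server from the one that owns the queue.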