Auditing

 

Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista

Message Queuing allows you to audit access operations for the queues in your Message Queuing enterprise. The operations that you can audit include creating a queue, opening a queue, setting or retrieving queue properties, and deleting a queue.

Note

Message operations such as sending or retrieving a message are not audited.

To implement auditing on a computer, you must first enable the Message Queuing service on the computer to access the information in the system access control list (SACL) of objects. For information on how to enable Message Queuing to access SACL information, see the Message Queuing (MSMQ) online Help.

Then you can enable and disable auditing for specific queue operations programmatically by calling MQSetQueueSecurity (there is no equivalent COM method or property). This function allows you to add queue operations to the system access control list (SACL) of the queue's security descriptor (thus enabling auditing) or remove them (disabling auditing). When auditing is enabled for a particular queue operation, the operating system generates an audit entry in the security log each time that the operation is performed.

Auditing is set up and maintained by the operating system installed on the computer. The operating system is notified by the directory service or Message Queuing, depending on whether the queue is public or private, whenever an audited operation is performed on a queue. For public queues, the directory service performs this notification. For private queues, Message Queuing performs the notification.

Note

For a complete description of auditing, see the Message Queuing (MSMQ) online Help.

The following constants specify which queue operations can be audited:

  • MQSEC_DELETE_MESSAGE and MQSEC_PEEK_MESSAGE: The operating system is notified whenever the queue is opened with receive access. Note that no notification is sent when a message is removed from the queue.

  • MQSEC_DELETE_JOURNAL_MESSAGE and MQSEC_PEEK_MESSAGE: The operating system is notified whenever the queue's journal is opened with receive access. Note that no notification is sent when a message is removed from the queue journal.

  • MQSEC_PEEK_MESSAGE: The operating system is notified whenever the queue is opened for peek access. Note that no notification is sent when a message is peeked at in the queue.

  • MQSEC_GET_QUEUE_PROPERTIES: The operating system is notified whenever the queue's properties are retrieved.

  • MQSEC_SET_QUEUE_PROPERTIES: The operating system is notified whenever the queue's properties are set.

  • MQSEC_DELETE_QUEUE: The operating system is notified when the queue is deleted (equivalent to DELETE, as defined in the Win32® header files).

  • MQSEC_GET_QUEUE_PERMISSIONS: The operating system is notified whenever the queue's security descriptor is retrieved (equivalent to READ_CONTROL, as defined by the Win32 header files).

  • MQSEC_CHANGE_QUEUE_PERMISSIONS: The operating system is notified whenever the discretionary access control list (DACL) of the queue's security descriptor is changed (equivalent to WRITE_DAC, as defined by the Win32 header files).

  • MQSEC_TAKE_QUEUE_OWNERSHIP: The operating system is notified whenever the owner of the queue is changed (equivalent to WRITE_OWNER, as defined by the Win32 header files).
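
As an added example (not code from the Message Queuing documentation), the following C code enables success and failure auditing of the queue-changing operations listed above by passing MQSetQueueSecurity a security descriptor whose SACL holds one audit ACE for Everyone. The function names queue_change_audit_mask and enable_queue_audit are hypothetical. It assumes Message Queuing has already been enabled to access SACL information and that the caller holds SeSecurityPrivilege, which Windows normally requires for writing a SACL.

```c
/* Added example: audit set-properties, delete, DACL change and owner change
   on one queue. On Windows, link with mqrt.lib and advapi32.lib. */
#ifdef _WIN32
#include <windows.h>
#include <mq.h>
#else  /* same values as winnt.h / mq.h, so the mask helper builds anywhere */
#define DELETE                          0x00010000UL
#define WRITE_DAC                       0x00040000UL
#define WRITE_OWNER                     0x00080000UL
#define MQSEC_SET_QUEUE_PROPERTIES      0x00000010UL
#define MQSEC_DELETE_QUEUE              DELETE
#define MQSEC_CHANGE_QUEUE_PERMISSIONS  WRITE_DAC
#define MQSEC_TAKE_QUEUE_OWNERSHIP      WRITE_OWNER
#endif

/* Operations that change or destroy the queue; message traffic is never audited. */
unsigned long queue_change_audit_mask(void)
{
    return MQSEC_SET_QUEUE_PROPERTIES | MQSEC_DELETE_QUEUE |
           MQSEC_CHANGE_QUEUE_PERMISSIONS | MQSEC_TAKE_QUEUE_OWNERSHIP;
}

#ifdef _WIN32
/* Sets the queue's SACL to a single audit ACE for Everyone.
   format_name is a caller-supplied queue format name (assumption). */
HRESULT enable_queue_audit(LPCWSTR format_name)
{
    SID_IDENTIFIER_AUTHORITY world = SECURITY_WORLD_SID_AUTHORITY;
    SECURITY_DESCRIPTOR sd;            /* absolute-format descriptor */
    DWORD acl_buf[64];                 /* DWORD-aligned room for one ACE */
    PACL sacl = (PACL)acl_buf;
    PSID everyone = NULL;
    HRESULT hr;
    if (!AllocateAndInitializeSid(&world, 1, SECURITY_WORLD_RID,
                                  0, 0, 0, 0, 0, 0, 0, &everyone))
        return HRESULT_FROM_WIN32(GetLastError());

    if (InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION) &&
        InitializeAcl(sacl, sizeof(acl_buf), ACL_REVISION) &&
        AddAuditAccessAce(sacl, ACL_REVISION, queue_change_audit_mask(),
                          everyone, TRUE /* success */, TRUE /* failure */) &&
        SetSecurityDescriptorSacl(&sd, TRUE, sacl, FALSE))
        hr = MQSetQueueSecurity(format_name, SACL_SECURITY_INFORMATION, &sd);
    else
        hr = HRESULT_FROM_WIN32(GetLastError());
    FreeSid(everyone);
    return hr;
}
#endif
```

Calling MQSetQueueSecurity again with a SACL that omits these operations disables auditing for them.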

Audit log messages are written in the security log on the server that performs the actual operation, not necessarily the server that owns the object. For example, audits for opening a queue are logged on the computer where the queue resides. However, other operations (such as setting queue properties) are logged on the machine that performed the operation. As a result, the audit messages for a queue can be logged on servers throughout your Message Queuing enterprise.