MSMQ Remote Private queues permissions in workgroup mode

Question

As quoted from http://msdn.microsoft.com/en-us/library/19ww660c(VS.71).aspx

Private queues are not published across the entire network. Instead they are available only on the local computer that contains them. Private queues can be accessed only by applications that know the full path name or label of the queue.

I've set-up a private queue on a Windows 2008 web server running IIS, (with no active directory).

My C# .NET web service running on the IIS server could read/write to the private queue, after I granted IIS_IUSRS both Receive and Send Message access for the queue.

I want to ensure that the no external applications can access this private queue. So I wrote a C# console app that connected to the remote queue using

DIRECT=TCP:xxx.xxx.xxx.xxxx\private$\MyQueueName

However, when I attempt to connect I get back

Invalid queue path name.

Can somebody confirm that only my .NET web service has access to this private queue ? My only other concern is that any .NET web service (running on this same IIS server) would be able to read this private queue, if they knew the name, since I had to grant IIS_IUSRS Read/Write access to the private queue.

Clarification on this issue and my security concerns would be appreciated.

Answer 1

First up, setting permissions does not provide security. If you know the SID of the account that has access permissions, you can send a message with that SID in it and you're in, regardless of the sender's actual account. If you want security, use certificates.

In your example, any application running in the context of the IIS_IUSRS account has receive/send permissions. Can't you impersonate a specific account?

If you don't trust the other applications on the server, though, you're already compromised.

Answer 2

Try adding leading word "FORMATNAME:" followed by semicolon with no quotes.