Special considerations for security on Windows
Some security functions behave differently on different versions of Windows.
IBM MQ security relies on calls to the operating system API for information about user authorizations and group memberships. Some of these functions do not behave identically across Windows systems. This collection of topics describes how those differences might affect IBM MQ security when IBM MQ is running in a Windows environment.
- Local and domain user accounts for the IBM MQ Windows service
  When IBM MQ is running, it must check that only authorized users can access queue managers or queues. This requires a special user account that IBM MQ can use to query information about any user attempting such access.
- Considerations when promoting Windows servers to domain controllers
  When promoting a Windows server to a domain controller, we should consider whether the security setting relating to user and group permissions is appropriate. When changing the state of a Windows machine between server and domain controller, we should take into consideration that this can affect the operation of IBM MQ, because IBM MQ uses a locally-defined mqm group.
- Restrictions on nested groups on Windows
  There are restrictions on the use of nested groups. These result partly from the domain functional level and partly from IBM MQ restrictions.
- Authorizing users to use IBM MQ remotely
  To create and start queue managers when connected to IBM MQ remotely, we must have the Create global objects user access.
- The SSPI channel exit program on Windows
  IBM MQ for Windows supplies a security exit program, which can be used on both message and MQI channels. The exit is supplied as source and object code, and provides one-way and two-way authentication.
- Applying security template files on Windows
  Applying a template might affect the security settings applied to IBM MQ files and directories. If we use the highly secure template, apply it before installing IBM MQ.
- Configure extra authority for Windows applications connecting to IBM MQ
  The account under which IBM MQ processes run might need extra authorization before SYNCHRONIZE access to application processes can be granted.
Parent topic: Set up security on UNIX, Linux, and Windows