Редагувати

Поділитися через


Setting Namespace Security Descriptors

Both C++ applications and scripts running under a full administrator account can change a namespace security descriptor.

Namespace Security Descriptors

Each WMI namespace has a security descriptor, which allows each namespace to have unique security settings that determine who has access to the namespace data and methods. For more information about WMI access security, see Access to WMI Securable Objects. Access to WMI Namespaces describes the default security settings for WMI namespaces and security auditing in WMI.

You can set account permissions for each WMI namespace in the WMI (CIM) repository in the following ways:

The following methods of the __SystemSecurity object associated with each namespace allow you to read or change security on a namespace.

GetCallerAccessRights

Sets the rights parameter as a bitmap with each bit corresponding to an access right.

GetSD

Gets the security descriptor for the namespace to which the user is connected. This method returns a security descriptor in binary byte array format. If you are writing a script, use the GetSecurityDescriptor method.

SetSD

Sets the security descriptor (SD) for the namespace to which a user is connected. This method requires a security descriptor in binary byte array format. If you are writing a script, use the SetSecurityDescriptor method.

GetSecurityDescriptor

Gets the security descriptor that controls access to the WMI namespace associated with the instance of __SystemSecurity. The security descriptor is returned as an instance of__SecurityDescriptor.

SetSecurityDescriptor

Writes an updated version of the security descriptor that controls access to the printer. The security descriptor is represented by an instance of __SecurityDescriptor.

Get9XUserList

Gets the remote access rights for a list of individual users on computers running obsolete versions of Windows, where access control through Windows security descriptors is not available.

Set9XUserList

Sets the remote access rights for a list of individual users on computers running obsolete versions of Windows, where access control through Windows security descriptors is not available.

If you are writing scripts, use the GetSecurityDescriptor and SetSecurityDescriptor. You can use the methods of the Win32_SecurityDescriptorHelper class to alter the security descriptors.

If you are programming in C++, you can manipulate the binary security descriptor using Security Descriptor Definition Language (SDDL), and the conversion methods ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor.

Be aware that, starting with Windows Vista, User Account Control (UAC) affects access to WMI data and what can be configured with the WMI Control. For more information, see User Account Control and WMI.

Securing WMI Namespaces

WMI Security Constants

Access to WMI Namespaces

WMI Security Descriptor Objects