Changing Access Security on Securable Objects
Printers, services, registry keys, DCOM applications, and WMI namespaces are securable objects. Access to a securable object is protected by its security descriptor, which specifies the users who have access. Starting with Windows Vista, many securable objects have methods for getting or setting the security descriptor. With appropriate permissions, you can read or change security descriptors on securable objects. Using these methods, you can control which user accounts or groups have access to a printer, service, WMI namespace, or other object. For more information about security descriptors and their use in WMI, see Access to WMI Securable Objects.
The following sections are discussed in this topic:
- Objects and Security Descriptor Methods
- Converting Between Security Descriptor Formats
- Security Issues
- Related topics
Objects and Security Descriptor Methods
The following list contains the methods that securable objects have to enable you to read or change the security descriptor:
- WMI Namespaces
A provider can establish security that only allows certain groups to have access to the data in a WMI namespace. Namespace security is controlled by methods on the __SystemSecurity class. Starting with Windows Vista, the GetSecurityDescriptor and SetSecurityDescriptor methods return and write __SecurityDescriptor objects. For more information, see Setting Namespace Security Descriptors.
Windows Server 2003 and Windows XP: The GetSD and SetSD methods in the __SystemSecurity class allow you to change the namespace security. However, these methods only use the binary byte array form of the security descriptor, which is difficult to manipulate. You can call the BinarySDToWin32SD or BinarySDToSDDL methods of the Win32_SecurityDescriptorHelper class to convert the binary descriptor to an instance of Win32_SecurityDescriptor or to Security Descriptor Definition Language (SDDL).
Windows Server 2003 and Windows XP: In script or Visual Basic, use the procedure described in Securing WMI Namespaces to change the security of a namespace.
- Registry keys
Starting with Windows Vista, you can secure registry keys so that they cannot be changed by unauthorized users. The StdRegProv class has the GetSecurityDescriptor and SetSecurityDescriptor methods. These methods return and write Win32_SecurityDescriptor objects.
Windows Server 2003 and Windows XP: The GetSecurityDescriptor and SetSecurityDescriptor methods in the StdRegProv class are not available. You can call the CheckAccess method in StdRegProv to determine if a user has access to a registry key.
- Printers
Starting with Windows Vista, you can secure access to instances of the Win32_Printer class using the GetSecurityDescriptor and SetSecurityDescriptor methods. These methods return and write Win32_SecurityDescriptor objects.
- Services
Starting with Windows Vista, you can secure access to instances of the Win32_Service class using the GetSecurityDescriptor and SetSecurityDescriptor methods. These methods return and write Win32_SecurityDescriptor objects.
- DCOM applications
DCOM application instances have several security descriptors. Starting with Windows Vista, use methods of the Win32_DCOMApplicationSetting class to get or change the various security descriptors. Security descriptors are returned as instances of the Win32_SecurityDescriptor class.
Windows Server 2003 and Windows XP: The Win32_DCOMApplicationSetting security descriptor methods are not available.
Note: When a new system access control list (SACL) is not specified in a call to a SetSecurityDescriptor method, the SACL on the target securable object is set to NULL, so the previous SACL setting does not persist.
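As an added example (not code from the article), the following PowerShell functions read a namespace security descriptor with __SystemSecurity.GetSecurityDescriptor, convert it to SDDL with Win32_SecurityDescriptorHelper, and write an SDDL string back while refusing one that would clear the SACL. They assume Windows PowerShell 5.1 (where the WMI cmdlets exist), an elevated session, and that Win32SDToSDDL accepts the __SecurityDescriptor instance that GetSecurityDescriptor returns.

```powershell
# Added example, not from the article. Assumes Windows PowerShell 5.1
# (Invoke-WmiMethod and [wmiclass] are not available in PowerShell 7) and an
# elevated session.

# Read the security descriptor of a WMI namespace through
# __SystemSecurity.GetSecurityDescriptor and return it as an SDDL string.
# -EnableAllPrivileges enables SeSecurityPrivilege so the SACL is read as well;
# without it the descriptor carries no SACL, and writing it back would clear
# auditing on the namespace (see the note above on SetSecurityDescriptor).
function Get-WmiNamespaceSddl {
    param([string]$Namespace = 'root\cimv2')
    $res = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
        -Name GetSecurityDescriptor -EnableAllPrivileges
    if ($res.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($res.ReturnValue)" }
    # Win32_SecurityDescriptorHelper converts the descriptor object to SDDL.
    $helper = [wmiclass]'root\cimv2:Win32_SecurityDescriptorHelper'
    $conv = $helper.Win32SDToSDDL($res.Descriptor)
    if ($conv.ReturnValue -ne 0) { throw "Win32SDToSDDL failed: $($conv.ReturnValue)" }
    return $conv.SDDL
}

# Write an SDDL string back to the namespace. Because SetSecurityDescriptor
# sets the SACL to NULL when the descriptor carries none, an SDDL string
# without an S: section is rejected instead of applied.
function Set-WmiNamespaceSddl {
    param([Parameter(Mandatory)][string]$Namespace,
          [Parameter(Mandatory)][string]$Sddl)
    if ($Sddl -notmatch 'S:') {
        throw 'SDDL has no SACL (S:) section; applying it would clear the existing SACL'
    }
    $helper = [wmiclass]'root\cimv2:Win32_SecurityDescriptorHelper'
    $conv = $helper.SDDLToWin32SD($Sddl)
    if ($conv.ReturnValue -ne 0) { throw "SDDLToWin32SD failed: $($conv.ReturnValue)" }
    $res = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
        -Name SetSecurityDescriptor -EnableAllPrivileges `
        -ArgumentList $conv.Descriptor.psobject.ImmediateBaseObject
    if ($res.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($res.ReturnValue)" }
}

# Usage: read the descriptor and inspect its DACL text before deciding on any
# change; Set-WmiNamespaceSddl is only called after that review.
$sddl = Get-WmiNamespaceSddl -Namespace 'root\cimv2'
$sddl
```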
Converting Between Security Descriptor Formats
Security descriptors are complex binary byte arrays that must normally be created and changed in C++. After you have used one of the Get methods to obtain the security descriptor, the Win32_SecurityDescriptorHelper class supplies methods that convert security descriptors into either Security Descriptor Definition Language (SDDL) or to Win32_SecurityDescriptor instances.
You can manipulate the Access Control Lists (ACL) more easily in Win32_SecurityDescriptor instances or in SDDL. For more information about the structure and use of security descriptors in WMI, see WMI Security Descriptor Objects.
In C++ or C#, use conversion functions to convert binary security descriptors to Security Descriptor Definition Language (SDDL). To modify security descriptor values in C++ applications, use ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor.
Security Issues
It is recommended that changes to security descriptors be done with great caution so that the security of the object is not compromised. Be aware that the order of access control entries (ACEs) in a discretionary access control list (DACL) can affect access security. For more information, see Order of ACEs in a DACL.
Windows Server 2003 and Windows XP: If the SE_DACL_PRESENT bit is set, but a DACL parameter is not set, a NULL DACL is written to the new security descriptor. A NULL DACL creates a security vulnerability because it grants the Everyone account full access to the object. For more information, see Creating a DACL.
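The two pitfalls in this section, a NULL DACL and ACEs out of canonical order, can be checked on the SDDL form before a descriptor is written back. The following PowerShell function is an added example, not code from the article; it assumes Windows (where .NET's RawSecurityDescriptor parses SDDL through the Win32 API) and uses the standard Everyone SID and access-mask constants.

```powershell
# Added example, not from the article. Audits an SDDL string, such as the output
# of Win32SDToSDDL, for a NULL DACL and for ACEs out of canonical order
# (explicit deny, then explicit allow, then inherited ACEs). Assumes Windows.
function Test-DaclSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    $findings = New-Object System.Collections.Generic.List[string]
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $dacl = $sd.DiscretionaryAcl
    if ($null -eq $dacl) {
        # No D: section at all: a NULL DACL, which gives Everyone full access.
        $findings.Add('NULL DACL: the object is unprotected; Everyone has full access')
        return $findings
    }
    if ($dacl.Count -eq 0) {
        # The opposite failure: an empty DACL grants access to no one.
        $findings.Add('Empty DACL: no ACE grants access to anyone')
    }
    $GENERIC_ALL = 0x10000000; $WRITE_DAC = 0x40000; $WRITE_OWNER = 0x80000
    $takeover = $GENERIC_ALL -bor $WRITE_DAC -bor $WRITE_OWNER
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $highestRank = -1
    foreach ($ace in $dacl) {
        if ($ace -isnot [System.Security.AccessControl.QualifiedAce]) { continue }
        $deny = $ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessDenied
        if ($ace.IsInherited) { $rank = 2 } elseif ($deny) { $rank = 0 } else { $rank = 1 }
        if ($rank -lt $highestRank) {
            # Access checks walk the DACL in order, so a deny placed after an
            # allow that already granted the requested rights is never reached.
            $findings.Add("ACE order: $($ace.AceQualifier) ACE for $($ace.SecurityIdentifier) is out of canonical order")
        }
        if ($rank -gt $highestRank) { $highestRank = $rank }
        if (-not $deny -and $ace.SecurityIdentifier -eq $everyone -and
            ($ace.AccessMask -band $takeover)) {
            # GENERIC_ALL, WRITE_DAC or WRITE_OWNER for Everyone lets anyone
            # take over the object, the same exposure as a NULL DACL.
            $findings.Add(('Everyone allowed full access or WRITE_DAC/WRITE_OWNER (mask 0x{0:X8})' -f $ace.AccessMask))
        }
    }
    return $findings
}

# Constructed inputs (not from the article): a descriptor with no DACL, and one
# whose deny ACE follows an allow ACE that grants Everyone full access.
Test-DaclSddl -Sddl 'O:BAG:BA'
Test-DaclSddl -Sddl 'O:BAG:BAD:(A;;GA;;;WD)(D;;GA;;;BG)'
```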
Related topics
- WMI Security Descriptor Objects
- Security Descriptor Helper Class
- Security Best Practices
- Maintaining WMI Security
- Access Control
- Access to WMI Namespaces