
Changing Access Security on Securable Objects

Printers, services, registry keys, DCOM applications, and WMI namespaces are securable objects. Access to a securable object is governed by its security descriptor, which records the owner, the users and groups that are allowed or denied access (the DACL), and the auditing settings (the SACL). Starting with Windows Vista, many securable objects expose methods for getting or setting the security descriptor. With appropriate permissions you can read or change the security descriptor of a securable object and so control which user accounts or groups have access to a printer, service, WMI namespace, or other object. For more information about security descriptors and their use in WMI, see Access to WMI Securable Objects.

The following sections are discussed in this topic:

Objects and Security Descriptor Methods
Converting Between Security Descriptor Formats
Security Issues
Related topics

Objects and Security Descriptor Methods

The following list contains the methods that securable objects provide to read or change the security descriptor:

Win32_Printer: GetSecurityDescriptor, SetSecurityDescriptor
Win32_Service: GetSecurityDescriptor, SetSecurityDescriptor
StdRegProv (registry keys): GetSecurityDescriptor, SetSecurityDescriptor
Win32_DCOMApplicationSetting: GetLaunchSecurityDescriptor, SetLaunchSecurityDescriptor, GetAccessSecurityDescriptor, SetAccessSecurityDescriptor, GetConfigurationSecurityDescriptor, SetConfigurationSecurityDescriptor
__SystemSecurity (WMI namespaces): GetSD, SetSD, GetSecurityDescriptor, SetSecurityDescriptor

The GetSecurityDescriptor and Set* methods of the Win32_* classes and StdRegProv work with Win32_SecurityDescriptor instances; __SystemSecurity.GetSD and SetSD work with the security descriptor in its binary (byte array) form.

Note  When no system access control list (SACL) is specified in a call to a SetSecurityDescriptor method, the SACL of the target object's security descriptor is set to NULL; the previous SACL does not persist. To keep existing auditing settings, pass back the SACL returned by the matching Get method. Reading or writing a SACL requires the SE_SECURITY_NAME privilege to be enabled in the calling process.
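The following PowerShell script is an added example and is not code from the original page. It walks the Get-modify-Set cycle on one of the objects listed above (Win32_Service): it reads the descriptor, appends an allow ACE for a group, and writes the descriptor back with the SACL it read so that auditing is not nulled out. The service name 'Spooler', the account 'BUILTIN\Users', and the chosen access mask are placeholders; the script assumes it runs in an elevated session.

```powershell
# Added example (not from the original page): grant a group the right to query, start and
# stop a service through Win32_Service.GetSecurityDescriptor / SetSecurityDescriptor.
# Assumptions: runs elevated; 'Spooler' and 'BUILTIN\Users' are placeholders.
$serviceName = 'Spooler'
$account     = 'BUILTIN\Users'

# -EnableAllPrivileges turns on SeSecurityPrivilege so the SACL is returned by Get and accepted by Set.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'" -EnableAllPrivileges
$get = $svc.GetSecurityDescriptor()
if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($get.ReturnValue)" }
$sd = $get.Descriptor           # Win32_SecurityDescriptor instance (DACL and SACL are arrays of Win32_ACE)

# Identify the trustee by SID so a renamed account does not invalidate the ACE.
$sid = ([System.Security.Principal.NTAccount]$account).Translate([System.Security.Principal.SecurityIdentifier])
$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SIDString = $sid.Value

# Service-specific rights (winsvc.h): SERVICE_QUERY_STATUS 0x4, SERVICE_START 0x10,
# SERVICE_STOP 0x20; READ_CONTROL 0x20000 lets the trustee read the descriptor back.
$ace = ([wmiclass]'Win32_ACE').CreateInstance()
$ace.AccessMask = 0x4 -bor 0x10 -bor 0x20 -bor 0x20000
$ace.AceFlags   = 0
$ace.AceType    = 0             # ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee.psobject.immediateBaseObject

# Appending after the existing entries leaves any explicit deny ACEs ahead of the new
# allow ACE, as canonical DACL order requires.
$sd.DACL += $ace.psobject.immediateBaseObject

# The SACL obtained from Get is passed back unchanged; omitting it would null out auditing.
$set = $svc.SetSecurityDescriptor($sd)
if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }
"Updated DACL for $serviceName now has $(@($sd.DACL).Count) ACEs"
```

Both method calls return a ReturnValue of 0 on success; any other value should stop the script rather than be ignored, because a failed Set leaves the object with its old descriptor while a script that continues may assume the new one.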

Converting Between Security Descriptor Formats

Security descriptors are binary structures (self-relative byte arrays) that would normally have to be built and edited in C++. After you have used one of the Get methods to obtain a security descriptor, the Win32_SecurityDescriptorHelper class supplies methods that convert between the binary form, Security Descriptor Definition Language (SDDL), and Win32_SecurityDescriptor instances in both directions.

You can manipulate the Access Control Lists (ACL) more easily in Win32_SecurityDescriptor instances or in SDDL. For more information about the structure and use of security descriptors in WMI, see WMI Security Descriptor Objects.

In C++, use the Win32 functions ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor to convert a binary security descriptor to SDDL and back, and edit the SDDL string in between. In C#, the System.Security.AccessControl.RawSecurityDescriptor class accepts either the binary or the SDDL form and can produce the other.
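The following PowerShell script is an added example and is not code from the original page. It reads the security descriptor of a WMI namespace in binary form with __SystemSecurity.GetSD, then uses Win32_SecurityDescriptorHelper to convert it to SDDL and to a Win32_SecurityDescriptor instance, lists the DACL entries, and round-trips the SDDL back to binary. The namespace root\cimv2 is a placeholder; the script assumes an elevated session.

```powershell
# Added example (not from the original page): convert a namespace security descriptor
# between binary, SDDL and Win32_SecurityDescriptor with Win32_SecurityDescriptorHelper.
# Assumptions: runs elevated; 'root\cimv2' is a placeholder for any securable namespace.
$ns = 'root\cimv2'
$helper = [wmiclass]'Win32_SecurityDescriptorHelper'

# __SystemSecurity.GetSD returns the descriptor as a self-relative binary byte array (out-param SD).
$r = Invoke-WmiMethod -Namespace $ns -Path '__SystemSecurity=@' -Name GetSD
if ($r.ReturnValue -ne 0) { throw "GetSD failed: $($r.ReturnValue)" }
[byte[]]$binarySD = $r.SD

# Binary -> SDDL: the compact text form that is easy to diff, log or store.
$sddl = $helper.BinarySDToSDDL($binarySD).SDDL
"SDDL for ${ns}: $sddl"

# Binary -> Win32_SecurityDescriptor: the object form whose DACL/SACL are arrays of Win32_ACE.
$sd = $helper.BinarySDToWin32SD($binarySD).Descriptor
foreach ($ace in @($sd.DACL)) {
    $type = switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } default { "Type$_" } }
    '{0,-5} {1}\{2} mask=0x{3:X}' -f $type, $ace.Trustee.Domain, $ace.Trustee.Name, $ace.AccessMask
}

# Round trip SDDL -> binary -> SDDL and confirm nothing was lost before relying on the text form.
$back  = [byte[]]$helper.SDDLToBinarySD($sddl).BinarySD
$check = $helper.BinarySDToSDDL($back).SDDL
if ($check -ne $sddl) { throw 'SDDL round trip changed the descriptor' }
"Round trip OK ($($back.Length) bytes)"
```

Editing the SDDL string and converting it back with SDDLToBinarySD yields the byte array that __SystemSecurity.SetSD expects; if the SDDL you build has no S: component, the written SACL will be NULL, as noted above.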

Security Issues

Changes to security descriptors should be made with great caution so that the security of the object is not compromised. Be aware that the order of access control entries (ACEs) in a discretionary access control list (DACL) affects the access check: the system evaluates ACEs in order and stops at the first ACE that settles the request, so an allow ACE placed before a deny ACE for the same trustee defeats the deny. For more information, see Order of ACEs in a DACL.

Windows Server 2003:  If the SE_DACL_PRESENT bit is set in the control flags but no DACL is supplied, a NULL DACL is written to the new security descriptor. A NULL DACL is a security vulnerability because it grants the Everyone group full access to the object. For more information, see Creating a DACL.
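The following PowerShell function is an added example and is not code from the original page. It audits a descriptor before it is written back, reporting the two hazards described above (a NULL DACL, and explicit deny ACEs ordered after explicit allow ACEs) plus an allow ACE that grants Everyone full access and an empty DACL that locks everyone out. It takes SDDL so that it can be run offline; the sample SDDL strings at the end are constructed for illustration and do not come from any real object.

```powershell
# Added example (not from the original page): audit a descriptor before writing it back.
# Reports a NULL DACL (Everyone gets full access), an empty DACL (everyone is denied),
# an allow ACE for Everyone (S-1-1-0) that grants full access, and explicit deny ACEs
# placed after explicit allow ACEs. The sample SDDL strings at the end are constructed.
function Test-DaclSafety {
    param([Parameter(Mandatory)][string]$Sddl)

    $helper = [wmiclass]'Win32_SecurityDescriptorHelper'
    $conv = $helper.SDDLToWin32SD($Sddl)
    if ($conv.ReturnValue -ne 0) { throw "SDDLToWin32SD failed: $($conv.ReturnValue)" }
    $sd = $conv.Descriptor
    $findings = @()

    $SE_DACL_PRESENT = 0x4
    if (($sd.ControlFlags -band $SE_DACL_PRESENT) -eq 0) {
        $findings += 'NULL DACL: the object grants Everyone full access'
    } elseif (@($sd.DACL).Count -eq 0) {
        $findings += 'Empty DACL: all access is denied (only the owner keeps READ_CONTROL and WRITE_DAC)'
    }

    $seenExplicitAllow = $false
    foreach ($ace in @($sd.DACL)) {
        $inherited = ($ace.AceFlags -band 0x10) -ne 0          # INHERITED_ACE
        $sid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$ace.Trustee.SID, 0)

        # Canonical order puts explicit deny ACEs before explicit allow ACEs.
        if ($ace.AceType -eq 0 -and -not $inherited) { $seenExplicitAllow = $true }
        if ($ace.AceType -eq 1 -and -not $inherited -and $seenExplicitAllow) {
            $findings += "Non-canonical order: explicit deny for $($sid.Value) follows an explicit allow"
        }

        # "Full access" here means GENERIC_ALL (0x10000000) or all four required standard rights
        # (DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0xF0000), which every *_ALL_ACCESS mask includes.
        $full = (($ace.AccessMask -band 0x10000000) -ne 0) -or (($ace.AccessMask -band 0xF0000) -eq 0xF0000)
        if ($ace.AceType -eq 0 -and $sid.Value -eq 'S-1-1-0' -and $full) {
            $findings += ('Everyone is granted full access (mask 0x{0:X})' -f $ace.AccessMask)
        }
    }
    $findings
}

# Constructed samples, not taken from any real object:
Test-DaclSafety 'O:BAG:SYD:(A;;FA;;;WD)'               # Everyone full access
Test-DaclSafety 'O:BAG:SY'                              # no D: component -> NULL DACL
Test-DaclSafety 'O:BAG:SYD:(A;;FR;;;BU)(D;;FA;;;AN)'   # allow ordered before deny
Test-DaclSafety 'O:BAG:SYD:(D;;FA;;;AN)(A;;FR;;;BU)'   # canonical order, no findings
```

Run the function on the SDDL produced from a Win32_SecurityDescriptor (Win32SDToSDDL) immediately before calling a Set method; an empty result means none of these conditions was found, not that the descriptor is otherwise correct.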

Related topics

WMI Security Descriptor Objects
Security Descriptor Helper Class
Security Best Practices
Maintaining WMI Security
Access Control
Access to WMI Namespaces

© 2014 Microsoft