
Requiring an Encrypted Connection to a Namespace

You can require that client scripts and applications establish an encrypted connection for authentication by adding the RequiresEncryption qualifier to the Managed Object Format (MOF) .mof file that creates the namespace.

An encrypted connection to a WMI namespace is one that specifies RPC_C_AUTHN_LEVEL_PKT_PRIVACY (PktPrivacy in a script; see WbemAuthenticationLevelEnum) as the authentication level. The RequiresEncryption qualifier causes WMI to reject any incoming data request that does not explicitly use this packet-privacy level. For more information, see Setting the Default Process Security Level Using VBScript or Setting Authentication Using C++.

You can also modify an existing namespace by adding this qualifier and then compiling the MOF file again. In MOF, RequiresEncryption is used together with the pragma namespace preprocessor instruction that selects the namespace being defined.

Windows Server 2003 and Windows XP:  Before Windows Server 2003 with Service Pack 1 (SP1), providers could not set namespace security to require encryption before returning data.

The following procedure sets the namespace to require an encrypted connection.

To set required encryption

  1. Create a Managed Object Format (MOF) file or modify your existing MOF file that defines the namespace.

    In the following code example, the namespace to be modified is root\MyNamespace and the file is named MyNamespace_security.mof. RequiresEncryption has a Boolean datatype, so it must be set to True or False.

    #pragma namespace("\\\\.\\Root\\MyNamespace")

    [RequiresEncryption(TRUE)]
    instance of __systemSecurity { };
    
  2. Run mofcomp.exe to compile the MOF file.

    c:\mofcomp MyNamespace_security.mof

    In C++, use the IMofCompiler methods instead of running mofcomp.exe.
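Once the MOF has been compiled, a client that asks for the default authentication level is turned away while one that asks for packet privacy is served. The following Windows PowerShell script is an added example, not part of the original page; it uses root\MyNamespace from the procedure above, and the computer name, the choice of the __NAMESPACE system class and the use of the local machine are assumptions made for the example.

```powershell
# Added example (not from the original page): contrast a default-level WMI
# request with a packet-privacy request against a namespace compiled with
# [RequiresEncryption(TRUE)]. root\MyNamespace is the namespace from the
# procedure; the computer name and the class queried are assumptions.
$Namespace = 'root\MyNamespace'
$Computer  = 'localhost'      # assumption: the namespace lives on this machine
$ClassName = '__NAMESPACE'    # system class that exists in every namespace

# 1. Default authentication level. DCOM negotiates only the level required by
#    the WMI service host, so the encrypted namespace rejects the request.
try {
    Get-WmiObject -ComputerName $Computer -Namespace $Namespace `
                  -Class $ClassName -ErrorAction Stop | Out-Null
    Write-Host 'Default authentication accepted: namespace does not require encryption.'
}
catch {
    Write-Host "Default authentication rejected: $($_.Exception.Message)"
}

# 2. Packet privacy (RPC_C_AUTHN_LEVEL_PKT_PRIVACY). Every RPC packet is
#    encrypted, which is exactly what the RequiresEncryption qualifier demands.
Get-WmiObject -ComputerName $Computer -Namespace $Namespace `
              -Class $ClassName -Authentication PacketPrivacy

# 3. The same request through the CIM cmdlets: a DCOM session option carries
#    the packet-privacy requirement for the whole session.
$opt     = New-CimSessionOption -Protocol Dcom -PacketPrivacy
$session = New-CimSession -ComputerName $Computer -SessionOption $opt
try {
    Get-CimInstance -CimSession $session -Namespace $Namespace -ClassName $ClassName
}
finally {
    Remove-CimSession -CimSession $session
}
```

Run it from an elevated Windows PowerShell prompt after step 2 has compiled the MOF. The first call is the one the next paragraph describes: WMI reports access denied because the client never asked for encryption, and the rejection is also written to the event log on the machine that owns the namespace. A WQL query against a class that has no instances returns nothing rather than an error, so a silent second call still means the encrypted connection was accepted.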

WMI rejects a client that uses the default authentication level, because DCOM negotiates security only up to the level required by the SVCHOST process in which the WMI service is running, which is below packet privacy. For more information about service hosts, see Provider Hosting and Security. For more information about setting authentication levels when connecting to WMI namespaces, see Setting the Default Process Security Level Using C++, Setting Authentication Using C++, or Setting the Default Process Security Level Using VBScript.

When data is returned on an asynchronous callback connection that does not use encryption, WMI sends an access denied message to the requesting computer. WMI also writes an entry to the NT Event Log on the computer that hosts the encrypted namespace, stating that a secure connection could not be established to the client.

Starting with Windows Vista, the WbemCore.log file no longer exists. You can check the NT Event Log for entries indicating rejected inbound data requests to namespaces that require encryption.

Windows Server 2003 and Windows XP:  Entries for rejected inbound data requests can be found in both the NT Event Log and Wbemcore.log.

Related topics

Setting Namespace Security Descriptors
WbemAuthenticationLevelEnum
Securing a Remote WMI Connection

© 2014 Microsoft. All rights reserved.