3.1.4.1.28 Security

The Web Services Management Protocol Extensions for Windows Vista service MUST authenticate a request by using one of the configured security profiles. See section 2.2.4.36 and section 3.1.4.1.29 for more information about configured profiles.

The Web Services Management Protocol Extensions for Windows Vista service SHOULD authorize a request by using the Sddl value retrieved by issuing a Get request to itself, on the resource URI http://schemas.microsoft.com/wbem/wsman/1/config/service/security, and using the resource URI from the client request message as a selector. See section 3.1.4.1.29.4 for more information.

The Web Services Management Protocol Extensions for Windows Vista service MUST<77> authorize a request by using the RootSDDL configuration setting specified in section 2.2.4.36.

Once the SDDL for the resource URI is retrieved, it is used to determine whether the user is authorized to perform the operation.

The SDDL for the Web Services Management Protocol Extensions for Windows Vista protocol defines the access masks described in [MS-DTYP] section 2.4.3:

If a user request is a shell request, then it MUST be allowed access if the user is granted GX permission in the SDDL. A request is a shell request if:

  • Either the request's associated plugin exposes that resource with its <Capability> element having Shell as a capability.

  • Or the request's resource URI begins with a prefix: http://schemas.microsoft.com/wbem/wsman/1/windows/shell.

For other requests, the following rules apply:

  • Requests with the following action URIs are allowed if the user is granted GR permission in the SDDL:

    • http://schemas.xmlsoap.org/ws/2004/09/transfer/Get

    • http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate

    • http://schemas.xmlsoap.org/ws/2004/09/enumeration/Pull

    • http://schemas.xmlsoap.org/ws/2004/09/enumeration/Release

    • http://schemas.xmlsoap.org/ws/2004/08/eventing/Subscribe

    • http://schemas.xmlsoap.org/ws/2004/08/eventing/Unsubscribe

  • Requests with the following action URIs are allowed if the user is granted GW permission in the SDDL:

    • http://schemas.xmlsoap.org/ws/2004/09/transfer/Put

    • http://schemas.xmlsoap.org/ws/2004/09/transfer/Create

    • http://schemas.xmlsoap.org/ws/2004/09/transfer/Delete

  • Requests with any other action URIs are allowed if the user is granted GX permission in the SDDL.
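The authorization rules above, worked through as an added example that is not part of the specification or of any Windows implementation: a request is first mapped to the generic right (GR, GW or GX) it needs, then checked against the DACL of an SDDL string in ACE order. Trustees are compared as opaque strings (SDDL aliases such as BA or IU, or literal SIDs) against the caller's token, the generic-right bit values come from [MS-DTYP] section 2.4.3, and the SDDL sample is constructed for illustration.

```python
import re

# Action URIs and the shell resource prefix exactly as listed in this section.
_TRANSFER = "http://schemas.xmlsoap.org/ws/2004/09/transfer/"
_ENUM = "http://schemas.xmlsoap.org/ws/2004/09/enumeration/"
_EVENTING = "http://schemas.xmlsoap.org/ws/2004/08/eventing/"
SHELL_PREFIX = "http://schemas.microsoft.com/wbem/wsman/1/windows/shell"
READ_ACTIONS = {_TRANSFER + "Get", _ENUM + "Enumerate", _ENUM + "Pull",
                _ENUM + "Release", _EVENTING + "Subscribe", _EVENTING + "Unsubscribe"}
WRITE_ACTIONS = {_TRANSFER + "Put", _TRANSFER + "Create", _TRANSFER + "Delete"}
# Generic access bits from [MS-DTYP] 2.4.3, for ACEs that spell their rights in hex.
GENERIC_BITS = {"GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000, "GA": 0x10000000}
# SDDL ACE: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\((A|D);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)")
SAMPLE_SDDL = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)"  # constructed sample, not a real default

def required_right(action_uri, resource_uri, plugin_capabilities=()):
    """Map a request to the generic right (GR/GW/GX) this section requires for it."""
    if "Shell" in plugin_capabilities or resource_uri.startswith(SHELL_PREFIX):
        return "GX"                      # shell requests always need GX
    if action_uri in READ_ACTIONS:
        return "GR"
    if action_uri in WRITE_ACTIONS:
        return "GW"
    return "GX"                          # any other action URI

def dacl_aces(sddl):
    """Return the DACL ACEs of an SDDL string as (type, rights, trustee) tuples."""
    start = sddl.find("D:")
    if start < 0:
        return []                        # no DACL: nothing can grant access
    dacl = sddl[start + 2:]
    end = dacl.find("S:")                # an SACL, if present, follows the DACL
    return ACE_RE.findall(dacl if end < 0 else dacl[:end])

def ace_covers(rights, right):
    """True if an ACE rights field includes `right`; GA (generic all) covers every right."""
    if rights.startswith("0x"):
        return bool(int(rights, 16) & (GENERIC_BITS[right] | GENERIC_BITS["GA"]))
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return right in tokens or "GA" in tokens

def is_authorized(sddl, token_sids, action_uri, resource_uri, plugin_capabilities=()):
    """First DACL ACE naming a caller SID and covering the right decides (D denies, A allows)."""
    right = required_right(action_uri, resource_uri, plugin_capabilities)
    for ace_type, rights, trustee in dacl_aces(sddl):
        if trustee in token_sids and ace_covers(rights, right):
            return ace_type == "A"
    return False                         # no matching ACE: denied
```

With the constructed sample, an interactive user (IU) can issue Get but not Put, an administrator (BA) can do both, and only BA reaches a shell resource because that needs GX.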

The Web Services Management Protocol Extensions for Windows Vista service SHOULD support the CredSSP security profile,<78> where the authentication is carried out as specified in [MS-CSSP]. If the CredSSP security profile is used, the authentication sequence MUST be as follows:

  1. The Web Services Management Protocol Extensions for Windows Vista client connects with no authorization header.

  2. The Web Services Management Protocol Extensions for Windows Vista service responds with an HTTP 401 response, listing CredSSP as an available HTTP authentication mechanism.

  3. The Web Services Management Protocol Extensions for Windows Vista client starts an SPNEGO sequence to negotiate for CredSSP, as specified in [RFC4559].

  4. The Web Services Management Protocol Extensions for Windows Vista service engages in the SPNEGO sequence to authenticate the client using CredSSP.

  5. The Web Services Management Protocol Extensions for Windows Vista service authenticates the client.