Requiring an Encrypted Connection to a Namespace
You can require that client scripts and applications establish an encrypted connection for authentication by adding the RequiresEncryption qualifier to the Managed Object Format (MOF) .mof file that creates the namespace.
An encrypted connection to a WMI namespace specifies RPC_C_AUTHN_LEVEL_PKT_PRIVACY (or PktPrivacy in a script) for authentication. The RequiresEncryption qualifier causes WMI to reject any incoming data requests unless they explicitly use encrypted authentication. For more information, see Setting the Default Process Security Level Using VBScript or Setting Authentication Using C++.
Windows Server 2003: Before Windows Server 2003 with Service Pack 1 (SP1), providers could not set namespace security to require encryption before returning data.
The following procedure sets the namespace to require an encrypted connection.
To set required encryption
- Create a Managed Object Format (MOF) file or modify your existing MOF file that defines the namespace.
The following code example shows the namespace that will be modified is root\MyNamespace and the file is named MyNamespace_security.mof. RequiresEncryption has a Boolean datatype so it must be set to True or False.
- Run mofcomp.exe to compile the MOF file.
In C++, use the IMoFCompiler methods.
WMI rejects a client that uses the default authentication level because DCOM negotiates the security to the level required by the SVCHOST process in which the WMI service is running. For more information about service hosts, see Provider Hosting and Security. For more information about setting authentication levels when connecting to WMI namespaces, see Setting the Default Process Security Level Using C++, Setting Authentication Using C++, or Setting the Default Process Security Level Using VBScript.
When returning data on an asynchronous callback connection, WMI returns an access denied message to the requesting computer. WMI also makes a log entry in the NT Event Log of the computer with the encrypted namespace stating that a secure connection cannot be established to the client.
Starting with Windows Vista, the WbemCore.log file no longer exists. You can check the NT Event Log for entries indicating rejected inbound data requests to namespaces that require encryption.
Windows Server 2003: Entries for rejected inbound data requests can be found in both the NT Event Log and Wbemcore.log.