Retired Microsoft Blog disclaimer

This directory is a mirror of retired "Decrypt My World" MSDN blog and is provided as is. All posting authorship and copyrights belong to respective authors.
Original URL: https://blogs.msdn.microsoft.com/alejacma/2008/03/13/how-to-change-the-security-descriptor-of-wmi-objects/
Post name: How to change the Security Descriptor of WMI objects
Original author: Alejandro Campos Magencio
Posting date: 2008-03-13T22:51:00+00:00


Hi all, welcome back,


You may want to give users or groups access to perform read/modify WMI operations on WMI objects, and for that you need to change the Security Descriptor (SD) for WMI objects. There are several ways to achieve this:


1) Manually with wmimgmt.msc: KB article 325353, HOW TO: Set WMI Namespace Security in Windows Server 2003.


2) Using third-party tools like WMI Namespace Security.


3) Programmatically, the easy way:


We could manually set the SD on one box, save it to a text file with the GetSD method of the __SystemSecurity class, then read the SD back from the text file and reapply it to new boxes with the SetSD method.


The following VBScript shows how to use GetSD to obtain the current SD for the Root\Cimv2 namespace and display it as the comma-separated byte array built in strDisplaySD.

' Connect to WMI and the Root\Cimv2 namespace.
'
Set objWMI = GetObject("winmgmts:root\cimv2")

' Get the single __SystemSecurity object in this namespace.
'
Set objSecurity = objWMI.Get("__SystemSecurity=@")

' Get the namespace security. Keep running on error so the Err check below is meaningful.
'
On Error Resume Next
nReturn = objSecurity.GetSD(arrSD)
If Err <> 0 Or nReturn <> 0 Then
    WScript.Echo "Return value = " & nReturn
Else
    ' Show the SD as a comma-separated list of bytes.
    '
    strDisplaySD = "SD = {"
    For I = LBound(arrSD) To UBound(arrSD)
        strDisplaySD = strDisplaySD & arrSD(I)
        If I <> UBound(arrSD) Then
            strDisplaySD = strDisplaySD & ","
        End If
    Next
    strDisplaySD = strDisplaySD & "}"
    WScript.Echo strDisplaySD
End If


The following script shows how to use SetSD to replace the SD of the Root\Cimv2 namespace it connects to with the hard-coded byte array in arrSD.

' Hard-coded security descriptor (a self-relative SD in the same byte-array form that GetSD returns,
' e.g. captured on a reference box with the previous script).
'
arrSD = Array( 1, 0, 4,129,72, 0, 0, 0, _
              88, 0, 0, 0, 0, 0, 0, 0, _
              20, 0, 0, 0, 2, 0,52, 0, _
               2, 0, 0, 0, 0, 2,24, 0, _
              63, 0, 6, 0, 1, 2, 0, 0, _
               0, 0, 0, 5,32, 0, 0, 0, _
              32, 2, 0, 0, 0, 2,20, 0, _
              63, 0, 6, 0, 1, 1, 0, 0, _
               0, 0, 0, 1, 0, 0, 0, 0, _
               1, 2, 0, 0, 0, 0, 0, 5, _
              32, 0, 0, 0,32, 2, 0, 0, _
               1, 2, 0, 0, 0, 0, 0, 5, _
              32, 0, 0, 0,32, 2, 0, 0)

' Connect to WMI and the Root\Cimv2 namespace.
'
Set objWMI = GetObject("winmgmts:root\cimv2")

' Get the single __SystemSecurity object in this namespace.
'
Set objSecurity = objWMI.Get("__SystemSecurity=@")

' Change the namespace security. A return value of 0 means the SD was applied.
'
nReturn = objSecurity.SetSD(arrSD)
WScript.Echo "Return value = " & nReturn
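Before reapplying a captured byte array with SetSD it is worth checking what it actually grants. The following Python decoder is an added example, not code from the original post: it parses the self-relative SECURITY_DESCRIPTOR layout that GetSD returns (header, DACL, ACEs, SIDs) and names the WMI namespace access-right bits using the documented WBEM_* constants, with the post's own arrSD as the sample input.

```python
import struct
# Sample input: the hard-coded arrSD from the SetSD script above, copied byte for byte.
ARR_SD = bytes([1, 0, 4, 129, 72, 0, 0, 0, 88, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 52, 0,
                2, 0, 0, 0, 0, 2, 24, 0, 63, 0, 6, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0,
                32, 2, 0, 0, 0, 2, 20, 0, 63, 0, 6, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0,
                1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5,
                32, 0, 0, 0, 32, 2, 0, 0])

# WMI namespace rights (WBEM_*) plus the two standard rights that appear in the masks above.
RIGHTS = {0x1: "WBEM_ENABLE", 0x2: "WBEM_METHOD_EXECUTE", 0x4: "WBEM_FULL_WRITE_REP",
          0x8: "WBEM_PARTIAL_WRITE_REP", 0x10: "WBEM_WRITE_PROVIDER", 0x20: "WBEM_REMOTE_ACCESS",
          0x40: "WBEM_RIGHT_SUBSCRIBE", 0x80: "WBEM_RIGHT_PUBLISH",
          0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC"}

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:]; return (string form, length in bytes)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit identifier authority
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # little-endian sub-authorities
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def parse_self_relative_sd(sd):
    """Decode the self-relative SECURITY_DESCRIPTOR byte array that __SystemSecurity.GetSD returns."""
    rev, control, o_off, g_off, s_off, d_off = struct.unpack_from("<BxHIIII", sd, 0)
    out = {"revision": rev, "control": control, "dacl": [],
           "owner": parse_sid(sd, o_off)[0] if o_off else None,
           "group": parse_sid(sd, g_off)[0] if g_off else None}
    if d_off and control & 0x0004:                            # SE_DACL_PRESENT
        _, _, ace_count = struct.unpack_from("<BxHHxx", sd, d_off)
        pos = d_off + 8                                       # skip the 8-byte ACL header
        for _ in range(ace_count):
            ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
            out["dacl"].append({"type": "ALLOW" if ace_type == 0 else "TYPE%d" % ace_type,
                                "inherit": bool(ace_flags & 0x2),   # CONTAINER_INHERIT_ACE
                                "sid": parse_sid(sd, pos + 8)[0], "mask": mask,
                                "rights": [n for b, n in RIGHTS.items() if mask & b]})
            pos += ace_size
    return out

def everyone_can_write(parsed):
    """Flag the risky case: Everyone (S-1-1-0) allowed full repository write or WRITE_DAC."""
    return any(a["sid"] == "S-1-1-0" and a["type"] == "ALLOW" and a["mask"] & (0x4 | 0x40000)
               for a in parsed["dacl"])

if __name__ == "__main__":
    parsed = parse_self_relative_sd(ARR_SD)
    print("owner=%s group=%s control=0x%04x" % (parsed["owner"], parsed["group"], parsed["control"]))
    for ace in parsed["dacl"]:
        print(ace["type"], ace["sid"], "0x%08x" % ace["mask"], ",".join(ace["rights"]))
    print("Everyone can rewrite the namespace or its DACL:", everyone_can_write(parsed))
```

Run against this array, the decoder shows two container-inheritable allow ACEs with mask 0x0006003F, one for Administrators (S-1-5-32-544) and one for Everyone (S-1-1-0), i.e. every WMI namespace right plus READ_CONTROL and WRITE_DAC; the same check applied to your own GetSD output tells you what a saved SD will hand out on every box it is pushed to.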


4) Programmatically, the hard way:


We can write our own WMI script using the following sample found at http://www.lissware.net/:


Volume 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf, which uses a series of sub-functions:

Sample 4.02 to 4.13 - WMIManageSD.Wsf
Sample 4.14 to 4.24 - GetSDFunction.vbs
Sample 4.25 - CreateDefaultSDFunction.vbs
Sample 4.26 to 4.27 - ADSIHelper.exp
Sample 4.28 - DecipherWMISDFunction.vbs
Sample 4.29 - DecipherADSISDFunction.vbs
Sample 4.30 - DecipherSDControlFlagsFunction.vbs
Sample 4.31 - CalculateSDControlFlagsFunction.vbs
Sample 4.32 to 4.40 - ActiveDirectory.CMD
Sample 4.41 - SetSDOwnerFunction.vbs
Sample 4.42 - CreateTrusteeFunction.vbs
Sample 4.43 - SetSDGroupFunction.vbs
Sample 4.44 - SetSDControlFlagsFunction.vbs
Sample 4.45 to 4.46 - AddACEFunction.vbs
Sample 4.47 to 4.48 - DelACEFunction.vbs
Sample 4.49 to 4.50 - ReOrderACEFunction.vbs
Sample 4.51 to 4.61 - SetSDFunction.vbs

The script actually reads the binary SD with the __SystemSecurity class and converts it in Sample 4.14 to 4.24 - GetSDFunction.vbs at line 283.
The object used to convert the SD is defined at line 189 in Sample 4.02 to 4.13 - WMIManageSD.Wsf.
Under XP and 2003, it uses IADsSecurityUtility::ConvertSecurityDescriptor.
Before XP, it uses a COM component written especially for converting the binary array to an ADSI SD representation (located in the resources folder that comes with the ZIP; it must be registered with REGSVR32).



The sample given there manages the security not only on WMI namespaces, but also on Files, Folders, Shares, AD objects, Exchange Mailboxes and Registry keys.



Everything is explained in greater detail in the book related to this sample, as full coverage of the details for managing all the SD types supported above required 220 pages of text and tables.
This is not a trivial task, even if it is fairly achievable.



I hope this helps.


Cheers,



Alex (Alejandro Campos Magencio)

