How to change the Security Descriptor of WMI objects
Hi all, welcome back,
You may want to give users or groups access to perform read/modify WMI operations on WMI objects, and for that you need to change the Security Descriptor (SD) for WMI objects. There are several ways to achieve this:
1) Manually with wmimgmt.msc: 325353 HOW TO: Set WMI Namespace Security in Windows Server 2003.
2) Using third-party tools like WMI Namespace Security.
3) Programmatically, the easy way:
We could manually set the SD on one box, then save it to a text file with GetSD method of the __SystemSecurity class, read the SD from the text file and reapply it to new boxes with SetSD method.
The following VBScript shows how to use GetSD to obtain the current SD for the Root\Cimv2 namespace and change it to the byte array shown in strDisplaySD.
' Connect to WMI and the root namespace.
'
Set objWMI = GetObject("winmgmts:root\cimv2")
' Get the single __SystemSecurity object in this namespace.
'
Set objSecurity = objWMI.Get("__SystemSecurity=@")
' Get the namespace security.
'
nReturn = objSecurity.GetSD(arrSD)
If Err <> 0 Then
WScript.Echo "Return value = " & nReturn
Else
' Show it
'
strDisplaySD = "SD = {"
For I = Lbound(arrSD) To Ubound(arrSD)
strDisplaySD = strDisplaySD & arrSD(I)
If I <> Ubound(arrSD) Then
strDisplaySD = DisplaySD & ","
End If
Next
strDisplaySD = strDisplaySD & "}"
WScript.Echo strDisplaySD
End If
The following script shows how to use SetSD to set the namespace SD for the root namespace and change it to the byte array shown in arrSD.
' Hard-coded security descriptor
'
arrSD = array( 1, 0, 4,129,72, 0, 0, 0, _
88, 0, 0, 0, 0, 0, 0, 0, _
20, 0, 0, 0, 2, 0,52, 0, _
2, 0, 0, 0, 0, 2,24, 0, _
63, 0, 6, 0, 1, 2, 0, 0, _
0, 0, 0, 5,32, 0, 0, 0, _
32, 2, 0, 0, 0, 2,20, 0, _
63, 0, 6, 0, 1, 1, 0, 0, _
0, 0, 0, 1, 0, 0, 0, 0, _
1, 2, 0, 0, 0, 0, 0, 5, _
32, 0, 0, 0,32, 2, 0, 0, _
1, 2, 0, 0, 0, 0, 0, 5, _
32, 0, 0, 0,32, 2, 0, 0)
' Connect to WMI and the root namespace.
'
Set objWMI = GetObject("winmgmts:root\cimv2")
' Get the single __SystemSecurity object in this namespace.
'
Set objSecurity = objWMI.Get("__SystemSecurity=@")
' Change the namespace security.
'
nReturn = objSecurity.SetSD(arrSD)
WScript.Echo "Return value = " & nReturn
4) Programmatically, the hard way:
We can write our own WMI script using the following sample found at https://www.lissware.net/:
vol 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf, using a series of subfunctions:
Sample 4.02 to 4.13 - WMIManageSD.Wsf
Sample 4.14 to 4.24 - GetSDFunction.vbs
Sample 4.25 - CreateDefaultSDFunction.vbs
Sample 4.26 to 4.27 - ADSIHelper.exp
Sample 4.28 - DecipherWMISDFunction.vbs
Sample 4.29 - DecipherADSISDFunction.vbs
Sample 4.30 - DecipherSDControlFlagsFunction.vbs
Sample 4.31 - CalculateSDControlFlagsFunction.vbs
Sample 4.32 to 4.40 - ActiveDirectory.CMD
Sample 4.41 - SetSDOwnerFunction.vbs
Sample 4.42 - CreateTrusteeFunction.vbs
Sample 4.43 - SetSDGroupFunction.vbs
Sample 4.44 - SetSDControlFlagsFunction.vbs
Sample 4.45 to 4.46 - AddACEFunction.vbs
Sample 4.47 to 4.48 - DelACEFunction.vbs
Sample 4.49 to 4.50 - ReOrderACEFunction.vbs
Sample 4.51 to 4.61 - SetSDFunction.vbs
The script actually reads the binary SD with __SystemSecurity class and converts it with Sample 4.14 to 4.24 - GetSDFunction.vbs at line 283.
The object used to convert the SD is defined at line 189 in Sample 4.02 to 4.13 - WMIManageSD.Wsf.
Under XP and 2003, it uses the IADsSecurityUtility::ConvertSecurityDescriptor.
Before XP, it uses a COM component especially written for the purpose of the bin array conversion to an ADSI SD representation (located in the resources folder coming with the ZIP that must be REGSVR32).
The sample given there manages the security not only on WMI namespaces, but also on Files, Folders, Shares, AD objects, Exchange Mailboxes and Registry keys.
Everything is explained in greater details in the book related to this sample as the full coverage of the details for the management of all SD supported above required 220 pages of texts and tables.
This is not a trivial task even if it is fairly achievable.
I hope this helps.
Cheers,
Alex (Alejandro Campos Magencio)
Comments
- Anonymous
April 23, 2009
Please note that the line strDisplaySD = DisplaySD & ","should read strDisplaySD = strDisplaySD & "," - Anonymous
April 03, 2014
The comment has been removed