Windows Management Security

SMS uses Windows Management Instrumentation (WMI) as a standardized management interface. SMS uses WMI on clients for hardware inventory collection, and on servers and consoles as an interface to the SMS site database. WMI is also used for storing some configuration data, such as that used by Network Trace.

WMI supports full security for the Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 families. WMI supports limited security for Windows 98. WMI security authenticates a user's logon information both for the local computer and for remote access. With the versions of WMI included with SMS and Windows 2000, Windows XP, and operating systems in the Windows Server 2003 family, you can use WMI to control global permissions on WMI namespace operations, such as limiting the access of some users to read-only operations.

Each WMI namespace has its own security descriptor, which allows the namespace to have its own security settings. As with files on the NTFS disk partitions, inheritance might be used to simplify the administration of security. Each ACE in the namespace security descriptor has a flags field, which indicates what inheritance, if any, is to be performed. For example, if container inheritance is allowed, then the ACE of the namespace security descriptor is inherited by child namespaces.

The security descriptor is constructed when a connection to the namespace is first made. The security descriptor is constructed from the ACLs of the namespaces in the inheritance chain, as modified by the inheritance bits of each namespace. By default, the local administrator account and the local administrators group have rights to all operations, including remote access. The SMS security descriptor is created in WMI during the installation of the SMS site server.

The security descriptor is also used to control access to WMI services. The security descriptor is a standard Windows security descriptor, and it contains an ACL. Each ACE grants permission to run a restricted operation, such as allowing logons, remote access, method execution, and writing to the CIM Repository (the WMI database). The WMI security descriptors are stored in the CIM Repository.
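The following PowerShell function is an added example and is not part of the SMS documentation. It reads the security descriptor of a WMI namespace through the __SystemSecurity singleton and decodes each ACE into the operations it grants (enable account, remote access, method execution, repository writes) and its inheritance flags, so an administrator can see which entries were set on the namespace itself and which were inherited from a parent. The access-mask and ACE-flag constants are the standard WMI and winnt.h values; the namespace, computer name and the site-code placeholder in the comments are assumptions.

```powershell
# Added example, not part of the SMS documentation: list the DACL of a WMI
# namespace and decode each ACE's access mask and inheritance flags.
# Assumes Windows PowerShell with the WMI cmdlets and an account that holds
# READ_CONTROL on the namespace (local Administrators hold it by default).
function Get-WmiNamespaceDacl {
    param(
        # Namespace to inspect; on an SMS site server this could be
        # root\sms\site_XXX (XXX = site code, placeholder)
        [string]$Namespace = 'root\cimv2',
        [string]$ComputerName = '.'          # '.' = local computer
    )

    # WMI namespace access-mask bits (values from wbemcli.h / winnt.h);
    # the names in parentheses are the labels the WMI Control snap-in shows
    $rightBits = @{
        0x00001 = 'WBEM_ENABLE (Enable Account)'
        0x00002 = 'WBEM_METHOD_EXECUTE (Execute Methods)'
        0x00004 = 'WBEM_FULL_WRITE_REP (Full Write)'
        0x00008 = 'WBEM_PARTIAL_WRITE_REP (Partial Write)'
        0x00010 = 'WBEM_WRITE_PROVIDER (Provider Write)'
        0x00020 = 'WBEM_REMOTE_ACCESS (Remote Enable)'
        0x20000 = 'READ_CONTROL (Read Security)'
        0x40000 = 'WRITE_DAC (Edit Security)'
    }
    # ACE flag bits that govern inheritance (winnt.h)
    $flagBits = @{
        0x01 = 'OBJECT_INHERIT_ACE'
        0x02 = 'CONTAINER_INHERIT_ACE'      # propagate to child namespaces
        0x04 = 'NO_PROPAGATE_INHERIT_ACE'
        0x08 = 'INHERIT_ONLY_ACE'           # applies to children only
        0x10 = 'INHERITED_ACE'              # came from a parent namespace
    }

    # __SystemSecurity is a singleton; GetSecurityDescriptor returns a
    # Win32_SecurityDescriptor in the Descriptor output property
    $res = Invoke-WmiMethod -Namespace $Namespace -ComputerName $ComputerName `
                            -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($res.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $Namespace failed with code $($res.ReturnValue)"
    }

    foreach ($ace in $res.Descriptor.DACL) {
        # Translate the bit fields into readable names
        $rights = foreach ($bit in ($rightBits.Keys | Sort-Object)) {
            if ($ace.AccessMask -band $bit) { $rightBits[$bit] }
        }
        $flags = foreach ($bit in ($flagBits.Keys | Sort-Object)) {
            if ($ace.AceFlags -band $bit) { $flagBits[$bit] }
        }
        [pscustomobject]@{
            Namespace = $Namespace
            Trustee   = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            SID       = $ace.Trustee.SIDString
            Type      = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Rights    = ($rights -join ', ')
            Inherit   = ($flags -join ', ')
        }
    }
}

# Usage: show every Allow entry that permits remote connection or writing to
# the CIM Repository, which are the grants worth reviewing on a site server
Get-WmiNamespaceDacl -Namespace 'root\cimv2' |
    Where-Object { $_.Type -eq 'Allow' -and $_.Rights -match 'REMOTE_ACCESS|WRITE_REP' } |
    Format-Table -AutoSize
```

Entries whose Inherit column contains INHERITED_ACE were not set on this namespace; they arrived through the inheritance chain described above and must be changed on the parent namespace. A plain hashtable is used for the bit tables rather than an ordered dictionary because indexing an ordered dictionary with an integer selects by position, not by key.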

In the Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 family operating systems, there is no distinction between local and remote access. However, with a remote connection, users can specify a user name and password, replacing the current user name and password. With a local connection, users cannot override the current name and password.

In Windows 98, local users are considered administrators and are granted full rights. There is no authentication. Remote users, however, are validated using instances of WMI system classes.

You can use the WMI Control, available in the System Control Panel icon, to manage WMI security.
