Encrypting Data When Running WMI–Based Remote Administration Scripts

Applies To: Windows Server 2003 R2, Windows Server 2003 with SP1

WMI-based administration scripts operating on an IIS server over a remote connection send data over the network in clear text. You can enhance security by modifying WMI-based administration scripts to establish an encrypted remote connection.

Important

For Windows Server 2003 with Service Pack 1 (SP1), WMI-based remote administration scripts must be modified to encrypt authentication credentials and data as outlined in this topic. If you do not modify the scripts, they will fail.

Use one of the following two methods to establish an encrypted remote connection:

  • Use the IWbemLocator::ConnectServer method when an administrator user name and password must be passed to the remote server.

  • Use the GetObject function when an administrator user name and password do not need to be passed to the remote server. This is the case when the administrator user name and password on the remote server and on the server running the script are the same.

To establish an encrypted connection to a remote server when an administrator user name and password must be provided, use the ConnectServer method to connect to the server, and then set the AuthenticationLevel property to encrypt the connection. The following code example illustrates this.

Note

The ConnectServer call encrypts the administrator user name and password.

Important

You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /User:MyComputer\Administrator cmd to open a command window with administrator rights and then type cscript.exe ScriptName (include the script's full path and any parameters).

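// Server_Name, AdministratorUserName and AdministratorPassword are placeholders for your own values.
var locatorObj = new ActiveXObject("WbemScripting.SWbemLocator");
var provObj = locatorObj.ConnectServer(Server_Name, "root/MicrosoftIISv2", AdministratorUserName, AdministratorPassword);
// Request packet privacy (level 6) so that data sent over the connection is encrypted.
var wbemAuthenticationLevelPktPrivacy = 6;
provObj.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy;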

To establish an encrypted connection to a remote server when an administrator user name and password do not need to be provided, use the GetObject function, and then set the AuthenticationLevel property to pktPrivacy. The following code example illustrates this.

// The moniker's security settings request packet privacy; Server_Name is a placeholder.
var provObj = GetObject("winmgmts:{AuthenticationLevel=pktPrivacy}!//Server_Name/root/MicrosoftIISv2");

  • For more information about security settings in WMI scripts, see the Scripting API for WMI on MSDN Online.
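
To find administration scripts that still connect without encryption, the following check scans script text for the two connection styles described in this topic and reports the ones that do not request packet privacy. It is an added example, not code from the original page or from Microsoft; the function names, the sample script and the host names web01 and web02 are assumptions, and it runs under Node.js rather than Windows Script Host.

```javascript
// Added example: flag WMI connections in script text that do not request
// packet privacy. Heuristic text matching, not a JScript/VBScript parser.
const PKT_PRIVACY = "6"; // wbemAuthenticationLevelPktPrivacy, as on this page
// Constructed sample (web01/web02 are made-up hosts): lines 2 and 6 are weak.
const SAMPLE = [
  'var loc = new ActiveXObject("WbemScripting.SWbemLocator");',
  'var weak = GetObject("winmgmts://web01/root/MicrosoftIISv2");',
  'var ok = GetObject("winmgmts:{AuthenticationLevel=pktPrivacy}!//web01/root/MicrosoftIISv2");',
  'var prov = loc.ConnectServer("web01", "root/MicrosoftIISv2", user, pass);',
  'prov.Security_.AuthenticationLevel = 6;',
  'var bare = loc.ConnectServer("web02", "root/MicrosoftIISv2", user, pass);',
].join("\n");

// Read the {key=value,...} security settings of a winmgmts: moniker.
function monikerSettings(moniker) {
  const m = /^winmgmts:\s*\{([^}]*)\}/i.exec(moniker.trim());
  const settings = {};
  for (const part of (m ? m[1] : "").split(",")) {
    const [key, value] = part.split("=").map((s) => s.trim().toLowerCase());
    if (key && value) settings[key] = value;
  }
  return settings;
}

// Resolve a token to a number, following one `name = 6` style assignment.
function resolveLevel(token, source) {
  if (/^\d+$/.test(token)) return token;
  const m = new RegExp("\\b" + token + "\\s*=\\s*(\\d+)").exec(source);
  return m ? m[1] : null;
}

function auditWmiScript(source) {
  const findings = [];
  const lineOf = (index) => source.slice(0, index).split("\n").length;
  // GetObject-style monikers must carry AuthenticationLevel=pktPrivacy.
  for (const m of source.matchAll(/["'](winmgmts:[^"']*)["']/gi)) {
    if (monikerSettings(m[1]).authenticationlevel !== "pktprivacy")
      findings.push({ line: lineOf(m.index), issue: "moniker lacks pktPrivacy" });
  }
  // A ConnectServer result must have Security_.AuthenticationLevel set to 6.
  for (const m of source.matchAll(/(\w+)\s*=\s*\w+\.ConnectServer\s*\(/gi)) {
    const setter = new RegExp("\\b" + m[1] + "\\.Security_\\.AuthenticationLevel\\s*=\\s*(\\w+)", "i");
    const hit = setter.exec(source.slice(m.index));
    if (!hit || resolveLevel(hit[1], source) !== PKT_PRIVACY)
      findings.push({ line: lineOf(m.index), issue: "ConnectServer result not set to pktPrivacy" });
  }
  return findings.sort((a, b) => a.line - b.line);
}
console.log(auditWmiScript(SAMPLE));
```

Because the check matches text only, treat a clean result as a first pass and review any script that builds its moniker or authentication level at run time.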