Security with WMIC

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

General information about the security model

Only users in the local Administrators group can start WMIC. The WMI security access model is enforced on any call from WMIC to WMI. The operating system enforces operating system-level security for any operations executed through WMI. For example, you cannot access files through WMI that you cannot access from Windows Explorer.

WMIC is a client for WMI, so all security checks are performed within WMI components. Before connecting to a remote computer, the component uses PING functionality to verify validity of the input (remote computer status).

When WMIC is used in a Telnet, Terminal Services, or similar session, all commands are carried out in the context of the user issuing the command.

WMIC allows extension of Aliases and XSLs. Security is addressed by NTFS which enforces administrator-only credential requirements for accessing WMIC's files.

Except for method parameters, WMIC allows input data only through the /NODE switch. A list of computer nodes can be provided as a text file using the @FileList option. The file and its location should be secured by the Administrator, and the input file should preferably be read from the WBEM directory.

User permissions

No special user permissions are required to run WMIC. Implicitly, to be able to use WMIC, a user needs to have full write access to both the WMIC namespaces and a registry key (HKLM\Software\Microsoft\WBEM).

Authentication and authorization

Authentication and authorization are provided by the system when these resources are opened. They are stored in a secured location and the Discretionary Access Control List (DACL) is used to verify that client has access to them. They are wholly dependent on Distributed Component Object Model (DCOM) security as well as Windows Management (WINMGMT) for remote access in providing it with user name, password, and requested levels. The /AUTHLEVEL switch is used for securing WMIC network traffic. In the Windows ServerĀ 2003 family operating systems, the default level is set to PKTPRIVACY providing packet privacy encryption level. You can modify the authentication level using the /AUTHLEVEL switch.

Example:

WMIC /AUTHLEVEL:Pktprivacy /NODE:"testcomputer.microsoft.com" BIOS

Configuration data

The configuration information is stored in the registry and in the WMI repository. The registry configuration holds timestamps and validity of Managed Object Format(MOF)-compiled status for schemas. At the start of each session of WMIC, this is evaluated and WMIC will update the WMI repository when schemas are not valid or were updated by a user.

Miscellaneous

WMIC is a powerful command-line tool that allows you to quickly do any task for which you have permissions. If you are not familiar with the WMI environment, you can use the /INTERACTIVE switch to set a warning for delete operations. For example:

WMI /INTERACTIVE:ON

For information about how WMI validates users, see Managing WMI security.

For more information, see Windows Management Instrumentation Command-line.