WMI Namespace-Level Security

Microsoft® Windows® 2000 Scripting Guide

Before a user is allowed to connect to WMI, on either the local computer or a remote computer, the access token for the user account is validated against permissions applied to and stored in the CIM repository.

By default, the built-in Administrators security group is granted full control of WMI and the entire CIM repository on both local and remote computers. All other users, by way of the Everyone group, are granted Enable Account, Execute Methods, and Provider Write on the local computer only. Table 6.2 lists the available WMI permissions, which are configured on the Security tab in the WMI Control MMC Snap-in, systemroot\System32\Wmimgmt.msc.

Note

  • On computers running Windows NT 4.0 SP4, Windows 98, and Windows 95 OSR 2.5, the WMI Control application is named Wbemcntl.exe. Wbemcntl.exe is located in the systemroot\System32\Wbem directory on Windows NT 4.0 SP4.

Table 6.2 WMI Namespace Permissions

Each entry shows the permission, the groups that hold it by default (Administrators, Everyone), and what it allows.

Execute Methods  [Administrators: Yes   Everyone: Yes]
    Lets a user call methods in the specific namespace. However, the provider checks to ensure that the user has the right to perform these tasks. For example, a user cannot run a script that stops a service unless the user has the right to stop that service.

Full Write  [Administrators: Yes   Everyone: No]
    Lets users create or modify a namespace, a system class, or an instance.

Partial Write  [Administrators: Yes   Everyone: No]
    Lets users create or modify any static class or any instance of non-system classes.

Provider Write  [Administrators: Yes   Everyone: Yes]
    Lets users write classes and instances to WMI providers.

Enable Account  [Administrators: Yes   Everyone: Yes]
    Grants read permissions to a WMI namespace. This allows users to run scripts that retrieve data, but only on the local computer.

Remote Enable  [Administrators: Yes   Everyone: No]
    Lets a user access a WMI namespace from a remote computer. By default, this right is granted only to administrators; regular users cannot retrieve any WMI-related information from a remote computer.

Read Security  [Administrators: Yes   Everyone: No]
    Lets the user read (but not modify) the security descriptor for a WMI namespace.

Edit Security  [Administrators: Yes   Everyone: No]
    Lets the user modify the security descriptor for a WMI namespace.

WMI permissions are applied at the namespace level and apply to all classes within the namespace. Depending on the inheritance flags set on each entry, they can also apply to child namespaces. By default, permissions are explicitly applied to the root namespace only and inherited by all other child namespaces.
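The following PowerShell script is an added example and is not part of the Scripting Guide; it audits the security descriptor of a namespace and reports, for every access control entry, which of the Table 6.2 permissions it grants and whether it is inherited from a parent namespace or flows down to child namespaces. It assumes a host running Windows Vista or later, where the __SystemSecurity class exposes the GetSecurityDescriptor method (Windows 2000 only offers the older GetSD method, which returns a raw byte array rather than a Win32_SecurityDescriptor object). The WBEM_* bit values and the AceFlags bits are documented Windows constants; the parameter names and output layout are this example's own choice.

```powershell
# Added example (not from the Scripting Guide): list the DACL of a WMI namespace
# and translate each ACE's access mask into the permission names of Table 6.2.
# Assumes Windows Vista or later (GetSecurityDescriptor on __SystemSecurity).
param(
    [string]$Namespace    = 'root\cimv2',   # namespace to inspect (assumed default)
    [string]$ComputerName = '.'             # local computer unless overridden
)

# WBEM_* access-mask bits mapped to the names used in Table 6.2.
$rightNames = [ordered]@{
    0x00001 = 'Enable Account'    # WBEM_ENABLE
    0x00002 = 'Execute Methods'   # WBEM_METHOD_EXECUTE
    0x00004 = 'Full Write'        # WBEM_FULL_WRITE_REP
    0x00008 = 'Partial Write'     # WBEM_PARTIAL_WRITE_REP
    0x00010 = 'Provider Write'    # WBEM_WRITE_PROVIDER
    0x00020 = 'Remote Enable'     # WBEM_REMOTE_ACCESS
    0x20000 = 'Read Security'     # READ_CONTROL
    0x40000 = 'Edit Security'     # WRITE_DAC
}

# Reading the descriptor itself requires the Read Security permission on the namespace.
$result = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
    -Path '__SystemSecurity' -Name 'GetSecurityDescriptor'
if ($result.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor on $Namespace failed with return value $($result.ReturnValue)"
}

foreach ($ace in $result.Descriptor.DACL) {
    # Collect the Table 6.2 names for every bit set in this ACE's access mask.
    $granted = foreach ($bit in $rightNames.Keys) {
        if ($ace.AccessMask -band $bit) { $rightNames[$bit] }
    }

    # AceFlags: 0x02 = CONTAINER_INHERIT_ACE (entry flows to child namespaces),
    #           0x10 = INHERITED_ACE (entry was inherited from a parent namespace).
    $flowsToChildren = [bool]($ace.AceFlags -band 0x02)
    $inherited       = [bool]($ace.AceFlags -band 0x10)

    [pscustomobject]@{
        Namespace       = $Namespace
        Trustee         = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
        Type            = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        Permissions     = ($granted -join ', ')
        FlowsToChildren = $flowsToChildren
        Inherited       = $inherited
    }
}
```

Run it against root and then against a child such as root\cimv2: on a default system the entries under the child appear with Inherited set to True, which is the behaviour described above, while an entry explicitly added to the child namespace shows Inherited False. Comparing the Permissions column for the Everyone entry against the defaults in Table 6.2 is a quick way to spot namespaces where Remote Enable or a write permission has been granted more broadly than intended.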

Security is checked only when a user connects to the CIMOM. As a result, any changes made to the WMI permissions while a user is connected will not affect that user until he or she establishes a new connection. If you have the Full Write permission when you begin running a script, you (in the context of that script) will continue to have that permission until the script completes. However, if you start a new script, any new permissions will be applied to that particular script.

By default, WMI scripts run in the security context of the user running the script.