WMI and COM Security

All client applications access WMI services via COM interfaces. It is true that WMI Scripting API or .NET System Management Framework may shield the developers from the complexities of COM. However, regardless of the development platform, at run time, all service requests issued by a management application are routed to WMI via an arbitrary COM interface. Thus, from the prospective of a client application, WMI security is synonymous with COM security.

COM security revolves around the concepts of authentication and impersonation. The former is a process that verifies the authenticity of the client's identity, while the latter is the ability of a thread to execute in a security context different from that of the process that owns the thread. Since different processes may require different levels of security, the authentication and impersonation requirements may vary from application to application. Therefore, COM clients are given the ability to control the security levels, or levels of authentication and impersonation, for their processes.

The default security levels for a process are set via the CoInitializeSecurity function. Among a few other parameters, this function accepts two DWORD values that specify the default authentication and impersonation levels. The first of these values controls the degree of protection applied to the communications between the COM client and the server. Currently, COM defines seven different authentication levels.

COM Authentication Levels
Under Windows NT 4.0, this value defaults to RPC_C_AUTH_LEVEL_CONNECT. Under Windows 2000 and later, this value instructs COM to select an appropriate authentication level using its normal security blanket negotiation algorithm.

Instructs COM not to perform any authentication

Causes COM to authenticate the credentials of the client only when the client establishes a session with the server.

Instructs COM to authenticate the client at the beginning of each remote procedure call (RPC) when the server receives the request.

Instructs COM to ensure that the data is received from the authenticated client.

Causes COM to ensure the integrity of the data received from the client.

Instructs COM to perform all the types of authentication referred to in this table and encrypt all RPC arguments.

Again, CoInitializeSecurity sets the default authentication level for the process so that all subsequently arriving COM requests with lower authentication levels will fail.

The impersonation level specifies the amount of authority granted to the server when it performs tasks on behalf of the client.

COM Impersonation Levels
This value can be used with Windows 2000 and later. It instructs COM to select an appropriate impersonation level using its normal security blanket negotiation algorithm.

The client remains anonymous to the server. The impersonation is possible, but since the server's impersonation token will not contain any client security information, the server will not be able to perform any tasks under the security context of the client.

The server's impersonation token will include the client's identity, which implies that the server will be able to impersonate the client during ACL checking. However, the server will not be able to access the system objects on behalf of the client.

The server may impersonate the client's security context, but only while it accesses the resources on local machines on behalf of the client. In other words, the impersonation token cannot be used across the machines' boundaries.

The server may impersonate the client's security context while accessing the resources on local or remote machines on behalf of the client. The impersonation token can be passed across the machines' boundaries. This impersonation level is available under Windows 2000 and later.

Calling CoInitializeSecurity is optional. If a client application chooses not to invoke this function, COM will automatically initialize and manage the security settings for a process. In such cases, in order to establish the default security settings for a process, COM uses a set of default values, stored in the system registry. Thus, the default authentication level is set based on the registry value HKLM\SOFTWARE\MICROSOFT\OLE\LegacyAuthenticationLevel. Similarly, the default impersonation level is chosen based on the value of HKLM\SOFTWARE\MICROSOFT\OLE\LegacyImpersonationLevel. If these values are not found in the registry, COM will use RPC_C_AUTH_LEVEL_CONNECT and RPC_C_IMP_LEVEL_IDENTITY for the default authentication and impersonation levels respectively.

As you may remember, once connected to WMI, a client application receives an out-of-process pointer to the IWbemServices interface, which can subsequently be used to engage various WMI services. This pointer has the identity of a client process rather than the WMI IWbemServices process. Thus, if the client attempts to use the pointer to invoke the services of WMI it may receive an access-denied error, since the access check will be carried out with the client's identity. To avoid such errors, the WMI client applications must call the CoSetProxyBlanket function in order to set the identity of a newly obtained pointer. Once the pointer identity is set, it can be used to call into WMI.

Finally, whenever a client attempts to perform an operation marked as privileged, such as a system reboot, it must enable its privileges. This is achieved via the AdjustTokenPrivileges function. This function takes the access token of the client process as a parameter and, depending on the type of the request, enables or disables the privileges associated with the token. Note that before a particular privilege can be enabled, an administrator should explicitly grant it to the user or group.

Source of Information : Dot NET System Management Services - Apress


Subscribe to Developer Techno ?
Enter your email address:

Delivered by FeedBurner