As just mentioned, the Windows security model is the foundation of WMI security. As is true for most security frameworks in existence today, Windows security revolves around user IDs or names, and the associated passwords. Simply put, the operating system associates every object within the enterprise with a list of users authorized to access it. Every user request is checked against this list before access to the object is granted. WMI employs a similar strategy: it maintains a list of authorized users for each namespace.
In addition to controlling access to WMI namespaces, the system has to be able to verify the user's identity before allowing the client application to connect to WMI services. The process of confirming the identity of the user who is running the management client application is referred to as authentication. In order to authenticate the client requests for services, WMI relies on the Component Object Model (COM) authentication mechanism. The COM authentication scheme is password-based and it provides for not only verifying the identity of the requestor, but also protecting the communications between the client and the server by encrypting the network packets.
WMI is designed for remote administration, which means that management requests from a remote management client are carried out by the WMI service that is running on the local machine. Since the WMI service operates on behalf of the remote user, there has to be a way to ensure that the user possesses adequate permissions to complete certain management actions. This essentially means that each client's request has to be carried out by the WMI service under the security context of the client and perhaps by using the client's identity. This is achieved by using the COM impersonation mechanism, which allows the client to grant certain authority to the WMI service so that the latter may perform the requested operations on the client's behalf.
Source of Information : Dot NET System Management Services - Apress
In addition to controlling access to WMI namespaces, the system has to be able to verify the user's identity before allowing the client application to connect to WMI services. The process of confirming the identity of the user who is running the management client application is referred to as authentication. In order to authenticate the client requests for services, WMI relies on the Component Object Model (COM) authentication mechanism. The COM authentication scheme is password-based and it provides for not only verifying the identity of the requestor, but also protecting the communications between the client and the server by encrypting the network packets.
WMI is designed for remote administration, which means that management requests from a remote management client are carried out by the WMI service that is running on the local machine. Since the WMI service operates on behalf of the remote user, there has to be a way to ensure that the user possesses adequate permissions to complete certain management actions. This essentially means that each client's request has to be carried out by the WMI service under the security context of the client and perhaps by using the client's identity. This is achieved by using the COM impersonation mechanism, which allows the client to grant certain authority to the WMI service so that the latter may perform the requested operations on the client's behalf.
Source of Information : Dot NET System Management Services - Apress
|
|
0 comments
Post a Comment