TABLE OF CONTENTS Previously, we discovered how to manage various components of Windows. In some cases, we saw that the security configuration is part of the component management. In this chapter, we will discover the WMI capabilities to manage the security settings of various Windows components, such as files, folders, and shares on the file system; Active Directory objects; and CIM repository namespaces. Although quite specific, the manipulation of the security settings, defined by security descriptors, is one of the most complex tasks to script. This chapter will explain the security descriptor components, their roles, and how to decipher them. One of the goals is to help you navigate between the various challenges that you face when automating and maintaining the security configuration under Windows. Beyond that, we will also see the security implication when developing ASP WMI-enabled scripts for Internet Information Server and how the Microsoft security push initiative in early 2002 affects WMI scripting under Windows Server 2003.
Any manageable object we discussed in the previous chapters can be accessed under some security conditions. The WMI access is defined by three methods:
During the WMI connection, the entity accessing a system must provide an authentication method and some privileges to perform specific tasks (i.e., system reboot) or access some specific manageable objects (i.e., security event log).
The entity accessing the manageable object is granted access to a CIM repository namespace and allowed to perform some specific operations. The entity in question could also be...
