2.1.1 Server Security Settings

The Remote Administrative Interface: WINS protocol uses security support provider (SSP) security provided by RPC as specified in [MS-RPCE]. The WINS RPC server uses the principal name "Wins" and the authentication service RPC_C_AUTHN_WINNT.

The WINS server MUST allow only authenticated access to RPC clients. The WINS server MUST NOT allow anonymous or unauthenticated RPC clients to connect. The WINS server MUST perform authorization checks to ensure that the client is authorized to perform a specific RPC operation.

The following mechanisms are enforced for client authorization:

  • The WINSRA client SHOULD be a member of the WINS Users or WINS Administrator security group in order to retrieve information from the WINS server. This level of authorization is termed "query-level access".<1>

  • The WINSRA client MUST be a member of the WINS Administrator security group before it can retrieve or modify information on the WINS server. This level of authorization is termed "control-level access".

Control-level access also includes query-level access. Therefore, clients with control access can also call methods that require only query-level access. The WINS server MUST limit access to only those clients that negotiate an authentication level equal to or higher than RPC_C_AUTHN_LEVEL_CONNECT.
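
The access decision described in this section, modeled in portable C as an added example (not code from the specification or from a WINS implementation). The type and function names are hypothetical, group membership is passed in as constructed booleans rather than read from a token, and the SHOULD for query-level access is treated as enforced.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constant values as in the Windows SDK header rpcdce.h, repeated so the
   model builds without Windows headers. */
#define RPC_C_AUTHN_NONE              0
#define RPC_C_AUTHN_WINNT             10
#define RPC_C_AUTHN_LEVEL_NONE        1
#define RPC_C_AUTHN_LEVEL_CONNECT     2
#define RPC_C_AUTHN_LEVEL_PKT_PRIVACY 6

/* Hypothetical types: the section names the access levels, not these. */
typedef enum { ACCESS_QUERY, ACCESS_CONTROL } wins_access;
typedef enum { ALLOW, DENY_UNAUTHENTICATED, DENY_AUTHN_LEVEL,
               DENY_NOT_AUTHORIZED } wins_decision;

typedef struct {
    unsigned authn_svc;    /* service the client authenticated with */
    unsigned authn_level;  /* negotiated authentication level */
    bool in_wins_users;    /* member of WINS Users (constructed input) */
    bool in_wins_admins;   /* member of WINS Administrator */
} wins_caller;

/* Authentication first, then the minimum authentication level, then group
   membership. The ordering of the checks is this example's choice. */
wins_decision wins_authorize(const wins_caller *c, wins_access needed)
{
    if (c->authn_svc == RPC_C_AUTHN_NONE)
        return DENY_UNAUTHENTICATED;           /* anonymous caller */
    if (c->authn_level < RPC_C_AUTHN_LEVEL_CONNECT)
        return DENY_AUTHN_LEVEL;               /* below the required floor */
    if (c->in_wins_admins)
        return ALLOW;                          /* control includes query */
    if (needed == ACCESS_QUERY && c->in_wins_users)
        return ALLOW;                          /* SHOULD treated as enforced */
    return DENY_NOT_AUTHORIZED;
}

int main(void)
{
    /* Constructed callers, not captured traffic. */
    wins_caller user  = { RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, true, false };
    wins_caller admin = { RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_NONE, false, true };
    printf("user query=%d control=%d, admin at level NONE=%d\n",
           wins_authorize(&user, ACCESS_QUERY),
           wins_authorize(&user, ACCESS_CONTROL),
           wins_authorize(&admin, ACCESS_CONTROL));
    return 0;
}
```

The third case shows that group membership alone is not sufficient: an administrator who negotiates a level below RPC_C_AUTHN_LEVEL_CONNECT is still refused.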