Changing Access Security on Securable Objects
Printers, services, registry keys, DCOM applications, and WMI namespaces are securable objects. The access to securable objects is protected by security descriptors, which specify the users who have access. Starting with Windows Vista, many securable objects have methods for getting or setting the security descriptor. With appropriate permissions, you can read or change security descriptors on securable objects. Using these methods, you can control which user accounts or groups have access to a printer, service, WMI namespace, or other object. For more information about security descriptors and their use in WMI, see Access to WMI Securable Objects.
The following sections are discussed in this topic:
- Objects and Security Descriptor Methods
- Converting Between Security Descriptor Formats
- Security Issues
- Related topics
Objects and Security Descriptor Methods
The following list contains the methods that securable objects have to enable you to read or change the security descriptor:
A provider can establish security that only allows certain groups to have access to the data in a WMI namespace. Namespace security is controlled by methods on the __SystemSecurity class. Starting with Windows Vista, the GetSecurityDescriptor and SetSecurityDescriptor methods return and write __SecurityDescriptor objects. For more information, see Setting Namespace Security Descriptors.
Starting with Windows Vista, you can secure registry keys so that they cannot be changed by unauthorized users. The StdRegProv class has the GetSecurityDescriptor and SetSecurityDescriptor methods. These methods return and write Win32_SecurityDescriptor objects.
Starting with Windows Vista, you can secure access to instances of the Win32_Printer class using the GetSecurityDescriptor and SetSecurityDescriptor methods. These methods return and write Win32_SecurityDescriptor objects.
Starting with Windows Vista, you can secure access to instances of the Win32_Service class using the GetSecurityDescriptor and SetSecurityDescriptor methods. These methods return and write Win32_SecurityDescriptor objects.
DCOM application instances have several security descriptors. Starting with Windows Vista, use methods of the Win32_DCOMApplicationSetting class to get or change the various security descriptors. Security descriptors are returned as instances of the Win32_SecurityDescriptor class.
When a new Security Access Control List (SACL) is not specified in a call to a SetSecurityDescriptor method, then the security descriptor SACL on the target securable object is set to NULL so that the previous SACL setting does not persist.
Converting Between Security Descriptor Formats
Security descriptors are complex binary byte arrays that must normally be created and changed in C++. After you have used one of the Get methods to obtain the security descriptor, the Win32_SecurityDescriptorHelper class supplies methods that convert security descriptors into either Security Descriptor Definition Language (SDDL) or to Win32_SecurityDescriptor instances.
You can manipulate the Access Control Lists (ACL) more easily in Win32_SecurityDescriptor instances or in SDDL. For more information about the structure and use of security descriptors in WMI, see WMI Security Descriptor Objects.
In C++ or C# use conversion functions to convert binary security descriptors to Security Descriptor Definition Language (SDDL). To modify security descriptor values in C++ applications, use ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor.
It is recommended that changes to security descriptors be done with great caution so that the security of the object is not compromised. Be aware that the order of access control entries (ACEs) in a discretionary access control list (DACL) can affect access security. For more information, see Order of ACEs in a DACL.