Maintaining WMI Security

WMI security focuses on protecting access to namespace data. WMI first grants access to the groups of users specified by the WMI Control and DCOM settings, and then providers determine whether the user should have access to namespace data.

The following sections are discussed in this topic:

Namespace Security

Namespace security depends on standard Windows user security identifiers (SIDs) and the security descriptor of the WMI namespace.

You can set namespace security by performing the following actions:

Distributed Component Object Model (DCOM) Security Settings.

DCOM security requires an authentication setting and an impersonation setting. Authentication means that one process identifies itself to another. Impersonation identifies the authority that a client grants a server to call different processes. During a security check, the server impersonates the client. For more information, see Securing C++ Clients and Providers or Securing Scripting Clients.

Scripts and C/C++/C# applications either establish authentication and impersonation levels when they connect to a WMI namespace or use the default settings. Connections to remote computers require different settings than connections to WMI namespaces on the local computer. For more information, see Connecting to WMI on a Remote Computer.
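The following PowerShell script is an added example, not code from the original topic. It connects to a namespace with explicit DCOM authentication and impersonation levels (the settings described above) and then reads the namespace security descriptor through the __SystemSecurity singleton, decoding each DACL entry so an administrator can see which trustees hold rights such as Remote Enable or Edit Security. It assumes the classic WMI cmdlets (Invoke-WmiMethod) are available; the function name and the namespace argument are illustrative.

```powershell
# Added example (not from the page): read a WMI namespace's security descriptor
# and decode its DACL, connecting with explicit DCOM authentication/impersonation.
# Assumes the classic WMI cmdlets (Invoke-WmiMethod) are available on the host.

# Access-mask bits used by WMI namespace ACEs, with the names the WMI Control shows.
$WmiRights = [ordered]@{
    0x00001 = 'Enable Account'
    0x00002 = 'Execute Methods'
    0x00004 = 'Full Write'
    0x00008 = 'Partial Write'
    0x00010 = 'Provider Write'
    0x00020 = 'Remote Enable'
    0x20000 = 'Read Security'
    0x40000 = 'Edit Security'
}

function Get-WmiNamespaceAcl {
    param(
        [string]$Namespace    = 'root\cimv2',
        [string]$ComputerName = '.'    # '.' = local computer
    )
    # Explicit DCOM levels: PacketPrivacy encrypts every call (the level remote
    # connections need); Impersonate lets WMI run the access check as the caller.
    $conn = @{
        ComputerName   = $ComputerName
        Namespace      = $Namespace
        Authentication = 'PacketPrivacy'
        Impersonation  = 'Impersonate'
    }
    # __SystemSecurity is the singleton that exposes the namespace security descriptor.
    $result = Invoke-WmiMethod @conn -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $Namespace failed with $($result.ReturnValue)"
    }
    foreach ($ace in $result.Descriptor.DACL) {
        $rights = $WmiRights.Keys | Where-Object { $ace.AccessMask -band $_ } |
                  ForEach-Object { $WmiRights[$_] }
        [pscustomobject]@{
            Namespace = $Namespace
            Trustee   = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Sid       = $ace.Trustee.SIDString
            Type      = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
            Inherits  = [bool]($ace.AceFlags -band 0x2)   # CONTAINER_INHERIT_ACE
            Rights    = $rights -join ', '
        }
    }
}

# Review: which trustees may reach root\cimv2 remotely or change its security descriptor?
Get-WmiNamespaceAcl -Namespace 'root\cimv2' |
    Where-Object { $_.Rights -match 'Remote Enable|Edit Security' } | Format-Table -AutoSize
```

Run it in an elevated session; reading the descriptor requires the Read Security right on the namespace, and the same levels apply when you pass a remote -ComputerName.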

WMI, Shared Service Hosts, and Authentication

WMI resides in a shared service host with several other services running under the NetworkService account. In a Svchost process, WMI shares the same authentication as the other processes in the host.

Provider DLLs are loaded into service host processes separate from WMI. The HostingModel property of the __Win32Provider system class instance that represents a provider specifies the system account under which the provider runs. Setting this property causes the provider to be loaded into a shared host process that has the specified level of privilege. For more information, see Provider Hosting and Security.

Security for WMI Client Scripts and Applications

Scripts and applications must establish the correct security to connect to WMI namespaces on local and remote computers. For more information, see Securing C++ Clients and Providers, Securing Scripting Clients, and Securing WMI Events.

The following table lists the topics on maintaining WMI security.

Topic | Description
Securing WMI Namespaces | You can limit namespace data access to authorized users through the WMI Control.
Securing Your Provider | Information about writing secure providers.
Securing C++ Clients and Providers | Both C++ providers and client applications must perform many of the same operations to maintain WMI security.
Securing Scripting Clients | Scripts and Visual Basic applications (automation clients) must set appropriate security to get access to WMI data and events.
Securing WMI Events | WMI events are delivered by the event provider to a temporary or permanent consumer. Events are delivered in the form of an instance of an event class.
Changing Access Security on Securable Objects | With appropriate permissions, you can call methods on the WMI objects that represent securable objects to read or change the security descriptors of those objects.
