Best Practices for Kernel WMI Object Security

Kernel WMI Object Security
June 13, 2006
Abstract
Microsoft® Windows® Management Instrumentation (WMI) enables kernel-mode
device drivers and system firmware to expose WMI objects for configuration and
instrumentation. This document describes the default security permissions for
kernel WMI objects on Microsoft Windows Server® 2003 and Microsoft Windows
Vista® and how system manufacturers and BIOS developers can change the
security permissions during device installation.
This information applies for the following operating systems:
Microsoft Windows Server® 2008
Microsoft Windows Vista®
Microsoft Windows Server 2003
Future versions of this preview information will be provided in the Windows Driver
Kit.
The current version of this paper is maintained on the Web at:
http://www.microsoft.com/whdc/system/pnppwr/wmi/wmi_security.mspx
References and resources discussed here are listed at the end of this paper.
Contents
Introduction
Kernel WMI Architecture
  Levels of WMI Object Security
  Retrieving Instrumentation Data from a Kernel WMI Object
Specifying Kernel WMI Object Security in an INF File
  INF File Directives for Kernel WMI Object Security
  Example INF File That Specifies Security Descriptors
  Installing the INF File
Best Practices for Kernel WMI Object Security
References
Kernel WMI Object Security - 2
Disclaimer
This is a preliminary document and may be changed substantially prior to final commercial release of the
software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot
guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights
under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association with any
real company, organization, product, domain name, email address, logo, person, place or event is
intended or should be inferred.
© 2006 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows Server, and Windows Vista are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Introduction
Windows Management Instrumentation (WMI) in the Microsoft® Windows® family
of operating systems enables system firmware and kernel-mode device drivers to
expose WMI objects, called kernel WMI objects, for configuration and
instrumentation. To expose kernel WMI objects, system firmware includes
Advanced Configuration and Power Interface (ACPI) objects that are exposed to
WMI through the ACPI-WMI mapping driver. A kernel-mode driver defines WMI
classes as described in the Windows Driver Kit (WDK).
Kernel WMI objects, especially objects that are exposed by system firmware, are
more likely than other WMI objects to expose critical system functionality, such as
the ability to change the behavior of a device driver or to change configuration
information that is stored in the system firmware. To help enhance the security of
kernel WMI objects, the default security descriptor in Microsoft Windows Server™
2003 and later versions of Windows allows only users who belong to the Local
Administrators group to access kernel WMI objects. This security descriptor is more
restrictive than the default security descriptor in Microsoft Windows XP and earlier
versions of Windows, which allows any user to read, write, and execute methods on
kernel WMI objects.
The default security descriptor is used to control access to all kernel WMI objects,
unless the manufacturer or device driver vendor provides a different security
descriptor for a particular object. The default security descriptor is recommended for
most scenarios; however, some scenarios might require different security
descriptors for specific WMI objects. For example, a WMI object that configures the
color of an external light-emitting diode (LED) might require a much less restrictive
security descriptor that allows all users to access the object.
A manufacturer specifies a security descriptor for a specific kernel WMI object in an
INF file by using INF directives that are available in Windows Server 2003 and later
versions of Windows. For kernel WMI objects that are exposed by a device driver,
the manufacturer can modify the INF file in the device driver installation package.
For kernel WMI objects that are exposed by system firmware, the manufacturer
must provide an INF file and an installation application that installs the INF.
This paper provides a brief overview of kernel WMI architecture, describes how to
override the default security descriptor for kernel WMI objects by providing a
different security descriptor in an INF file, and provides guidelines and best
practices for kernel WMI object security. This paper is for system manufacturers,
BIOS developers, and device manufacturers who expose kernel WMI objects
through system firmware or kernel-mode device drivers.
Kernel WMI Architecture
System firmware or a device driver exposes instrumentation or configuration
components as one or more kernel WMI objects. Each kernel WMI object is
identified by a globally unique identifier (GUID).
The system firmware or device driver typically provides a Managed Object Format
(MOF) file that describes the schema and contents of the instrumentation or
configuration objects. The MOF schema is required to access the object through the
WMI COM interface IWbemServices. Programmatic consumers of the exposed
kernel WMI objects use the MOF schema together with IWbemServices to
navigate the hierarchy of WMI objects, retrieve WMI object data, and execute WMI
object methods.
Levels of WMI Object Security
Security through the IWbemServices interface is handled by using WMI
namespace security. WMI namespace security enables an administrator to
configure the security permissions for each namespace, thereby setting the security
permissions in a centralized fashion for all of the WMI objects that are in the
namespace. The WMI namespace security model applies to all WMI objects,
regardless of their provider or source of information. A caller must be granted
access to a WMI object on the basis of WMI namespace security before the object's
WMI provider can service its request.
The Windows Driver Model (WDM) provider, WMIProv, is the WMI provider for
kernel WMI objects that are exposed by system firmware or a kernel-mode device
driver. The WDM provider communicates with the Windows kernel to retrieve WMI
object information when an object is accessed through the IWbemServices
interface.
After the WDM provider passes the caller's request for kernel WMI object
information to the Windows kernel, the kernel checks security permissions for
access to the specified WMI object. Because security requirements can differ for
different drivers, the Windows kernel allows security descriptors to be specified for
individual kernel WMI objects. If a security descriptor is not provided by the
manufacturer at installation, the Windows kernel uses the default security descriptor
to validate user access to a given kernel WMI object.
Retrieving Instrumentation Data from a Kernel WMI Object
Figure 1 shows the components that retrieve instrumentation data from a kernel
WMI object and deliver it to a WMI client application through the IWbemServices
interface.
[Figure 1 (diagram not reproduced); its numbered components, top to bottom, are:
user mode: (1) WMI client applications, calling IWbemServices; (2) the WMI service
(Winmgmt); (3) the WDM provider (WMIProv), alongside other WMI providers.
Kernel mode: (4) the Windows kernel, which checks security descriptors held in the
Windows registry and calls device drivers; (5) the ACPI-WMI mapping driver; (6) the
ACPI driver. Below the kernel: firmware (ACPI firmware) and hardware.]
Figure 1 - Kernel WMI Architecture
Starting at the top of Figure 1:
1. A WMI client application (sometimes called a WMI consumer) accesses a WMI
object by path (for example, root\cimv2\Win32_ComputerSystem) through the
IWbemServices interface.
2. The WMI service (Winmgmt) communicates with the provider for that WMI
object to validate security permissions and retrieve the object, query data, or
execute a method.
The schema (MOF file) for each class object specifies the provider by name. If
the WMI object's data comes from the Windows kernel (from either a kernel-mode
driver or system firmware), its MOF schema specifies the WDM provider
(WMIProv).
Each namespace (for example, "root\wmi" or "root\cimv2") can have distinct
security descriptors with distinct security permissions. The WMI service
validates security permissions for the current user context that are based on the
namespace that is being accessed. If security access is denied, the WMI
service returns an error code to the WMI client application.
3. If security access is granted, the WMI service passes the call to the WDM
provider, which communicates with the Windows kernel to access the WMI
object. Each WMI object that is exposed by the Windows kernel is identified by
a GUID that is stored in both the corresponding driver and the MOF schema for
the class objects. The WDM provider uses the GUID to specify which WMI
object to access.
4. The Windows kernel checks security permissions for access to the specified
WMI object from the current user context. This context is the same as the user
context in which the WMI client application initiated access through
IWbemServices because the WMI service impersonates the user. Note that it is
possible to specify different user credentials through IWbemServices.
To check security permissions, the Windows kernel looks in the registry for a
security descriptor that corresponds to the GUID for the specified WMI object. If
a security descriptor cannot be found, the Windows kernel relies on a built-in
security descriptor that is specified in the kernel code.
If security access is denied for the current user context, the Windows kernel
returns an access-denied status condition to the WDM provider, which returns
this error code to the WMI service, which then returns this error code to the
WMI client application.
If security access is granted for the current user context, the Windows kernel
communicates with the appropriate kernel-mode driver to retrieve the WMI
object or execute a method.
5. For WMI objects that are exposed by a kernel-mode driver, the driver retrieves
the data or executes a method when it receives an
IRP_MJ_SYSTEM_CONTROL request.
For WMI objects that are exposed by system firmware, the Windows kernel
communicates with the ACPI-WMI mapping driver.
6. The ACPI-WMI mapping driver communicates with the ACPI driver, which in
turn communicates with system firmware, to execute the appropriate ACPI
methods to read or write the WMI object data or execute a WMI object method.
The data is returned through each layer of the architecture until it reaches the WMI
client application.
Specifying Kernel WMI Object Security in an INF File
Installation with an INF file is the only supported method to provide security
descriptors for kernel WMI objects. A driver package to be installed on Windows
Server 2003 and later versions of Windows, including Microsoft Windows Vista™,
can provide security descriptors for kernel WMI objects by adding a WMI install
section to the INF file in the driver package, as described in the WDK. The WMI
install section is parsed automatically when the driver is installed.
System firmware that exposes kernel WMI objects from the ACPI-WMI mapping
driver might not have a separate device driver and INF to install. If security
permission changes are required for these kernel WMI objects, the manufacturer
must create an INF file as described in this paper and then use an application or
service on the system to install the file.
INF File Directives for Kernel WMI Object Security
Windows Server 2003 and later versions of Microsoft Windows, including Windows
Vista, support an install section and INF directives for specifying WMI security
descriptors for kernel WMI objects. The default security descriptor, which allows
only users who are members of the Local Administrators group to access kernel
WMI objects, is recommended for most scenarios.
For scenarios in which the object requires a different security descriptor, the
following INF directives can be used to enable users who are not members of the
Local Administrators group to access kernel WMI objects.
[install-section-name.WMI] |
[install-section-name.nt.WMI] |
[install-section-name.ntx86.WMI] |
[install-section-name.ntia64.WMI] | (Windows XP and later)
[install-section-name.ntamd64.WMI] (Windows XP and later)
WMIInterface={WmiClassGUID}, [flags,] WMI-class-section
Each WMI install section must have one or more WMIInterface directives. There
must be one WMIInterface directive for each WMI object that requires a security
descriptor that is different from the built-in security descriptor.
The WMIInterface directive specifies the GUID of the WMI object to which the new
security descriptor applies, a set of bit flags, and an INF section that contains the
new security descriptor. The GUID in the WMIInterface directive matches the GUID
of the WMI object that is defined in the device driver and in the MOF schema for the
device driver. For WMI objects that are exposed by the ACPI-WMI mapping driver,
the GUID matches the GUID in the ACPI _WDG data block, which is required by
the ACPI-WMI mapping driver.
The flags component of the WMIInterface directive is optional. If flags is specified,
it must be 1 (SCWMI_CLOBBER_SECURITY). If SCWMI_CLOBBER_SECURITY
is set, the security descriptor must be applied to the kernel WMI object, even if a
security descriptor has been previously specified.
The WMI-class-section component of the WMIInterface directive must contain the
name of a section that contains a Security directive to specify the security
descriptor for the kernel WMI object.
A single WMI install section can contain multiple WMIInterface directives. However,
each WMIInterface directive must have a unique WmiClassGUID.
[WMI-class-section]
Security = "SDDL_String"
The WMI-class-section INF section must contain a single Security directive that
specifies a security descriptor in Security Descriptor Definition Language (SDDL)
syntax. The SDDL string specifies which users and groups can access the kernel
WMI object.
Example INF File That Specifies Security Descriptors
The following example INF file shows how to set a security descriptor for two kernel
WMI objects.
• The GUID for the first kernel WMI object is
  {11111111-1111-1111-1111-111111111111}. Its security descriptor is set to allow
  all access to all Authenticated Users.
• The GUID for the second kernel WMI object is
  {22222222-2222-2222-2222-222222222222}. Its security descriptor is set to allow
  read-only access to all Authenticated Users.
This example INF file would be sufficient for kernel WMI objects that are exposed
by system firmware. For kernel WMI objects that are exposed by a kernel-mode
device driver, these WMI-specific sections should be added to an existing INF file in
the driver installation package.
[Version]
Signature="$Windows NT$"
[InstallTest.NT.WMI]
WMIInterface = {11111111-1111-1111-1111-111111111111},1,WMIAllAu
WMIInterface = {22222222-2222-2222-2222-222222222222},1,WMIRoAu
[WMIAllAu]
security = "O:BAG:BAD:(A;;GA;;;AU)"
[WMIRoAu]
security = "O:BAG:BAD:(A;;GR;;;AU)"
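Added example, not code from the paper: a parser for the WMI install section described above, run on the example INF. It resolves each WMIInterface directive to the Security string in its WMI-class-section, rejects a class section without exactly one Security directive, and applies the entries to a dict that stands in for the per-GUID descriptor store, replacing an existing entry only when the flags include SCWMI_CLOBBER_SECURITY. The INF text embedded below is a constructed copy of the example with straight quotes and two ';' comments added.

```python
import re
SCWMI_CLOBBER_SECURITY = 0x0001
# WMIInterface = {WmiClassGUID}, [flags,] WMI-class-section
WMI_IFACE = re.compile(r"^(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
                       r"\s*,\s*(?:(\d+)\s*,\s*)?([^\s,]+)$")
# Constructed input: the paper's example INF, quotes straightened, two ';' comments added.
EXAMPLE_INF = """[Version]
Signature="$Windows NT$"
[InstallTest.NT.WMI]
WMIInterface = {11111111-1111-1111-1111-111111111111},1,WMIAllAu
WMIInterface = {22222222-2222-2222-2222-222222222222},1,WMIRoAu
[WMIAllAu]
security = "O:BAG:BAD:(A;;GA;;;AU)"   ; full access for Authenticated Users
[WMIRoAu]
security = "O:BAG:BAD:(A;;GR;;;AU)"   ; read-only for Authenticated Users
"""

def strip_comment(line):
    """Drop a ';' comment, but not the ';' separators inside a quoted SDDL."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            return line[:i]
    return line

def parse_inf(text):
    """{section: [(key, value), ...]}; repeated keys such as WMIInterface are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip().strip('"')))
    return sections

def wmi_descriptors(inf):
    """[(guid, flags, sddl)] for every WMIInterface directive in every *.WMI section."""
    found = []
    for name, entries in inf.items():
        if not name.upper().endswith(".WMI"):
            continue
        for key, value in entries:
            if key.lower() != "wmiinterface":
                continue
            m = WMI_IFACE.match(value)
            if not m:
                raise ValueError("malformed WMIInterface directive: " + value)
            guid, flags, section = m.group(1).upper(), int(m.group(2) or 0), m.group(3)
            sddl = [v for k, v in inf.get(section, []) if k.lower() == "security"]
            if len(sddl) != 1:   # the class section must hold a single Security directive
                raise ValueError(section + ": expected exactly one Security directive")
            found.append((guid, flags, sddl[0]))
    return found

def apply_descriptors(entries, store):
    """Write SDDL into `store` (stand-in for the per-GUID descriptor store); an
    existing entry is replaced only when SCWMI_CLOBBER_SECURITY is set."""
    for guid, flags, sddl in entries:
        if guid not in store or flags & SCWMI_CLOBBER_SECURITY:
            store[guid] = sddl
    return store
```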
Installing the INF File
For kernel WMI objects that are exposed by system firmware, the manufacturer
must provide an installation application or service that installs the INF file that
specifies security descriptors for the objects.
The installation application or service must call the
SetupConfigureWmiFromInfSection function to install the INF file.
SetupConfigureWmiFromInfSection has the following syntax:
BOOL SetupConfigureWmiFromInfSection(
HINF InfHandle,
PCWSTR SectionName,
DWORD Flags
);
Parameters
InfHandle
[in] A handle to an open INF file.
SectionName
[in] Name of the section in the INF file that contains WMI security information.
This should be in the form of [DDinstall.WMI].
Flags
[in] This parameter can be set as follows:
Flag                            Meaning
SCWMI_CLOBBER_SECURITY          If and only if this flag is set, the security information that
0x0001                          is passed to this function overrides any security
                                information that is set elsewhere in the INF file.
Return Values
TRUE The function succeeds.
FALSE The function fails. For extended error information, call GetLastError.
An application can use SetupOpenInfFile to open the INF file and retrieve a handle
for use with SetupConfigureWmiFromInfSection.
Note that the INF section name that is specified in the SectionName parameter to
SetupConfigureWmiFromInfSection must match exactly the section name in the INF
file. For example, if the INF file includes a section that is named [Install.WMI], then
the SectionName parameter must be "Install.WMI" and not "Install".
An application or service that installs an INF file for configuring kernel WMI object
security descriptors must be running in the context of a user who is a member of the
Local Administrators group.
Best Practices for Kernel WMI Object Security
If kernel WMI object security permissions must be changed for a specific scenario,
follow these best practices:
• Adjust security permissions only for kernel WMI objects that your device
  driver or system firmware has installed on the system. Do not adjust
  security permissions for kernel WMI objects that are installed as part of the
  basic Windows installation.
• Make only the minimum required security adjustments. For example, if you
  must grant access to all users, grant access to "Authenticated Users" instead of
  "Everyone", and consider granting read-only access instead of full access.
• Carefully consider the impact of granting access to a specific WMI object
  that is based on the properties of that object. For example, it might not be
  desirable for any system user to access a WMI object that controls a network
  device or system firmware configuration settings.
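Added example, not code from the paper, covering both the kernel check in step 4 of the architecture walkthrough and the best practices above: it parses the DACL of an SDDL string, decides whether a token (a set of SID aliases) gets the requested access, falls back to a default when a GUID has no installed descriptor, and flags grants broader than the practices recommend. DEFAULT_SDDL is an assumed stand-in for the built-in administrators-only descriptor, which the paper does not print; the INSTALLED store is constructed from the example INF, and the access walk is a simplification of the Windows algorithm (plain allow/deny ACEs, generic rights only).

```python
import re

# ASSUMED stand-in for the built-in "Local Administrators only" descriptor,
# which the paper says lives in kernel code and does not print.
DEFAULT_SDDL = "O:BAG:BAD:(A;;GA;;;BA)"
RIGHTS = {"GA": {"read", "write", "execute"}, "GR": {"read"},
          "GW": {"write"}, "GX": {"execute"}}      # generic SDDL access rights

# Constructed: the per-GUID store after the paper's example INF is installed.
INSTALLED = {
    "{11111111-1111-1111-1111-111111111111}": "O:BAG:BAD:(A;;GA;;;AU)",
    "{22222222-2222-2222-2222-222222222222}": "O:BAG:BAD:(A;;GR;;;AU)",
}

def parse_aces(sddl):
    """[(ace_type, rights, sid)] from the D: component of an O:/G:/D: SDDL string."""
    parts = {p[0]: p[2:] for p in re.split(r"(?=[OGDS]:)", sddl) if p}
    aces = []
    for body in re.findall(r"\(([^)]*)\)", parts.get("D", "")):
        ace_type, _flags, rights, _obj, _inh, sid = body.split(";")[:6]
        granted = set()
        for i in range(0, len(rights), 2):        # "GRGW" -> GR, GW (hex masks ignored)
            granted |= RIGHTS.get(rights[i:i + 2], set())
        aces.append((ace_type, granted, sid))
    return aces

def access_allowed(sddl, token_sids, wanted):
    """Simplified DACL walk: a deny ACE covering a wanted right for a token SID
    loses; otherwise every wanted right must be allowed to some token SID."""
    allowed = set()
    for ace_type, rights, sid in parse_aces(sddl):
        if sid in token_sids:
            if ace_type == "D" and rights & wanted:
                return False
            if ace_type == "A":
                allowed |= rights
    return wanted <= allowed

def kernel_check(store, guid, token_sids, wanted):
    """Step 4 of the paper: the installed descriptor for this GUID if there is
    one, otherwise the built-in default."""
    return access_allowed(store.get(guid.upper(), DEFAULT_SDDL), token_sids, wanted)

def lint_sddl(sddl):
    """Findings against the paper's best practices: prefer Authenticated Users
    (AU) over Everyone (WD), and read-only over full access for non-admins."""
    findings = []
    for ace_type, rights, sid in parse_aces(sddl):
        if ace_type != "A":
            continue
        if sid == "WD":
            findings.append("grants to Everyone (WD); prefer Authenticated Users (AU)")
        if sid not in ("BA", "SY") and rights - {"read"}:
            findings.append("grants more than read to " + sid + "; consider GR")
    return findings
```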
References
WMI:
Windows Management Instrumentation (WMI)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/anch_wmi.asp
Setting Namespace Security Descriptors
http://msdn.microsoft.com/library/en-us/wmisdk/wmi/setting_namespace_security_descriptors.asp?frame=true
Windows Instrumentation: WMI and ACPI
http://www.microsoft.com/whdc/system/pnppwr/wmi/wmi-acpi.mspx
Setup Applications and INF Files:
Setup Applications
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/setupapi/setup/setup_applications.asp
INF DDInstall.WMI Section
http://msdn.microsoft.com/library/en-us/DevInst_r/hh/DevInst_r/infformat_da4f55aa-0177-4b47-b415-33e64a7c461e.xml.asp?frame=true
SetupConfigureWmiFromInfSection
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/setupapi/setup/setupconfigurewmifrominfsection.asp
SetupOpenInfFile
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/setupapi/setup/setupopeninffile.asp
Security Descriptors:
Security Descriptor Definition Language
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/security_descriptor_definition_language.asp
Specifying a Security Descriptor from an INF File
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/setupapi/setup/specifying_a_security_descriptor_from_an_inf_file.asp