// Copyright (c) 2000-2004 Microsoft Corporation // WMI Class Definitions for the Security Configuration Engine // Version 1.0 #pragma autorecover #pragma classflags("forceupdate") #pragma namespace("\\\\.\\root") instance of __Namespace { Name = "Security"; }; #pragma namespace("\\\\.\\root\\Security") instance of __Namespace { Name = "SCE"; }; #pragma namespace("\\\\.\\root\\Security\\SCE") //************************************************************************** //* Declare an instance of the __Win32Provider so as to "register" the //* SCE provider. //************************************************************************** instance of __Win32Provider as $P { Name = "SCEProvider|1.0" ; ClsId = "{bd7570f7-9f0e-4c6b-b525-e078691b6d0e}" ; ImpersonationLevel = 1; PerUserInitialization = TRUE; HostingModel = "NetworkServiceHost"; }; instance of __InstanceProviderRegistration { Provider = $P; SupportsPut = TRUE; SupportsGet = TRUE; SupportsDelete = TRUE; SupportsEnumeration = TRUE; QuerySupportLevels = {"WQL:UnarySelect"}; }; instance of __MethodProviderRegistration { Provider = $P; }; //************************************************************************* //* Class: Sce_Template //* A new template can be physically created by doing a PutInstance on the //* template class or (because we have the storetype with each security //* setting) by doing a PutInstance on a security setting which //* refers to a template that does not physically exist. //************************************************************************* [dynamic, provider("SCEProvider|1.0")] class Sce_Template { [key, DisplayName (""), Description ("")] string Path; [read,write, DisplayName (""), Description ("")] string Description; [read, DisplayName (""), Description ("")] string Sce_Version; [read, DisplayName (""), Description ("")] boolean Readonly; [read, DisplayName (""), Description ("")] boolean Dirty; }; //********************************************************************** //* Class: Sce_Database //* In V1, this class is provided strictly for query support. //* To create or otherwise work with data in a database, use one of the //* methods in the ESC_Operation class. //********************************************************************** [dynamic, provider("SCEProvider|1.0")] class Sce_Database { [key, DisplayName (""), Description ("")] string Path; [read, DisplayName (""), Description ("")] string Description; [read, DisplayName (""), Description ("")] string Sce_Version; [read, DisplayName (""), Description ("")] datetime LastAnalysis; [read, DisplayName (""), Description ("")] datetime LastConfiguration; }; //********************************************************************** //* Class: Sce_Operation //********************************************************************** [dynamic, provider("SCEProvider|1.0")] class Sce_Operation { [static,Implemented] uint32 Import ([in] string TemplatePath, [in] string DatabasePath, [in] uint32 AreaMask, [in] boolean Overwrite = FALSE); [static,Implemented] uint32 Export ([in] string TemplatePath, [in] string DatabasePath, [in] uint32 AreaMask); [static,Implemented] uint32 Configure ([in] string DatabasePath, [in] uint32 AreaMask, [in] string LogFilePath); }; //*********************************************************************** //* Class: Sce_SecuritySetting //* Abstract base class to support database\template queries that span //* all security settings. For example: //* Select * from Sce_SecuritySetting where SceStorePath="foo.bar" //* would result in iterative queries of all the derived classes (below) //* sucy that, in the end, all security settings in the template are //* returned. //* Configurable security items for SCE Pods should also inherit //* from this class so that those data are also returned. //*********************************************************************** [abstract] class Sce_SecuritySetting { [DisplayName ("") : ToSubClass, Description ("") : ToSubClass] string SceStorePath; }; //*********************************************************************** //* Class: Sce_CoreSecuritySetting //* Abstract base class to support database\template queries that span //* all core security settings. For example: //* Select * from Sce_CoreSecuritySetting where SceStorePath="foo.bar" //* would result in iterative queries of all the derived classes (below) //* sucy that, in the end, all core security settings in the template are //* returned (excluding SCE Pods). //*********************************************************************** [abstract] class Sce_CoreSecuritySetting : Sce_SecuritySetting { [DisplayName ("") : ToSubClass, Description ("") : ToSubClass] string SceStorePath; }; //*********************************************************************** //* Class: Sce_PasswordPolicy //* Derived from: Sce_CoreSecuritySetting //*********************************************************************** [dynamic, provider("SCEProvider|1.0")] class Sce_PasswordPolicy : Sce_CoreSecuritySetting { [key] string SceStorePath; [DisplayName (""), Description ("")] uint32 MinAge; [DisplayName (""), Description ("")] uint32 MaxAge; [DisplayName (""), Description ("")] uint32 MinLength; [DisplayName (""), Description ("")] uint32 History; [DisplayName (""), Description ("")] boolean Complexity; [DisplayName (""), Description ("")] boolean StoreClearText; [DisplayName (""), Description ("")] boolean ForceLogoff; [DisplayName (""), Description ("")] boolean LsaLookupPol; [DisplayName (""), Description ("")] boolean DisableAdmin; [DisplayName (""), Description ("")] boolean DisableGuest; }; //*********************************************************************** //* Class: Sce_AccountLockoutPolicy //* Derived from: Sce_CoreSecuritySetting //*********************************************************************** [dynamic, provider("SCEProvider|1.0")] class Sce_AccountLockoutPolicy : Sce_CoreSecuritySetting { [key] string SceStorePath; [DisplayName (""), Description ("")] uint32 Threshold; [DisplayName (""), Description ("")] uint32 Duration; [DisplayName (""), Description ("")] uint32 ResetTimer; }; //*********************************************************************** //* Class: Sce_KerberosPolicy //* Derived from: Sce_CoreSecuritySetting //*********************************************************************** [dynamic, provider("SCEProvider|1.0")] class Sce_KerberosPolicy : Sce_CoreSecuritySetting { [key] string SceStorePath; [DisplayName (""), Description ("in hours")] uint32 MaxTicketAge; [DisplayName (""), Description ("in days")] uint32 MaxRenewAge; [DisplayName (""), Description ("in minutes")] uint32 MaxServiceAge; [DisplayName (""), Description ("in minutes")] uint32 MaxClockSkew; [DisplayName (""), Description ("")] boolean EnforceLogonRestrictions; }; //*********************************************************************** //* Class: Sce_AuditPolicy //* Derived from: Sce_CoreSecuritySetting //*********************************************************************** [dynamic, provider("SCEProvider|1.0")] class Sce_AuditPolicy : Sce_CoreSecuritySetting { [key] string SceStorePath; [key] string Category; //Display information is instance-dependent. [NotNull, DisplayName (""), Description ("")] boolean Success; [NotNull, DisplayName (""), Description ("")] boolean Failure; }; //*********************************************************************** //* Class: Sce_EventLog //* Derived from: Sce_CoreSecuritySetting //*********************************************************************** [dynamic, provider("SCEProvider|1.0")] class Sce_EventLog : Sce_CoreSecuritySetting { [key] string SceStorePath; [key] string Type; //Display information is instance dependent [DisplayName (""), Description ("")] uint32 Size; [Values {"Overwrite Events As Needed", "Overwrite Events by Days", "Do Not Overwrite Events (Clear Log Manually)"}, DisplayName (""), Description ("")] uint32 OverwritePolicy; [DisplayName (""), Description ("")] uint32 RetentionPeriod; [DisplayName (""), Description ("")] boolean RestrictGuestAccess; }; //************************************************************************ //* Class: Sce_RegistryValue //* Derived from: Sce_CoreSecuritySetting //* Question: How do we handle Adding\Removing entries from REG_MULTI_SZ types? //************************************************************************ [dynamic, provider("SCEProvider|1.0")] class Sce_RegistryValue : Sce_CoreSecuritySetting { [key] string SceStorePath; [key] //Display information is instance dependent string Path; [ValueMap {"1","2","3","4","7"}, Values {"REG_SZ", "REG_EXPAND_SZ", "REG_BINARY", "REG_DWORD", "REG_MULTI_SZ"}, NotNull] uint32 Type; [NotNull] string Data; }; //************************************************************************ //* Class: Sce_SecurityOptions //* Derived from: Sce_CoreSecuritySetting //* Security relevant options that aren't registry values. //************************************************************************ [dynamic, provider("SCEProvider|1.0")] class Sce_SecurityOptions : Sce_CoreSecuritySetting { [key] string SceStorePath; [DisplayName (""), Description ("")] string AdministratorAccountName; [DisplayName (""), Description ("")] string AdministratorAccountDescription; //Not currently supported [DisplayName (""), Description ("")] string GuestAccountName; [DisplayName (""), Description ("")] string GuestAccountDescription; //Not currently supported }; //************************************************************************ //* Class: Sce_UserPrivilegeRight //* Derived from: Sce_CoreSecuritySetting //************************************************************************ [dynamic, provider("SCEProvider|1.0")] class Sce_UserPrivilegeRight : Sce_CoreSecuritySetting { [key] string SceStorePath; [key] string UserRight; //Display information is instance-dependent [Values {"AddRemove" , "Set"}] uint32 Mode; [DisplayName (""), Description ("")] string AddList[]; //If Mode=Set, then AddList specifies the complete list [DisplayName (""), Description ("")] string RemoveList[]; //If Mode=Set, then RemoveList is ignored }; //************************************************************************ //* Class: Sce_RestrictedGroup //* Derived from: Sce_CoreSecuritySetting //************************************************************************ [dynamic, provider("SCEProvider|1.0")] class Sce_RestrictedGroup : Sce_CoreSecuritySetting { [key] string SceStorePath; [key] string GroupName; [Values {"AddRemove" , "Set"}] uint32 Mode; string AddList[]; //If Mode=Set, then AddList specifies the complete list string RemoveList[]; //If Mode=Set, then RemoveList is ignored }; //************************************************************************ //* Class: Sce_SystemService //* Derived from: Sce_CoreSecuritySetting //************************************************************************ [dynamic, provider("SCEProvider|1.0")] class Sce_SystemService : Sce_CoreSecuritySetting { [key] string SceStorePath; [key] string Service; [ValueMap {"2", "3", "4"}, Values {"Automatic", "Manual", "Disabled"}] uint32 StartupMode; string SDDLString; }; //************************************************************************ //* Class: Sce_FileObject //* Derived from: Sce_CoreSecuritySetting //************************************************************************ [dynamic, provider("SCEProvider|1.0")] class Sce_FileObject : Sce_CoreSecuritySetting { [key] string SceStorePath; [key] string Path; [Values {"Inherit", "Ignore", "Overwrite"}] uint32 Mode; string SDDLString; }; //************************************************************************ //* Class: Sce_KeyObject //* Derived from: Sce_CoreSecuritySetting //************************************************************************ [dynamic, provider("SCEProvider|1.0")] class Sce_KeyObject : Sce_CoreSecuritySetting { [key] string SceStorePath; [key] string Path; [Values {"Inherit", "Ignore", "Overwrite"}] uint32 Mode; string SDDLString; }; //************************************************************************* //******************** Sce_SupportedSecurityAreas ************************* //* Allows caller to determine specific areas that the current version of //* SCE can configure, import, export. These areas may change over time. //* Will need static instances for v1. class Sce_SupportedSecurityAreas { [key] string areaname; uint32 bitmask; }; instance of Sce_SupportedSecurityAreas { areaname = "Security Policy"; bitmask = 0x1; }; instance of Sce_SupportedSecurityAreas { areaname = "Group Membership"; bitmask = 0x4; }; instance of Sce_SupportedSecurityAreas { areaname = "Privilege Rights"; bitmask = 0x8; }; instance of Sce_SupportedSecurityAreas { areaname = "Registry Key Security"; bitmask = 0x20; }; instance of Sce_SupportedSecurityAreas { areaname = "File Security"; bitmask = 0x40; }; instance of Sce_SupportedSecurityAreas { areaname = "System Service Security"; bitmask = 0x80; }; instance of Sce_SupportedSecurityAreas { areaname = "Security Extensions"; bitmask = 0x8000; }; instance of Sce_SupportedSecurityAreas { areaname = "All Areas"; bitmask = 0xFFFF; }; //******************** Sce_SupportedAuditCategories *********************** //*Allows caller to enumerate the Audit Categories which can be configured //*by SCE as well as their freindly names for display. //*Will need static instances for v1. class Sce_SupportedAuditCategories { [key] string CategoryName; string DisplayName; }; instance of Sce_SupportedAuditCategories { CategoryName = "AuditSystemEvents"; DisplayName = "Audit system events"; }; instance of Sce_SupportedAuditCategories { CategoryName = "AuditLogonEvents"; DisplayName = "Audit logon events"; }; instance of Sce_SupportedAuditCategories { CategoryName = "AuditObjectAccess"; DisplayName = "Audit object access"; }; instance of Sce_SupportedAuditCategories { CategoryName = "AuditPrivilegeUse"; DisplayName = "Audit privilege use"; }; instance of Sce_SupportedAuditCategories { CategoryName = "AuditPolicyChange"; DisplayName = "Audit policy change"; }; instance of Sce_SupportedAuditCategories { CategoryName = "AuditAccountManage"; DisplayName = "Audit account management"; }; instance of Sce_SupportedAuditCategories { CategoryName = "AuditProcessTracking"; DisplayName = "Audit process tracking"; }; instance of Sce_SupportedAuditCategories { CategoryName = "AuditDSAccess"; DisplayName = "Audit directory service access"; }; instance of Sce_SupportedAuditCategories { CategoryName = "AuditAccountLogon"; DisplayName = "Audit account logon events"; }; //******************** Sce_SupportedEventLogTypes ************************* //*Allows caller to enumerate the types of EventLogs which can be configured //*by SCE (e.g. System, Application, Security). //*Will need static instances for v1. class Sce_SupportedEventLogTypes { [key] string TypeName; }; instance of Sce_SupportedEventLogTypes { TypeName = "Application Log"; }; instance of Sce_SupportedEventLogTypes { TypeName = "System Log"; }; instance of Sce_SupportedEventLogTypes { TypeName = "Security Log"; }; //******************** Sce_KnownRegistryValues *************************** //*Provides caller with display properties for security relevant registry //*values as specified in sceregvl.inf. For example: //* PathName="MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel" //* TypeName=4 //* DisplayName="LAN Manager Authentication Level" //* DisplayDialog=3 //* DisplayChoice=["Send NT and LM Responses", "Send NTLM response only",...] //* DisplayChoiceValue=["0","2",...] [dynamic, provider("SCEProvider|1.0")] class Sce_KnownRegistryValues { [key] string PathName; [ValueMap {"1","2","3","4","7"}, Values {"REG_SZ", "REG_EXPAND_SZ", "REG_BINARY", "REG_DWORD", "REG_MULTI_SZ"}] uint32 Type; string DisplayName; [Values {"Boolean", "Numeric", "String", "Choices"}] uint32 DisplayDialog; string DisplayChoice[]; //Valid only if DisplayDialog is "Choices" string DisplayChoiceResult[]; //Corresponding value stored for a given choice string Units; //Valid only if DisplayDialog is "Numeric" }; //******************** Sce_SupportedUserRights ************************* //* Base class for allowing caller to enumerate the privileges and //* rights that that can be configured by SCE. [abstract] class Sce_SupportedUserRights { string RightName; }; //******************** Sce_SupportedPrivileges ************************* //*Allows caller to enumerate the types of Privileges which can be //*configured by SCE. [dynamic, provider("SCEProvider|1.0")] class Sce_SupportedPrivileges : Sce_SupportedUserRights { [key] string RightName; string DisplayName; }; //******************** Sce_SupportedRights ************************* //*Allows caller to enumerate the types of Rights which can be //*configured by SCE. //*Will need static instances for the eight nonqueryable rights on NT. class Sce_SupportedRights : Sce_SupportedUserRights { [key] string RightName; string DisplayName; }; instance of Sce_SupportedRights { RightName = "SeInteractiveLogonRight"; DisplayName = "Logon locally"; }; instance of Sce_SupportedRights { RightName = "SeNetworkLogonRight"; DisplayName = "Access this computer from network"; }; instance of Sce_SupportedRights { RightName = "SeBatchLogonRight"; DisplayName = "Logon as a batch"; }; instance of Sce_SupportedRights { RightName = "SeServiceLogonRight"; DisplayName = "Logon as a service"; }; instance of Sce_SupportedRights { RightName = "SeDenyInteractiveLogonRight"; DisplayName = "Deny logon locally"; }; instance of Sce_SupportedRights { RightName = "SeDenyNetworkLogonRight"; DisplayName = "Deny access this computer from network"; }; instance of Sce_SupportedRights { RightName = "SeDenyBatchLogonRight"; DisplayName = "Deny logon as a batch"; }; instance of Sce_SupportedRights { RightName = "SeDenyServiceLogonRight"; DisplayName = "Deny logon as a service"; }; //******************** Sce_SupportedServices *********************** //* ServiceNames and their corresponding DisplayNames can be queried //* From the XXXXXX class in the CIMv2 namespace. //**************************************************************************** //******************** Sce_PodData ******************************************* //* This class is used by SCE Pods to Set\Get data To\From an SCE Store. [dynamic, provider("SCEProvider|1.0")] Class Sce_PodData { [key] string SceStorePath; [key] string PodID; //GUID [key] string PodSection; [key] string Key; //A specific configurable item within a Pod Section string Value; //Data for the specic configurable item. }; //******************** Sce_PodConfigurationLogRecord ********************************* //* In V1, this class is provided for SCE Pods so that they may add entries //* to the log file during configuration. They do this via PutInstance. [dynamic, provider("SCEProvider|1.0")] class Sce_ConfigurationLogRecord { [key] string LogFilePath; string LogArea; string Action; string ErrorCause; string ObjectDetail; string ParameterDetail; uint32 LogErrorCode; }; //******************** Sce_Pod ********************************************** //All SCE Pods must implement the configure method. [abstract] class Sce_Pod { string PodID; [static] uint32 Configure ([in] string SceStorePath, [in] string LogFilePath); //Pod must implement }; //******************** Sce_EmbedFO ****************************************** // this is the base class that enables SCE provider to use foreign objects [abstract] class Sce_EmbedFO { string SceStorePath; [static] string ForeignNamespace; [static] string ForeignClassName; [static] string Sce_Configure_Method = "Sce_MethodCall_PutInstance()"; uint32 Configure([in] string LogFilePath); }; // this class determines the sequencing of embedded classes for a particular method // The smaller the priority value of the class, the higher its method execution priority. // Order member is a ':' delimited string of class names class Sce_Sequence { [key] string Method; [key] uint32 Priority; string Order; }; // this class controls the per template sequencing [dynamic, provider("SCEProvider|1.0")] class Sce_ClassOrder { [key] string SceStorePath; string ClassOrder; // colon delimited class names }; // this class controls the logging detail levels. class Sce_LogOptions { [Values {"None", "ErrorOnly", "SuccessOnly", "ErrorAndSuccess"}, read] uint16 LogErrorType = 1; // 0 for none, 1 for ErrorOnly, 2 for SuccessOnly, 3 for ErrorAndSuccess boolean Verbose = 1; // default to true }; // Per template token. This will be used to identify information deposited // by our method execution so that we can do rollbacks [dynamic, provider("SCEProvider|1.0")] class Sce_TransactionID { [key] string SceStorePath; string TranxGuid; }; //--------------------------------------------------------------------------- // Transaction token passed to WMI to record a transaction boundary [dynamic, provider("SCEProvider|1.0")] class Sce_TransactionToken { [key] string TranxGuid; };