{"id":1081,"date":"2015-06-29T12:31:00","date_gmt":"2015-06-29T12:31:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/powershell\/2015\/06\/29\/use-dsc-to-manage-wmi-namespace-security\/"},"modified":"2019-02-28T09:41:15","modified_gmt":"2019-02-28T17:41:15","slug":"use-dsc-to-manage-wmi-namespace-security","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/powershell\/use-dsc-to-manage-wmi-namespace-security\/","title":{"rendered":"Use DSC to manage WMI namespace security"},"content":{"rendered":"
Almost 6 years ago, I wrote some PowerShell scripts in a multi-part series<\/a> explaining WMI namespace security and also how to manage them using PowerShell. If you’re not familiar with WMI namespace security, I recommend reading the blog posts above or even as a refresher.\nI received some feedback fairly recently about some issues and this presented itself as an opportunity for me to revisit this topic, but rewrite it as a DSC<\/a> resource using the new PowerShell Classes<\/a> syntax.\nSince I’m using PowerShell classes, you’ll need either Windows 10<\/a>, Windows Server 2016 Preview<\/a>, or Windows Management Framework 5.0<\/a> installed.\nUsing DSC, you can configure WMI namespace security much more simply using a declarative language:<\/p>\n
\n
configuration Sample {\r\n    Import-DSCResource -ModuleName WmiNamespaceSecurity\r\n    WMINamespaceSecurity Jason {\r\n        Path = \"root\/cimv2\"\r\n        Principal = \"Jason\"\r\n        AppliesTo = \"Self\"\r\n        AccessType = \"Allow\"\r\n        Permission = \"Enable\", \"MethodExecute\", \"ProviderWrite\"\r\n        Ensure = \"Present\"\r\n    }\r\n    WMINamespaceSecurity Steve {\r\n        Path = \"root\/cimv2\"\r\n        Principal = \"Contoso\\Steve\"\r\n        AppliesTo = \"Children\"\r\n        AccessType = \"Deny\"\r\n        Permission = \"Enable\", \"MethodExecute\", \"ProviderWrite\", \"RemoteAccess\"\r\n        Ensure = \"Present\"\r\n    }\r\n}<\/pre>\n
 <\/p>\n<\/div>\n
Here, I’m allowing a local user called Jason access to the root\/cimv2 namespace and denying a domain user called Steve from the same namespace. This configuration should be much easier to read and maintain.\nOnce you’ve authored your configuration document, you can execute it like a function and start DSC to apply the resulting mof:<\/p>\n
. .\\Sample.ps1\r\nSample -OutputPath c:\\temp\r\nStart-DSCConfiguration -Path c:\\temp -Wait -Verbose -Force\r\n<\/code><\/pre>\n
If you want to try the sample, be sure to change the principals to real user accounts in your environment, otherwise you’ll get an error when you use Start-DSCConfiguration and this DSC resource gets executed.\nPlease provide feedback, reports bugs, or submit changes as pull requests as issues in the GitHub repository<\/a>.\nIf you just want to use this resource, you can install it from the PowerShell Gallery<\/a>:<\/p>\n
Install-Module WmiNamespaceSecurity -Scope AllUsers\r\n# AllUsers is needed for DSC Local Configuration Manager (LCM) which runs as LocalSystem\r\n<\/code><\/pre>\n
Steve Lee\nPrincipal Software Engineer Manager\nPowerShell Core<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
Almost 6 years ago, I wrote some PowerShell scripts in a multi-part series explaining WMI namespace security and also how to manage them using PowerShell. If you’re not familiar with WMI namespace security, I recommend reading the blog posts above or even as a refresher. I received some feedback fairly recently about some issues and […]<\/p>\n","protected":false},"author":685,"featured_media":13641,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[150,248,26],"class_list":["post-1081","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powershell","tag-dsc","tag-powershell","tag-wmi"],"acf":[],"blog_post_summary":"
Almost 6 years ago, I wrote some PowerShell scripts in a multi-part series explaining WMI namespace security and also how to manage them using PowerShell. If you’re not familiar with WMI namespace security, I recommend reading the blog posts above or even as a refresher. I received some feedback fairly recently about some issues and […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/1081","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/users\/685"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/comments?post=1081"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/1081\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media\/13641"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media?parent=1081"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/categories?post=1081"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/tags?post=1081"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}