How to: Enable Security in Scripts
By default, calls to the Windows Management Instrumentation (WMI) Provider use the default Windows authentication setting. Although this setting allows only authorized users to use the WMI provider, calls that are sent on the network are not encrypted. If you are calling into WMI remotely, this means the data that is sent between your client and the FIM Synchronization Service server is in cleartext on the network. To protect the data, encrypt any data that is sent on the network by setting the authentication level in the WMI provider call.
You can set the authentication level by using the optional security settings component of the WMI moniker with the appropriate WbemAuthenticationLevelEnum enumeration constant.
Note
Setting the authentication level is a request rather than a command; the server might not honor the request.
The WbemAuthenticationLevelEnum enumeration constants determine the authentication level of the service object. To authenticate all previous impersonation levels and sign and encrypt each data packet, use the WbemAuthenticationLevelPktPrivacy constant.
This topic contains examples that enable security in scripts.
Enabling Security on a Local System
The following Visual Basic Scripting Edition (VBScript) example shows how to create a service object with the recommended authentication level on a local server.
Option Explicit
' The moniker keyword PktPrivacy corresponds to WbemAuthenticationLevelPktPrivacy (6).
Const PktPrivacy = 6
Dim Service
' Request packet privacy (sign and encrypt) for every call on this service object.
Set Service = GetObject("winmgmts:{authenticationLevel=PktPrivacy}!root\MicrosoftIdentityIntegrationServer")
'* Start your script here.
Enabling Security on a Remote System Using the Current User Credentials
The following VBScript example shows how to create a service object with the recommended authentication level on a remote server. The script uses the credentials of the current user. Replace MyServer with the name of the remote server.
Option Explicit
Const WbemAuthenticationLevelPktPrivacy = 6
Dim Locator
Dim Service
Set Locator = CreateObject("WbemScripting.SWbemLocator")
' Set the authentication level on the locator; service objects it creates inherit it.
Locator.Security_.AuthenticationLevel = WbemAuthenticationLevelPktPrivacy
' Connect with the credentials of the user running the script.
Set Service = Locator.ConnectServer("MyServer", "root\MicrosoftIdentityIntegrationServer")
'* Start your script here.
Enabling Security on a Remote System Using Alternative Credentials
The following VBScript example shows how to create a service object with the recommended authentication level on a remote server. Instead of the credentials of the current user, the script passes alternative credentials (a different user name and password) to ConnectServer.
Option Explicit
Const WbemAuthenticationLevelPktPrivacy = 6
Dim Locator
Dim Service
Set Locator = CreateObject("WbemScripting.SWbemLocator")
' Set the authentication level on the locator; service objects it creates inherit it.
Locator.Security_.AuthenticationLevel = WbemAuthenticationLevelPktPrivacy
' Connect with an explicit user name and password instead of the current user's credentials.
Set Service = Locator.ConnectServer("MyServer", "root\MicrosoftIdentityIntegrationServer", "Domain\Me", "MyPassword")
'* Start your script here.
Replace the following placeholder terms with the specified information:
MyServer with the name of the remote server.
Domain\Me with the name of the alternative user.
MyPassword with the password of the alternative user.
Because this script contains a user name and password, store the script in a secure folder that has the same security level as the Forefront Identity Manager Synchronization Service (FIM Synchronization Service) folder. Limit access to this folder.
Security Note: We do not recommend storing user credentials in a script. If you need to run a script under a different user context, in most cases you should use the runas command to run the script. For more information, see How to: Create Scripts to Run Management Agents.
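As an added example that is not part of the original topic, the following VBScript combines the remote-connection pattern above with the guidance in the security note: the server name is read from the command line, the connection uses the calling user's credentials (so a different user context comes from runas rather than from a password stored in the file), and a failed ConnectServer is reported instead of silently ignored. The MIIS_ManagementAgent query at the end, including its Name and Type properties, is an assumption about the namespace and is not taken from this topic.

```vbscript
Option Explicit

Const WbemAuthenticationLevelPktPrivacy = 6
Const WbemImpersonationLevelImpersonate = 3
Const FimNamespace = "root\MicrosoftIdentityIntegrationServer"
Const E_ACCESSDENIED = &H80070005

' Connect to the FIM Synchronization Service namespace with packet privacy
' requested. Uses the caller's credentials, so a different user context is
' supplied with runas rather than a password in the script. Returns Nothing on failure.
Function ConnectFimService(ServerName)
    Dim Locator, Service
    Set ConnectFimService = Nothing
    Set Locator = CreateObject("WbemScripting.SWbemLocator")
    Locator.Security_.AuthenticationLevel = WbemAuthenticationLevelPktPrivacy
    Locator.Security_.ImpersonationLevel = WbemImpersonationLevelImpersonate

    On Error Resume Next
    Set Service = Locator.ConnectServer(ServerName, FimNamespace)
    If Err.Number <> 0 Then
        If Err.Number = E_ACCESSDENIED Then
            WScript.Echo "Access denied on " & ServerName & ": the current account lacks rights to " & FimNamespace
        Else
            WScript.Echo "ConnectServer to " & ServerName & " failed, 0x" & Hex(Err.Number) & ": " & Err.Description
        End If
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0
    Set ConnectFimService = Service
End Function

' Read the server name from the command line; "." means the local computer.
Dim Server, Service, MA
If WScript.Arguments.Count > 0 Then
    Server = WScript.Arguments(0)
Else
    Server = "."
End If

Set Service = ConnectFimService(Server)
If Service Is Nothing Then WScript.Quit 1

' Example use: list the management agents. MIIS_ManagementAgent and its
' Name and Type properties are assumed here, not taken from this topic.
For Each MA In Service.ExecQuery("Select * from MIIS_ManagementAgent")
    WScript.Echo MA.Name & " (" & MA.Type & ")"
Next
```

Run it as `cscript ListAgents.vbs MyServer`, or under runas when the connection must be made as another user.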
See Also
Reference
WbemAuthenticationLevelEnum
Concepts
Creating Scripts
How to: Connect to the WMI Service
How to: Create Scripts to Run Management Agents
Other Resources
Setting Client Application Process Security
Setting the Default Process Security Level Using VBScript
Connecting to WMI on a Remote Computer