// Copyright (c) 2000-2004 Microsoft Corporation
// WMI Class Definitions for the Security Configuration Engine
// Version 1.0
#pragma autorecover
#pragma classflags("forceupdate")
#pragma namespace("\\\\.\\root")
instance of __Namespace
{
Name = "Security";
};
#pragma namespace("\\\\.\\root\\Security")
instance of __Namespace
{
Name = "SCE";
};
#pragma namespace("\\\\.\\root\\Security\\SCE")
//**************************************************************************
//* Declare an instance of the __Win32Provider so as to "register" the
//* SCE provider.
//**************************************************************************
instance of __Win32Provider as $P
{
Name = "SCEProvider|1.0" ;
ClsId = "{bd7570f7-9f0e-4c6b-b525-e078691b6d0e}" ;
ImpersonationLevel = 1;
PerUserInitialization = TRUE;
HostingModel = "NetworkServiceHost";
};
instance of __InstanceProviderRegistration
{
Provider = $P;
SupportsPut = TRUE;
SupportsGet = TRUE;
SupportsDelete = TRUE;
SupportsEnumeration = TRUE;
QuerySupportLevels = {"WQL:UnarySelect"};
};
instance of __MethodProviderRegistration
{
Provider = $P;
};
//*************************************************************************
//* Class: Sce_Template
//* A new template can be physically created by doing a PutInstance on the
//* template class or (because we have the storetype with each security
//* setting) by doing a PutInstance on a security setting which
//* refers to a template that does not physically exist.
//*************************************************************************
[dynamic, provider("SCEProvider|1.0")]
class Sce_Template
{
[key, DisplayName (""), Description ("")]
string Path;
[read,write, DisplayName (""), Description ("")]
string Description;
[read, DisplayName (""), Description ("")]
string Sce_Version;
[read, DisplayName (""), Description ("")]
boolean Readonly;
[read, DisplayName (""), Description ("")]
boolean Dirty;
};
//**********************************************************************
//* Class: Sce_Database
//* In V1, this class is provided strictly for query support.
//* To create or otherwise work with data in a database, use one of the
//* methods in the ESC_Operation class.
//**********************************************************************
[dynamic, provider("SCEProvider|1.0")]
class Sce_Database
{
[key, DisplayName (""), Description ("")]
string Path;
[read, DisplayName (""), Description ("")]
string Description;
[read, DisplayName (""), Description ("")]
string Sce_Version;
[read, DisplayName (""), Description ("")]
datetime LastAnalysis;
[read, DisplayName (""), Description ("")]
datetime LastConfiguration;
};
//**********************************************************************
//* Class: Sce_Operation
//**********************************************************************
[dynamic, provider("SCEProvider|1.0")]
class Sce_Operation
{
[static,Implemented] uint32 Import ([in] string TemplatePath, [in] string DatabasePath, [in] uint32 AreaMask, [in] boolean Overwrite = FALSE);
[static,Implemented] uint32 Export ([in] string TemplatePath, [in] string DatabasePath, [in] uint32 AreaMask);
[static,Implemented] uint32 Configure ([in] string DatabasePath, [in] uint32 AreaMask, [in] string LogFilePath);
};
//***********************************************************************
//* Class: Sce_SecuritySetting
//* Abstract base class to support database\template queries that span
//* all security settings. For example:
//* Select * from Sce_SecuritySetting where SceStorePath="foo.bar"
//* would result in iterative queries of all the derived classes (below)
//* sucy that, in the end, all security settings in the template are
//* returned.
//* Configurable security items for SCE Pods should also inherit
//* from this class so that those data are also returned.
//***********************************************************************
[abstract]
class Sce_SecuritySetting
{
[DisplayName ("") : ToSubClass, Description ("") : ToSubClass]
string SceStorePath;
};
//***********************************************************************
//* Class: Sce_CoreSecuritySetting
//* Abstract base class to support database\template queries that span
//* all core security settings. For example:
//* Select * from Sce_CoreSecuritySetting where SceStorePath="foo.bar"
//* would result in iterative queries of all the derived classes (below)
//* sucy that, in the end, all core security settings in the template are
//* returned (excluding SCE Pods).
//***********************************************************************
[abstract]
class Sce_CoreSecuritySetting : Sce_SecuritySetting
{
[DisplayName ("") : ToSubClass, Description ("") : ToSubClass]
string SceStorePath;
};
//***********************************************************************
//* Class: Sce_PasswordPolicy
//* Derived from: Sce_CoreSecuritySetting
//***********************************************************************
[dynamic, provider("SCEProvider|1.0")]
class Sce_PasswordPolicy : Sce_CoreSecuritySetting
{
[key]
string SceStorePath;
[DisplayName (""), Description ("")]
uint32 MinAge;
[DisplayName (""), Description ("")]
uint32 MaxAge;
[DisplayName (""), Description ("")]
uint32 MinLength;
[DisplayName (""), Description ("")]
uint32 History;
[DisplayName (""), Description ("")]
boolean Complexity;
[DisplayName (""), Description ("")]
boolean StoreClearText;
[DisplayName (""), Description ("")]
boolean ForceLogoff;
[DisplayName (""), Description ("")]
boolean LsaLookupPol;
[DisplayName (""), Description ("")]
boolean DisableAdmin;
[DisplayName (""), Description ("")]
boolean DisableGuest;
};
//***********************************************************************
//* Class: Sce_AccountLockoutPolicy
//* Derived from: Sce_CoreSecuritySetting
//***********************************************************************
[dynamic, provider("SCEProvider|1.0")]
class Sce_AccountLockoutPolicy : Sce_CoreSecuritySetting
{
[key]
string SceStorePath;
[DisplayName (""), Description ("")]
uint32 Threshold;
[DisplayName (""), Description ("")]
uint32 Duration;
[DisplayName (""), Description ("")]
uint32 ResetTimer;
};
//***********************************************************************
//* Class: Sce_KerberosPolicy
//* Derived from: Sce_CoreSecuritySetting
//***********************************************************************
[dynamic, provider("SCEProvider|1.0")]
class Sce_KerberosPolicy : Sce_CoreSecuritySetting
{
[key]
string SceStorePath;
[DisplayName (""), Description ("in hours")]
uint32 MaxTicketAge;
[DisplayName (""), Description ("in days")]
uint32 MaxRenewAge;
[DisplayName (""), Description ("in minutes")]
uint32 MaxServiceAge;
[DisplayName (""), Description ("in minutes")]
uint32 MaxClockSkew;
[DisplayName (""), Description ("")]
boolean EnforceLogonRestrictions;
};
//***********************************************************************
//* Class: Sce_AuditPolicy
//* Derived from: Sce_CoreSecuritySetting
//***********************************************************************
[dynamic, provider("SCEProvider|1.0")]
class Sce_AuditPolicy : Sce_CoreSecuritySetting
{
[key]
string SceStorePath;
[key]
string Category; //Display information is instance-dependent.
[NotNull, DisplayName (""), Description ("")]
boolean Success;
[NotNull, DisplayName (""), Description ("")]
boolean Failure;
};
//***********************************************************************
//* Class: Sce_EventLog
//* Derived from: Sce_CoreSecuritySetting
//***********************************************************************
[dynamic, provider("SCEProvider|1.0")]
class Sce_EventLog : Sce_CoreSecuritySetting
{
[key]
string SceStorePath;
[key]
string Type; //Display information is instance dependent
[DisplayName (""), Description ("")]
uint32 Size;
[Values {"Overwrite Events As Needed", "Overwrite Events by Days", "Do Not Overwrite Events (Clear Log Manually)"}, DisplayName (""), Description ("")]
uint32 OverwritePolicy;
[DisplayName (""), Description ("")]
uint32 RetentionPeriod;
[DisplayName (""), Description ("")]
boolean RestrictGuestAccess;
};
//************************************************************************
//* Class: Sce_RegistryValue
//* Derived from: Sce_CoreSecuritySetting
//* Question: How do we handle Adding\Removing entries from REG_MULTI_SZ types?
//************************************************************************
[dynamic, provider("SCEProvider|1.0")]
class Sce_RegistryValue : Sce_CoreSecuritySetting
{
[key]
string SceStorePath;
[key] //Display information is instance dependent
string Path;
[ValueMap {"1","2","3","4","7"}, Values {"REG_SZ", "REG_EXPAND_SZ", "REG_BINARY", "REG_DWORD", "REG_MULTI_SZ"}, NotNull]
uint32 Type;
[NotNull]
string Data;
};
//************************************************************************
//* Class: Sce_SecurityOptions
//* Derived from: Sce_CoreSecuritySetting
//* Security relevant options that aren't registry values.
//************************************************************************
[dynamic, provider("SCEProvider|1.0")]
class Sce_SecurityOptions : Sce_CoreSecuritySetting
{
[key]
string SceStorePath;
[DisplayName (""), Description ("")]
string AdministratorAccountName;
[DisplayName (""), Description ("")]
string AdministratorAccountDescription; //Not currently supported
[DisplayName (""), Description ("")]
string GuestAccountName;
[DisplayName (""), Description ("")]
string GuestAccountDescription; //Not currently supported
};
//************************************************************************
//* Class: Sce_UserPrivilegeRight
//* Derived from: Sce_CoreSecuritySetting
//************************************************************************
[dynamic, provider("SCEProvider|1.0")]
class Sce_UserPrivilegeRight : Sce_CoreSecuritySetting
{
[key]
string SceStorePath;
[key]
string UserRight; //Display information is instance-dependent
[Values {"AddRemove" , "Set"}]
uint32 Mode;
[DisplayName (""), Description ("")]
string AddList[]; //If Mode=Set, then AddList specifies the complete list
[DisplayName (""), Description ("")]
string RemoveList[]; //If Mode=Set, then RemoveList is ignored
};
//************************************************************************
//* Class: Sce_RestrictedGroup
//* Derived from: Sce_CoreSecuritySetting
//************************************************************************
[dynamic, provider("SCEProvider|1.0")]
class Sce_RestrictedGroup : Sce_CoreSecuritySetting
{
[key] string SceStorePath;
[key] string GroupName;
[Values {"AddRemove" , "Set"}]
uint32 Mode;
string AddList[]; //If Mode=Set, then AddList specifies the complete list
string RemoveList[]; //If Mode=Set, then RemoveList is ignored
};
//************************************************************************
//* Class: Sce_SystemService
//* Derived from: Sce_CoreSecuritySetting
//************************************************************************
[dynamic, provider("SCEProvider|1.0")]
class Sce_SystemService : Sce_CoreSecuritySetting
{
[key] string SceStorePath;
[key] string Service;
[ValueMap {"2", "3", "4"}, Values {"Automatic", "Manual", "Disabled"}]
uint32 StartupMode;
string SDDLString;
};
//************************************************************************
//* Class: Sce_FileObject
//* Derived from: Sce_CoreSecuritySetting
//************************************************************************
[dynamic, provider("SCEProvider|1.0")]
class Sce_FileObject : Sce_CoreSecuritySetting
{
[key] string SceStorePath;
[key] string Path;
[Values {"Inherit", "Ignore", "Overwrite"}]
uint32 Mode;
string SDDLString;
};
//************************************************************************
//* Class: Sce_KeyObject
//* Derived from: Sce_CoreSecuritySetting
//************************************************************************
[dynamic, provider("SCEProvider|1.0")]
class Sce_KeyObject : Sce_CoreSecuritySetting
{
[key] string SceStorePath;
[key] string Path;
[Values {"Inherit", "Ignore", "Overwrite"}]
uint32 Mode;
string SDDLString;
};
//*************************************************************************
//******************** Sce_SupportedSecurityAreas *************************
//* Allows caller to determine specific areas that the current version of
//* SCE can configure, import, export. These areas may change over time.
//* Will need static instances for v1.
class Sce_SupportedSecurityAreas
{
[key] string areaname;
uint32 bitmask;
};
instance of Sce_SupportedSecurityAreas
{
areaname = "Security Policy";
bitmask = 0x1;
};
instance of Sce_SupportedSecurityAreas
{
areaname = "Group Membership";
bitmask = 0x4;
};
instance of Sce_SupportedSecurityAreas
{
areaname = "Privilege Rights";
bitmask = 0x8;
};
instance of Sce_SupportedSecurityAreas
{
areaname = "Registry Key Security";
bitmask = 0x20;
};
instance of Sce_SupportedSecurityAreas
{
areaname = "File Security";
bitmask = 0x40;
};
instance of Sce_SupportedSecurityAreas
{
areaname = "System Service Security";
bitmask = 0x80;
};
instance of Sce_SupportedSecurityAreas
{
areaname = "Security Extensions";
bitmask = 0x8000;
};
instance of Sce_SupportedSecurityAreas
{
areaname = "All Areas";
bitmask = 0xFFFF;
};
//******************** Sce_SupportedAuditCategories ***********************
//*Allows caller to enumerate the Audit Categories which can be configured
//*by SCE as well as their freindly names for display.
//*Will need static instances for v1.
class Sce_SupportedAuditCategories
{
[key] string CategoryName;
string DisplayName;
};
instance of Sce_SupportedAuditCategories
{
CategoryName = "AuditSystemEvents";
DisplayName = "Audit system events";
};
instance of Sce_SupportedAuditCategories
{
CategoryName = "AuditLogonEvents";
DisplayName = "Audit logon events";
};
instance of Sce_SupportedAuditCategories
{
CategoryName = "AuditObjectAccess";
DisplayName = "Audit object access";
};
instance of Sce_SupportedAuditCategories
{
CategoryName = "AuditPrivilegeUse";
DisplayName = "Audit privilege use";
};
instance of Sce_SupportedAuditCategories
{
CategoryName = "AuditPolicyChange";
DisplayName = "Audit policy change";
};
instance of Sce_SupportedAuditCategories
{
CategoryName = "AuditAccountManage";
DisplayName = "Audit account management";
};
instance of Sce_SupportedAuditCategories
{
CategoryName = "AuditProcessTracking";
DisplayName = "Audit process tracking";
};
instance of Sce_SupportedAuditCategories
{
CategoryName = "AuditDSAccess";
DisplayName = "Audit directory service access";
};
instance of Sce_SupportedAuditCategories
{
CategoryName = "AuditAccountLogon";
DisplayName = "Audit account logon events";
};
//******************** Sce_SupportedEventLogTypes *************************
//*Allows caller to enumerate the types of EventLogs which can be configured
//*by SCE (e.g. System, Application, Security).
//*Will need static instances for v1.
class Sce_SupportedEventLogTypes
{
[key] string TypeName;
};
instance of Sce_SupportedEventLogTypes
{
TypeName = "Application Log";
};
instance of Sce_SupportedEventLogTypes
{
TypeName = "System Log";
};
instance of Sce_SupportedEventLogTypes
{
TypeName = "Security Log";
};
//******************** Sce_KnownRegistryValues ***************************
//*Provides caller with display properties for security relevant registry
//*values as specified in sceregvl.inf. For example:
//* PathName="MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"
//* TypeName=4
//* DisplayName="LAN Manager Authentication Level"
//* DisplayDialog=3
//* DisplayChoice=["Send NT and LM Responses", "Send NTLM response only",...]
//* DisplayChoiceValue=["0","2",...]
[dynamic, provider("SCEProvider|1.0")]
class Sce_KnownRegistryValues
{
[key] string PathName;
[ValueMap {"1","2","3","4","7"}, Values {"REG_SZ", "REG_EXPAND_SZ", "REG_BINARY", "REG_DWORD", "REG_MULTI_SZ"}]
uint32 Type;
string DisplayName;
[Values {"Boolean", "Numeric", "String", "Choices"}]
uint32 DisplayDialog;
string DisplayChoice[]; //Valid only if DisplayDialog is "Choices"
string DisplayChoiceResult[]; //Corresponding value stored for a given choice
string Units; //Valid only if DisplayDialog is "Numeric"
};
//******************** Sce_SupportedUserRights *************************
//* Base class for allowing caller to enumerate the privileges and
//* rights that that can be configured by SCE.
[abstract]
class Sce_SupportedUserRights
{
string RightName;
};
//******************** Sce_SupportedPrivileges *************************
//*Allows caller to enumerate the types of Privileges which can be
//*configured by SCE.
[dynamic, provider("SCEProvider|1.0")]
class Sce_SupportedPrivileges : Sce_SupportedUserRights
{
[key] string RightName;
string DisplayName;
};
//******************** Sce_SupportedRights *************************
//*Allows caller to enumerate the types of Rights which can be
//*configured by SCE.
//*Will need static instances for the eight nonqueryable rights on NT.
class Sce_SupportedRights : Sce_SupportedUserRights
{
[key] string RightName;
string DisplayName;
};
instance of Sce_SupportedRights
{
RightName = "SeInteractiveLogonRight";
DisplayName = "Logon locally";
};
instance of Sce_SupportedRights
{
RightName = "SeNetworkLogonRight";
DisplayName = "Access this computer from network";
};
instance of Sce_SupportedRights
{
RightName = "SeBatchLogonRight";
DisplayName = "Logon as a batch";
};
instance of Sce_SupportedRights
{
RightName = "SeServiceLogonRight";
DisplayName = "Logon as a service";
};
instance of Sce_SupportedRights
{
RightName = "SeDenyInteractiveLogonRight";
DisplayName = "Deny logon locally";
};
instance of Sce_SupportedRights
{
RightName = "SeDenyNetworkLogonRight";
DisplayName = "Deny access this computer from network";
};
instance of Sce_SupportedRights
{
RightName = "SeDenyBatchLogonRight";
DisplayName = "Deny logon as a batch";
};
instance of Sce_SupportedRights
{
RightName = "SeDenyServiceLogonRight";
DisplayName = "Deny logon as a service";
};
//******************** Sce_SupportedServices ***********************
//* ServiceNames and their corresponding DisplayNames can be queried
//* From the XXXXXX class in the CIMv2 namespace.
//****************************************************************************
//******************** Sce_PodData *******************************************
//* This class is used by SCE Pods to Set\Get data To\From an SCE Store.
[dynamic, provider("SCEProvider|1.0")]
Class Sce_PodData
{
[key] string SceStorePath;
[key] string PodID; //GUID
[key] string PodSection;
[key] string Key; //A specific configurable item within a Pod Section
string Value; //Data for the specic configurable item.
};
//******************** Sce_PodConfigurationLogRecord *********************************
//* In V1, this class is provided for SCE Pods so that they may add entries
//* to the log file during configuration. They do this via PutInstance.
[dynamic, provider("SCEProvider|1.0")]
class Sce_ConfigurationLogRecord
{
[key] string LogFilePath;
string LogArea;
string Action;
string ErrorCause;
string ObjectDetail;
string ParameterDetail;
uint32 LogErrorCode;
};
//******************** Sce_Pod **********************************************
//All SCE Pods must implement the configure method.
[abstract]
class Sce_Pod
{
string PodID;
[static] uint32 Configure ([in] string SceStorePath, [in] string LogFilePath); //Pod must implement
};
//******************** Sce_EmbedFO ******************************************
// this is the base class that enables SCE provider to use foreign objects
[abstract]
class Sce_EmbedFO
{
string SceStorePath;
[static] string ForeignNamespace;
[static] string ForeignClassName;
[static] string Sce_Configure_Method = "Sce_MethodCall_PutInstance()";
uint32 Configure([in] string LogFilePath);
};
// this class determines the sequencing of embedded classes for a particular method
// The smaller the priority value of the class, the higher its method execution priority.
// Order member is a ':' delimited string of class names
class Sce_Sequence
{
[key] string Method;
[key] uint32 Priority;
string Order;
};
// this class controls the per template sequencing
[dynamic, provider("SCEProvider|1.0")]
class Sce_ClassOrder
{
[key] string SceStorePath;
string ClassOrder; // colon delimited class names
};
// this class controls the logging detail levels.
class Sce_LogOptions
{
[Values {"None", "ErrorOnly", "SuccessOnly", "ErrorAndSuccess"}, read]
uint16 LogErrorType = 1; // 0 for none, 1 for ErrorOnly, 2 for SuccessOnly, 3 for ErrorAndSuccess
boolean Verbose = 1; // default to true
};
// Per template token. This will be used to identify information deposited
// by our method execution so that we can do rollbacks
[dynamic, provider("SCEProvider|1.0")]
class Sce_TransactionID
{
[key] string SceStorePath;
string TranxGuid;
};
//---------------------------------------------------------------------------
// Transaction token passed to WMI to record a transaction boundary
[dynamic, provider("SCEProvider|1.0")]
class Sce_TransactionToken
{
[key] string TranxGuid;
};