// Copyright (c) 2000-2004 Microsoft Corporation
// WMI Class Definitions for the Security Configuration Engine
// Version 1.0

// Compiler directives for mofcomp: "autorecover" adds this file to the list
// that is recompiled if the WMI repository has to be rebuilt; "forceupdate"
// lets an existing class definition be replaced in place even when child
// classes already exist (as long as the change does not conflict with them).
#pragma autorecover
#pragma classflags("forceupdate")


// Create the namespace hierarchy root\Security\SCE. This file sets no
// namespace-level security descriptor, so access to root\Security\SCE is
// governed by the WMI namespace ACL (typically inherited from the parent
// namespace) -- NOTE(review): confirm the intended ACL at deployment.
#pragma namespace("\\\\.\\root")

instance of __Namespace
{
        Name = "Security";
};

#pragma namespace("\\\\.\\root\\Security")

instance of __Namespace
{
        Name = "SCE";
};

#pragma namespace("\\\\.\\root\\Security\\SCE")

//**************************************************************************
//* Declare an instance of the __Win32Provider so as to "register" the
//* SCE provider.
//**************************************************************************


// Provider registration: "SCEProvider|1.0" is the COM server identified by
// ClsId that backs every class in this file declared with
// [dynamic, provider("SCEProvider|1.0")].
instance of __Win32Provider as $P
{
    Name                    = "SCEProvider|1.0" ;
    ClsId                   = "{bd7570f7-9f0e-4c6b-b525-e078691b6d0e}" ;
    // 1 = the provider impersonates the calling client, so the file,
    // registry and policy changes it makes run under the caller's token
    // rather than the host process identity.
    ImpersonationLevel      = 1;
    // Initialize() is invoked separately for each calling user.
    PerUserInitialization   = TRUE;
    // Hosted in a wmiprvse.exe running as NETWORK SERVICE (not LocalSystem);
    // anything the provider does outside an impersonation context has only
    // that account's rights.
    HostingModel            = "NetworkServiceHost";
};

// Instance provider registration: the dynamic classes in this file can be
// created/updated (Put), read (Get), deleted and enumerated through WMI.
// Since a PutInstance on Sce_Template creates a template file (see the
// Sce_Template comment below), write access to this namespace is
// effectively write access to SCE templates and databases.
instance of __InstanceProviderRegistration
{
    Provider            = $P;
    SupportsPut         = TRUE;
    SupportsGet         = TRUE;
    SupportsDelete      = TRUE;
    SupportsEnumeration = TRUE;
    // Only simple single-class SELECT ... WHERE queries are handled by the
    // provider itself; WMI is expected to post-filter anything more complex.
    QuerySupportLevels = {"WQL:UnarySelect"};

};

// Method provider registration: required for Sce_Operation.Import/Export/
// Configure and the Configure methods declared on Sce_Pod / Sce_EmbedFO.
instance of __MethodProviderRegistration
{
    Provider = $P;
};

//*************************************************************************
//* Class: Sce_Template
//* A new template can be physically created by doing a PutInstance on the
//* template class or (because we have the storetype with each security
//* setting) by doing a PutInstance on a security setting which
//* refers to a template that does not physically exist.
//*************************************************************************

// Sce_Template: one instance per security template file. Writable through
// WMI (SupportsPut in the provider registration above); per the comment
// above, a PutInstance creates the template at Path if it does not exist.
[dynamic, provider("SCEProvider|1.0")]
class Sce_Template
{
        // Filesystem path of the template, supplied by the caller. With
        // ImpersonationLevel = 1 in the provider registration this is
        // presumably opened under the caller's token -- confirm in the provider.
        [key, DisplayName (""), Description ("")]
    string Path;
        // Free-text description stored with the template; the only
        // read/write non-key property.
        [read,write, DisplayName (""), Description ("")]
    string Description;
        // Version string of the template (read-only).
        [read, DisplayName (""), Description ("")]
    string Sce_Version;
        // Read-only flags; their exact semantics are not defined in this file
        // (presumably "cannot be modified" and "has unsaved changes").
        [read, DisplayName (""), Description ("")]
    boolean Readonly;
        [read, DisplayName (""), Description ("")]
    boolean Dirty;
};


//**********************************************************************
//* Class: Sce_Database
//* In V1, this class is provided strictly for query support.
//* To create or otherwise work with data in a database, use one of the
//* methods in the Sce_Operation class.
//**********************************************************************

// Sce_Database: one instance per SCE database. Per the comment above this is
// intended as query-only in V1; note that SupportsPut/SupportsDelete in the
// provider registration are provider-wide, so the provider (not this
// schema) is what has to reject writes to this class.
[dynamic, provider("SCEProvider|1.0")]
class Sce_Database
{
        // Filesystem path of the database, supplied by the caller.
        [key, DisplayName (""), Description ("")]
    string Path;
        [read, DisplayName (""), Description ("")]
    string Description;
        [read, DisplayName (""), Description ("")]
    string Sce_Version;
        // Timestamps of the last analysis and last configuration run
        // against this database (read-only).
        [read, DisplayName (""), Description ("")]
    datetime LastAnalysis;
        [read, DisplayName (""), Description ("")]
    datetime LastConfiguration;
};


//**********************************************************************
//* Class: Sce_Operation
//**********************************************************************

// Sce_Operation: static methods that move settings between a template, a
// database and the live system. Each returns a uint32 status code whose
// values are not defined in this file. Every path argument is supplied by
// the caller; with ImpersonationLevel = 1 in the provider registration these
// operations run under the caller's identity.
[dynamic, provider("SCEProvider|1.0")]
class Sce_Operation
{
        // Import: copy the areas selected by AreaMask (bit values listed in the
        // Sce_SupportedSecurityAreas instances below) from TemplatePath into
        // DatabasePath. Overwrite defaults to FALSE; presumably TRUE replaces
        // the database contents instead of merging -- confirm in the provider.
        [static,Implemented] uint32 Import ([in] string TemplatePath, [in] string DatabasePath, [in] uint32 AreaMask, [in] boolean Overwrite = FALSE);
        // Export: write the selected areas of DatabasePath out to TemplatePath.
        [static,Implemented] uint32 Export ([in] string TemplatePath, [in] string DatabasePath, [in] uint32 AreaMask);
        // Configure: apply the selected areas of DatabasePath to the local
        // machine, logging to LogFilePath. This is the call that changes live
        // security state (policies, ACLs, privileges, service settings), so it
        // is the operation to audit.
        [static,Implemented] uint32 Configure ([in] string DatabasePath, [in] uint32 AreaMask, [in] string LogFilePath);
};


//***********************************************************************
//* Class: Sce_SecuritySetting
//* Abstract base class to support database\template queries that span
//* all security settings.  For example:
//* Select * from Sce_SecuritySetting where SceStorePath="foo.bar"
//* would result in iterative queries of all the derived classes (below)
//* such that, in the end, all security settings in the template are
//* returned.
//* Configurable security items for SCE Pods should also inherit
//* from this class so that those data are also returned.
//***********************************************************************

// Sce_SecuritySetting: abstract root of every per-store setting class.
// Not dynamic itself; queries against it fan out to the derived classes.
[abstract]
class Sce_SecuritySetting
{
        // Path of the template or database the setting belongs to. The
        // ToSubClass flavor propagates the (empty) display qualifiers to
        // every derived class.
        [DisplayName ("") : ToSubClass, Description ("") : ToSubClass]
    string SceStorePath;
};

//***********************************************************************
//* Class: Sce_CoreSecuritySetting
//* Abstract base class to support database\template queries that span
//* all core security settings.  For example:
//* Select * from Sce_CoreSecuritySetting where SceStorePath="foo.bar"
//* would result in iterative queries of all the derived classes (below)
//* such that, in the end, all core security settings in the template are
//* returned (excluding SCE Pods).
//***********************************************************************

// Sce_CoreSecuritySetting: abstract base for the settings SCE itself owns
// (as opposed to Pod data). Queries against it cover only the core classes.
[abstract]
class Sce_CoreSecuritySetting : Sce_SecuritySetting
{
        // Redeclared with the same qualifiers as on Sce_SecuritySetting;
        // the redeclaration is redundant but harmless.
        [DisplayName ("") : ToSubClass, Description ("") : ToSubClass]
    string SceStorePath;
};

//***********************************************************************
//* Class: Sce_PasswordPolicy
//* Derived from: Sce_CoreSecuritySetting
//***********************************************************************

// Sce_PasswordPolicy: the password/account policy section of a store. One
// instance per store (SceStorePath is the only key). Units of the numeric
// properties are not stated in this file.
[dynamic, provider("SCEProvider|1.0")]
class Sce_PasswordPolicy : Sce_CoreSecuritySetting
{
        [key]
     string SceStorePath;
        // Minimum / maximum password age.
        [DisplayName (""), Description ("")]
     uint32  MinAge;
        [DisplayName (""), Description ("")]
     uint32  MaxAge;
        // Minimum password length.
        [DisplayName (""), Description ("")]
     uint32  MinLength;
        // Number of previous passwords remembered.
        [DisplayName (""), Description ("")]
     uint32  History;
        // Enforce password complexity.
        [DisplayName (""), Description ("")]
     boolean Complexity;
        // Store passwords in a recoverable (clear-text) form. TRUE makes every
        // password recoverable from the account store; a template that sets
        // it deserves a second look in review.
        [DisplayName (""), Description ("")]
     boolean StoreClearText;
        // NOTE(review): ForceLogoff and LsaLookupPol are documented here by
        // name only; their exact meaning is not defined in this file.
        [DisplayName (""), Description ("")]
     boolean ForceLogoff;
        [DisplayName (""), Description ("")]
     boolean LsaLookupPol;
        // Disable the built-in Administrator / Guest accounts.
        [DisplayName (""), Description ("")]
     boolean DisableAdmin;
        [DisplayName (""), Description ("")]
     boolean DisableGuest;
};

//***********************************************************************
//* Class:  Sce_AccountLockoutPolicy
//* Derived from: Sce_CoreSecuritySetting
//***********************************************************************

// Sce_AccountLockoutPolicy: account lockout section of a store; one instance
// per store. Units of the numeric properties are not stated in this file.
[dynamic, provider("SCEProvider|1.0")]
class Sce_AccountLockoutPolicy : Sce_CoreSecuritySetting
{
        [key]
    string  SceStorePath;
        // Failed logon attempts before lockout.
        [DisplayName (""), Description ("")]
    uint32  Threshold;
        // How long the account stays locked.
        [DisplayName (""), Description ("")]
    uint32  Duration;
        // Window after which the failed-attempt counter resets.
        [DisplayName (""), Description ("")]
    uint32  ResetTimer;
};

//***********************************************************************
//* Class:  Sce_KerberosPolicy
//* Derived from: Sce_CoreSecuritySetting
//***********************************************************************

// Sce_KerberosPolicy: Kerberos ticket policy section of a store; one
// instance per store. Units are given in the Description qualifiers.
[dynamic, provider("SCEProvider|1.0")]
class Sce_KerberosPolicy : Sce_CoreSecuritySetting
{
        [key]
    string  SceStorePath;
        // Maximum lifetime of a user (TGT) ticket, in hours.
        [DisplayName (""), Description ("in hours")]
    uint32  MaxTicketAge;
        // Maximum renewal lifetime, in days.
        [DisplayName (""), Description ("in days")]
    uint32  MaxRenewAge;
        // Maximum lifetime of a service ticket, in minutes.
        [DisplayName (""), Description ("in minutes")]
    uint32  MaxServiceAge;
        // Tolerated clock difference, in minutes.
        [DisplayName (""), Description ("in minutes")]
    uint32  MaxClockSkew;
        // Validate user logon restrictions on every ticket request.
        [DisplayName (""), Description ("")]
    boolean EnforceLogonRestrictions;
};


//***********************************************************************
//* Class: Sce_AuditPolicy
//* Derived from: Sce_CoreSecuritySetting
//***********************************************************************

// Sce_AuditPolicy: one instance per (store, audit category). The valid
// Category names are the Sce_SupportedAuditCategories instances below.
[dynamic, provider("SCEProvider|1.0")]
class Sce_AuditPolicy : Sce_CoreSecuritySetting
{
        [key]
    string  SceStorePath;
        [key]
    string  Category;   //Display information is instance-dependent.
        // Audit successful / failed events in this category. Both are
        // NotNull, so a PutInstance must specify both.
        [NotNull, DisplayName (""), Description ("")]
    boolean Success;
        [NotNull, DisplayName (""), Description ("")]
    boolean Failure;
};

//***********************************************************************
//* Class: Sce_EventLog
//* Derived from: Sce_CoreSecuritySetting
//***********************************************************************

// Sce_EventLog: event log settings, one instance per (store, log type). The
// valid Type names are the Sce_SupportedEventLogTypes instances below.
[dynamic, provider("SCEProvider|1.0")]
class Sce_EventLog : Sce_CoreSecuritySetting
{
        [key]
    string SceStorePath;
        [key]
    string Type;        //Display information is instance dependent
        // Maximum log size; units are not stated in this file.
        [DisplayName (""), Description ("")]
    uint32 Size;
        // No ValueMap, so the value is the index into Values:
        // 0 = as needed, 1 = by days, 2 = do not overwrite.
        [Values {"Overwrite Events As Needed", "Overwrite Events by Days", "Do Not Overwrite Events (Clear Log Manually)"}, DisplayName (""), Description ("")]
    uint32 OverwritePolicy;
        // Days to retain events; presumably only meaningful when
        // OverwritePolicy = 1.
        [DisplayName (""), Description ("")]
    uint32 RetentionPeriod;
        // Prevent guests/anonymous from reading this log.
        [DisplayName (""), Description ("")]
    boolean RestrictGuestAccess;
};

//************************************************************************
//* Class:  Sce_RegistryValue
//* Derived from: Sce_CoreSecuritySetting
//* Question: How do we handle Adding\Removing entries from REG_MULTI_SZ types?
//************************************************************************

// Sce_RegistryValue: a registry value to be set by Configure, one instance
// per (store, registry path). Display metadata for well-known values comes
// from Sce_KnownRegistryValues below.
[dynamic, provider("SCEProvider|1.0")]
class Sce_RegistryValue : Sce_CoreSecuritySetting
{
        [key]
    string SceStorePath;
        [key]           //Display information is instance dependent
    string Path;
        // Registry type code; ValueMap gives the numeric values (1 REG_SZ,
        // 2 REG_EXPAND_SZ, 3 REG_BINARY, 4 REG_DWORD, 7 REG_MULTI_SZ).
        [ValueMap {"1","2","3","4","7"}, Values {"REG_SZ", "REG_EXPAND_SZ", "REG_BINARY", "REG_DWORD", "REG_MULTI_SZ"}, NotNull]
    uint32 Type;
        // Value data as a string for every Type. How REG_BINARY and
        // REG_MULTI_SZ are encoded in this string is not defined here (see
        // the open question in the class header comment).
        [NotNull]
    string Data;
};

//************************************************************************
//* Class:  Sce_SecurityOptions
//* Derived from: Sce_CoreSecuritySetting
//* Security relevant options that aren't registry values.
//************************************************************************

// Sce_SecurityOptions: built-in account renaming options; one instance per
// store. Renaming the Administrator/Guest accounts is applied by Configure.
[dynamic, provider("SCEProvider|1.0")]
class Sce_SecurityOptions : Sce_CoreSecuritySetting
{
        [key]
    string  SceStorePath;
        // New name for the built-in Administrator account.
        [DisplayName (""), Description ("")]
    string  AdministratorAccountName;
        [DisplayName (""), Description ("")]
    string  AdministratorAccountDescription;        //Not currently supported
        // New name for the built-in Guest account.
        [DisplayName (""), Description ("")]
    string  GuestAccountName;
        [DisplayName (""), Description ("")]
    string  GuestAccountDescription;                //Not currently supported
};

//************************************************************************
//* Class:  Sce_UserPrivilegeRight
//* Derived from: Sce_CoreSecuritySetting
//************************************************************************

// Sce_UserPrivilegeRight: assignment of one user right/privilege, one
// instance per (store, right). Valid UserRight names are enumerated by
// Sce_SupportedPrivileges and Sce_SupportedRights below.
[dynamic, provider("SCEProvider|1.0")]
class Sce_UserPrivilegeRight : Sce_CoreSecuritySetting
{
        [key]
    string  SceStorePath;
        [key]
    string  UserRight;          //Display information is instance-dependent
        // No ValueMap, so 0 = AddRemove (apply AddList/RemoveList as deltas),
        // 1 = Set (AddList becomes the complete assignment).
        [Values {"AddRemove" , "Set"}]
    uint32  Mode;
        // Account names. In Set mode every account not in AddList loses the
        // right when configured, so a Set-mode instance can remove rights
        // (including logon rights) from existing accounts.
        [DisplayName (""), Description ("")]
    string  AddList[];      //If Mode=Set, then AddList specifies the complete list
        [DisplayName (""), Description ("")]
    string  RemoveList[];   //If Mode=Set, then RemoveList is ignored
};

//************************************************************************
//* Class: Sce_RestrictedGroup
//* Derived from: Sce_CoreSecuritySetting
//************************************************************************

// Sce_RestrictedGroup: controlled membership of one group, one instance per
// (store, group). Same Mode/AddList/RemoveList contract as
// Sce_UserPrivilegeRight: in Set mode, members not in AddList are removed
// when configured.
[dynamic, provider("SCEProvider|1.0")]
class Sce_RestrictedGroup : Sce_CoreSecuritySetting
{
        [key]           string  SceStorePath;
        [key]           string  GroupName;
        // No ValueMap, so 0 = AddRemove, 1 = Set.
        [Values {"AddRemove" , "Set"}]
                        uint32  Mode;
                        string  AddList[];      //If Mode=Set, then AddList specifies the complete list
                        string  RemoveList[];   //If Mode=Set, then RemoveList is ignored
};

//************************************************************************
//* Class: Sce_SystemService
//* Derived from: Sce_CoreSecuritySetting
//************************************************************************

// Sce_SystemService: startup mode and security descriptor for one service,
// one instance per (store, service).
[dynamic, provider("SCEProvider|1.0")]
class Sce_SystemService : Sce_CoreSecuritySetting
{
        [key]           string  SceStorePath;
        [key]           string  Service;
        // ValueMap gives the numeric values: 2 Automatic, 3 Manual, 4 Disabled.
        [ValueMap {"2", "3", "4"}, Values {"Automatic", "Manual", "Disabled"}]
                        uint32  StartupMode;
        // Service security descriptor in SDDL form; applied as-is by Configure,
        // so a permissive descriptor here becomes a permissive service ACL.
                        string  SDDLString;
};

//************************************************************************
//* Class: Sce_FileObject
//* Derived from: Sce_CoreSecuritySetting
//************************************************************************

// Sce_FileObject: security descriptor for one file or directory, one
// instance per (store, path).
[dynamic, provider("SCEProvider|1.0")]
class Sce_FileObject : Sce_CoreSecuritySetting
{
        [key]           string  SceStorePath;
        [key]           string  Path;
        // No ValueMap, so 0 = Inherit, 1 = Ignore, 2 = Overwrite; presumably
        // controls how SDDLString is propagated to children -- semantics are
        // not defined in this file.
        [Values {"Inherit", "Ignore", "Overwrite"}]
                        uint32  Mode;
        // Security descriptor in SDDL form, applied to Path by Configure.
                        string  SDDLString;
};


//************************************************************************
//* Class: Sce_KeyObject
//* Derived from: Sce_CoreSecuritySetting
//************************************************************************

// Sce_KeyObject: security descriptor for one registry key, one instance per
// (store, key path). Mirrors Sce_FileObject.
[dynamic, provider("SCEProvider|1.0")]
class Sce_KeyObject : Sce_CoreSecuritySetting
{
        [key]           string  SceStorePath;
        [key]           string  Path;
        // No ValueMap, so 0 = Inherit, 1 = Ignore, 2 = Overwrite; semantics
        // are not defined in this file.
        [Values {"Inherit", "Ignore", "Overwrite"}]
                        uint32  Mode;
        // Security descriptor in SDDL form, applied to the key by Configure.
                        string  SDDLString;
};

//*************************************************************************
//******************** Sce_SupportedSecurityAreas *************************
//* Allows caller to determine specific areas that the current version of
//* SCE can configure, import, export. These areas may change over time.
//* Will need static instances for v1.

// Sce_SupportedSecurityAreas: static lookup of AreaMask bits accepted by
// Sce_Operation. Not dynamic; the instances follow below. Property names
// are lower-case unlike the rest of the file -- left as-is because callers
// may already reference them.
class Sce_SupportedSecurityAreas
{
        [key]   string  areaname;
                // Bit value to OR into an AreaMask argument.
                uint32  bitmask;
};

// Static instances. Bits 0x2 and 0x10 are not listed here, yet "All Areas"
// is 0xFFFF; whether the provider honors the unlisted bits is not shown in
// this file.
instance of Sce_SupportedSecurityAreas
{
        areaname = "Security Policy";
        bitmask = 0x1;
};

instance of Sce_SupportedSecurityAreas
{
        areaname = "Group Membership";
        bitmask = 0x4;
};

instance of Sce_SupportedSecurityAreas
{
        areaname = "Privilege Rights";
        bitmask = 0x8;
};

instance of Sce_SupportedSecurityAreas
{
        areaname = "Registry Key Security";
        bitmask = 0x20;
};

instance of Sce_SupportedSecurityAreas
{
        areaname = "File Security";
        bitmask = 0x40;
};

instance of Sce_SupportedSecurityAreas
{
        areaname = "System Service Security";
        bitmask = 0x80;
};

instance of Sce_SupportedSecurityAreas
{
        areaname = "Security Extensions";
        bitmask = 0x8000;
};

instance of Sce_SupportedSecurityAreas
{
        areaname = "All Areas";
        bitmask = 0xFFFF;
};

//******************** Sce_SupportedAuditCategories ***********************
//*Allows caller to enumerate the Audit Categories which can be configured
//*by SCE as well as their friendly names for display.
//*Will need static instances for v1.

// Sce_SupportedAuditCategories: static lookup of valid Sce_AuditPolicy.Category
// values and their display names. Not dynamic; instances follow below.
class Sce_SupportedAuditCategories
{
        [key]   string  CategoryName;
                string  DisplayName;
};

// Static instances: the nine audit categories SCE can configure.
instance of Sce_SupportedAuditCategories
{
        CategoryName = "AuditSystemEvents";
        DisplayName = "Audit system events";
};

instance of Sce_SupportedAuditCategories
{
        CategoryName = "AuditLogonEvents";
        DisplayName = "Audit logon events";
};

instance of Sce_SupportedAuditCategories
{
        CategoryName = "AuditObjectAccess";
        DisplayName = "Audit object access";
};

instance of Sce_SupportedAuditCategories
{
        CategoryName = "AuditPrivilegeUse";
        DisplayName = "Audit privilege use";
};

instance of Sce_SupportedAuditCategories
{
        CategoryName = "AuditPolicyChange";
        DisplayName = "Audit policy change";
};

instance of Sce_SupportedAuditCategories
{
        CategoryName = "AuditAccountManage";
        DisplayName = "Audit account management";
};

instance of Sce_SupportedAuditCategories
{
        CategoryName = "AuditProcessTracking";
        DisplayName = "Audit process tracking";
};

instance of Sce_SupportedAuditCategories
{
        CategoryName = "AuditDSAccess";
        DisplayName = "Audit directory service access";
};

instance of Sce_SupportedAuditCategories
{
        CategoryName = "AuditAccountLogon";
        DisplayName = "Audit account logon events";
};

//******************** Sce_SupportedEventLogTypes *************************
//*Allows caller to enumerate the types of EventLogs which can be configured
//*by SCE (e.g. System, Application, Security).
//*Will need static instances for v1.

// Sce_SupportedEventLogTypes: static lookup of valid Sce_EventLog.Type
// values. Not dynamic; instances follow below.
class Sce_SupportedEventLogTypes
{
        [key] string  TypeName;
};

// Static instances: the three logs SCE can configure.
instance of Sce_SupportedEventLogTypes
{
        TypeName = "Application Log";
};

instance of Sce_SupportedEventLogTypes
{
        TypeName = "System Log";
};

instance of Sce_SupportedEventLogTypes
{
        TypeName = "Security Log";
};


//******************** Sce_KnownRegistryValues ***************************
//*Provides caller with display properties for security relevant registry
//*values as specified in sceregvl.inf.  For example:
//* PathName="MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"
//* TypeName=4
//* DisplayName="LAN Manager Authentication Level"
//* DisplayDialog=3
//* DisplayChoice=["Send NT and LM Responses", "Send NTLM response only",...]
//* DisplayChoiceResult=["0","2",...]

// Sce_KnownRegistryValues: read-only display metadata for the security
// relevant registry values the provider knows (sourced from sceregvl.inf per
// the comment above). Supplied by the provider, not stored per template.
[dynamic, provider("SCEProvider|1.0")]
class Sce_KnownRegistryValues
{
        // Registry path in the same form used by Sce_RegistryValue.Path.
        [key]   string  PathName;
        // Same ValueMap as Sce_RegistryValue.Type.
        [ValueMap {"1","2","3","4","7"}, Values {"REG_SZ", "REG_EXPAND_SZ", "REG_BINARY", "REG_DWORD", "REG_MULTI_SZ"}]
                uint32  Type;
                string  DisplayName;
        // No ValueMap, so 0 = Boolean, 1 = Numeric, 2 = String, 3 = Choices.
        [Values {"Boolean", "Numeric", "String", "Choices"}]
                uint32  DisplayDialog;
        // Parallel arrays: DisplayChoiceResult[i] is the value stored when
        // DisplayChoice[i] is selected.
                string  DisplayChoice[];        //Valid only if DisplayDialog is "Choices"
                string  DisplayChoiceResult[];  //Corresponding value stored for a given choice
                string  Units;                  //Valid only if DisplayDialog is "Numeric"
};

//******************** Sce_SupportedUserRights *************************
//* Base class for allowing caller to enumerate the privileges and
//* rights that can be configured by SCE.

// Sce_SupportedUserRights: abstract base so one query can enumerate both
// privileges and logon rights. RightName becomes the key in the subclasses.
[abstract]
class Sce_SupportedUserRights
{
                string  RightName;
};

//******************** Sce_SupportedPrivileges *************************
//*Allows caller to enumerate the types of Privileges which can be
//*configured by SCE.

// Sce_SupportedPrivileges: privileges the provider can assign via
// Sce_UserPrivilegeRight. Dynamic, so the list comes from the provider.
[dynamic, provider("SCEProvider|1.0")]
class Sce_SupportedPrivileges : Sce_SupportedUserRights
{
        [key]   string  RightName;
                string  DisplayName;
};

//******************** Sce_SupportedRights *************************
//*Allows caller to enumerate the types of Rights which can be
//*configured by SCE.
//*Will need static instances for the eight nonqueryable rights on NT.

// Sce_SupportedRights: logon rights that cannot be enumerated from the
// system, so they are provided as static instances below.
class Sce_SupportedRights : Sce_SupportedUserRights
{
        [key]   string  RightName;
                string  DisplayName;
};

// Static instances: the four logon rights and their four "Deny" counterparts.
// The Deny rights take precedence over the corresponding allow right, so a
// Set-mode Sce_UserPrivilegeRight on one of them can lock accounts out.
instance of Sce_SupportedRights
{
        RightName = "SeInteractiveLogonRight";
        DisplayName = "Logon locally";
};

instance of Sce_SupportedRights
{
        RightName = "SeNetworkLogonRight";
        DisplayName = "Access this computer from network";
};

instance of Sce_SupportedRights
{
        RightName = "SeBatchLogonRight";
        DisplayName = "Logon as a batch";
};

instance of Sce_SupportedRights
{
        RightName = "SeServiceLogonRight";
        DisplayName = "Logon as a service";
};

instance of Sce_SupportedRights
{
        RightName = "SeDenyInteractiveLogonRight";
        DisplayName = "Deny logon locally";
};

instance of Sce_SupportedRights
{
        RightName = "SeDenyNetworkLogonRight";
        DisplayName = "Deny access this computer from network";
};

instance of Sce_SupportedRights
{
        RightName = "SeDenyBatchLogonRight";
        DisplayName = "Deny logon as a batch";
};

instance of Sce_SupportedRights
{
        RightName = "SeDenyServiceLogonRight";
        DisplayName = "Deny logon as a service";
};

//******************** Sce_SupportedServices ***********************
//* ServiceNames and their corresponding DisplayNames can be queried
//* From the XXXXXX class in the CIMv2 namespace.


//****************************************************************************
//******************** Sce_PodData *******************************************
//* This class is used by SCE Pods to Set\Get data To\From an SCE Store.

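// Sce_PodData: per-pod key/value storage inside an SCE store. All four keys
// are caller-supplied strings; nothing in this schema ties a PodID to a
// registered Sce_Pod, so NOTE(review): confirm whether the provider validates
// PodID before accepting a PutInstance.
// Keyword spelled "class" (was "Class") to match every other declaration
// in this file.
[dynamic, provider("SCEProvider|1.0")]
class Sce_PodData
{
        [key]   string  SceStorePath;   // path of the template or database
        [key]   string  PodID;          // GUID identifying the pod
        [key]   string  PodSection;     // section within the pod's data
        [key]   string  Key;            // A specific configurable item within a Pod Section
                string  Value;          // Data for the specific configurable item.
};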

//******************** Sce_ConfigurationLogRecord *********************************
//* In V1, this class is provided for SCE Pods so that they may add entries
//* to the log file during configuration.  They do this via PutInstance.

// Sce_ConfigurationLogRecord: a log line written by a Pod during Configure
// via PutInstance. LogFilePath is the only key, so successive Puts for the
// same file are presumably appended rather than replaced -- confirm in the
// provider. The path is caller-chosen; with ImpersonationLevel = 1 the
// caller's own file permissions are what bound where it can be written.
[dynamic, provider("SCEProvider|1.0")]
class Sce_ConfigurationLogRecord
{
        [key]   string          LogFilePath;
                string          LogArea;        // area being configured
                string          Action;
                string          ErrorCause;
                string          ObjectDetail;   // object the action applied to
                string          ParameterDetail;
                uint32          LogErrorCode;   // status code; values not defined here
};

//******************** Sce_Pod **********************************************
//All SCE Pods must implement the configure method.

// Sce_Pod: abstract contract every SCE Pod class must implement. Pods store
// their settings in Sce_PodData and are driven by the provider during
// Configure through the static method below.
[abstract]
class Sce_Pod
{
        // GUID identifying the pod; matches Sce_PodData.PodID.
        string   PodID;
        // Apply the pod's settings from SceStorePath to the system, logging
        // to LogFilePath. Returns a uint32 status code (values not defined here).
        [static] uint32 Configure ([in] string SceStorePath, [in] string LogFilePath);  //Pod must implement
};

//******************** Sce_EmbedFO ******************************************
// this is the base class that enables SCE provider to use foreign objects

// Sce_EmbedFO: abstract base for embedding objects from another WMI
// namespace/class in an SCE store. The static properties name the foreign
// class; presumably the provider instantiates it during Configure, so trust
// in the foreign namespace's own provider is inherited here -- NOTE(review):
// confirm how ForeignNamespace/ForeignClassName are validated.
[abstract]
class Sce_EmbedFO
{
    string SceStorePath;
    // Class-level (static) binding to the foreign class.
    [static] string ForeignNamespace;
    [static] string ForeignClassName;
    // Name of the method used to apply the object; defaults to a PutInstance
    // call. Meaning of the string is defined by the provider, not here.
    [static] string Sce_Configure_Method = "Sce_MethodCall_PutInstance()";
    // Apply this embedded object, logging to LogFilePath.
    uint32 Configure([in] string LogFilePath);
};

// this class determines the sequencing of embedded classes for a particular method
// The smaller the priority value of the class, the higher its method execution priority.
// Order member is a ':' delimited string of class names
// Sce_Sequence: execution order of embedded classes for a given method.
// Not dynamic, so its instances are plain repository data: anyone with
// write access to this namespace can change the order in which classes are
// configured -- NOTE(review): worth considering in the namespace ACL.
class Sce_Sequence
{
    [key]   string  Method;     // method name the ordering applies to
    [key]   uint32  Priority;   // lower value = executed earlier
            string  Order;      // ':' delimited class names
};

// this class controls the per template sequencing
// Sce_ClassOrder: per-store override of class execution order; one instance
// per store, stored by the provider.
[dynamic, provider("SCEProvider|1.0")]
class Sce_ClassOrder
{
    [key]   string  SceStorePath;
            string  ClassOrder; // colon delimited class names
};

// this class controls the logging detail levels.
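// Sce_LogOptions: logging detail levels for method execution. Not dynamic,
// so the values live as repository data.
class Sce_LogOptions
{
    // No ValueMap, so the value is the index into Values:
    // 0 None, 1 ErrorOnly, 2 SuccessOnly, 3 ErrorAndSuccess. Read-only;
    // defaults to ErrorOnly.
    [Values {"None", "ErrorOnly", "SuccessOnly", "ErrorAndSuccess"}, read]
    uint16  LogErrorType = 1;
    // Defaults to verbose. Spelled as the boolean literal TRUE (was the
    // numeric literal 1) to match every other boolean in this file.
    boolean Verbose = TRUE;
};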


// Per template token. This will be used to identify information deposited
// by our method execution so that we can do rollbacks
// Sce_TransactionID: per-store token identifying the changes made by a
// method execution so they can be rolled back (see comment above).
[dynamic, provider("SCEProvider|1.0")]
class Sce_TransactionID
{
    [key]   string  SceStorePath;
            string  TranxGuid;  // GUID of the transaction that last touched this store
};

//---------------------------------------------------------------------------
// Transaction token passed to WMI to record a transaction boundary
// Sce_TransactionToken: marks a transaction boundary; the GUID matches
// Sce_TransactionID.TranxGuid.
[dynamic, provider("SCEProvider|1.0")]
class Sce_TransactionToken
{
    [key] string  TranxGuid;
};