Wednesday, August 09, 2006

VBScript: Does WMI Support Querying Local Security Policy?

For doing a regular health check of our servers, I created a VBScript which queries all the relevant information (free disk space, registry size, security log size, etc.) and dumps that into an HTML file. One particular piece of information I wanted to query remotely was one of the target machine's Local Security Policies - "Log on as a service" (under User Rights Assignments).

Apparently, WMI does not have any support to enumerate Local Security Policy, probably because of security reasons. While looking for some third-party tool, I came across DumpSec, which does show a remote machine's User Rights Assignments and other Local Security Policies. The problem though with this tool is, it is primarily GUI based and does not show all the rights. Even though it supports command-line parameters (C:\>DUMPSEC /rpt=RIGHTS /saveas=CSV /outfile=report.txt), it still requires an output file name to dump the result instead of showing it directly on the console. You are then supposed to parse that output file (maybe by using FIND) to retrieve the particular piece of information. For example, executing C:\>FIND "SeServiceLogonRight" report.txt would reveal something like this:

SeServiceLogonRight,MACHINENAME\ASPNET,Log on as a service
SeServiceLogonRight,NT AUTHORITY\NETWORK SERVICE,Log on as a service

This obviously doesn't seem very efficient from a scripting perspective. It would have been a lot easier to get those details via Windows' scripting engine or WMI. On the positive side though, these limitations are motivating me to write my own program to query Local Security Policy (LSP) entries. Gotta revisit Charles Petzold's masterpiece on WIN32 APIs! :)
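
The FIND step described above can be folded into the health-check script itself. As an added example (not code from the original post), this VBScript parses a DumpSec rights report and flags accounts holding SeServiceLogonRight that are not on a baseline list. The baseline, the temp-file location and the last two sample rows are constructed, and the CSV layout is assumed from the two sample lines shown above.

```vbscript
Option Explicit

' Return a Dictionary whose keys are the accounts holding rightName in a
' DumpSec rights report. Row layout assumed from the post's sample:
' right,account,description (no quoted commas inside fields).
Function AccountsWithRight(reportPath, rightName)
    Dim fso, ts, fields, result
    Set result = CreateObject("Scripting.Dictionary")
    result.CompareMode = vbTextCompare          ' account names are case-insensitive
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set ts = fso.OpenTextFile(reportPath, 1)    ' 1 = ForReading
    Do Until ts.AtEndOfStream
        fields = Split(Trim(ts.ReadLine), ",")
        If UBound(fields) >= 1 Then             ' skip blank or malformed rows
            If StrComp(Trim(fields(0)), rightName, vbTextCompare) = 0 Then
                result(Trim(fields(1))) = True
            End If
        End If
    Loop
    ts.Close
    Set AccountsWithRight = result
End Function

Dim fso, path, sample, expected, found, account
Set fso = CreateObject("Scripting.FileSystemObject")
path = fso.GetSpecialFolder(2).Path & "\report.txt"   ' 2 = temporary folder
' Constructed sample report: the first two rows are from the post, the rest are
' made up. In real use, produce the file with the DUMPSEC command line above.
Set sample = fso.CreateTextFile(path, True)
sample.WriteLine "SeServiceLogonRight,MACHINENAME\ASPNET,Log on as a service"
sample.WriteLine "SeServiceLogonRight,NT AUTHORITY\NETWORK SERVICE,Log on as a service"
sample.WriteLine "SeServiceLogonRight,MACHINENAME\svc_unknown,Log on as a service"
sample.WriteLine "SeBatchLogonRight,MACHINENAME\ASPNET,Log on as a batch job"
sample.Close

' Hypothetical baseline of accounts that are supposed to hold the right.
Set expected = CreateObject("Scripting.Dictionary")
expected.CompareMode = vbTextCompare
expected("MACHINENAME\ASPNET") = True
expected("NT AUTHORITY\NETWORK SERVICE") = True

Set found = AccountsWithRight(path, "SeServiceLogonRight")
For Each account In found.Keys
    If expected.Exists(account) Then
        WScript.Echo "OK         " & account
    Else
        WScript.Echo "UNEXPECTED " & account
    End If
Next
```

Run it with cscript.exe so that WScript.Echo writes to the console instead of opening a message box per line.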

4 comments:

Anonymous said...

Did you finish writing the program to query the local security policy?

If so, I would love to have access to it (please mail to troyDOTphillipsATzettaserveDOTcom)

Raj said...

I am afraid I didn't get a chance to write that program :(

Yogee said...

It's really annoying.. I had to say 'NO' to such a requirement.

David Homer said...

Hi,

Yes, we have the same problem that there isn't a WMI call for this but the RSOP calls which definitely don't do what you want, you have to use the native Win32 API calls.

http://msdn.microsoft.com/en-us/library/ms721792(v=VS.85).aspx

This is something we are implementing currently in our network audit software to document User Right Assignments.
http://www.centrel-solutions.com/xiaconfiguration

I think this functionality not being available from WMI is more just that Microsoft haven't got round to implementing it rather than security along with WMI classes for DHCP etc...


Thanks,



Dave
CENTREL Solutions
http://www.centrel-solutions.com