In 2002, Microsoft undertook a Trustworthy Computing initiative to make the Windows platform more secure. The company put all new development on hold while developers reviewed their existing code for problems that could lead to security breaches. Many Windows Server 2003 components have benefited from the security initiative. For example, developers made changes at the Windows Management Instrumentation (WMI) COM/Distributed COM (DCOM) level. Most of these changes are fairly minor and affect primarily C++ programmers who use the WMI COM low-level interfaces, but some of these changes affect administrators and WMI scriptwriters. You need to be aware of these three changes:
- Windows 2003 has a lockdown mechanism to secure WMI asynchronous operations.
- Windows 2003 doesn't let you set the Security Descriptor (SD) on a Common Information Model (CIM) repository namespace to Null.
- Windows 2003 removes the Active Directory Service Interfaces (ADSI) WMI extension.
Locking Down Asynchronous Scripts
An asynchronous WMI script has a main routine and a subroutine that's executed in parallel, or asynchronously, to the main routine. The subroutine performs some WMI operations, such as stopping a Windows service or handling an event that occurred during execution of the main routine. The new locking mechanism ensures that the callback of the asynchronous subroutine comes from an authorized entity. For a sample asynchronous script, see the GenericEventAsyncConsumer.wsf script explained in "Exchange 2000 SP2 WMI Updates," January 2003, http://www.winnetmag.com/microsoftexchangeoutlook, InstantDoc ID 27211. . . .
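The main-routine and callback split described above, as an added VBScript example. It is not from the article and is not the GenericEventAsyncConsumer.wsf script it cites. The service-state query, the 60-second watch window, the SINK_ prefix, and the file name are choices made for this illustration.

```vbscript
' Added example: minimal asynchronous WMI consumer.
' Run with: cscript //nologo AsyncServiceWatch.vbs   (hypothetical file name)
Option Explicit

Const WATCH_SECONDS = 60            ' assumed watch window for this example
Dim objLocator, objServices, objSink, dtmEnd

' The sink object receives the asynchronous callbacks from WMI. The "SINK_"
' prefix binds the sink's events to the SINK_* subroutines defined below.
Set objSink = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")

Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objServices = objLocator.ConnectServer(".", "root\cimv2")
objServices.Security_.ImpersonationLevel = 3   ' wbemImpersonationLevelImpersonate

' Main routine: submit the event query. The call returns immediately;
' results are delivered later through the sink.
objServices.ExecNotificationQueryAsync objSink, _
    "SELECT * FROM __InstanceModificationEvent WITHIN 5 " & _
    "WHERE TargetInstance ISA 'Win32_Service'"

WScript.Echo "Watching service state changes for " & WATCH_SECONDS & " seconds..."
dtmEnd = DateAdd("s", WATCH_SECONDS, Now)
Do While Now < dtmEnd
    WScript.Sleep 500               ' main routine keeps running between callbacks
Loop

objSink.Cancel                      ' stop event delivery before the script exits
WScript.Echo "Done."

' Callback subroutine: WMI calls back into the script once per event.
' This callback path is what the article says the lockdown mechanism protects.
Sub SINK_OnObjectReady(objEvent, objAsyncContext)
    Dim objNew, objOld
    Set objNew = objEvent.TargetInstance
    Set objOld = objEvent.PreviousInstance
    If objNew.State <> objOld.State Then
        WScript.Echo Now & "  " & objNew.Name & ": " & _
            objOld.State & " -> " & objNew.State
    End If
End Sub

' Called when the asynchronous operation ends (including after Cancel).
Sub SINK_OnCompleted(intHResult, objError, objAsyncContext)
    WScript.Echo "Asynchronous operation completed, HRESULT 0x" & Hex(intHResult)
End Sub
```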

