 |
Hacking Exposed Windows
By Joel Scambray
Have a look inside the third edition of Hacking Exposed Windows : Microsoft Windows Security Secrets and Solutions by Joel Scambray, with this excerpt from chapter 12, "Windows security features and tools." |
One of the most exciting new features in Vista is the adoption of mandatory access control lists (MACLs), which are provided in the form of integrity levels. Vista supports
four integrity levels: low, medium, high and system. Integrity levels allow Vista to make security decisions based on how trusted an object is. A great example of this is Internet Explorer (IE), which has a fairly long history of security issues and is, due to its very nature, commonly exposed to the Internet. As such, it may be wise to consider IE fairly suspect. With this in mind, on a default install of Vista, IE is assigned an integrity level of low, which prevents IE processes from modifying any object with a higher integrity level. We can observe this by running Process Explorer, as shown in figure 12-2.
Note: This low-integrity level implementation of IE7 on Vista is also referred to as Protected Mode IE (PMIE).
It's also important to note that integrity levels, which are stored in the object's system access control list (SACL, used for generating audit records), trump grants within
discretionary access control lists (DACL), such as file permissions. For example, if an administrator is running a low integrity process that attempts to write to fun places like C:\ or C:\Users, the attempts will fail, regardless of DACLs granting administrators full control. This is because the default integrity level of all objects on Vista is set to medium. However, by default, most SACLs do not prevent lower integrity objects from reading or executing higher integrity objects. This is left up to the DACL. Support is available for such capabilities, however. According to MSDN, an object's SACL can contain the following:
- SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
- SYSTEM_MANDATORY_LABEL_NO_READ_UP
- SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP
With these, we can raise the bar a bit more by preventing lower integrity processes from reading or executing data that exists at a higher integrity level.
Figure 12-2
Figure 12-2 Process Explorer showing Internet Explorer executing with Low integrity.
Managing integrity levels
So how do you configure this stuff? Along with Vista comes another tool, icacls, which allows us to establish and query the integrity levels for an object. The following listing
demonstrates setting the C:\TempLow directory's integrity level to low:
c:\>icacls TempLow /setintegritylevel L
processed file: TempLow
Successfully processed 1 files; Failed processing 0 files
c:\>icacls TempLow
TempLow BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
Mandatory Label\Low Mandatory Level:(NW)
Successfully processed 1 files; Failed processing 0 files
You can see that the integrity level for TempLow is now set to low mandatory level. Along with this new capability, managing integrity levels, comes a new user right: modify an object label, which is configurable in the local security policy, as shown in figure 12-3.
This right is required to modify the integrity level of an object and, by default, is not granted to any user or group. So how were we able to modify the integrity level of the TempLow directory in the example? We own the folder. Vista allows us to alter the integrity level of any object we own, provided we aren't attempting to set the integrity level higher than our own level. If a user or application were able to set an object's integrity level above their own level, the entire integrity system would collapse.
Figure 12-3
Figure 12-3 Modifying an object label user right.
