Windows Integrity Control (WIC) in Vista


Joel Scambray
04.01.2008

One of the most exciting new features in Vista is the adoption of mandatory access control lists (MACLs), which are provided in the form of integrity levels. Vista supports four integrity levels: low, medium, high and system. Integrity levels allow Vista to make security decisions based on how trusted an object is. A great example of this is Internet Explorer (IE), which has a fairly long history of security issues and is, due to its very nature, commonly exposed to the Internet. As such, it may be wise to consider IE fairly suspect. With this in mind, on a default install of Vista, IE is assigned an integrity level of low, which prevents IE processes from modifying any object with a higher integrity level. We can observe this by running Process Explorer, as shown in figure 12-2.

Note: This low-integrity level implementation of IE7 on Vista is also referred to as Protected Mode IE (PMIE).

It's also important to note that integrity levels, which are stored in the object's system access control list (SACL, the list otherwise used for generating audit records), trump grants within discretionary access control lists (DACLs), such as file permissions. For example, if an administrator is running a low integrity process that attempts to write to fun places like C:\ or C:\Users, the attempts will fail, regardless of DACLs granting administrators full control. This is because the default integrity level of all objects on Vista is medium. However, by default, the mandatory label does not prevent lower integrity processes from reading or executing higher integrity objects; that is left up to the DACL. Support for such restrictions is available, however. According to MSDN, an object's SACL can contain the following:

With these, we can raise the bar a bit more by preventing lower integrity processes from reading or executing data that exists at a higher integrity level.

[Figure 12-2 (image): Process Explorer showing Internet Explorer executing with Low integrity.]

Managing integrity levels

So how do you configure this stuff? Along with Vista comes another tool, icacls, which allows us to establish and query the integrity levels for an object. The following listing demonstrates setting the C:\TempLow directory's integrity level to low:

c:\>icacls TempLow /setintegritylevel L
processed file: TempLow
Successfully processed 1 files; Failed processing 0 files
c:\>icacls TempLow
TempLow BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)

Mandatory Label\Low Mandatory Level:(NW)
Successfully processed 1 files; Failed processing 0 files

You can see that the integrity level for TempLow is now set to Low Mandatory Level. Along with this new capability of managing integrity levels comes a new user right, Modify an object label, which is configurable in the local security policy, as shown in figure 12-3.

This right is required to modify the integrity level of an object and, by default, is not granted to any user or group. So how were we able to modify the integrity level of the TempLow directory in the example? We own the folder. Vista allows us to alter the integrity level of any object we own, provided we aren't attempting to set the integrity level higher than our own level. If a user or application were able to set an object's integrity level above their own level, the entire integrity system would collapse.
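As an added example (not code from the article), here is a small PowerShell wrapper around the icacls commands shown above that reports an object's current label, treating a missing label line as the implicit Medium default the article describes, and sets a new one. The Get-IntegrityLevel and Set-IntegrityLevel names are my own, and the script assumes icacls.exe is on the PATH and that the caller owns the target or holds the Modify an object label right.

```powershell
# Added example, not from the article: a PowerShell wrapper around icacls
# (the tool described above) that reports and sets an object's integrity
# level. Assumes Windows Vista or later with icacls.exe on the PATH, and that
# the caller either owns the target object or holds the "Modify an object
# label" user right. Function names are assumptions, not a Windows API.

function Get-IntegrityLevel {
    param([Parameter(Mandatory)][string]$Path)
    # icacls prints a "Mandatory Label\<Level> Mandatory Level:(...)" line only
    # when an explicit label ACE exists in the SACL. No such line means the
    # object carries the implicit default, which the article notes is Medium.
    $out = & icacls.exe $Path 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for '$Path': $out" }
    $hit = $out | Select-String -Pattern 'Mandatory Label\\(\w+) Mandatory Level:(\S+)' |
           Select-Object -First 1
    if (-not $hit) {
        return [pscustomobject]@{ Path = $Path; Level = 'Medium'; Policy = '(implicit default)' }
    }
    [pscustomobject]@{
        Path   = $Path
        Level  = $hit.Matches[0].Groups[1].Value   # Low, Medium, High or System
        Policy = $hit.Matches[0].Groups[2].Value   # e.g. (NW) = no write-up
    }
}

function Set-IntegrityLevel {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('L', 'M', 'H')][string]$Level,
        [switch]$Recurse
    )
    # /setintegritylevel writes the Mandatory Label ACE into the object's SACL.
    # Windows refuses a level above the calling token's own level, which is
    # what keeps the integrity system from collapsing, as the article explains.
    $icaclsArgs = @($Path, '/setintegritylevel', $Level)
    if ($Recurse) { $icaclsArgs += '/t' }
    $out = & icacls.exe @icaclsArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for '$Path': $out" }
    Get-IntegrityLevel -Path $Path
}

# Demo that mirrors the article's TempLow listing.
$dir = Join-Path $env:SystemDrive 'TempLow'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Get-IntegrityLevel -Path $dir            # Level Medium (implicit default)
Set-IntegrityLevel -Path $dir -Level L   # Level Low, Policy (NW)
```

Running the demo as a standard (medium) user works because the user owns the directory just created; setting H on the same directory from that token is refused, which is the ownership rule the paragraph above describes.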

[Figure 12-3 (image): Modifying an object label user right.]
