Windows Integrity Control (WIC) in Vista


Joel Scambray
04.01.2008


Hacking Exposed Windows
By Joel Scambray

Have a look inside the third edition of Hacking Exposed Windows: Microsoft Windows Security Secrets and Solutions by Joel Scambray, with this excerpt from chapter 12, "Windows security features and tools."

One of the most exciting new features in Vista is the adoption of mandatory access control, delivered in the form of integrity levels (Microsoft's name for the mechanism is Mandatory Integrity Control, or MIC). Vista defines four levels you will routinely encounter: Low, Medium, High and System (an Untrusted level also exists below Low). Integrity levels let Vista make access decisions based on how trusted a process or object is, independently of who the user is. Internet Explorer (IE) is the textbook case: it has a long history of security issues and, by its very nature, is constantly exposed to the Internet, so it is wise to treat IE as suspect. With this in mind, on a default install of Vista, IE runs at Low integrity, which prevents IE processes from modifying any object labeled at a higher integrity level, no matter what permissions the object grants. We can observe this by running Process Explorer, as shown in figure 12-2.

Note: This Low-integrity implementation of IE7 on Vista is also referred to as Protected Mode IE (PMIE).

It's also important to note that integrity levels, which are stored as a mandatory label entry in the object's system access control list (SACL, the part of the security descriptor otherwise used for audit entries), trump grants in the discretionary access control list (DACL), such as file permissions. For example, if an administrator is running a Low-integrity process that attempts to write to interesting places like C:\ or C:\Users, the attempts will fail, even though the DACL grants Administrators full control. This is because any object without an explicit label is treated as Medium on Vista, and the label check runs before the DACL is ever consulted. However, the default label policy only blocks writes: most labels do not prevent lower-integrity processes from reading or executing higher-integrity objects, and that is left up to the DACL (process objects are the notable exception, since their default label also forbids reading up, so a Low process cannot read the memory of a Medium one). Support for stricter policies is available, though. According to MSDN, the mandatory label in an object's SACL can carry any combination of the following policy flags:

  • SYSTEM_MANDATORY_LABEL_NO_WRITE_UP (0x1, shown as NW by icacls and in SDDL): lower-integrity subjects cannot modify the object; this is the default
  • SYSTEM_MANDATORY_LABEL_NO_READ_UP (0x2, NR): lower-integrity subjects cannot read the object
  • SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP (0x4, NX): lower-integrity subjects cannot execute the object

With these, we can raise the bar a bit more by preventing lower integrity processes from reading or executing data that exists at a higher integrity level.

Figure 12-2 Process Explorer showing Internet Explorer executing with Low integrity.

Managing integrity levels

So how do you configure this stuff? Vista ships a new command-line tool, icacls, which can both query and set the integrity level of an object (the older cacls has no equivalent). The following listing sets the C:\TempLow directory's integrity level to Low and then reads the result back:

c:\>icacls TempLow /setintegritylevel L
processed file: TempLow
Successfully processed 1 files; Failed processing 0 files

c:\>icacls TempLow
TempLow BUILTIN\Administrators:(I)(F)
        BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
        Mandatory Label\Low Mandatory Level:(NW)

Successfully processed 1 files; Failed processing 0 files

You can see that TempLow now carries the Low Mandatory Level label, and the (NW) flag shows its policy is the default No-Write-Up. Note what this does and does not do: Medium and higher processes are unaffected by a Low label, while Low processes such as PMIE, which cannot write anywhere labeled Medium, can now write here. This is exactly how Vista gives Protected Mode IE a place to save data (the %USERPROFILE%\AppData\LocalLow folder is labeled Low for the same reason). Along with this new capability of managing integrity levels comes a new user right, Modify an object label (SeRelabelPrivilege), which is configurable under User Rights Assignment in the local security policy, as shown in figure 12-3.

This right is not granted to any user or group by default, so how were we able to change the integrity level of the TempLow directory in the example? We own the folder, and an owner always has WRITE_OWNER access to it. Vista allows a caller with WRITE_OWNER access to set an object's label to any level at or below the caller's own process integrity level; only setting a label above the caller's own level requires the Modify an object label right. That restriction is what holds the scheme together: if a user or application could label objects above their own level, a label would no longer say anything reliable about how trusted an object is, and the entire integrity system would collapse.

Figure 12-3 Modifying an object label user right.
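To make the two rules above concrete, the label check from the "trumps the DACL" discussion and the relabel rule just described, here is a small Python model of both. This is an added example written for this page, not code from Hacking Exposed Windows or from Windows itself. The integrity SIDs (S-1-16-<rid>), the SDDL spellings (the ML ACE type, the NW/NR/NX rights and the LW/ME/HI/SI level SIDs) and the SYSTEM_MANDATORY_LABEL_* flag values are the real Windows ones; the function names, the "has WRITE_OWNER" and "has relabel privilege" inputs, and the SDDL strings fed to it are constructed simplifications of the kernel's access check, not calls into it.

```python
"""Model of the Vista mandatory integrity check (added example; not the
book's or Microsoft's code). Constants are the real Windows values; the
check itself is a simplified reimplementation of the rules in the text."""
import re

# Integrity level SIDs are S-1-16-<rid>; a higher rid means more trusted.
LEVEL_RID = {"untrusted": 0, "low": 4096, "medium": 8192,
             "high": 12288, "system": 16384}
# Two-letter SDDL aliases for the label SIDs, as in (ML;;NW;;;LW)
SDDL_LEVEL = {"LW": "low", "ME": "medium", "HI": "high", "SI": "system"}

# SYSTEM_MANDATORY_LABEL_* policy bits (winnt.h) and their SDDL spellings
NO_WRITE_UP = 0x1     # NW
NO_READ_UP = 0x2      # NR
NO_EXECUTE_UP = 0x4   # NX
SDDL_POLICY = {"NW": NO_WRITE_UP, "NR": NO_READ_UP, "NX": NO_EXECUTE_UP}
BLOCKING_BIT = {"write": NO_WRITE_UP, "read": NO_READ_UP,
                "execute": NO_EXECUTE_UP}

# SDDL ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
_ML_ACE = re.compile(r"\(ML;[^;]*;(?P<rights>[^;]*);;;(?P<sid>[^)]+)\)")


def parse_label(sddl):
    """Return (level, policy_mask) from the ML ACE of an SDDL string.
    An object with no label is treated as Medium / No-Write-Up, which is
    what Vista assumes for unlabeled objects."""
    m = _ML_ACE.search(sddl or "")
    if m is None:
        return "medium", NO_WRITE_UP
    sid = m.group("sid")
    if sid in SDDL_LEVEL:
        level = SDDL_LEVEL[sid]
    else:
        rid = int(sid.rsplit("-", 1)[1]) if sid.startswith("S-1-16-") else -1
        level = next((n for n, r in LEVEL_RID.items() if r == rid), None)
        if level is None:
            raise ValueError("not a mandatory label SID: " + sid)
    rights = m.group("rights")
    policy = 0
    for i in range(0, len(rights), 2):      # rights string is 2-char tokens
        policy |= SDDL_POLICY[rights[i:i + 2]]
    return level, policy


def mandatory_check(subject_level, object_sddl, access):
    """The label check that runs before the DACL is consulted. It can only
    deny: a subject below the object's level is refused the kinds of access
    named in the label's policy, whatever the DACL grants. Returns True when
    the label does not block the request (the DACL then decides)."""
    obj_level, policy = parse_label(object_sddl)
    if LEVEL_RID[subject_level] >= LEVEL_RID[obj_level]:
        return True              # equal or higher: the label never interferes
    return not (policy & BLOCKING_BIT[access])


def can_relabel(subject_level, has_write_owner, new_level,
                has_relabel_privilege=False):
    """Who may change a label, per the rule in the text: WRITE_OWNER on the
    object (which its owner always has) lets the caller set any level at or
    below its own; going above its own level needs the 'Modify an object
    label' right (SeRelabelPrivilege), granted to nobody by default."""
    if not has_write_owner:
        return False
    if LEVEL_RID[new_level] <= LEVEL_RID[subject_level]:
        return True
    return has_relabel_privilege


if __name__ == "__main__":
    # Constructed SDDL fragments standing in for real objects.
    root_dir = "D:(A;;FA;;;BA)"                # C:\ : Admins Full, unlabeled
    low_dir = "D:(A;;FA;;;BA)S:(ML;;NW;;;LW)"  # TempLow after icacls ... L
    locked = "S:(ML;;NWNRNX;;;HI)"             # High label, all three bits
    cases = [("low", root_dir, "write"), ("low", root_dir, "read"),
             ("low", low_dir, "write"), ("medium", low_dir, "write"),
             ("medium", locked, "read"), ("high", locked, "read")]
    for subj, obj, acc in cases:
        verdict = "passes label check" if mandatory_check(subj, obj, acc) \
            else "DENIED by label"
        print(f"{subj:>6} {acc:<7} on {obj:<34} -> {verdict}")
    print("Medium owner lowers to Low :", can_relabel("medium", True, "low"))
    print("Medium owner raises to High:", can_relabel("medium", True, "high"))
```

Running the script shows the article's scenario directly: the Low subject is denied a write to the unlabeled (Medium) C:\ even though the DACL grants Administrators full control, but its read passes the label check because the default policy is No-Write-Up only; the same subject can write to the Low-labeled TempLow; and the owner running at Medium can lower a label but not raise it past Medium without the relabel right.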
