Administrator

Group: Administrators Last Login: 11/9/2009 11:29:53 AM Posts: 2,112, Visits: 2,281
Understanding Vista's New File Integrity Controls
When the developers at Microsoft set out to create the latest version of their operating system, Windows Vista, they set out to ensure it was the most secure version of Windows yet. One of the functions that has been built into Windows Vista which helps to make it more secure is Windows Integrity Control, or WIC.
The purpose of WIC is to protect objects, whether they are files, printers, named pipes, registry keys, and so on, from attacks, malware or even innocent user error. The concept of WIC is based on establishing the trustworthiness of the various objects and controlling the interactions between objects based on their integrity, or level of trustworthiness.
The integrity levels of WIC are a mandatory control and override discretionary controls such as NTFS file and folder permissions which most administrators are familiar with. The primary objective of WIC is to ensure that only objects with an integrity level equal to or greater than the target object are allowed to interact with it. Essentially, if an object is less trustworthy, it is prohibited from acting on, or interacting with more trustworthy objects.
Again, WIC trumps normal permissions. That means that even if a file or process has Full Control permissions to another object, if the file or process has a lower integrity level than the object it is trying to interact with, WIC will override the permissions and the interaction will be denied.
Determining trustworthiness using WIC
In order to police the interactions between objects, Windows must first determine the trustworthiness, or integrity level of each object. WIC assigns one of the following six integrity levels to each object:
* Untrusted – processes that are logged on anonymously are automatically designated as Untrusted
* Low – The Low integrity level is the level used by default for interaction with the Internet. As long as Internet Explorer is run in its default state, Protected Mode, all files and processes associated with it are assigned the Low integrity level. Some folders, such as the Temporary Internet Folder, are also assigned the Low integrity level by default.
* Medium – Medium is the context that most objects will run in. Standard users receive the Medium integrity level, and any object not explicitly designated with a lower or higher integrity level is Medium by default.
* High – Administrators are granted the High integrity level. This ensures that Administrators are capable of interacting with and modifying objects assigned Medium or Low integrity levels, but can also act on other objects with a High integrity level, which standard users cannot do.
* System – As the name implies, the System integrity level is reserved for the system. The Windows kernel and core services are granted the System integrity level. Being even higher than the High integrity level of Administrators protects these core functions from being affected or compromised even by Administrators.
* Installer – The Installer integrity level is a special case and is the highest of all integrity levels. By virtue of being equal to or higher than all other WIC integrity levels, objects assigned the Installer integrity level are also able to uninstall all other objects.
In terms of the impact on Windows Vista security, these integrity levels and WIC protect objects from intentional or unintentional modification or deletion by less trusted objects. By setting the Medium integrity level as the default mode for standard users and for all unlabeled objects, Vista protects the majority of objects on the computer from being affected in any way by threats from the Internet, which run at the Low integrity level by default.
Similarly, although Administrators are more powerful than standard users and operate at the High integrity level, the operating system kernel and core functionality receive a higher System integrity level, ensuring that even an absent-minded Administrator or compromised Administrator account cannot adversely impact the core system.
To reiterate, the WIC integrity levels and controls are very similar to normal NTFS file and folder permissions. The primary difference is that NTFS permissions are discretionary controls while WIC integrity levels are mandatory controls. Basically, file and folder access privileges and permissions are assigned by the object owner or an administrator, while WIC integrity levels are dictated by the operating system.
Using ICACLS to view integrity levels
One of the issues that Administrators typically run into when it comes to dealing with rights and permissions in a Windows environment is trying to figure out who has access to what. If a process fails, or a file won’t execute, or a user can’t write data to a folder, one of the troubleshooting methods might be to examine the WIC integrity level of the object in question and the object it is trying to act on to determine if perhaps WIC is behind the failure.
Windows Vista does not provide anything slick or pretty to let you view or alter the integrity level of an object. There is, however, a command line utility called ICACLS which will display the contents of the discretionary ACL, as well as mandatory labels. As stated earlier, objects that are not explicitly assigned a label are automatically designated as Medium integrity; however, the Medium integrity label won’t show up using ICACLS because it is implied and not explicit.
To use the ICACLS utility, you first need to open a command prompt window. There are a number of switches and syntax possibilities to use with the ICACLS tool. You can get information and details on each of the options and examples of their uses by simply typing ‘icacls’ at the command prompt and hitting Enter. We will focus on two uses of ICACLS here.
First, viewing the integrity level. To view the integrity level, and other contents of the discretionary access list, type icacls followed by the path of the object you wish to examine. For example, if you wish to view the mandatory integrity level of the explorer.exe file, you would type icacls c:\windows\explorer.exe. The results will look like this:
C:\windows\explorer.exe NT SERVICE\TrustedInstaller: (F)
                        BUILTIN\Administrators: (RX)
                        NT AUTHORITY\SYSTEM: (RX)
                        BUILTIN\Users: (RX)
As mentioned above, the mandatory integrity level assigned to the explorer.exe file is implied by the fact that it does not have a specific mandatory integrity level assigned. If there were a mandatory integrity level, there would be an additional entry that would look like this:
Mandatory Label\Medium Mandatory Level
Just keep in mind that if you are using ICACLS to try and determine the mandatory integrity level being used to determine object interactions in WIC, no mandatory label entry means that it is Medium by default.
It is also possible to change an object’s integrity level using ICACLS. In order to change the integrity level of an object, the user needs the authority to “change permissions” and “read permissions” on the object/file in question as well as “take ownership” of the target object. As long as these privileges are in place, a user may modify or elevate the integrity level of an object. However, the user can never set the object to a higher integrity level than their own. You can change the permissions such as read/change/take ownership by right-clicking the object > Properties > Security and clicking the Advanced button.
Assuming you have the proper permissions and privileges, you can modify the mandatory integrity level of an object with the ICACLS tool by typing icacls <path to object> /setintegritylevel H|M|L. The label at the end, either H, M or L, assigns a mandatory integrity level of High, Medium or Low to the specified object respectively.
AMD64 X2 5200+ 2.60GHz | 3GB DDR 667 | RAID 0 SATA3.0 WD Caviars 320GB total | Foxconn MCP61VM2MA-RS2H Geforce 6100 nforce400 chipset | Vista Ultimate x86
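As an added example that is not part of the post, the following Python script applies the rules the post describes to constructed icacls transcripts: it parses the ACE lines, treats an object with no "Mandatory Label" entry as Medium, decides whether WIC alone would deny a subject at a given level (lower than the object means denied, whatever the NTFS permissions say), and builds the icacls /setintegritylevel command while refusing a label above the caller's own level. The sample transcripts, the account name EXAMPLE\alice and the Low-labelled folder path are constructed for the example; the level ordering and the H/M/L letters are those given in the post.

```python
"""Model of the Windows Integrity Control (WIC) behaviour described in the post.

Added example, not code from the post.  The icacls transcripts at the bottom are
constructed to match the shape shown in the post; they are not real captures.
"""
import re

# The six integrity levels named in the post, ordered from least to most trusted.
LEVELS = ["Untrusted", "Low", "Medium", "High", "System", "Installer"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Letters accepted by `icacls <path> /setintegritylevel H|M|L`, as the post states.
SETINTEGRITY_LETTERS = {"L": "Low", "M": "Medium", "H": "High"}

# icacls shows the label as an ACE whose account reads "Mandatory Label\<Level> Mandatory Level".
_LABEL_RE = re.compile(r"Mandatory Label\\(\w+) Mandatory Level")
# An ACE line is "<account>:(perms)(perms)..."; the post's transcript has a space
# after the colon, so allow optional whitespace there.
_ACE_RE = re.compile(r"^(.+?):\s*((?:\([^)]*\))+)$")


def parse_icacls(path, output):
    """Return the ACEs and the effective integrity level for `path`.

    `output` is the text icacls printed for that path: the first line starts
    with the path followed by a space and the first ACE, later ACE lines are
    indented, and a trailing "Successfully processed ..." summary may follow.
    """
    aces = []
    explicit = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # drop the path prefix on the first line
        m = _ACE_RE.match(line)
        account, perms = (m.group(1), m.group(2)) if m else (line, "")
        aces.append((account, perms))
        label = _LABEL_RE.search(account)
        if label:
            if label.group(1) not in RANK:
                raise ValueError("unknown integrity level: " + label.group(1))
            explicit = label.group(1)
    return {
        "path": path,
        "aces": aces,
        # Post: no mandatory label entry means the object is Medium by default.
        "integrity": explicit or "Medium",
        "label_explicit": explicit is not None,
    }


def can_act_on(subject_level, object_level):
    """WIC rule from the post: the acting object needs an integrity level equal
    to or greater than the target's, regardless of discretionary permissions."""
    return RANK[subject_level] >= RANK[object_level]


def check_access(subject_level, path, output):
    """Troubleshooting helper: would WIC itself block a subject at
    `subject_level` from acting on the object whose icacls output is given?"""
    info = parse_icacls(path, output)
    return {
        "object_level": info["integrity"],
        "label_explicit": info["label_explicit"],
        "wic_allows": can_act_on(subject_level, info["integrity"]),
    }


def setintegritylevel_command(subject_level, path, letter):
    """Build the argv for `icacls <path> /setintegritylevel H|M|L`, refusing a
    label above the caller's own level (post: a user can never set an object
    to a higher integrity level than their own)."""
    if letter not in SETINTEGRITY_LETTERS:
        raise ValueError("label must be one of H, M or L")
    target = SETINTEGRITY_LETTERS[letter]
    if RANK[target] > RANK[subject_level]:
        raise PermissionError(f"a {subject_level} subject cannot label {path} as {target}")
    return ["icacls", path, "/setintegritylevel", letter]


# Constructed transcript in the shape the post shows for an unlabelled file.
EXPLORER_PATH = r"C:\windows\explorer.exe"
EXPLORER_OUTPUT = r"""C:\windows\explorer.exe NT SERVICE\TrustedInstaller:(F)
                        BUILTIN\Administrators:(RX)
                        NT AUTHORITY\SYSTEM:(RX)
                        BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed transcript for an explicitly Low-labelled folder (hypothetical path and account).
LOW_PATH = r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low"
LOW_FOLDER_OUTPUT = r"""C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low BUILTIN\Administrators:(F)
                        EXAMPLE\alice:(F)
                        Mandatory Label\Low Mandatory Level:(NW)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, out in ((EXPLORER_PATH, EXPLORER_OUTPUT), (LOW_PATH, LOW_FOLDER_OUTPUT)):
        for subject in ("Low", "Medium", "High"):
            v = check_access(subject, path, out)
            print(f"{subject:6} -> {v['object_level']:6} "
                  f"({'explicit' if v['label_explicit'] else 'default'}): "
                  f"{'allowed' if v['wic_allows'] else 'DENIED by WIC'}  {path}")
    print(" ".join(setintegritylevel_command("Medium", LOW_PATH, "L")))
```

The parser is given the path the caller already passed to icacls, because a Windows path and the first account name are both backslash-separated and can each contain spaces, so the first line cannot be split reliably without it.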
Group: Forum Members Last Login: 6/22/2009 9:26:19 AM Posts: 1, Visits: 3
Good article Jason, it cleared up the reason I can't delete a problem application folder in my users profile.
It should, though, be a lot easier to override or modify this new built-in behaviour. This is a major change from the way XP worked and so MS SHOULD have made administration of this new facet part of the mainstream, and not force us to go hunting for yet another obscure command line utility to get round another of their poorly implemented designs.
I'm totally reliant on MS for my work but am TOTALLY sick of the amount of time their products make me waste JUST so as I can get them working well enough to use them for their original purpose.