Windows Insider

Set Access Control on Mandatory

Getting past the complexities in Windows Integrity Control.

When is an access control not like an access control? When it's a mandatory access control. Just when you thought you'd figured out all the nuances of setting permissions on Windows files and folders, Windows Vista debuts a whole new layer of permissioning based on mandatory access controls called Windows Integrity Control (WIC).

Considering how cutting-edge this new permissions layer is for Windows, there's precious little information online regarding how WIC actually works. To give you some idea of what it is and why we have it, let's talk at a high level about the academics of access control.

WIC is a variant of the Biba Integrity Model, which has been around since 1977 and describes a set of access control rules implemented to ensure data integrity. "Integrity" is the key word here, because we as Windows administrators are accustomed to the access controls we use every day on files and folders to protect data confidentiality.

While data confidentiality makes sure only the right people get access, data integrity ensures that the information itself is trustworthy.

Top Secret Spyware
Think about the proliferation of spyware on the Internet, some of which includes rootkit cloaking technology. If your machine has been infected with stealthed spyware, can you ever fully trust that the malicious code has been removed? Not likely. If you can never see it, you can never truly be assured it's been removed. When you lose that trust, you've lost the trust of the integrity of your machine's software. The Biba Integrity Model -- and WIC -- helps address that trust.

Figure 1
[Click on image for larger view.]
Figure 1. Microsoft's Process Explorer tool for Vista now exposes Integrity Levels.

WIC adds a second layer of access control to every object on a Vista machine. This layer of access control involves a mandatory access control bit that sets that object's Integrity Level to one of six settings. In order they are: Untrusted, Low, Medium, High, System and Application Installer. Where this gets even trickier is when the user also gets an Integrity Level. Regular users are assigned the Medium Integrity Level and administrators get the High Integrity Level. Every process instantiated by that user then gets an Integrity Level, based on the combination of the Integrity Levels of that process' .EXE file and the user who launched it.

This second layer of access control is similar to how the government handles classified information. Let's say our user Dan Bishop wants to read a document classified as "top secret." To do this, two separate tests have to occur:

  • Dan's user account must be in the same Active Directory groups to which the document is also a member. This is our classic Windows permissioning, like what we're used to doing.
  • Dan must also have a government clearance at the same level to which the document is cleared, which in this case is "top secret." Both the document and Dan must be at this level before access can occur. This is the shared Integrity Level.

You're probably thinking, "Just wonderful. Now I've got to worry about two separate permissioning structures when one is difficult enough." Well, you're in luck. Microsoft was planning to use WIC to protect Windows' core files, but chose not to do so before Vista's release.

Where it is used is in the permissioning of Internet Explorer (IE). On Vista alone, IE has a new mode called Internet Explorer Protected Mode that uses WIC -- among other security tricks -- to help prevent IE from being used as a vector for attack.

Remember how we said regular users are assigned an Integrity Level of Medium? Well, IE Protected Mode runs all its processes, downloaded files and associated add-ons at the Low Integrity Level. Areas like Temporary Internet Files and the iexplore.exe process are all set to Low, so IE can still download and execute items from the Internet like it needs to do. But because all Vista files and registry keys are set by default to the Medium Integrity Level, IE or any item touched by IE receives an "Access Denied" error if it tries to modify a system file. Because the IE process runs at the Low Integrity Level, we don't have to care if we've messed up the permissions on our files and folders.

Top-Secret Toolkit
As an administrator, you have the ability to set Integrity Levels on virtually any file, folder or registry key in your system.

There are four tools available today that expose the WIC Integrity Level bit. Two are former Sysinternals tools now available on the Microsoft Web site: AccessChk and Process Explorer. AccessChk is a command-line tool that shows file, folder and registry access for stated users and groups. Process Explorer is a graphical tool that shows running processes and their integrity level. To expose the Process Explorer's Integrity Levels column, click View, then Select Columns, then check the box next to Integrity Level.

Two other tools are also available, both in command-line format. The first is the native icacls.exe, which is Vista's replacement for the old cacls.exe tool and is used to view and modify permissions and integrity levels on files and folders. The second is Mark Minasi's chml.exe tool, which is very similar to the others but is specific to setting Integrity Levels only. Minasi's tool is available at

So fret not. Although WIC and the mandatory access controls it enables are complicated in theory, as of now they're not used all that often in practice -- at least for Windows.

About the Author

Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.


comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.