Set Access Control on Mandatory
Getting past the complexities in Windows Integrity Control.
- By Greg Shields
When is an access control not like an access control? When it's a mandatory
access control. Just when you thought you'd figured out all the nuances of setting
permissions on Windows files and folders, Windows Vista debuts a whole new layer
of permissioning based on mandatory access controls called Windows Integrity
Considering how cutting-edge this new permissions layer is for Windows, there's
precious little information online regarding how WIC actually works. To give
you some idea of what it is and why we have it, let's talk at a high level about
the academics of access control.
WIC is a variant of the Biba Integrity Model, which has been around since 1977
and describes a set of access control rules implemented to ensure data integrity.
"Integrity" is the key word here, because we as Windows administrators
are accustomed to the access controls we use every day on files and folders
to protect data confidentiality.
While data confidentiality makes sure only the right people get access, data
integrity ensures that the information itself is trustworthy.
Top Secret Spyware
Think about the proliferation of spyware on the Internet, some of which includes
rootkit cloaking technology. If your machine has been infected with stealthed
spyware, can you ever fully trust that the malicious code has been removed?
Not likely. If you can never see it, you can never truly be assured it's been
removed. When you lose that trust, you've lost the trust of the integrity of
your machine's software. The Biba Integrity Model -- and WIC -- helps address
[Click on image for larger view.]
|Figure 1. Microsoft's
Process Explorer tool for Vista now exposes Integrity Levels.
WIC adds a second layer of access control to every object on a Vista machine.
This layer of access control involves a mandatory access control bit that sets
that object's Integrity Level to one of six settings. In order they are: Untrusted,
Low, Medium, High, System and Application Installer. Where this gets even trickier
is when the user also gets an Integrity Level. Regular users are assigned the
Medium Integrity Level and administrators get the High Integrity Level. Every
process instantiated by that user then gets an Integrity Level, based on the
combination of the Integrity Levels of that process' .EXE file and the user
who launched it.
This second layer of access control is similar to how the government handles
classified information. Let's say our user Dan Bishop wants to read a document
classified as "top secret." To do this, two separate tests have to
- Dan's user account must be in the same Active Directory groups to which
the document is also a member. This is our classic Windows permissioning,
like what we're used to doing.
- Dan must also have a government clearance at the same level to which the
document is cleared, which in this case is "top secret." Both the
document and Dan must be at this level before access can occur. This is the
shared Integrity Level.
You're probably thinking, "Just wonderful. Now I've got to worry about
two separate permissioning structures when one is difficult enough." Well,
you're in luck. Microsoft was planning to use WIC to protect Windows' core files,
but chose not to do so before Vista's release.
Where it is used is in the permissioning of Internet Explorer (IE).
On Vista alone, IE has a new mode called Internet Explorer Protected Mode that
uses WIC -- among other security tricks -- to help prevent IE from being used
as a vector for attack.
Remember how we said regular users are assigned an Integrity Level of Medium?
Well, IE Protected Mode runs all its processes, downloaded files and associated
add-ons at the Low Integrity Level. Areas like Temporary Internet Files and
the iexplore.exe process are all set to Low, so IE can still download and execute
items from the Internet like it needs to do. But because all Vista files and
registry keys are set by default to the Medium Integrity Level, IE or any item
touched by IE receives an "Access Denied" error if it tries to modify
a system file. Because the IE process runs at the Low Integrity Level, we don't
have to care if we've messed up the permissions on our files and folders.
As an administrator, you have the ability to set Integrity Levels on virtually
any file, folder or registry key in your system.
There are four tools available today that expose the WIC Integrity Level bit.
Two are former Sysinternals tools now available on the Microsoft Web site: AccessChk
and Process Explorer. AccessChk is a command-line tool that shows file, folder
and registry access for stated users and groups. Process Explorer is a graphical
tool that shows running processes and their integrity level. To expose the Process
Explorer's Integrity Levels column, click View, then Select Columns, then check
the box next to Integrity Level.
Two other tools are also available, both in command-line format. The first
is the native icacls.exe, which is Vista's replacement for the old cacls.exe
tool and is used to view and modify permissions and integrity levels on files
and folders. The second is Mark Minasi's chml.exe tool, which is very similar
to the others but is specific to setting Integrity Levels only. Minasi's tool
is available at www.minasi.com.
So fret not. Although WIC and the mandatory access controls it enables are
complicated in theory, as of now they're not used all that often in practice
-- at least for Windows.
Greg Shields is an Author Evangelist with www.PluralSight.com, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @ConcentratdGreg.