Weekly quickTIP
I Could Tell You, But Then I’d Have to Kill You
Part 1: Windows Integrity Control in Vista and the upcoming Windows Server 2008
- By Greg Shields
- 09/17/2007
Incorporated with Windows Vista and also soon to come in Server 2008 is the concept of Windows Integrity Control. If you’ve played around with Vista’s IE and noticed a new checkbox for Enable Protected Mode, then you’re looking in the right place.
But, what exactly is Protected Mode? Before we talk about how it relates to IE, let’s first talk about Windows Integrity Control and how WIC changes slightly the way we do permissioning in Vista and Server 2008. WIC adds a new layer of permissions to a computer that are Mandatory Access Controls. These new access controls are used to lock prying eyes away from data -- and in the case of Internet Explorer, prying malware away from delicate system processes.
It works a little like this: Think about the servers that store data for the government’s Top Secret programs. For them, it really doesn’t matter if your user account has Full Control privileges to a file share on a top-secret classified server -- if you don’t have top-secret clearance, you’ll never get to see those files (in some cases, enforced with the business end of an M-16).
With WIC, you can set Integrity Levels on files and folders on your system. There are a number of Integrity Levels, but the important ones are those marked Low, Medium, and High. Administrators who are currently using their administrator token reside at the High Integrity Level. Regular users, standard system objects and processes are all at the Medium Integrity Level.
Processes and other items in the operating system cannot interact with other items at a higher Integrity Level. If we wanted to prevent a process or a file from interacting with others at the Medium Integrity Level, we could assign it a Low Integrity Level. Then, no matter what NTFS permissions we have assigned to folders on our network, that item can’t touch our standard system files.
Tech Help—Just An
E-Mail Away |
Got a Windows, Exchange or virtualization question
or need troubleshooting help? Or maybe you want a better
explanation than provided in the manuals? Describe
your dilemma in an e-mail to the MCPmag.com editors
at [email protected];
the best questions get answered in this column and garner
the questioner with a nifty Redmond T-shirt.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message, but submit the requested
information for verification purposes.) |
|
|
The new Vista tool icacls can be used to set Integrity Levels on objects. To see the Integrity Levels on a particular folder, from a Vista or Server 2008 machine type icacls {foldername}. You’ll first notice that not a lot of folders actually have Integrity Levels shown in the interface. Where this new capability comes in quite handy is in protecting Internet Explorer. Next time, I'll show you how it works.
About the Author
Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.