Weekly quickTIP

Integrity Check

Part 2: How to customize integrity levels for files and folders using the Windows Integrity Control.

Last week, we talked about the new Windows Integrity Control (WIC) and how you can assign a Low integrity level to an object in the system. The rule WIC enforces is "no write up": a process running at Low integrity cannot write to or modify objects labeled at a higher level. That check happens before the discretionary permissions are even consulted, so it holds no matter how you’ve set up your NTFS or share permissions.

The major user of WIC in Windows Vista and Server 2008 is Internet Explorer. If you click Tools | Internet Options and then the Security tab, you’ll see a checkbox labeled Enable Protected Mode (it is only offered while User Account Control is turned on). What does this checkbox actually do?

To answer the question, let’s continue our conversation from last week on integrity levels. Recall that the default integrity level is Medium: standard user tokens, the processes they start, and any file or folder that carries no explicit label are all treated as Medium. Now think about our Temporary Internet Files folder. This location is a potentially hazardous place, where malware can set up camp if we accidentally click the wrong link on a Web page. The items in this location are those downloaded off the Internet and probably shouldn’t be able to touch the rest of our system.

So, what happens when we run Internet Explorer at Low integrity and label this folder and all its files Low? The Low-integrity browser can still read Medium objects, but it can no longer write to them. Even if we’ve reset the permissions to Everyone | Full Control for the C:\Windows folder and its subfolders (which is not a good idea, but it makes the point), the Low process is refused before the DACL is ever examined. The Low label on the folder doesn’t restrict the files themselves; it gives the Low process a place it is allowed to write, since a Low process can only write to objects labeled Low. Between the two rules, anything the browser downloads lands in its Low folders and can’t be written anywhere else in the profile or the system. That’s essentially what happens when you enable Protected Mode.
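The "no write up" behavior described above, as an added example that is not part of the original column: a throwaway folder is labeled Low, a second folder is left at the default Medium but given an Everyone | Full Control DACL, and a copy of cmd.exe labeled Low is started so that it runs at Low integrity (a process is created at the lower of its parent’s level and its executable file’s label). The folder names under %TEMP%, the function name, and the use of a Low-labeled cmd.exe to obtain a Low process are my choices, not anything Internet Explorer itself does.

```powershell
# Added example, not from the original column. Run from a normal
# (non-elevated, Medium-integrity) PowerShell session on Vista/2008 or later.
# All paths below are my own throwaway locations under %TEMP%.
$base   = Join-Path $env:TEMP 'wic-demo'
$medium = Join-Path $base 'medium'     # no label: treated as Medium
$low    = Join-Path $base 'low'        # will be labeled Low
$lowCmd = Join-Path $base 'lowcmd.exe' # copy of cmd.exe, labeled Low

New-Item -ItemType Directory -Force -Path $medium, $low | Out-Null

# The "Everyone | Full Control" case: a wide-open DACL on the Medium folder.
icacls $medium /grant 'Everyone:(OI)(CI)F' | Out-Null

# Label the other folder Low; (OI)(CI) makes files created inside inherit it.
icacls $low /setintegritylevel '(OI)(CI)L' | Out-Null

# A process started from an image file labeled Low runs at Low integrity.
Copy-Item "$env:SystemRoot\System32\cmd.exe" $lowCmd -Force
icacls $lowCmd /setintegritylevel L | Out-Null

function Test-WriteFromLow {
    param([string]$TargetDir)
    $probe = Join-Path $TargetDir 'probe.txt'
    Remove-Item $probe -ErrorAction SilentlyContinue
    # The Low-integrity cmd tries to create a file in the target folder.
    Start-Process -FilePath $lowCmd `
        -ArgumentList '/c', "echo probe> `"$probe`"" `
        -Wait -WindowStyle Hidden
    return (Test-Path $probe)   # True only if the write was allowed
}

"Low process wrote into Medium folder with Everyone:F DACL: $(Test-WriteFromLow $medium)"
"Low process wrote into Low-labeled folder:                 $(Test-WriteFromLow $low)"

Remove-Item $base -Recurse -Force
```

The first probe is refused even though the DACL would allow it, because the mandatory integrity check runs first; the second succeeds because the target is labeled Low. Note that the Medium PowerShell session deletes everything at the end without trouble: WIC stops writes upward only, so a Medium process can freely read, write and delete inside a Low folder.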

For Internet Explorer on Vista and Server 2008, the folders that are actually set to Low Integrity level are:

  • Cache: %UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
  • Temp: %UserProfile%\AppData\Local\Temp\Low
  • Cookies: %UserProfile%\AppData\Roaming\Microsoft\Windows\Cookies\Low
  • History: %UserProfile%\AppData\Local\Microsoft\Windows\History\Low
  • Other Files (Like Java & Crypto): %UserProfile%\AppData\LocalLow

As we said last week, you can use the native tool icacls to view the integrity levels on these folders; just run icacls followed by the folder path. Take a second to check it out. For each of the folders above (and a few others), you’ll see a result like the one below. The leading "Low" is icacls printing the folder name, the lines that follow are its permission entries, and the last line is the integrity label: (NW) means "no write up", and (OI)(CI) mean the label is inherited by files and subfolders created inside. A folder with no Mandatory Label line has no explicit label and is treated as Medium.

Low SPECIALIZED\gshields:(I)(F)
SPECIALIZED\gshields:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)

This functionality isn’t limited to Internet Explorer. Using the same icacls tool you can set new integrity levels for your own files and folders. The level is given as L, M or H (Low, Medium or High); for a folder, prefix it with (OI)(CI) so that files and subfolders created inside inherit the label, otherwise only the folder itself is labeled. To set the level to Low for a file and then for a folder and its future contents, type:

icacls <file> /setintegritylevel L
icacls <folder> /setintegritylevel (OI)(CI)L

Keep in mind what the label does and doesn’t do: it decides what a Low-integrity process may write to, and nothing more. A Medium process, including anything you run yourself, can still read, write and delete inside a Low folder, and a file labeled Low is not itself restricted in any way unless it is run as a process.
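A small audit-and-set script covering both halves of the procedure above (reading the labels on the Protected Mode folders, then labeling a folder of your own), as an added example that is not part of the original column. It drives the native icacls tool the column describes and parses its output; the function names, the regular expression, the %TEMP% sandbox folder, and the use of $LASTEXITCODE for error handling are my choices.

```powershell
# Added example, not from the original column. Uses the native icacls tool;
# function names and the sandbox folder under %TEMP% are my own choices.

function Get-IntegrityLabel {
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    # icacls prints the path followed by one ACE per line; an explicit label
    # appears as "Mandatory Label\<Level> Mandatory Level:(flags)". No such
    # line means no explicit label, which WIC treats as Medium.
    $out = icacls $Path 2>&1 | Out-String
    if ($out -match 'Mandatory Label\\(Low|Medium|High|System) Mandatory Level:((?:\(\w+\))+)') {
        return "$($Matches[1]) $($Matches[2])"
    }
    return 'Medium (implicit, no label ACE)'
}

function Set-IntegrityLabel {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][ValidateSet('L','M','H')][string]$Level,
        [switch]$Inherit   # add (OI)(CI) so new children inherit; folders only
    )
    $arg = if ($Inherit) { "(OI)(CI)$Level" } else { $Level }
    $null = icacls $Path /setintegritylevel $arg 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on '$Path' (exit code $LASTEXITCODE)" }
}

# The Protected Mode locations listed in the column, in PowerShell form.
$protectedModeFolders = @(
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files\Low"
    "$env:LOCALAPPDATA\Temp\Low"
    "$env:APPDATA\Microsoft\Windows\Cookies\Low"
    "$env:LOCALAPPDATA\Microsoft\Windows\History\Low"
    "$env:USERPROFILE\AppData\LocalLow"
)
foreach ($folder in $protectedModeFolders) {
    '{0,-34} {1}' -f (Get-IntegrityLabel -Path $folder), $folder
}

# Label a folder of your own the way the Protected Mode folders are labeled,
# then show that a file created in it afterwards picks up the label.
$sandbox = Join-Path $env:TEMP 'my-low-folder'
New-Item -ItemType Directory -Force -Path $sandbox | Out-Null
Set-IntegrityLabel -Path $sandbox -Level L -Inherit
$note = Join-Path $sandbox 'note.txt'
New-Item -ItemType File -Force -Path $note | Out-Null
'{0,-34} {1}' -f (Get-IntegrityLabel -Path $sandbox), $sandbox
'{0,-34} {1}' -f (Get-IntegrityLabel -Path $note), $note
```

On a system where Protected Mode has been used, the five folders report a Low label with (NW); any folder that has never been created yet reports "missing" rather than a label. The sandbox folder reports Low with (OI)(CI)(NW), and the file created inside it afterwards reports a Low label marked as inherited, which is the (OI) flag doing its job. Set-IntegrityLabel refuses anything other than L, M or H up front, so a typo can’t silently pass an odd argument through to icacls.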

Nifty, eh?

About the Author

Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.
