Weekly quickTIP

I Could Tell You, But Then I’d Have to Kill You

Part 1: Windows Integrity Control in Vista and the upcoming Windows Server 2008

Incorporated with Windows Vista and also soon to come in Server 2008 is the concept of Windows Integrity Control. If you’ve played around with Vista’s IE and noticed a new checkbox for Enable Protected Mode, then you’re looking in the right place.

But, what exactly is Protected Mode? Before we talk about how it relates to IE, let’s first talk about Windows Integrity Control and how WIC changes slightly the way we do permissioning in Vista and Server 2008. WIC adds a new layer of permissions to a computer that are Mandatory Access Controls. These new access controls are used to lock prying eyes away from data -- and in the case of Internet Explorer, prying malware away from delicate system processes.

It works a little like this: Think about the servers that store data for the government’s Top Secret programs. For them, it really doesn’t matter if your user account has Full Control privileges to a file share on a top-secret classified server -- if you don’t have top-secret clearance, you’ll never get to see those files (in some cases, enforced with the business end of an M-16).

With WIC, you can set Integrity Levels on files and folders on your system. There are a number of Integrity Levels, but the important ones are those marked Low, Medium, and High. Administrators who are currently using their administrator token reside at the High Integrity Level. Regular users, standard system objects and processes are all at the Medium Integrity Level.

Processes and other items in the operating system cannot interact with other items at a higher Integrity Level. If we wanted to prevent a process or a file from interacting with others at the Medium Integrity Level, we could assign it a Low Integrity Level. Then, no matter what NTFS permissions we have assigned to folders on our network, that item can’t touch our standard system files.

Tech Help—Just An
E-Mail Away

Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the MCPmag.com editors at [email protected]; the best questions get answered in this column and garner the questioner with a nifty Redmond T-shirt.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

The new Vista tool icacls can be used to set Integrity Levels on objects. To see the Integrity Levels on a particular folder, from a Vista or Server 2008 machine type icacls {foldername}. You’ll first notice that not a lot of folders actually have Integrity Levels shown in the interface. Where this new capability comes in quite handy is in protecting Internet Explorer. Next time, I'll show you how it works.

About the Author

Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.

comments powered by Disqus
Most   Popular