When Microsoft released the Windows Vista operating system, the software giant introduced a new security concept to address the NTFS shortcoming. Windows Integrity Levels (WIL) control how processes interact with the operating system kernel. The WIL controls are not arbitrary permissions set by the user, and, in fact, they supersede any set NTFS authorizations.
The levels of Windows Integrity Levels
Windows Integrity Levels assigns one of six different integrity levels to every
-- This is the lowest of the WIL integrity levels. Processes and users that are logged on anonymously are automatically designated as untrusted.
When troubleshooting access issues, it may be necessary to view or modify the integrity level of an object. Microsoft did not provide a Microsoft Management Console (MMC) plug-in or a graphical interface for working with Windows Integrity Levels, but there is a command-line utility called ICACLS that displays both the discretionary and mandatory access controls for a given object. The exception is objects that are classified as Medium by default: these do not actually have an integrity control assigned, so no WIL level is displayed for them.
To begin using ICACLS, open a command prompt window (click the Start button, followed by Run; type "cmd.exe" and click OK). Then list all of the available switches, options and syntax by typing ICACLS and pressing Enter.
Here are specific examples of how to use ICACLS with Windows Integrity Levels. To view the access list properties associated with a given object, type "icacls" followed by the path of the object to be displayed. For example, to view the WIL integrity level of the calculator (calc.exe file), type: icacls c:\windows\system32\calc.exe. The results will look like this:
The Windows calculator does not have an explicitly assigned WIL integrity level, so it defaults to Medium. As mentioned above, the default mandatory integrity level is not displayed by ICACLS because it is implied rather than assigned. If calc.exe were actually assigned a WIL integrity level of Medium, it would also appear with this additional entry:
Mandatory Label\Mandatory Level
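As an added example (not part of the original article), the following Python script parses ICACLS output, reports whether the integrity level is assigned or only implied, and checks whether the no-write-up policy blocks a writer regardless of the discretionary entries. The sample outputs are constructed, and the function names and the level ordering list are assumptions of this example.

```python
import re
import subprocess
import sys

# icacls prints an assigned label as one extra entry, for example:
#   Mandatory Label\High Mandatory Level:(NW)
LABEL_RE = re.compile(
    r"Mandatory Label\\(?P<level>.+?) Mandatory Level:(?P<flags>(?:\([A-Z]+\))+)")

# Assumption of this example: level names as icacls prints them, lowest first.
ORDER = ["Untrusted", "Low", "Medium", "High", "System"]

def integrity_label(icacls_output):
    """Return (level, explicit, flags) parsed from one object's icacls output."""
    m = LABEL_RE.search(icacls_output)
    if m is None:
        # No label entry: nothing is assigned, so Medium is implied, with the
        # default no-write-up (NW) policy.
        return ("Medium", False, ["NW"])
    return (m.group("level"), True, re.findall(r"\(([A-Z]+)\)", m.group("flags")))

def write_blocked(process_level, icacls_output):
    """True if the integrity check alone denies writes, whatever the DACL grants."""
    level, _, flags = integrity_label(icacls_output)
    return "NW" in flags and ORDER.index(process_level) < ORDER.index(level)

# Constructed sample outputs, not captured from a real system.
SAMPLE_DEFAULT = r"""c:\windows\system32\calc.exe NT SERVICE\TrustedInstaller:(F)
                             BUILTIN\Administrators:(RX)
                             BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_HIGH = r"""C:\Tools\admin.cfg BUILTIN\Administrators:(F)
                   BUILTIN\Users:(M)
                   Mandatory Label\High Mandatory Level:(NW)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    # With paths on the command line, query the live system (Windows only).
    texts = [subprocess.run(["icacls", p], capture_output=True, text=True).stdout
             for p in sys.argv[1:]] or [SAMPLE_DEFAULT, SAMPLE_HIGH]
    for text in texts:
        level, explicit, flags = integrity_label(text)
        source = "assigned" if explicit else "implied"
        print(f"{level} ({source}), policy {flags}, "
              f"Medium writer blocked: {write_blocked('Medium', text)}")
```

In the second sample the Users group holds Modify (M), yet a Medium-integrity process is still refused write access because the High label is evaluated before the discretionary entries.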
Windows Integrity Levels were developed to provide mandatory access controls to protect the operating system. There are ways for developers or administrators to modify the integrity level of an object, but in general this should not need to be done, and those methods go beyond the scope of this article. Security and network administrators need to be aware that WIL exists, and remember that WIL trumps discretionary access. If an application or process is not functioning properly, it may be due to the Windows Integrity Level of the objects being acted on, and using ICACLS can help determine if WIL is impacting the object.
While WIL has not gotten the same level of attention that UAC or other Vista features have, it is arguably one of the biggest advances in security for the Windows operating system. Vulnerability exploits and malware often execute with the privileges of the logged-in user account. WIL ensures that critical system processes cannot be altered, even by an administrator, and protects the system against most Web-based or Internet Explorer attacks. By enforcing mandatory integrity controls that supersede assigned, discretionary controls, WIL is a significant step in the right direction for locking down Windows.
About the author:
Tony Bradley is a CISSP, and a Microsoft MVP (Most Valuable Professional). He is a Director with Evangelyze, a Microsoft Partner focused primarily on unified communications. Tony is also a respected expert and author in the field of information security whose work is translated and read around the world. He contributes regularly to a variety of web and print publications, and has written or co-written 8 books. In addition, Tony is the face of the About.com site for Internet / Network Security, where he writes articles and tips on information security and has almost 40,000 subscribers to his weekly newsletter. Mr. Bradley has consulted with Fortune 500 companies regarding information security architecture, policies and procedures, and his knowledge and skills have helped organizations protect their information and their communications.
This was first published in May 2008