Vista WIL: How to take control of data integrity levels

In the past, Windows users could tweak NTFS permissions and decide who should have access to important data. With the introduction of the Windows Vista operating system, however, the Windows Integrity Levels (WIL) feature seeks to address previous access control shortcomings and avoid human error. Contributor Tony Bradley explains how WIL works and how it can be used to better manage access permissions.

NTFS file and folder permissions found in Microsoft Windows determine who has access to a given file or directory, and whether someone can modify or delete data. From a security perspective, however, there is one big problem with NTFS permissions: they depend on a human to set the restrictions appropriately and decide who should have access.

When Microsoft released the Windows Vista operating system, the software giant introduced a new security concept to address the NTFS shortcoming. Windows Integrity Levels (WIL) control how processes interact with the operating system kernel. The WIL controls are not arbitrary permissions set by the user, and, in fact, they supersede any set NTFS authorizations.

The levels of Windows Integrity Levels
Windows Integrity Levels assigns one of six different integrity levels to every object, whether it is a file, folder, registry key or other basic unit of code. The integrity level, or trustworthiness of a given object, determines how each interacts and whether it can access or act on another object. The six WIL integrity levels are:

  • Untrusted -- This is the lowest of the WIL integrity levels. Processes and users that are logged on anonymously are automatically designated as untrusted.
  • Low -- This level is assigned by default for any interaction with the Internet. With the Low integrity level, Internet Explorer runs in a state called Protected Mode. All files and processes associated with the Web browser are therefore assigned the Low integrity level. Some folders, such as the Temporary Internet Folder, are also assigned this value by default.
  • Medium -- Medium is the default integrity level. Any object not explicitly designated with a lower or higher integrity level is Medium automatically. Authenticated users also receive a default integrity level of Medium.
  • High -- These objects are able to interact with and act upon any other object of High (or lower) integrity levels. Administrators, Backup Operators, and Cryptographic Operators are three groups that are assigned the High integrity level by default.
  • System -- The system integrity level is reserved for the Windows kernel and core services such as LocalService, LocalSystem, and NetworkService. This designation protects these core functions from being affected or compromised, even by administrators.
  • Installer -- The installer integrity level is the highest of all integrity levels. It was established as a special case specifically so that it would be higher than all other integrity values and be able to write and remove objects with the System integrity level. For that reason, objects assigned the installer integrity are able to uninstall all other objects.

Working with Windows Integrity Levels
When troubleshooting access issues, it may be necessary to view or modify the integrity level of an object. Microsoft did not provide a Microsoft Management Console (MMC) plugin or any slick GUI to work with Windows Integrity Levels, but there is a command-line utility called ICACLS that displays both the discretionary and mandatory access controls for a given object, with the exception of objects that are classified as Medium by default. These objects do not actually have an integrity control assigned, so the WIL level will not be displayed for them.

To begin using ICACLS, open a command prompt window (click the Start button, followed by Run; type "cmd.exe" and click OK). Then list out all of the available switches, options and syntax by simply typing ICACLS and hitting enter.

Here are specific examples of how to use ICACLS with Windows Integrity Levels. To view the access list properties associated with a given object, type "icacls" followed by the path of the object to be displayed. For example, to view the WIL integrity level of the calculator (calc.exe file), type: icacls c:\windows\system32\calc.exe. The results will look like this:

[Image: ICACLS output for c:\windows\system32\calc.exe]

The Windows calculator does not have an explicitly assigned WIL integrity level, so it defaults to Medium. As mentioned above, the default mandatory integrity level is not displayed by ICACLS because it is implied rather than assigned. If calc.exe were actually assigned a WIL integrity level of Medium, it would also appear with this additional entry:

Mandatory Label\Mandatory Level

Windows Integrity Levels were developed to provide mandatory access controls to protect the operating system. There are ways for developers or administrators to modify the integrity level of an object, but in general this should not need to be done, and those methods go beyond the scope of this article. Security and network administrators need to be aware that WIL exists, and remember that WIL trumps discretionary access. If an application or process is not functioning properly, it may be due to the Windows Integrity Level of the objects being acted on, and using ICACLS can help determine if WIL is impacting the object.
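The troubleshooting check described above can be scripted. The following is an added example, not code from the article or from Microsoft: it parses ICACLS output, treats a missing label as the implied Medium level, and lists the objects a process at a given level cannot write to on integrity grounds alone. The sample output is constructed, the function names are hypothetical, and it assumes labels carry the default no-write-up (NW) policy.

```python
import re

# The six levels in the order the article lists them, lowest first.
LEVELS = ["Untrusted", "Low", "Medium", "High", "System", "Installer"]
# Label entry as icacls prints it, e.g. Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
LABEL_RE = re.compile(r"Mandatory Label\\(\w+) Mandatory Level:((?:\([A-Z]+\))+)")

# Constructed sample of icacls output for two objects (not captured from a real host).
SAMPLE = r"""C:\Windows\System32\calc.exe NT SERVICE\TrustedInstaller:(F)
                             BUILTIN\Administrators:(RX)
                             BUILTIN\Users:(RX)

C:\Users\alice\AppData\LocalLow NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                BUILTIN\Administrators:(OI)(CI)(F)
                                Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)

Successfully processed 2 files; Failed processing 0 files
"""

def integrity_labels(icacls_output):
    """Return {path: (level, explicit)}; explicit is False for the implied Medium."""
    results = {}
    for block in re.split(r"\n\s*\n", icacls_output.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Successfully processed"):
            continue
        if len(lines) > 1:
            # Continuation ACEs are indented to the column just after "<path> ".
            indent = len(lines[1]) - len(lines[1].lstrip())
            path = lines[0][:indent].rstrip()
        else:
            # Only one ACE: layout cannot separate path from ACE, keep the line.
            path = lines[0]
        m = LABEL_RE.search(block)
        results[path] = (m.group(1), True) if m else ("Medium", False)
    return results

def write_blocked(subject_level, object_level):
    """True when the mandatory check denies a write before NTFS permissions matter."""
    return LEVELS.index(subject_level) < LEVELS.index(object_level)

def triage(icacls_output, subject_level):
    """Paths the subject cannot write to because of integrity level alone."""
    return [path for path, (level, _) in integrity_labels(icacls_output).items()
            if write_blocked(subject_level, level)]

if __name__ == "__main__":
    for path, (level, explicit) in integrity_labels(SAMPLE).items():
        print(path, level, "explicit" if explicit else "implied")
    print("Blocked for a Low process:", triage(SAMPLE, "Low"))
```

To use it on a real system, pass the captured text of an `icacls <path>` run in place of `SAMPLE`.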

While WIL has not gotten the same level of attention that UAC or other Vista features have, it is arguably one of the biggest advances in security for the Windows operating system. Vulnerability exploits and malware often execute with the privileges of the logged-in user account. WIL ensures that critical system processes cannot be altered, even by an administrator, and protects the system against most Web-based or Internet Explorer attacks. By enforcing mandatory integrity controls that supersede assigned, discretionary controls, WIL is a significant step in the right direction for locking down Windows.

About the author:
Tony Bradley is a CISSP, and a Microsoft MVP (Most Valuable Professional). He is a Director with Evangelyze, a Microsoft Partner focused primarily on unified communications. Tony is also a respected expert and author in the field of information security whose work is translated and read around the world. He contributes regularly to a variety of web and print publications, and has written or co-written 8 books. In addition, Tony is the face of the site for Internet / Network Security, where he writes articles and tips on information security and has almost 40,000 subscribers to his weekly newsletter. Mr. Bradley has consulted with Fortune 500 companies regarding information security architecture, policies and procedures, and his knowledge and skills have helped organizations protect their information and their communications.

This was last published in May 2008
