Introduction to integrity control in Windows Vista


When the software developers at Microsoft started building the latest version of the operating system, Windows Vista, they set out to make it the most secure version of Windows ever. One of the features built into Windows Vista that makes it more secure is Windows Integrity Control (WIC).

The purpose of WIC is to protect objects, whether files, printers, named pipes or registry keys, from attackers, malware and even user error. The WIC concept is based on establishing the trustworthiness of each object and controlling interactions between objects according to their integrity levels.

WIC integrity levels are a mandatory control, and they override the discretionary controls, such as NTFS file and folder permissions, that administrators are familiar with. WIC's main goal is to ensure that only subjects with an integrity level equal to or greater than that of the target object are allowed to interact with it. In essence, a less trusted object is prevented from acting on or interacting with more trusted objects.

WIC takes precedence over normal permissions. Even if a file or process has Full Control permissions on another object, if that file or process has a lower integrity level than the object it is trying to interact with, WIC overrides the permission and the interaction is denied.

Determining reliability using WIC

To control interactions between objects, Windows must first determine the integrity of each object. WIC assigns one of the following six integrity levels to each object:

Untrusted - Anonymous logon processes are automatically assigned the Untrusted level.

Low - Low is the default integrity level used for interacting with the Internet. When Internet Explorer runs in its default state, Protected Mode, all files and processes associated with it are assigned the Low integrity level. Many folders, such as the Temporary Internet Files folder, are also assigned the Low integrity level by default.

Medium - Medium is the level at which most objects operate. Standard users receive Medium integrity, and any object that is not explicitly assigned a higher or lower integrity level is treated as Medium.

High - Administrators operate at the High integrity level. This ensures that administrators can interact with and change objects assigned Low or Medium integrity, and can also act on other objects with High integrity, actions that are not available to standard users.

System - As the name implies, the System integrity level is reserved for the system. The Windows kernel and core services run at this level. It is higher than the administrators' High level so that core functions are protected from being affected or damaged.

Installer - The Installer level is a special case and is the highest integrity level. Because it is equal to or higher than every other WIC integrity level, objects assigned to this level can uninstall all other objects.

By assigning the Medium integrity level to standard users and to all unlabeled objects, Vista protects the majority of objects on the computer from the effects of Internet threats.

Likewise, administrators take precedence over standard users by operating at the High integrity level, while the operating system kernel and core functions run at an even higher integrity level, ensuring that accidents by administrators or administrator accounts cannot adversely affect the core system.

To repeat, WIC integrity levels and controls are similar to NTFS folder and file permissions. The main difference is that NTFS permissions are discretionary controls while WIC integrity levels are mandatory controls. Basically, file and folder access privileges and permissions are assigned by the owner or an administrator, while the WIC integrity level is specified by the operating system.

Although these four levels are used sparingly in practice, the difference between Low and Medium is where WIC does its real work. Adding mandatory controls rather than relying on the user or administrator clearly improves security at all levels, but the ability to isolate files and processes coming from the Internet and to protect the computer against Internet malware is one of the main reasons for WIC's existence.

Protecting Vista from Internet threats

While standard users operate at Medium integrity and administrators at High, WIC treats the Internet and the files or processes that come from it as completely untrusted and assigns them to the Low integrity level by default.

When a user receives an email linking to a dangerous website (the kind of email that should simply be deleted) and clicks the link, the malicious website can install one or more kinds of malware on that person's computer. The malware copies itself to many other locations on the hard drive and changes Registry keys to make sure it persists. It may also change or delete files or execute processes to carry out dangerous actions.

In Windows XP or older systems, it is very difficult to protect the system against such malware. With Windows Vista, everything related to the Internet operates at the Low integrity level, so the malware is unable to change, delete or interact with anything in the system.

Using Protected Mode

Internet Explorer automatically runs at the Low integrity level when it is in Protected Mode. Protected Mode has been cited as one of the significant security enhancements in Windows Vista and Internet Explorer 7. When Protected Mode is enabled, all functions in Internet Explorer are assigned the Low integrity level by default.

Many websites may not function properly with the limited functionality available in Protected Mode. You can go to the Security tab in Internet Options and uncheck 'Enable Protected Mode'. However, this removes most of the protection Vista provides against unauthorized and dangerous actions coming through the Internet, so we recommend leaving Protected Mode turned on.

In a business, the question of whether to enable or disable Protected Mode is settled by using Group Policy. For individual users, rather than disabling Protected Mode to access sites that have problems with it, simply add those sites to the Trusted sites security zone in Internet Explorer. Each security zone in Internet Explorer has its own security configuration, and the Trusted sites zone has Protected Mode disabled by default.

Using ICACLS to view integrity levels

One of the problems administrators encounter when troubleshooting permissions in a Windows environment is finding out why someone cannot access something. If a process fails, a file will not execute or a user cannot write to a folder, one troubleshooting step is to check the WIC integrity level of the object in question and of the subject trying to act on it, to determine whether WIC is the hidden cause.

Windows Vista does not provide a user interface for viewing or changing the integrity level of an object. However, the ICACLS command-line utility displays the contents of the discretionary access control list (DACL) as well as the mandatory label. Objects that are not explicitly assigned a label are automatically treated as Medium integrity, although the Medium integrity label is not displayed by ICACLS because it is implied rather than explicit.

To use the ICACLS utility, first open a command prompt. ICACLS has a number of switches and syntax options; you can get details on each of them simply by typing icacls at the command prompt and pressing Enter. We will focus on two uses of ICACLS here.

First, viewing the integrity level. To view the integrity level and the other contents of the discretionary access control list, type icacls followed by the path of the object you want to check. For example, to view the mandatory integrity level of the explorer.exe file, type icacls c:\windows\explorer.exe. The result looks like the following.

C:\Windows\explorer.exe NT SERVICE\TrustedInstaller:(F)
                        BUILTIN\Administrators:(RX)
                        NT AUTHORITY\SYSTEM:(RX)
                        BUILTIN\Users:(RX)

As shown above, no explicit mandatory integrity level is assigned to the explorer.exe file, so its level is implied. If a specific mandatory integrity level were assigned, there would be an additional entry like the following:

Mandatory Label\Medium Mandatory Level

Keep in mind that when you use ICACLS to determine the mandatory integrity level of objects interacting under WIC, an object with no mandatory label is assigned Medium by default.

It is also possible to change an object's integrity level using ICACLS. To do so, a user must hold SeRelabelPrivilege. To change the integrity level of an object, the user also needs modify permission and ownership (or the right to take ownership) of the target object. As long as these privileges are satisfied, the user can lower or raise the integrity level of an object. However, a user cannot set an object to an integrity level higher than their own.

With the correct permissions and privileges, you can change the integrity level of an object with the ICACLS tool by typing icacls <path> /setintegritylevel H|M|L. The label H, M or L at the end assigns the High, Medium or Low integrity level, respectively.
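The following Python helper, added here as an example and not part of ICACLS or the article, parses icacls output of the shape shown above and reports the object's effective mandatory integrity level, applying the rule from this section: when no Mandatory Label entry is printed, the level is Medium, so a checker must not report "no label" as "no level". Its two sample listings are constructed from the article's explorer.exe output (with the backslashes restored) and from a hypothetical Low-labeled file; the parser assumes a path without spaces and also accepts an optional access-policy flag such as (NW) after the label, which real icacls prints but the article's example does not show.

```python
"""Recover the effective WIC label from icacls output (added example, hypothetical helper)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# "Mandatory Label\<Level> Mandatory Level" optionally followed by ":(NW)" etc.
LABEL_RE = re.compile(
    r"Mandatory Label\\(?P<level>Untrusted|Low|Medium|High|System|Installer) Mandatory Level"
    r"(?::\((?P<policy>[A-Z,]+)\))?"
)
# An ordinary DACL entry: "<principal>:(<rights>)"
ACE_RE = re.compile(r"^(?P<principal>[^:]+?):\((?P<rights>[^)]*)\)$")


@dataclass
class IcaclsEntry:
    path: str
    level: str                      # effective level; "Medium" when implied
    explicit: bool                  # True only if a Mandatory Label entry was printed
    policy: str                     # e.g. "NW" (no-write-up); "" when not printed
    dacl: List[Tuple[str, str]]     # (principal, rights) pairs


def parse_icacls(output: str) -> IcaclsEntry:
    """Parse one object's icacls listing. Assumes the path contains no spaces."""
    lines = [ln.strip() for ln in output.strip().splitlines() if ln.strip()]
    first = lines[0]
    path, _, first_ace = first.partition(" ")  # first line is "<path> <first ACE>"
    aces = [first_ace] + lines[1:]
    level, explicit, policy, dacl = "Medium", False, "", []
    for ace in aces:
        if ace.startswith("Successfully processed"):
            continue  # icacls summary line, not an ACE
        m = LABEL_RE.search(ace)
        if m:
            level, explicit, policy = m.group("level"), True, m.group("policy") or ""
            continue
        m = ACE_RE.match(ace)
        if m:
            dacl.append((m.group("principal"), m.group("rights")))
    return IcaclsEntry(path, level, explicit, policy, dacl)


def describe(entry: IcaclsEntry) -> str:
    """One-line summary suitable for a troubleshooting note."""
    source = "explicit label" if entry.explicit else "implied default, no label printed"
    return f"{entry.path}: {entry.level} integrity ({source})"


# Constructed from the article's listing (backslashes restored); no label.
IMPLIED = r"""
C:\Windows\explorer.exe NT SERVICE\TrustedInstaller:(F)
                        BUILTIN\Administrators:(RX)
                        NT AUTHORITY\SYSTEM:(RX)
                        BUILTIN\Users:(RX)
"""

# Constructed: a hypothetical file carrying an explicit Low label with the
# no-write-up flag, as a Protected Mode download location would.
EXPLICIT_LOW = r"""
C:\Users\alice\AppData\LocalLow\sample.txt BUILTIN\Users:(RX)
                        Mandatory Label\Low Mandatory Level:(NW)
"""

if __name__ == "__main__":
    for listing in (IMPLIED, EXPLICIT_LOW):
        print(describe(parse_icacls(listing)))
```

The explicit flag is what matters when troubleshooting: a missing Mandatory Label line means Medium, not "unlabeled", so a Low-integrity process attempting to write to that object is blocked even if the DACL it shows grants Full Control.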

Safer with WIC

When it comes to data security on Windows computers, one of the most unpredictable and uncontrollable variables is the human component. Today, organizations have begun to realize that users cannot be relied on to properly classify and encrypt sensitive information, so there is a trend toward deploying disk encryption on computing devices, especially mobile ones, to remove that variable.

WIC works in a similar way. Users can manage files and folders and assign privileges that allow groups or individuals to view, modify, delete or perform other actions on them. However, discretionary access controls still rely on the user to perform these activities correctly.

Many improvements could still be made, for example better management and configuration tools than the ICACLS command-line tool. The security provided by WIC is not complete, but it is better than the security model of previous Windows versions, and it protects a Vista system from many threats that could affect Windows XP, Windows 2000 or earlier operating systems.

Update 13 December 2018