2007-02-02
In Windows XP or older systems, whether or not the malware succeeds is more or less a function of the rights and privileges of the logged-in user and whether or not the system and Registry have been hardened or protected in any way to block such attempts. With Vista, because everything related to the Internet runs at a Low integrity level, the malware will be unable to modify, delete or interact with virtually anything else on the system.
These protections shield Vista systems from the vast majority of malware. Most of the time, users now become compromised or infected by malware through visiting malicious web sites or opening e-mail file attachments. The same protection does not apply, however, when a user brings in files on CD, DVD, USB drive or other removable media: those files execute at the integrity level of the logged-in user.
Using Protected Mode
The automatic designation of Low integrity relies on Internet Explorer running in Protected Mode. Protected Mode has been hyped as one of the significant security updates in Windows Vista and in Internet Explorer 7. As long as Protected Mode is on, everything that Internet Explorer does is assigned Low integrity by default.
Some sites may not function properly with the restrictions imposed by Protected Mode. It is possible, on the Security tab of the Internet Options configuration console, to uncheck the option to ‘Enable Protected Mode’. Doing so removes most of the protection Vista provides against unauthorized or malicious activities via the Internet though, so it is highly recommended that you leave Protected Mode on.
In an enterprise, the ability to enable or disable Protected Mode can, and should, be removed using Group Policy. For individual users, rather than disabling Protected Mode to access sites that have issues, simply add those sites to the Trusted security zone in Internet Explorer. Each security zone in Internet Explorer has its own unique security configuration, and the Trusted zone runs with Protected Mode disabled by default.
Using ICACLS to view integrity levels
One of the issues that administrators typically run into when dealing with rights and permissions in a Windows environment is trying to figure out who has access to what. If a process fails, or a file won’t execute, or a user can’t write data to a folder, one troubleshooting method is to examine the WIC integrity level of the object in question and of the object it is trying to act on, to determine whether WIC is behind the failure.
Windows Vista does not provide anything slick or pretty to let you view or alter the integrity level of an object. There is, however, a command line utility called ICACLS which will display the contents of the discretionary ACL, as well as mandatory labels. As stated earlier, objects that are not explicitly assigned a label are automatically designated as Medium integrity, however the Medium integrity label won’t show up using ICACLS because it is implied and not explicit.
To use the ICACLS utility, you first need to open a command prompt window. There are a number of switches and syntax possibilities to use with the ICACLS tool. You can get information and details on each of the options and examples of their uses by simply typing ‘icacls’ at the command prompt and hitting Enter. We will focus on two uses of ICACLS here.
First, viewing the integrity level. To view the integrity level, and other contents of the discretionary access list, type icacls followed by the path of the object you wish to examine. For example, if you wish to view the mandatory integrity level of the explorer.exe file, you would type icacls c:\windows\explorer.exe. The results will look like this:
C:\windows\explorer.exe NT SERVICE\TrustedInstaller:(F)
BUILTIN\Administrators:(RX)
NT AUTHORITY\SYSTEM:(RX)
BUILTIN\Users:(RX)
As mentioned above, the mandatory integrity level assigned to the explorer.exe file is implied by the fact that it does not have a specific mandatory integrity level assigned. If there were a mandatory integrity level, there would be an additional entry that would look like this:
Mandatory Label\Medium Mandatory Level
Just keep in mind that if you are using ICACLS to determine the mandatory integrity level that governs object interactions in WIC, no mandatory label entry means that the object is Medium by default.
It is also possible to change an object’s integrity level using ICACLS. To do so, a user must be assigned the SeRelabelPrivilege. In order to change the integrity level of an object, the user needs the authority to “change permissions” as well as “take ownership” of the target object. As long as these privileges are in place, a user may modify or elevate the integrity level of an object. However, the user can never set the object to a higher integrity level than their own.
Assuming you have the proper permissions and privileges, you can modify the mandatory integrity level of an object with the ICACLS tool by typing icacls followed by the appropriate arguments. The label at the end, either H, M or L, assigns a mandatory integrity level of High, Medium or Low to the specified object respectively.
Safer and more secure with WIC
When it comes to securing data on a Windows-based computer, one of the most unpredictable and uncontrollable variables is the human component. Organizations have started to realize that users cannot be relied upon to properly classify and encrypt sensitive information, so there is a growing trend to implement whole-disk encryption, especially on mobile computing devices, and remove that variable.
Windows Integrity Control operates from a similar perspective. Users may have the ability to own files and folders and to assign rights and privileges governing which groups or individuals are allowed to view, modify, delete, or otherwise perform actions on them. However, the user’s discretion cannot always be relied upon, and therefore discretionary access controls cannot be relied upon to protect the objects in question.
With WIC, Microsoft has added the concept of mandatory access controls which are more or less set by the operating system, and trump, or override the discretionary access controls. Segregating all files and processes that originate from the Internet and prohibiting them from interacting with or modifying files or objects on the system help to make the system more secure when surfing the Web.
WIC is not a silver bullet. There are some improvements that could be made, for example providing a better management and configuration tool than the ICACLS command line tool. The security provided by WIC is not perfect, but it is superior to the current Windows security model and helps protect a Vista system from many threats which could impact Windows XP, Windows 2000 or older operating systems.
Further reading
Mandatory Integrity Control in Windows Vista:
http://blogs.technet.com/steriley/archive/2006/07/21/442870.aspx
First Look: New Security Features in Windows Vista:
http://www.microsoft.com/technet/technetmag/issues/2006/05/FirstLook/default.aspx
Protected Mode in Vista IE7:
http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx
Why Vista? Mandatory Integrity Control (MIC) (Security, Stability, System Integrity):
http://adopenstatic.com/cs/blogs/ken/archive/2006/08/18/Why-Vista_3F00_-Mandatory-Integrity-Control-_2800_MIC_2900_-_2800_Security_2C00_-Stability_2C00_-System-Integrity_2900_.aspx