Omnipotent owner
The security model just described is also called Discretionary Access Control (DAC). It is so called because the access rights are issued at the discretion of the object owner. The owner therefore has a special role - he can change the DACL of his object at any time. If the DACL of one of his objects denies him access, he can acquire it in two steps - first, by changing the DACL so that it gives him the rights, then by opening the object.
Administrators who are not the object owner can do this in three steps. They hold the SeTakeOwnership privilege in their access token, which entitles them to change the owner of any object. If an administrator wishes to access a stubborn object, he must first take ownership of it, then grant himself an access right in the DACL, and only then can he open it.
Because of these properties, Discretionary Access Control is not ideal for selectively restricting the rights of a single process, such as Internet Explorer, in order to protect against security holes. Of course, it is also possible to place a special SID for IE in its access token and set minutely detailed DACLs which deny this SID all kinds of things. However, as long as the process is running under the account of the logged-on user, access to the objects of this user cannot be prevented.
This may be a reason why Microsoft has decided to implement an additional security mechanism in Vista which has priority over the DAC, i.e. it prevents access where the DAC would otherwise allow it. Every process also carries an integrity level in its access token, which expresses how trustworthy it is. In Vista, there are four levels - Low, Medium, High and System. At Medium level, programs run with standard user rights; High is intended for administrative activities and the even higher level, System, is reserved for a few operating system services. Internet Explorer is ranked right at the bottom at Low level.
From top to bottom
Each object in the system is located on one of the four named levels, marked with a label in its security descriptor. The basic idea behind the integrity levels is that processes running at a lower level are prevented from gaining access to objects at a higher level. Thus, IE at Low level cannot touch user data stored on disk and certainly cannot access system components at an even higher level. Access from bottom to top is restricted, while everything is permitted at the same level or from a higher level to a lower level - still within the framework of discretionary access control, which continues to apply.
Microsoft has placed the label for the integrity level of an object in a component of the descriptor which has so far not been mentioned, the System Access Control List (SACL). In principle, this has the same structure as the DACL and is therefore also a list of entries, each consisting of a type, a SID and a handful of permission bits. In XP, the SACL is used to log specific attempts to access an object.
Vista introduces a new entry type for the integrity label as well as special SIDs for the four levels (in the documentation there is also apparently a fifth level called untrusted, which we have not yet seen in reality). The integrity level is in good hands in the SACL because special privileges are required to change it. Specifically, it is not sufficient to be the owner of an object in order to change the SACL.
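The following model, added here as an example and not part of the original article, shows the order of evaluation described above: the integrity check on the SACL label runs first and overrides a DACL that would otherwise grant access, so IE at Low level cannot write a Medium-labelled user file even though it runs under the user's own SID. It goes slightly beyond the text in one respect: the label entry carries policy bits that decide which kinds of access are blocked from below, and Windows' default for ordinary objects is "no write up" (reads from below remain subject only to the DACL). The SIDs, the DACL layout and the access-mask values are constructed for the model and are not the real Windows encodings, apart from the integrity-level RIDs.

```python
from dataclasses import dataclass

# Integrity level SIDs are S-1-16-<RID>; these RIDs are the real Windows values.
LEVELS = {"Untrusted": 0, "Low": 4096, "Medium": 8192, "High": 12288, "System": 16384}
# Policy bits carried in the mask of the label entry in the SACL.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
# Generic access rights used by this model (not the real Windows mask layout).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

@dataclass
class Token:
    sids: set            # user and group SIDs held by the process
    integrity: int       # RID of the process's integrity level

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list                        # ordered [(kind, sid, mask)], kind "allow" or "deny"
    label: int = LEVELS["Medium"]     # integrity label stored in the SACL
    policy: int = NO_WRITE_UP         # Windows default: lower levels may not write up

def mandatory_check(token, sd, requested):
    """Integrity check, evaluated before the DACL: a lower subject loses the rights named by the policy."""
    if token.integrity >= sd.label:
        return True                   # same or higher level: only the DACL decides
    blocked = 0
    if sd.policy & NO_WRITE_UP:   blocked |= WRITE
    if sd.policy & NO_READ_UP:    blocked |= READ
    if sd.policy & NO_EXECUTE_UP: blocked |= EXECUTE
    return not (requested & blocked)

def dacl_check(token, sd, requested):
    """Discretionary check: walk the ACEs in order; a matching deny wins, allows accumulate."""
    granted = 0
    for kind, sid, mask in sd.dacl:
        if sid not in token.sids:
            continue
        if kind == "deny":
            if mask & requested:
                return False
            continue
        granted |= mask
        if granted & requested == requested:
            return True
    return False

def access_check(token, sd, requested):
    """Access is granted only if both the mandatory and the discretionary check pass."""
    return mandatory_check(token, sd, requested) and dacl_check(token, sd, requested)

# Constructed sample: the logged-on user, and IE running under the same user SID at Low level.
USER = "S-1-5-21-0-0-0-1001"                                   # placeholder user SID
USER_TOKEN = Token(sids={USER}, integrity=LEVELS["Medium"])
IE_TOKEN = Token(sids={USER}, integrity=LEVELS["Low"])
# The user's document: the owner grants himself everything, so the DACL alone would let IE write it.
USER_FILE = SecurityDescriptor(owner=USER, dacl=[("allow", USER, READ | WRITE | EXECUTE)])
# IE's own cache directory is labelled Low, so IE may write there.
IE_CACHE = SecurityDescriptor(owner=USER, dacl=[("allow", USER, READ | WRITE)], label=LEVELS["Low"])
```

With these objects, `access_check(IE_TOKEN, USER_FILE, WRITE)` is refused by the integrity check alone, while the same request from `USER_TOKEN` succeeds.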