Without permission
The SACL entry with the integrity label contains three flags which define in detail which types of access from bottom to top should be denied - No Write Up, No Read Up or No Execute Up. In the file system, Vista defaults to using "No Write Up". Since Medium level is intended for most objects, Vista takes this as the default value when nothing has been explicitly indicated in the security descriptor. In the end, this means that Internet Explorer, which is running at low-level, is not allowed to write most of the files and folders although it can probably read them and execute programs from them.
While we are on the subject of Internet Explorer, it always appears as an example since it is the only program which defaults to running at integrity level Low. Explaining the security architecture of IE fully is beyond the scope of this article. We will therefore just mention the following. A broker process at Medium integrity level helps IE so the user can save a downloaded file in any folder he chooses. It is shown in Process Explorer under the name ieuser.exe. Whenever Internet Explorer is mentioned in the following, this will always refer to the main component iexplore.exe running at Low integrity level, which must be secured against potential security holes.
Going down
Vista's properties dialog for files and folders knows nothing about integrity levels so command-line tools have to be used to look at them. The command icacls allows the DACL and the integrity level of files and folders to be displayed and edited. For example, if you enter the command
icacls AppData\LocalLow
in your user folder, you will find in its output "\label\Low Mandatory Level", i.e. the label for the integrity level Low, followed by "(OI)(CI)(NW)". NW stands for the access flag, "No Write Up", mentioned above; OI and CI stand for the inheritance flags "Object inherit" and "Container inherit". The inheritance flags define whether objects which have just been created in a folder inherit the relevant ACL entry. Here, Windows makes a distinction between bequeathal to simple objects (files) and bequeathal to container objects (folders). The output of icacls therefore means that the folder LocalLow has the integrity level Low and bequeaths this to all files and folders created in it. Microsoft has expressly intended this to be a store location for data from applications running at Low level.
The small command line program AccessChk from Mark Russinovich offers some interesting options for investigating access rights and integrity levels in greater detail. Thus, the command
accesschk -d -e -s c:\
lists all the folders which explicitly have an integrity level set. In this way, as well as AppData\LocalLow in the user folder, it is also possible to find numerous other folders in the system which carry the integrity level Low and can therefore be written by Internet Explorer - for example, the "Favorites" sub-folder of the user folder, various folders for temporary files and the history etc.
The second part of this article describes how processes in general access their privileges and, therefore, their integrity level. We also use a practical example to show how Firefox gets to run with the integrity level Low. (bo)
Tools for the article
- Process Explorer in the software folder
Sysinternals/Microsoft-Tool, which displays detailed information on all the processes in the system. - Windows XP Service Pack 2 Support Tools in the software folder
Contains among other things the command-line program whoami.exe mentioned in this article - AccessChk in the software folder
Tool from Mark Russinovich for checking access rights, in particular, for displaying integrity levels. - chml from Mark Minasi in the software folder
A utility for handling integrity levels.
[1] Mark E. Russinovich, David A. Solomon, Microsoft Windows Internals, Fourth Edition, Microsoft Press 2005