What's Mandatory Integrity Control?

Mandatory Integrity Control (MIC) is a cool new security feature built into Windows Vista and Windows Server 2008. It adds another "layer" of security to Windows resources (files, processes, etc.) on top of the usual DACLs (Discretionary Access Control Lists) that we have in Windows XP and Windows Server 2003.

Essentially, Mandatory Integrity Control adds an "Integrity Level" to resources present in the Windows operating system. There are four possible integrity levels. They are (from most privileged to least privileged): System IL, High IL, Medium IL, and Low IL. System Services run at System IL, Administrative Processes run at High IL, and all resources in Windows without an explicitly set integrity level exist at Medium IL by default. When one resource wants access to another resource, the first resource's integrity level must be greater than or equal to the integrity level of the requested resource. This integrity level check takes place before we even check the DACLs on each resource.

Processes, for instance, can access files that have an integrity level lower than or equal to their own integrity level. So let's say I have Notepad running under my own local account (not an administrative account). By default, Notepad.exe is launched with an integrity level of Medium. As long as I am trying to write to a file that has an integrity level of Medium or below, the operation will succeed just fine.

However, if I have a file that is sitting there with an integrity level of High, the write operation from Notepad will fail because Notepad doesn't have the proper integrity rights to access and to write to that resource.

Let's go ahead and take a look at this in action (you can work through this "demo" if you are currently running Windows Vista or Windows Server 2008).

Demo

You _must_ be running Vista or Windows Server 2008 for this demo to work.

1) Launch Notepad

2) Enter some text and save the file as “test.txt” on your desktop. Now we have a text file with the default Medium IL.

3) Launch a command prompt as Administrator (from the shortcut, right click and choose “Run As Administrator”)

4) Navigate to your desktop (“cd C:\Users\USER_NAME\Desktop” in the command line for a default Vista installation).

5) Issue this command to set the created file’s integrity level to a High IL: “icacls test.txt /setintegritylevel H”. Now that the file has a High integrity level, a default Notepad process won’t be able to save the file.

6) Launch Notepad again (make sure it isn’t launched as Administrator since Administrator permissions will make it have an integrity level of High, voiding this experiment).

7) Open test.txt from your desktop

8) Change the file and try to save it. Notepad will fail while trying to save (Notepad gives a “user-friendly” error, but the underlying error is actually “Access Is Denied”).

There you have it, Mandatory Integrity Control in action! However, that's not the end to the story!

Did You Know? Internet Explorer “Protected Mode” actually uses Mandatory Integrity Levels under the hood to achieve its goals. Since IE Protected Mode runs with a low integrity level, and all files on the file system (and running processes) are a medium integrity level by default, an attempt to write to those files or processes fails.
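The demo's check and the Protected Mode case above, as an added example rather than code from the original post: it reads the integrity label out of `icacls test.txt` output and applies the rule described earlier (integrity level first, DACL second). The sample output is constructed, the account name `alice` is hypothetical, and the function names are this example's own.

```python
import re

# Integrity levels named on this page, least to most privileged.
LEVELS = {"Low": 1, "Medium": 2, "High": 3, "System": 4}
DEFAULT_LEVEL = "Medium"  # applies when no label is set explicitly

# icacls prints an explicit label as "Mandatory Label\High Mandatory Level:(NW)".
LABEL_RE = re.compile(r"Mandatory Label\\(\w+) Mandatory Level:")


def file_integrity_level(icacls_output: str) -> str:
    """Return the file's integrity level from the text icacls prints."""
    match = LABEL_RE.search(icacls_output)
    if match is None:
        return DEFAULT_LEVEL  # no label entry listed, so the default applies
    level = match.group(1)
    if level not in LEVELS:
        raise ValueError(f"unrecognised integrity level: {level!r}")
    return level


def write_allowed(process_level: str, icacls_output: str, dacl_allows: bool) -> bool:
    """Apply the page's order of checks: integrity level first, DACL second."""
    if LEVELS[process_level] < LEVELS[file_integrity_level(icacls_output)]:
        return False  # denied before the DACL is ever consulted
    return dacl_allows


# Constructed sample output (assumption: account name "alice" is hypothetical).
BEFORE_STEP_5 = r"""test.txt NT AUTHORITY\SYSTEM:(I)(F)
         BUILTIN\Administrators:(I)(F)
         DESKTOP\alice:(I)(F)
"""
AFTER_STEP_5 = BEFORE_STEP_5 + r"         Mandatory Label\High Mandatory Level:(NW)" + "\n"

if __name__ == "__main__":
    for name, text in (("before step 5", BEFORE_STEP_5), ("after step 5", AFTER_STEP_5)):
        level = file_integrity_level(text)
        # Low models IE Protected Mode, Medium a default Notepad, High an elevated one.
        for proc in ("Low", "Medium", "High"):
            verdict = "allowed" if write_allowed(proc, text, dacl_allows=True) else "denied"
            print(f"{name}: file={level:<6} process={proc:<6} write {verdict}")
```

The Low row corresponds to an IE Protected Mode process, which is refused even against the default Medium file although the DACL would allow the write.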

Comments

  • Anonymous
    December 14, 2007
    While enhanced security is a good thing, I think a “user friendly” message is not. In this demo the error message Windows XP shows is “cannot create…<filename>…make sure the path and filename is correct”. The message should state exactly what is the issue to help the user correctly diagnose the problem.

  • Anonymous
    December 14, 2007
    Agreed. But this isn't coming from MIC. This error is because of Notepad (Notepad is bad at giving good error information). Under the hood, the actual exception thrown to the application is "Access is Denied" as it should be since the user doesn't have access to modify the file.