WIC Components


As I've said before, the Internet drives Microsoft security people crazy, and you can see why. XP is a pretty stable and secure operating system, just so long as you patch, don't install any bad applications, and, if you do install one, don't give it administrator-level powers. Of course, that's just what we do all of the time, because getting anything done in XP and earlier versions of Windows requires running ourselves and our applications as administrators. As you've seen so far in this book, Microsoft is trying to administer some strong medicine to Windows and, to some extent, to the way that we use our computers, in order to keep the worms, bots, and Trojans away.

Now, if you thought that User Account Control (UAC) was a real change in the way that Windows works, get ready for Windows integrity control, WIC for short. With WIC, Microsoft introduces a piece of Windows infrastructure that is as important and ubiquitous as NTFS file permissions and that has appeared in other operating systems in the past, but those operating systems were, for the most part, military and government "trusted" systems!

Note 

During Vista's development process, Windows integrity control was called "mandatory integrity control" and then "Windows Integrity Mechanism." As I write this in late September 2006, Windows integrity control seems to be the final name, but that could change by the time that Vista releases to manufacturing.

In short, WIC's job is to define several different levels of what might be called "trustworthiness" but that Microsoft calls "integrity." Processes at the same level of integrity interact with one another as they always have in Windows. Where WIC changes things is when a process from a lower integrity level (IL) tries to read, write, or execute an object (for example, a file) with a higher integrity level. At that point, WIC steps in and may (just may; it's configurable, if you know how) block that attempt. That may sound like a small change but, as you'll see in this chapter, it has some big effects on how Vista works.

Windows Integrity Control Overview

Microsoft's primary approach with WIC is basically to put the Internet and anything downloaded from it into its own little universe or, in WIC-speak, "integrity level," separated from your user data and the system's files. There are six integrity levels in Windows Integrity Control, as you'll read later in this chapter. Things from the Internet go into the second lowest of the six levels, a level named "low." Standard users, in contrast, run at a different, higher integrity level named "medium." That way, anything downloaded from the Internet can't simply start deleting things or modifying your system: at best the attempt just fails, and at worst it wakes up User Account Control, which will ask you whether you actually wanted that lovely game that you just downloaded to start emailing your passwords to a server in China.

WIC is one method of implementing a security notion called process isolation. The whole idea behind process isolation is that if we can't make the Internet a safer place, then we can at least watch more closely what things from the Internet do on our systems. Processes and objects in different integrity levels can still interact, but in a way that you can restrict and monitor or, more likely, you'll just let Windows' default behavior do the restricting for you.

For example, suppose you've clicked a hyperlink on some web page that causes Internet Explorer to download and run a program from the Internet. Suppose further that that program is (insert minor chord from the lower end of the scale) malware. Now, the first thing that most malware needs to do is to ensure that it gets loaded every time that you start the operating system. That means writing something to the Registry. As it's been downloaded from the Internet, then, as you just learned, the malware's running at the Internet's integrity level: low. Nearly all of the Registry, however, has the higher medium integrity level. Thus, when the malware tries to modify the Registry to ensure that it gets run every time you boot, the write attempt simply fails with "access denied." The only way it ends up in front of User Account Control instead is if the program was written to explicitly request elevation, in which case you see the Consent UI and get the chance to say no.

Thus far I've talked about WIC as a way to keep an eye on the Internet, but that's only Microsoft's first use of it. As we examine how WIC works you'll probably see many other ways to use it to secure your systems. In brief, here are the big concepts in WIC, all of which we'll cover in greater detail in the rest of this chapter:

Six levels. Windows Integrity Control defines six different levels of integrity, described in detail in the section "WIC's Six Integrity Levels" below.

They're mandatory, not discretionary. An object's, process's, or user's integrity level is very much like the sort of permissions that we've known in NT ever since version 3.1, but not exactly so. Traditional NT permissions are technically known as "discretionary access controls" because their values are intended to be set at the discretion of the object's owner, who can be a standard user. Integrity levels are, in contrast, a form of mandatory access control: in general, integrity levels aren't set by the user but by the operating system, by an administrator, or in some cases both.

Note 

Thus, in a mandatory access world controlled partially by the operating system, as Vista is, you end up with the uncomfortable notion that you might have a file on your computer's hard disk that you own and have NTFS Full Control permissions on, but that you're unable to delete, even if you are an administrator. It's a reasonable concern, but Vista doesn't create files with integrity levels too high for administrators to delete.

Objects "trust up, not down." Windows Integrity Control's main job is as a protection mechanism that activates whenever a lower-integrity process tries to read, write, or execute a higher-integrity object. (By default, WIC only blocks writes, but an object's label can also be set to block reads and executes, as you'll see later.) When that happens, WIC sends the process an "access denied" error. The developer of a Vista-aware application can avoid that error by having the low-integrity program request elevation. That raises the Consent UI, offering the user the chance to allow or deny the elevation, and if the user allows it, Windows starts a new process at a higher integrity level; the original low-integrity process stays right where it was. Either way, the higher-integrity object (database, file, folder, Registry key, or whatever) is protected from the lower-integrity process. WIC's Prime Directive is "in order for you to write to me (or, if I'm labeled that way, read or execute me), your integrity level must be greater than or equal to mine."

Integrity levels supersede normal permissions. Recall the example, a few paragraphs back, where I laid out what would happen if you were to accidentally click a link in Internet Explorer 7 under Vista. In that example, I said that when the malware tried to write to the medium-integrity Registry key, it would be rebuffed because of the malware's lower integrity level. But let me take that a step further and highlight a point that might not have been obvious when I first explained it. When the malware tries to write to the Registry, that attempt will fail even if for some reason the malware has Full Control permission on that Registry key. Integrity levels "trump" regular NTFS and Registry permissions, essentially. The integrity check happens before any check of the traditional permissions on NTFS files, Registry keys, and so on, and a failed integrity check ends the matter. In other words, if the NTFS permissions say "sure, let the process do whatever" but WIC's comparison of integrity levels says "no, don't let it!" then Windows Integrity Control always wins. Note that this works in only one direction: passing the integrity check doesn't grant anything by itself. It just earns the process the right to be checked against the ordinary permissions, which can still say no.
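To make the order of those checks concrete, here is a small Python model of the WIC access check. It's an example added for this discussion, not Microsoft's code and not something that ships with Vista. It encodes the six levels by the value of their label SIDs (S-1-16-x), the three label-policy flags as they appear in an SDDL mandatory-label ACE, and the two-step decision described above: integrity comparison first, discretionary ACL second. It also walks through the Run-key scenario from earlier in the chapter. The object names, the DACLs, and the SDDL strings are constructed for the example.

```python
"""Model of the Windows Integrity Control access check (illustration only).

Constructed for this chapter; it mirrors the documented order of checks
(mandatory label first, discretionary ACL second). Object names and DACLs
below are made up for the example.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class IntegrityLevel(IntEnum):
    """The six levels; the value is the RID of the label SID S-1-16-<value>."""
    UNTRUSTED = 0x0000
    LOW = 0x1000        # protected-mode IE and what it downloads
    MEDIUM = 0x2000     # standard user, and any object carrying no label
    HIGH = 0x3000       # elevated administrator
    SYSTEM = 0x4000     # services running as Local System
    PROTECTED = 0x5000  # protected processes


def label_sid(level: IntegrityLevel) -> str:
    return f"S-1-16-{int(level)}"


# Label-policy flags, spelled as in an SDDL "ML" (mandatory label) ACE.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = "NW", "NR", "NX"
POLICY_FOR_ACCESS = {"write": NO_WRITE_UP, "read": NO_READ_UP, "execute": NO_EXECUTE_UP}

# SDDL two-letter aliases for the label SIDs.
SDDL_LEVELS = {"LW": IntegrityLevel.LOW, "ME": IntegrityLevel.MEDIUM,
               "HI": IntegrityLevel.HIGH, "SI": IntegrityLevel.SYSTEM}


@dataclass
class SecurableObject:
    name: str
    dacl_allows: frozenset                 # access kinds the DACL grants
    label: Optional[IntegrityLevel] = None  # None: no label ACE on the object
    policy: frozenset = frozenset({NO_WRITE_UP})  # Vista's default: no-write-up

    def effective_label(self) -> IntegrityLevel:
        # An object without a label ACE is treated as Medium.
        return self.label if self.label is not None else IntegrityLevel.MEDIUM


def parse_label_ace(sddl: str) -> Tuple[IntegrityLevel, frozenset]:
    """Parse a mandatory-label ACE such as "(ML;;NWNR;;;HI)" into (level, policy)."""
    parts = sddl.strip("()").split(";")
    if len(parts) != 6 or parts[0] != "ML":
        raise ValueError(f"not a mandatory label ACE: {sddl}")
    rights, sid = parts[2], parts[5]
    policy = frozenset(rights[i:i + 2] for i in range(0, len(rights), 2))
    unknown = policy - {NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP}
    if unknown:
        raise ValueError(f"unknown label policy flags {sorted(unknown)}")
    if sid.startswith("S-1-16-"):
        level = IntegrityLevel(int(sid[len("S-1-16-"):]))
    else:
        level = SDDL_LEVELS[sid]
    return level, policy


def access_check(subject: IntegrityLevel, obj: SecurableObject,
                 access: str) -> Tuple[bool, str]:
    """Return (granted, reason). The integrity comparison runs before the DACL."""
    if access not in POLICY_FOR_ACCESS:
        raise ValueError(f"unknown access kind {access!r}")
    obj_level = obj.effective_label()
    # Step 1: mandatory check. A lower-integrity subject is blocked only for
    # the access kinds the object's label policy names (writes by default).
    if subject < obj_level and POLICY_FOR_ACCESS[access] in obj.policy:
        return False, (f"{access} denied by integrity: subject {subject.name} "
                       f"< object {obj_level.name}, policy {POLICY_FOR_ACCESS[access]}")
    # Step 2: discretionary check, reached only if the label let us through.
    if access in obj.dacl_allows:
        return True, f"{access} allowed by DACL"
    return False, f"{access} denied by DACL"


def run_key_scenario() -> dict:
    """The chapter's example: a downloaded program (Low) and the user's Run key.

    The key carries no label (so it is Medium) and its DACL grants Full Control,
    yet the Low process still cannot write it. Reads are not blocked by default.
    """
    run_key = SecurableObject(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                              dacl_allows=frozenset({"read", "write"}))
    return {
        "low_write": access_check(IntegrityLevel.LOW, run_key, "write")[0],
        "low_read": access_check(IntegrityLevel.LOW, run_key, "read")[0],
        "medium_write": access_check(IntegrityLevel.MEDIUM, run_key, "write")[0],
    }


def no_read_up_scenario() -> dict:
    """A High-labeled file whose label also says no-read-up, from a constructed SDDL string."""
    level, policy = parse_label_ace("(ML;;NWNR;;;HI)")
    secrets = SecurableObject(r"C:\Admin\secrets.txt", frozenset({"read", "write"}),
                              label=level, policy=policy)
    return {
        "medium_read": access_check(IntegrityLevel.MEDIUM, secrets, "read")[0],
        "high_read": access_check(IntegrityLevel.HIGH, secrets, "read")[0],
        # Label passes for High, but a DACL without "execute" still says no.
        "high_execute": access_check(IntegrityLevel.HIGH, secrets, "execute")[0],
    }


if __name__ == "__main__":
    print(run_key_scenario())
    print(no_read_up_scenario())
```

The last entry in `no_read_up_scenario` is the one-way point made above: the High process clears the integrity check, but because the constructed DACL never granted execute, the discretionary check still refuses it. Real Windows consults the label ACE in the object's SACL; this model keeps the label as a field to stay readable.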




Administering Windows Vista Security: The Big Surprises
ISBN: 0470108320
Year: 2004
Pages: 101
