

Things WIC ACEs Can't Do

When I learned of Windows Integrity Controls, I was fascinated by this new dimension to Windows security, but I imagined more. So I spent some time searching down some blind alleys. In this section, let me save you the trouble of visiting those alleys.

You Cannot Apply Mandatory Labels with Group Policy

The whole idea of applying "no read up" mandatory labels wholesale across an operating system appealed to me, as I really liked the notion that I could point to, say, my personal finance files and do something like

 chml C:\personalfinance -i:m -nr 

with the idea that I could be nearly certain that malware from the Web would be unable to read my personal finance files, no matter how clueless I was in visiting the wrong websites. That led me to thinking that it'd be neat to construct a whole structure of NRs, NXs, and NWs for my computer's folder structure. That led to the notion that, after I'd figured all of that out, I might want to apply those NRs, NXs, and NWs to many systems on my network. But how to do that? Well, one of the best ways to roll out a set of new NTFS permissions wholesale across a network is through group policies. So I wondered if I could use group policies to roll out mandatory labels.

Unfortunately that does not work; I tried such an application with a security template and nothing happened save for a few choice errors. As it turns out, I was just being a bit clueless. When asked about the possibility of rolling out integrity labels with group policies, the Microsoft folks said that they really didn't have any plans for supporting anything like that. I guess I was just a bit overeager to play with my new tools. But I still think that many people will want a capability like this; perhaps in Windows Vienna?

You Cannot Create Standard Permissions That Name Mandatory Labels

I was told in an early WIC briefing that you could use the integrity levels in regular old access control entries (you know, a regular old allow or deny permission). That led me to think that perhaps I could create a file that you could access solely on the basis of your integrity level, rather than being a member of Users, Administrators, or the like. To create such a thing, I first removed all existing permissions from the file, wiping it clean of all discretionary ACEs.

Next, I wrote a program that allowed me to add just about any kind of ACE to a file that I wanted to. That gave me the flexibility to set the file up so that it had just five discretionary ACEs that looked like this:

  • Mandatory Label\System Mandatory Level: Full Control

  • Mandatory Label\High Mandatory Level: Full Control

  • Mandatory Label\Medium Mandatory Level: Full Control

  • Mandatory Label\Low Mandatory Level: No Access

  • Mandatory Label\Untrusted Mandatory Level: No Access

Its permissions in the Vista Security tab on the file's Properties page looked like Figure 4.8.

Figure 4.8: A file with only label-related ACEs

Again, that doesn't work, but it may bring a chuckle, as it's sort of the "security research" version of some of those amusing pictures of would-be heavier-than-air aircraft that people built in the late 19th and early 20th centuries but that never went anywhere. The exercise did, however, teach me something quite useful about icacls. I'd spent a few days writing a program that would let me paste an arbitrary SID into a permissions ACE so that I could produce that chimera that you saw in Figure 4.8, only to learn later that icacls could do the job for me. You've already seen that icacls will create permissions with its /grant and /deny options, but you haven't yet seen a neat feature of those commands. Instead of specifying a user or group name in an ACE, you can specify a SID by prefixing it with an asterisk. Thus, to create a permission that grants the Everyone group Full Control on a file named a.txt, you could type

 icacls a.txt /grant *S-1-1-0:F 

(Recall from earlier that S-1-1-0 is the SID of the Everyone group.)

Thus, I could have saved myself the trouble of creating the program to add ACEs, as icacls could have done the job with references to *S-1-16-0 (the untrusted integrity level), *S-1-16-4096 (the low integrity level), and so on, like so:

 icacls macesonly.txt /grant *S-1-16-0
 icacls macesonly.txt /grant *S-1-16-4096
 icacls macesonly.txt /grant *S-1-16-8192
 icacls macesonly.txt /grant *S-1-16-12288

In any case, it was a fool's errand because Microsoft chose not to extend WIC to (in my opinion) its fullest potential, but at least now you're saved the time of carrying out similar errands, and I got a chance to show some of icacls' syntax.
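An audit check for the mistake described above, as an added example that is not code from the book: it reads a security descriptor in SDDL form and separates the real mandatory label (an ML ACE in the SACL) from ordinary allow/deny ACEs in the DACL that merely name an integrity-level SID. The SDDL view, the function names, the sample descriptor, the S-1-16-16384 (system) SID and the LW/ME/HI/SI aliases are assumptions brought in for the example; they do not appear on this page.

```python
import re

# Integrity-level SIDs and the SDDL aliases Windows defines for four of them.
INTEGRITY = {
    "S-1-16-0": "Untrusted", "S-1-16-4096": "Low", "S-1-16-8192": "Medium",
    "S-1-16-12288": "High", "S-1-16-16384": "System",
    "LW": "Low", "ME": "Medium", "HI": "High", "SI": "System",
}
POLICY = {"NW": "no write up", "NR": "no read up", "NX": "no execute up"}

# Constructed sample: the five label-only DACL ACEs from the list above
# (Full Control for System/High/Medium, denied for Low/Untrusted) on a file
# whose actual label is Medium with no-write-up and no-read-up.
SAMPLE = ("O:BAG:BAD:P(A;;FA;;;S-1-16-16384)(A;;FA;;;S-1-16-12288)"
          "(A;;FA;;;S-1-16-8192)(D;;FA;;;S-1-16-4096)(D;;FA;;;S-1-16-0)"
          "S:(ML;;NWNR;;;ME)")

def sections(sddl):
    """Split 'O:..G:..D:..S:..' into {'O': ..., 'G': ..., 'D': ..., 'S': ...}."""
    tok = re.split(r"([OGDS]):", sddl)
    return dict(zip(tok[1::2], tok[2::2]))

def aces(section):
    """Return each '(type;flags;rights;guid;guid;trustee)' ACE as a field list."""
    return [a.split(";") for a in re.findall(r"\(([^()]*)\)", section)]

def audit(sddl):
    """Report the real mandatory label and any DACL ACEs that name a label SID."""
    sec = sections(sddl)
    label, dacl_label_aces = None, []
    for ace in aces(sec.get("S", "")):
        if ace[0] == "ML":  # mandatory label ACE: this is what WIC enforces
            policies = [POLICY[p] for p in re.findall(r"N[WRX]", ace[2])]
            label = (INTEGRITY.get(ace[5], ace[5]), policies)
    for ace in aces(sec.get("D", "")):
        if ace[5] in INTEGRITY:  # allow/deny ACE whose trustee is a label SID
            dacl_label_aces.append((ace[0], INTEGRITY[ace[5]], ace[2]))
    return {"label": label, "dacl_label_aces": dacl_label_aces}

if __name__ == "__main__":
    report = audit(SAMPLE)
    print("Mandatory label:", report["label"])
    for kind, level, rights in report["dacl_label_aces"]:
        print(f"DACL ACE names a label SID: type={kind} level={level} rights={rights}")
```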




Administering Windows Vista Security: The Big Surprises
ISBN: 0470108320
EAN: 2147483647
Year: 2004
Pages: 101
