

Summary

We covered a lot of new concepts here, so let's summarize the high points:

  • Vista includes a notion called "Windows Integrity Control" that is essentially a second set of permissions parallel to but superseding the standard file permissions.

  • Under Windows Integrity Controls, every object, user token, and process token is marked with one of six "integrity levels" that are, from least to most trustworthy, "untrusted," "low," "medium," "high," "system," and "trusted installer."

  • Files, folders, and other "securable objects" get their integrity levels as access control entries that are, again, sort of like an NTFS file/folder permission, but that are stored on the SACL, not the DACL.

  • Users' and processes' integrity labels are stored in their tokens as a group SID of the form S-1-16-number.

  • By default, the main effect of Windows Integrity Control is to block any process of lower integrity from modifying any object of higher integrity. WIC can also, however, block lower-integrity processes from reading or executing higher-integrity objects.

  • Objects without labels are assigned a mandatory integrity level of medium.

  • To block lower-integrity processes from deleting higher-integrity objects, always keep objects of a given integrity in folders of the same integrity.

  • The tools you need to view and manage mandatory controls are whoami, icacls, Sysinternals' Process Explorer, and my chml program.

Windows Integrity Controls are, in some sense, one of the biggest architectural changes in Windows in quite a long time. Their first job, and their main job in Vista, is to protect us from Internet-borne malware. But I'd guess that Windows Integrity Controls will take a larger and larger place in Microsoft's security arsenal.
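
The rules summarized above, as an added Python example that is not from the book: it pulls the S-1-16-number label out of `whoami /groups` text, applies the default no-write-up rule with the optional read and execute blocks, and shows why a labeled file in a lower-integrity folder can still be deleted. The `whoami` sample is constructed, the function names are hypothetical, and mapping "trusted installer" to RID 0x5000 is an assumption.

```python
import re

# RID in S-1-16-<RID> -> level name, least to most trustworthy. The first
# five are the winnt.h SECURITY_MANDATORY_*_RID values. winnt.h calls 0x5000
# "protected process"; using it for the page's "trusted installer" level is
# an assumption of this example.
LEVELS = {0x0000: "untrusted", 0x1000: "low", 0x2000: "medium",
          0x3000: "high", 0x4000: "system", 0x5000: "trusted installer"}
MEDIUM = 0x2000
LABEL_SID = re.compile(r"\bS-1-16-(\d+)\b")
FLAG_FOR = {"write": "NW", "read": "NR", "execute": "NX"}

# Constructed sample of `whoami /groups` text (not captured from a real host).
SAMPLE = (
    "Everyone                             Well-known group S-1-1-0     Enabled group\n"
    "Mandatory Label\\Low Mandatory Level  Label            S-1-16-4096 Enabled group\n"
)

def token_rid(whoami_groups_text):
    """Extract the integrity RID from the S-1-16-<number> group SID."""
    m = LABEL_SID.search(whoami_groups_text)
    if m is None:
        raise ValueError("no S-1-16-<number> label SID found")
    return int(m.group(1))

def level_name(rid):
    """Name the highest defined level at or below rid."""
    return LEVELS[max(k for k in LEVELS if k <= rid)]

def allowed(subject_rid, access, object_rid=None, policy=("NW",)):
    """Mandatory check only (the DACL is evaluated separately).
    policy holds the label's flags: NW = no-write-up (the default),
    NR = no-read-up, NX = no-execute-up."""
    if object_rid is None:          # unlabeled objects are treated as medium
        object_rid = MEDIUM
    if subject_rid >= object_rid:   # equal or higher integrity: not blocked
        return True
    return FLAG_FOR[access] not in policy

def can_delete(subject_rid, file_rid, folder_rid):
    """Deletion can be authorized by the file or by its parent folder, so a
    high file in a lower-integrity folder is not protected by its label."""
    return (allowed(subject_rid, "write", file_rid)
            or allowed(subject_rid, "write", folder_rid))

if __name__ == "__main__":
    rid = token_rid(SAMPLE)
    print(level_name(rid), allowed(rid, "write"), can_delete(rid, 0x3000, 0x1000))
```

The `can_delete` result is the reason for the folder advice: the low-integrity token is refused on the high file itself but succeeds through a low folder, and is refused only when the folder carries the same label.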




Administering Windows Vista Security: The Big Surprises
ISBN: 0470108320
EAN: 2147483647
Year: 2004
Pages: 101
