Last month, in "Icacls: The New and Improved Cacls?" (InstantDoc ID 95346),
I introduced you to Icacls, Windows Vista's eventual replacement of Cacls, the
command-line tool that lets you set NTFS file and folder permissions. This month,
I drill down into one of Icacls's new capabilities—setting integrity
levels for files and folders.
Integrity Levels
Vista has introduced the notion of integrity levels, which is a completely new
concept for Windows. An integrity level is a label that the OS applies to objects
(e.g., files, folders, registry keys), user sessions, and running processes.
Think of this label as a mark that indicates the trustworthiness of that object,
user, or process. This trustworthiness becomes useful through another new concept:
integrity policy. The default integrity policy for Vista is known as no write
up—a shorthand way of saying that processes of lower integrity can't
modify objects of higher integrity, no matter what NTFS permissions the processes
have on the objects.
How about an example? Suppose you're running the command prompt at a medium
integrity level. (I'll define all the integrity levels shortly.) You want to
examine a text file named test.txt, which has a high integrity level, by typing
type test.txt
Suppose you also have an NTFS permission of Full Control on test.txt. You would
find that using the Type command to merely read test.txt works just fine. However,
if you try to delete the file by typing
erase text.txt
you'll get an Access Denied error, despite your Full Control permission. It's
called a no write up policy because although lower-integrity-level processes
can read higher-integrity files just fine, any attempts at writing make the
integrity mechanism kick in. And as you've surmised by now, integrity levels
take precedence over standard NTFS permissions. Again, the no write up
policy is Vista's default behavior, but you can also create no read up
and no execute up policies. (I'll leave discussions of those for another
day.)
Vista defines five levels of integrity: untrusted, low, medium, high, and system.
Microsoft Internet Explorer (IE) in Protected Mode—an IE 7.0 feature
only in Vista—caches items as low integrity; Vista sets non-administrative
users and most objects on the computer to medium integrity; administrative user
accounts run as high integrity; and items that the OS itself owns operate at
system integrity. Vista assigns the untrusted level to objects created by people
who have the Anonymous Logon group associated with their tokens. However, I've
never actually seen the untrusted level in Vista, except when I explicitly create
untrusted objects.
Try It Out
To see integrity levels at work, you'll need an administrative account with
the new-to-Vista user privilege Modify an object label. Give yourself
that privilege in your local Group Policy Editor, reboot, and you'll be ready
to play around with integrity levels. (By default, only the System account has
this privilege, but any member of the Administrators group can grant it.)
Open an elevated command prompt (in Vista, elevated means to right-click
the Command Prompt icon and choose Run as administrator), and create
a folder to work in:
md C:\stuff
Press Enter, then make the \stuff directory your current directory by typing
cd C:\stuff
Press Enter. Now, create a file named test.txt by typing
echo We're testing integrity levels>test.txt
Press Enter. Finally, set the file test.txt to high integrity:
icacls test.txt /setintegritylevel h
Icacls will respond that it has processed the file successfully. Next, open
an unelevated command prompt and type
erase c:\stuff\test.txt
You'll get an Access Denied response, despite the fact that your NTFS permissions
are quite sufficient to delete the file. Interesting, huh? As it turns out,
Microsoft originally had big plans for integrity levels, but the company backed
off from using them in the final days of Vista's creation. To get the most out
of integrity levels, though, you'll need a different tool—which I'll
introduce you to next month.