A little-discussed feature in Windows Vista is Mandatory Integrity Control (MIC). Unlike DACLs (Discretionary Access Control Lists), MIC is designed to protect your operating system based on the trustworthiness of the code being run. High-integrity files (e.g. operating system files) are protected from accidental damage by users, and user data is protected from damage by untrusted code from outside the machine (e.g. downloaded from the internet).

There are five Integrity Levels in Windows Vista, ranging from 0 (anonymous tokens) through to 400 (LocalSystem).

(Figure: Mandatory Integrity Control)

By default, user mode processes have an IL of 200. An exception is Internet Explorer 7 running in Protected Mode, which has an IL of only 100. This means that IE has limited opportunities to alter files on the machine without triggering an elevation prompt that the user must agree to.

Objects created by processes inherit the IL of the process. So files downloaded by IE still have an IL of just 100, and without the permission of the user they cannot damage documents created by the user with programs running at the Medium (200) IL. To write to an object, a process needs an IL equal to or higher than the object's. If the process does not have a high enough IL, the user will be prompted to elevate their rights. Only the TCB (trusted computing base) can present this prompt to the user; the process itself cannot raise its own IL (though it can lower it). MIC does not prevent processes from reading files; you still need to use DACLs for that.

MIC even trumps DACLs, meaning that Administrators cannot overwrite critical system files. MIC does not apply to the built-in Administrator account though, which provides a way for users to alter such files.
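As an added example (not from the original post), the following Python models the rule just described: it parses the mandatory-label ACE that Windows stores in an object's SACL, in the SDDL form that tools such as icacls /save export, and applies the no-write-up check. It uses the integrity-level SIDs Windows actually assigns (S-1-16-4096 for Low, S-1-16-8192 for Medium, S-1-16-16384 for System) rather than the simplified 100/200/400 scale above; all SDDL strings in it are constructed samples.

```python
"""Model Mandatory Integrity Control access decisions from SDDL strings."""
import re

# Integrity-level RIDs under the mandatory-label authority S-1-16-<rid>.
# These are the real Windows values; the 100/200/400 scale in the text is simplified.
INTEGRITY_LEVELS = {
    "untrusted": 0x0000,
    "low":       0x1000,   # e.g. Protected Mode IE and the files it saves
    "medium":    0x2000,   # default for user-mode processes such as notepad.exe
    "high":      0x3000,   # elevated administrators
    "system":    0x4000,   # services such as lsass.exe
}
# SDDL two-letter aliases for the same levels.
SDDL_SID_ALIASES = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}
# Mandatory policy flags carried in the ML ACE's access mask.
POLICY_FLAGS = {"NW": "no_write_up", "NR": "no_read_up", "NX": "no_execute_up"}

# ACE layout is (type;flags;rights;object_guid;inherit_guid;sid); type ML = mandatory label.
_ML_ACE = re.compile(r"\(ML;[^;]*;([^;]*);;;([^)]*)\)")


def parse_mandatory_label(sddl):
    """Return (object_il, policies) from an SDDL string, or None if the
    object carries no explicit label (Windows then treats it as Medium)."""
    m = _ML_ACE.search(sddl)
    if not m:
        return None
    mask, sid = m.group(1), m.group(2)
    if sid in SDDL_SID_ALIASES:
        il = SDDL_SID_ALIASES[sid]
    else:
        sm = re.fullmatch(r"S-1-16-(\d+)", sid)
        if not sm:
            raise ValueError("not a mandatory-label SID: " + sid)
        il = int(sm.group(1))
    # The mask is a run of two-letter flags, e.g. "NW" or "NWNR".
    policies = {POLICY_FLAGS[mask[i:i + 2]] for i in range(0, len(mask), 2)}
    return il, policies


def mic_allows(process_il, sddl, access):
    """Apply the mandatory policy for access in {"write", "read", "execute"}.
    Returns True when MIC does not block it (the DACL is still checked separately)."""
    label = parse_mandatory_label(sddl)
    object_il, policies = label if label else (INTEGRITY_LEVELS["medium"], {"no_write_up"})
    if process_il >= object_il:
        return True          # equal or higher IL: MIC imposes no restriction
    blocked_by = {"write": "no_write_up", "read": "no_read_up", "execute": "no_execute_up"}
    return blocked_by[access] not in policies
```

The default label (Medium, no-write-up) is why a Low-IL download cannot overwrite a user's unlabelled documents while still being able to read them.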

To see the new integrity levels in action, the following screenshots show notepad.exe and lsass.exe running under Vista. Notepad.exe, as a normal user mode process, has a Medium integrity level. Lsass.exe, as a critical system process, has a System (400) integrity level.

(Screenshots: Mandatory Integrity Control)