
Windows Vista Mandatory Integrity Control System Overview

Learn about Windows Vista's MAC system, Mandatory Integrity Control, which enhances access control based on code trustworthiness. Understand access checks, file system improvements, and future possibilities.


Presentation Transcript


  1. MAC in Windows Vista Author: Martin ONDRÁČEK, Product Director E-mail: martin.ondracek@sodatsw.cz SODATSW spol. s r. o.; Horní 32; Brno; Czech Republic www.sodatsw.cz

  2. Overview • Windows NT kernel 6.0+ - Vista, 2008, 7, 2008 R2 • Basic MAC (Mandatory Access Control) – called Mandatory Integrity Control (MIC) • Based on the trustworthiness of code • User interface = User Account Control • Per-process identity - based on file system path - not per user

  3. Windows Integrity Control • New layer in access checks • Based on Integrity Levels (ILs) • The user's access token now contains a new special SID for the integrity level • An object can be assigned a single security descriptor with an ACE = SID x access type • Normal resources are not stamped with an IL ACE

  4. Defined integrity levels Microsoft: "The relative identifiers are separated by intervals of 0x1000 to allow for definition of additional levels in the future."

  5. Access checks SeAccessCheck (the kernel-mode security module) checks access permissions to objects. It considers the process IL first: a process with a certain IL can access any object with the same or a lower level. Only second are the actual (discretionary) permissions considered when doing access checks.

  6. File system improvements • NTFS permissions can store IL markings for files and folders • IL Read / IL Write / IL Execute • Each marking must have a single level assigned • Trusted Installer / System / High / Medium / Low / Untrusted

  7. Read/Write markings • Operating system objects (file, folder, registry key) can be marked with a specific combination of IL markers • Read – read data, permissions, attributes • Write – write/append data, delete file/folder, create file/folder, change permissions • If a file is not marked explicitly, it is considered to be marked Medium for both

  8. Process level • Each process is started from an executable file, which can be marked with an IL Execute marker • If the executable is actually marked, then the process runs with the level specified • If the file is not marked, by default the process runs with a level depending on the user's identity

  9. Process level based on user • A process can be started with a level lower than the one defined above

  10. Notes • Unmarked processes and files run at Medium level • Low processes are isolated and can access only Low resources • There is a single system service that can access anything • Trusted Installer
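The access-check order on slides 5, 7, 8 and 10 (integrity level first, then the ordinary permissions; unmarked objects treated as Medium; a marked executable lowering the process level) can be followed in a small simulation. The following Python model is an added example, not code from the presentation or from Windows. The label RIDs (0x1000 apart under SID authority 16) and the NO_*_UP policy bits are the real Windows values; the Token, SecurityObject and DACL representation is a deliberately simplified stand-in for a security descriptor, and the user SID, paths and rights in `demo()` are constructed sample data.

```python
"""Model of the Windows Vista Mandatory Integrity Control (MIC) access check.

Added example, not code from the presentation. It simulates the two-stage
check the slides describe: the process's integrity level is compared with
the object's mandatory label first, and the discretionary ACL (DACL) is
consulted only if the label allows the access. Label RIDs, SID layout and
policy bits are the real Windows values; the token/object representation
is a simplified stand-in for a real security descriptor.
"""
from dataclasses import dataclass, field
from typing import Optional

# Well-known mandatory-label RIDs (SECURITY_MANDATORY_*_RID), 0x1000 apart
# so that further levels can be defined later.
UNTRUSTED, LOW, MEDIUM, HIGH, SYSTEM = 0x0000, 0x1000, 0x2000, 0x3000, 0x4000

# Policy bits carried by a mandatory label ACE (SYSTEM_MANDATORY_LABEL_NO_*_UP).
# They name the kinds of access a *lower* level may not perform on the object.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
POLICY_FOR_RIGHT = {"write": NO_WRITE_UP, "read": NO_READ_UP, "execute": NO_EXECUTE_UP}


def integrity_sid(level: int) -> str:
    """Label SID as it appears in a token, e.g. Medium -> 'S-1-16-8192'."""
    return f"S-1-16-{level}"


def level_from_sid(sid: str) -> int:
    """Parse a mandatory-label SID string (authority 16) back to its RID."""
    parts = sid.split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        raise ValueError(f"not a mandatory label SID: {sid}")
    return int(parts[3])


@dataclass
class Token:
    """Simplified access token: the user's SIDs plus the integrity level."""
    sids: frozenset
    integrity_level: int


@dataclass
class SecurityObject:
    """Simplified security descriptor for a file, folder or registry key."""
    name: str
    dacl: set = field(default_factory=set)   # granted (sid, right) pairs
    label_level: Optional[int] = None        # None = not explicitly marked
    label_policy: int = NO_WRITE_UP          # default policy when unmarked


def effective_label(obj: SecurityObject) -> int:
    """Unmarked objects are treated as Medium (slide 7)."""
    return MEDIUM if obj.label_level is None else obj.label_level


def mandatory_check(token: Token, obj: SecurityObject, right: str) -> bool:
    """Stage 1: an equal or higher level is never blocked; a lower level is
    blocked only for the access kinds the label's policy names."""
    if token.integrity_level >= effective_label(obj):
        return True
    return not (obj.label_policy & POLICY_FOR_RIGHT[right])


def access_check(token: Token, obj: SecurityObject, right: str) -> tuple:
    """Full check in the order the slides give: label first, then DACL."""
    if not mandatory_check(token, obj, right):
        return False, "denied by mandatory label"
    if any((sid, right) in obj.dacl for sid in token.sids):
        return True, "granted by DACL"
    return False, "denied by DACL"


def process_level(parent_level: int, exe: SecurityObject) -> int:
    """Slides 8-9: a marked executable sets the new process's level, and a
    process can only be started lower than its parent, never higher."""
    if exe.label_level is None:
        return parent_level
    return min(parent_level, exe.label_level)


def demo() -> dict:
    """Constructed scenario: a Medium user, a Low browser, a profile file."""
    user = "S-1-5-21-1000-2000-3000-1001"          # constructed user SID
    profile = SecurityObject(r"C:\Users\alice\secret.txt",
                             dacl={(user, "read"), (user, "write")})
    key = SecurityObject(r"HKLM\SOFTWARE\Example", dacl={(user, "write")},
                         label_level=HIGH)          # constructed High-labelled key
    medium = Token(frozenset({user, integrity_sid(MEDIUM)}), MEDIUM)
    browser_exe = SecurityObject("browser.exe", label_level=LOW)
    low_level = process_level(MEDIUM, browser_exe)
    low = Token(frozenset({user, integrity_sid(low_level)}), low_level)
    return {
        "browser_level": low_level,
        "low_reads_profile": access_check(low, profile, "read"),
        "low_writes_profile": access_check(low, profile, "write"),
        "medium_writes_profile": access_check(medium, profile, "write"),
        "medium_writes_high_key": access_check(medium, key, "write"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The Low browser process can still read the unlabelled (Medium) profile file because the default policy is only NO_WRITE_UP, but its write is refused before the DACL is ever looked at, which is the isolation slide 10 describes. On a live system the same facts are visible with built-in tools: `whoami /groups` lists the token's "Mandatory Label" entry, and `icacls <path> /setintegritylevel Low` assigns a label to a file or folder.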

  11. User IL

  12. Different process ILs

  13. Different process ILs

  14. Current use • Isolate non-trusted code in a limited-access box • mainly to prevent malicious code from modifying system settings and stealing data • e.g. Internet Explorer • Provide Microsoft with the ability to prevent system administrators from modifying sensitive system resources • Provide limited user/level boxing when combined with traditional permissions

  15. Possible future use • What needs to be done • Increase the number of levels above System • more granular control • Enable provisioning of user accounts that are not members of the Users group • would enable complete user isolation • This may provide enterprise-level process/user/data isolation

  16. The end. Thanks for your attention! Author: Martin ONDRÁČEK, Product Director E-mail: martin.ondracek@sodatsw.cz
