MAC in Windows Vista
Author: Martin ONDRÁČEK, Product Director
E-mail: martin.ondracek@sodatsw.cz
SODATSW spol. s r. o.; Horní 32; Brno; Czech Republic
www.sodatsw.cz
Overview
• Windows NT kernel 6.0+ – Vista, 2008, 7, 2008 R2
• Basic MAC (Mandatory Access Control) – called Mandatory Integrity Control (MIC)
• Based on trustworthiness of code
• User interface = User Account Control
• Per-process identity – based on file system path, not per user
Windows Integrity Control
• New layer in access checks
• Based on Integrity Levels
• The user's access token now contains a new special SID for the Integrity Level
• An object can be assigned a single Security Descriptor with an ACE = SID x access type
• Normal resources are not stamped with an IL ACE
Defined integrity levels
Microsoft: "The relative identifiers are separated by intervals of 0x1000 to allow for definition of additional levels in the future."
Access checks
• SeAccessCheck (kernel mode security module) checks access permissions to objects
• It considers the process IL first
• A process with a certain IL can access any object with the same or a lower level
• Only secondly are the actual permissions considered when doing access checks
File System improvements
• NTFS permissions can store IL markings for files and folders
• IL Read / IL Write / IL Execute
• Each marking must have a single level assigned
• Trusted Installer / System / High / Medium / Low / Untrusted
Read/Write markings
• Operating system objects (file, folder, registry) can be marked with a specific combination of IL markers
• Read – read data, permissions, attributes
• Write – write/append data, delete file/folder, create file/folder, change permissions
• If a file is not marked explicitly, it is considered to be marked Medium for both
Process level
• Each process is started from an executable file which can be marked with an IL Execute marker
• If the executable is actually marked, then the process runs with the level specified
• If the file is not marked, by default the process runs with a level depending on the user's identity
Process level based on user
• A process can be started with a level lower than the one defined above
Notes
• Non-marked processes and files run at Medium level
• Low processes are isolated to access only Low resources
• There is a single system service that can access anything
  • Trusted Installer
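The two-stage check and process-level rules from the preceding slides, as an added Python model (not Windows' SeAccessCheck and not the author's code; the class and function names, and the sample objects, are constructed for illustration):

```python
"""Model of the MIC access check described above: the process integrity
level is compared with the object's marking first, and only then is the
traditional DACL consulted. Added example, not Windows code."""
from dataclasses import dataclass, field

# Integrity levels as SIDs under authority S-1-16; the RIDs are spaced
# 0x1000 apart so that further levels can be inserted later.
LEVELS = {n: i * 0x1000 for i, n in enumerate(["Untrusted", "Low", "Medium", "High", "System"])}


def level_sid(name):
    """Integrity SID for a level name, e.g. Low -> S-1-16-4096."""
    return f"S-1-16-{LEVELS[name]}"


@dataclass
class SecuredObject:
    """A file/folder/registry key: a DACL (user -> rights) plus optional IL
    markings per access type ('read', 'write', 'execute'). Unmarked = Medium."""
    dacl: dict
    il: dict = field(default_factory=dict)


def process_level(exe, user_level, requested=None):
    """The executable's IL Execute marker wins; otherwise the user's level.
    A process may be started lower than that, never higher."""
    level = exe.il.get("execute", user_level)
    if requested is not None and LEVELS[requested] < LEVELS[level]:
        level = requested
    return level


def access_check(process_il, user, obj, right):
    """Stage 1: process IL must be >= the object's marking for this access
    type (default Medium). Stage 2: only then is the DACL checked."""
    if LEVELS[process_il] < LEVELS[obj.il.get(right, "Medium")]:
        return False, "denied: integrity level too low"
    if right not in obj.dacl.get(user, set()):
        return False, "denied: no DACL grant"
    return True, "allowed"


# Constructed sample: an unmarked user document (so Medium), a browser
# executable marked IL Execute = Low, and a Low-marked cache folder.
DOCUMENT = SecuredObject(dacl={"alice": {"read", "write"}})
BROWSER_EXE = SecuredObject(dacl={"alice": {"read", "execute"}}, il={"execute": "Low"})
CACHE = SecuredObject(dacl={"alice": {"read", "write"}}, il={"read": "Low", "write": "Low"})

if __name__ == "__main__":
    il = process_level(BROWSER_EXE, user_level="Medium")      # Low, from the marker
    print(il, access_check(il, "alice", DOCUMENT, "write"))  # DACL grants, IL denies
    print(il, access_check(il, "alice", CACHE, "write"))     # allowed
```

This follows the slides' "same or lower level" rule for every access type; the shipped Windows policy enforces only no-write-up by default, and no-read-up/no-execute-up have to be set explicitly on the object.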
Current use
• Isolate non-trusted code into a limited access box
  • mainly to prevent malicious code from modifying system settings and stealing data
  • e.g. Internet Explorer
• Provide Microsoft with the ability to limit system administrators from being able to modify sensitive system resources
• Provide limited user/level boxing when combined with traditional permissions
Possible future use
• What needs to be done
  • Increase the number of levels above System
    • more granular control
  • Enable provision of user accounts which are not members of the Users group
    • would enable complete user isolation
• This may provide enterprise-level process/user/data isolation
The end
Thanks for your attention!
Author: Martin ONDRÁČEK, Product Director
E-mail: martin.ondracek@sodatsw.cz