Windows Integrity Control

Another invisible feature of Vista thatyou should understand is the Windows Integrity
Control (WIC). Previously, a system used Access Control Lists (ACLs)to determine
whether an individual could modify an object. For example, if you attempt to access a
file, and that file has a permission setting that denies you access, you are done, you
have no access. Files, folders, processes, threads, Registry keys, and so forth all have
ACLs.
Now, however objects also have an Integrity rating. There are four levels: low, medium,
high, and system. Standard users receive medium, and elevated users receive high.
Processes that you (as a user) start receive the integrity you are running (medium or
high). But this isnt the case if the file already has a setting of low on it. System serv-
ices receive the highest-level system rating.
How does this work? Well, lets say you are running IE 7 in protected mode (so its run-
ning with a level of low integrity) and something from the Internet wants to write a
virus to the operating system. The attack fails because, if it tries to access an object with
a higher integrity level, it is stopped.
Objects that dont have an integrity code assigned are treated as medium so that lower-
level integrity processes cannot harm them.
As for changing integrity levels, only users with the Change Label privilege can change
integrity levels to a higher level. The primary point in WIC is that an object cannot be
modified if it has a higher integrity level than that which is trying to modify it.



Windows Integrity control,assigning integrity levels,integrity code,WIC,Access control list,change integrity level