The Windows integrity mechanism enables a number of important scenarios in Windows Vista. In order to address the requirements, the Windows integrity mechanism's design had to meet the following goals.
The Windows integrity mechanism meets these goals by defining a new mandatory label ACE type for assigning an integrity level to objects. Details of this structure are described in a later section of this paper. However, the mandatory label ACE defines an object integrity level without changes to the existing security descriptor data structure definition or to the commonly used discretionary access control list.
The Windows integrity mechanism is based on a mandatory label that the operating system assigns, which distinguishes it from discretionary access control, where access is under user control. Discretionary access control allows the object owner, or a group that has been granted permission, to change the object's access permissions. Windows provides a graphical user interface (UI) for advanced users to view and modify the security permissions (represented by the discretionary ACL) on objects such as files and registry keys. Mandatory labels are always assigned to specific objects, and there are controls on how the object creator can set or initialize the label when the object is created. No graphical UI for managing integrity labels was implemented for Windows Vista because label management is necessary in relatively few areas.
The purpose of the Windows integrity mechanism is to restrict the access permissions of applications that are running under the same user account and that are less trustworthy. Unknown, potentially malicious code that is downloaded from the Internet must be prevented from modifying system state, changing user data files, or manipulating the behavior of other application programs. The Windows security subsystem assigns a simple hierarchy of integrity levels to code running at different privilege levels for the same user. Previous versions of Windows can adjust the security access token privileges of an application process, although such adjustment is not common. Before Windows Vista, most applications ran using an administrative account with full administrator rights. Windows Vista incorporates the concept of least privilege by enabling broader use of standard user accounts. User Account Control (UAC) in Admin Approval Mode for administrator accounts means that multiple applications on the same desktop are running with different privilege levels. For example, Protected Mode Internet Explorer uses the integrity mechanism to run the Web browser in a process with limited access permissions.
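The mandatory label ACE mentioned above and the "no write up" behaviour that Protected Mode Internet Explorer relies on can be illustrated in plain C. The block below is an added example, not code from the paper or from Windows itself: it parses a constructed SYSTEM_MANDATORY_LABEL_ACE byte image using the layout and constants defined in the Windows SDK (ACE type 0x11, the S-1-16-<level> label SID, the NO_WRITE_UP / NO_READ_UP / NO_EXECUTE_UP policy bits and the integrity RIDs 0x0000 to 0x4000), then applies the integrity check that precedes DACL evaluation. The ACCESS_READ / ACCESS_WRITE / ACCESS_EXECUTE classes, the function names and the sample ACE bytes are simplifications chosen for this example; the real kernel maps the requested ACCESS_MASK bits to these classes itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as defined in the Windows SDK (winnt.h). */
#define SYSTEM_MANDATORY_LABEL_ACE_TYPE      0x11
#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP   0x1
#define SYSTEM_MANDATORY_LABEL_NO_READ_UP    0x2
#define SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP 0x4
#define SECURITY_MANDATORY_UNTRUSTED_RID     0x0000
#define SECURITY_MANDATORY_LOW_RID           0x1000
#define SECURITY_MANDATORY_MEDIUM_RID        0x2000
#define SECURITY_MANDATORY_HIGH_RID          0x3000
#define SECURITY_MANDATORY_SYSTEM_RID        0x4000

/* Simplified access classes for this example (not the Windows ACCESS_MASK bits). */
enum { ACCESS_READ = 1, ACCESS_WRITE = 2, ACCESS_EXECUTE = 4 };

struct mandatory_label {
    uint32_t policy; /* NO_*_UP bits taken from the ACE's Mask field */
    uint32_t level;  /* integrity RID from the label SID S-1-16-<level> */
};

/* Constructed sample: a 20-byte mandatory label ACE labelling an object
 * Medium integrity with the NO_WRITE_UP policy. */
static const uint8_t SAMPLE_ACE[20] = {
    0x11, 0x00, 0x14, 0x00,             /* AceType=0x11, AceFlags=0, AceSize=20   */
    0x01, 0x00, 0x00, 0x00,             /* Mask = SYSTEM_MANDATORY_LABEL_NO_WRITE_UP */
    0x01, 0x01,                         /* SID: Revision=1, SubAuthorityCount=1   */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x10, /* IdentifierAuthority = 16 (mandatory label) */
    0x00, 0x20, 0x00, 0x00              /* SubAuthority[0] = 0x2000 = Medium        */
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one mandatory label ACE. Returns 0 on success, -1 if the bytes are not
 * a well-formed ACE of this type (wrong type, short buffer, non-label SID). */
int parse_mandatory_label_ace(const uint8_t *buf, size_t len, struct mandatory_label *out)
{
    static const uint8_t label_authority[6] = {0, 0, 0, 0, 0, 16}; /* S-1-16 */
    if (len < 20 || buf[0] != SYSTEM_MANDATORY_LABEL_ACE_TYPE) return -1;
    uint16_t ace_size = (uint16_t)(buf[2] | (buf[3] << 8));
    if (ace_size < 20 || ace_size > len) return -1;
    const uint8_t *sid = buf + 8;                 /* SidStart follows the 4-byte Mask */
    if (sid[0] != 1 || sid[1] != 1) return -1;    /* revision 1, exactly one sub-authority */
    if (memcmp(sid + 2, label_authority, 6) != 0) return -1;
    out->policy = read_le32(buf + 4) & (SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |
                                        SYSTEM_MANDATORY_LABEL_NO_READ_UP |
                                        SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP);
    out->level = read_le32(sid + 8);
    return 0;
}

/* Integrity check applied before the DACL: a subject whose token integrity level is
 * below the object's label is refused the access classes the label's policy forbids.
 * Returns 1 when the mandatory policy allows the request, 0 when it denies it. */
int mandatory_check(uint32_t subject_level, const struct mandatory_label *label, uint32_t desired)
{
    if (subject_level >= label->level) return 1; /* at or above the label: no restriction */
    if ((desired & ACCESS_WRITE)   && (label->policy & SYSTEM_MANDATORY_LABEL_NO_WRITE_UP))   return 0;
    if ((desired & ACCESS_READ)    && (label->policy & SYSTEM_MANDATORY_LABEL_NO_READ_UP))    return 0;
    if ((desired & ACCESS_EXECUTE) && (label->policy & SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)) return 0;
    return 1;
}

const char *level_name(uint32_t rid)
{
    switch (rid) {
    case SECURITY_MANDATORY_UNTRUSTED_RID: return "Untrusted";
    case SECURITY_MANDATORY_LOW_RID:       return "Low";
    case SECURITY_MANDATORY_MEDIUM_RID:    return "Medium";
    case SECURITY_MANDATORY_HIGH_RID:      return "High";
    case SECURITY_MANDATORY_SYSTEM_RID:    return "System";
    default:                               return "Unknown";
    }
}

int main(void)
{
    struct mandatory_label label;
    if (parse_mandatory_label_ace(SAMPLE_ACE, sizeof SAMPLE_ACE, &label) != 0) {
        puts("not a mandatory label ACE");
        return 1;
    }
    printf("object label: %s, policy 0x%x\n", level_name(label.level), label.policy);
    /* A Low-integrity process (e.g. Protected Mode IE) may read but not write. */
    printf("Low write:   %s\n", mandatory_check(SECURITY_MANDATORY_LOW_RID, &label, ACCESS_WRITE) ? "allowed" : "denied");
    printf("Low read:    %s\n", mandatory_check(SECURITY_MANDATORY_LOW_RID, &label, ACCESS_READ) ? "allowed" : "denied");
    printf("Medium write:%s\n", mandatory_check(SECURITY_MANDATORY_MEDIUM_RID, &label, ACCESS_WRITE) ? "allowed" : "denied");
    return 0;
}
```

Two points the example makes visible: the policy is carried in the ACE's access mask rather than in a new security descriptor field, which is why the existing descriptor layout did not have to change, and a passing integrity check is not a grant; the discretionary ACL is still evaluated afterwards, so a Low-integrity reader can still be refused by the DACL.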