MAC in Windows Vista

Author: Martin ONDRÁČEK, Product Director

E-mail: [email protected]

SODATSW spol. s r. o.; Horní 32; Brno; Czech Republic; www.sodatsw.cz

Overview

• Windows NT kernel 6.0+: Vista, 2008, 7, 2008 R2
• Basic MAC (Mandatory Access Control), called Mandatory Integrity Control (MIC)
• Based on the trustworthiness of code
• User interface = User Account Control
• Per-process identity: based on the file system path, not per user

Windows Integrity Control

• New layer in access checks
• Based on integrity levels
• The user's access token now contains a new special SID for the integrity level
• An object can be assigned a single security descriptor with an ACE = SID × access type
• Normal resources are not stamped with an IL ACE

Defined integrity levels

Microsoft: "The relative identifiers are separated by intervals of 0x1000 to allow for definition of additional levels in the future."

Value  | Description            | Integrity level SID | Name
-------|------------------------|---------------------|-------------------------------------
0x0000 | Untrusted level        |                     |
0x1000 | Low integrity level    | S-1-16-4096         | Mandatory Label\Low Mandatory Level
0x2000 | Medium integrity level | S-1-16-8192         | Mandatory Label\Medium Mandatory Level
0x3000 | High integrity level   | S-1-16-12288        | Mandatory Label\High Mandatory Level
0x4000 | System integrity level | S-1-16-16384        | Mandatory Label\System Mandatory Level

Access checks

• SeAccessCheck (the kernel-mode security module) checks access permissions to objects
• It considers the process IL first: a process with a certain IL can access any object with the same or lower level
• Only secondly are the actual permissions considered when doing access checks

File system improvements

• NTFS permissions can store IL markings for files and folders: IL Read / IL Write / IL Execute
• Each marking must have a single level assigned: Trusted Installer / System / High / Medium / Low / Untrusted

Read/Write markings

• Operating system objects (file, folder, registry) can be marked with a specific combination of IL markers
  – Read: read data, permissions, attributes
  – Write: write/append data, delete file/folder, create file/folder, change permissions
• If a file is not marked explicitly, it is considered to be marked Medium for both
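The ordering described on the last three slides (integrity level compared first, discretionary permissions only afterwards, unmarked objects treated as Medium) can be written down as a small model. The following Python is an added illustration, not code from the slides, from SODATSW or from Microsoft: `Label`, `SecuredObject`, `check_access` and `MARKER_FOR_OPERATION` are invented names, the objects and users are constructed sample data, and the level comparison follows the slides' simplification that both reads and writes are blocked upward (real Windows enforces only no-write-up by default, which is why `Label.restricts` is configurable).

```python
"""Simplified model of the Vista integrity access check described on these slides.

Added illustration, not Microsoft's SeAccessCheck. Assumptions:
- levels are compared by the RID of the mandatory-label SID (S-1-16-<rid>);
- an object without an explicit label is treated as Medium for read and write,
  as the slides state (real Windows enforces only no-write-up by default);
- the integrity check runs first; the DACL is consulted only if it passes.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Integrity-level table from the slides: RID -> level name (spaced 0x1000 apart).
INTEGRITY_LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
                    0x3000: "High", 0x4000: "System"}
MEDIUM = 0x2000

# Which IL marker governs each concrete operation (from the Read/Write markings slide).
MARKER_FOR_OPERATION = {
    "read_data": "read", "read_permissions": "read", "read_attributes": "read",
    "write_data": "write", "append_data": "write", "delete": "write",
    "create_child": "write", "change_permissions": "write",
}


def integrity_rid_from_sid(sid: str) -> int:
    """Parse a mandatory-label SID such as S-1-16-8192 and return its RID (0x2000)."""
    parts = sid.split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        raise ValueError(f"not a mandatory label SID: {sid}")
    rid = int(parts[3])
    if rid not in INTEGRITY_LEVELS:
        raise ValueError(f"unknown integrity RID {rid:#x}")
    return rid


@dataclass
class Label:
    """IL marking on an object: the level plus the access kinds it restricts (hypothetical type)."""
    rid: int
    restricts: Set[str] = field(default_factory=lambda: {"read", "write"})


@dataclass
class SecuredObject:
    """Constructed stand-in for a file/registry object with a DACL and optional label."""
    dacl: Dict[str, Set[str]]          # user -> operations the DACL grants
    label: Optional[Label] = None      # None = object is not stamped


def check_access(process_il: int, user: str, obj: SecuredObject,
                 operation: str) -> Tuple[bool, str]:
    """Return (granted, reason), evaluating integrity before the DACL."""
    kind = MARKER_FOR_OPERATION[operation]
    # Unmarked objects are treated as Medium for both read and write.
    label = obj.label or Label(MEDIUM)
    if kind in label.restricts and process_il < label.rid:
        return False, (f"integrity: process {INTEGRITY_LEVELS[process_il]} "
                       f"< object {INTEGRITY_LEVELS[label.rid]}")
    if operation not in obj.dacl.get(user, set()):
        return False, "dacl: operation not granted to user"
    return True, "granted"


if __name__ == "__main__":
    # Constructed example: a user's settings file with no explicit IL marking.
    settings = SecuredObject(dacl={"alice": {"read_data", "write_data", "delete"}})
    low = integrity_rid_from_sid("S-1-16-4096")      # e.g. a Low-IL browser process
    medium = integrity_rid_from_sid("S-1-16-8192")   # alice's normal processes
    print(check_access(low, "alice", settings, "write_data"))     # refused at the integrity step
    print(check_access(medium, "alice", settings, "write_data"))  # passes both steps
    print(check_access(medium, "bob", settings, "read_data"))     # refused at the DACL step
```

The point the model makes visible is that a DACL entry granting `alice` write access is never even consulted for the Low process: the integrity comparison short-circuits first, which is exactly what isolates a Low-IL browser from the user's own Medium-level files.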

Process level

• Each process is started from an executable file which can be marked with IL Execute marker

• If the executable is actually marked, then the process runs with the level specified

• If the file is not marked, by default the process runs with a level depending on the user's identity

Process level based on user

• A process can be started with a level lower than the previously defined one

User/process type                                     | Process level
------------------------------------------------------|------------------
Anonymous                                             | Untrusted
Everyone                                              | Low
Authenticated Users                                   | Medium
Cryptographic/Backup/Network Configuration Operators  | High
Administrators                                        | High
LocalSystem/LocalService/NetworkService               | System
Trusted Installer service                             | Trusted Installer
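The two preceding slides give three rules for the level a new process receives: an IL Execute marker on the executable wins, otherwise the user's group membership decides, and a caller may only lower the level, never raise it. The Python below is an added model of those rules, not code from the slides or from Windows; `GROUP_LEVEL`, `process_level` and `integrity_sid` are invented names, and the group list is the slide's table. It also shows the mandatory-label SID the token would carry for the five levels the "Defined integrity levels" slide lists.

```python
"""Model of how a new process gets its integrity level, following the slides.

Added illustration with assumed rules (not Windows code):
- an executable marked with an IL Execute marker sets the process level;
- otherwise the level comes from the most trusted group the user belongs to;
- a caller may request a lower level than that default, never a higher one.
"""
from typing import Iterable, Optional

# Ordering of the levels named on the slides, Trusted Installer above System.
LEVEL_RANK = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3, "System": 4,
              "Trusted Installer": 5}

# Mandatory-label RIDs for the five levels the slides give SIDs for.
INTEGRITY_RID = {"Untrusted": 0x0000, "Low": 0x1000, "Medium": 0x2000,
                 "High": 0x3000, "System": 0x4000}

# "Process level based on user" table from the slides (group -> default level).
GROUP_LEVEL = {
    "Anonymous": "Untrusted",
    "Everyone": "Low",
    "Authenticated Users": "Medium",
    "Cryptographic Operators": "High",
    "Backup Operators": "High",
    "Network Configuration Operators": "High",
    "Administrators": "High",
    "LocalSystem": "System",
    "LocalService": "System",
    "NetworkService": "System",
    "Trusted Installer service": "Trusted Installer",
}


def default_level_for_groups(groups: Iterable[str]) -> str:
    """Highest level granted by any of the token's groups (Untrusted if none match)."""
    best = "Untrusted"
    for group in groups:
        level = GROUP_LEVEL.get(group)
        if level and LEVEL_RANK[level] > LEVEL_RANK[best]:
            best = level
    return best


def process_level(groups: Iterable[str], exe_marker: Optional[str] = None,
                  requested: Optional[str] = None) -> str:
    """Level a process starts with; raises PermissionError on a request to go higher."""
    # Rule 1: an IL Execute marker on the executable overrides the user-based default.
    base = exe_marker if exe_marker else default_level_for_groups(groups)
    if requested is None:
        return base
    # Rule 3: the level may be lowered at start, but never raised above the default.
    if LEVEL_RANK[requested] > LEVEL_RANK[base]:
        raise PermissionError(f"cannot start at {requested}: default level is {base}")
    return requested


def integrity_sid(level: str) -> str:
    """Mandatory-label SID placed in the token, e.g. Medium -> S-1-16-8192."""
    if level not in INTEGRITY_RID:
        raise ValueError(f"no mandatory-label SID given on the slides for {level}")
    return f"S-1-16-{INTEGRITY_RID[level]}"


if __name__ == "__main__":
    # Constructed token group lists for a standard user and an administrator.
    user_groups = ["Everyone", "Authenticated Users"]
    admin_groups = user_groups + ["Administrators"]
    print(process_level(user_groups), integrity_sid(process_level(user_groups)))
    print(process_level(admin_groups))
    print(process_level(user_groups, exe_marker="Low"))   # marked browser executable
    print(process_level(user_groups, requested="Low"))    # voluntarily lowered
    try:
        process_level(user_groups, requested="High")
    except PermissionError as err:
        print("refused:", err)
```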

Notes

• Non-marked processes and files run at Medium level
• Low processes are isolated to access only Low resources
• There is a single system service that can access anything: Trusted Installer

[Diagram slides: "User IL"; "Different process ILs"]

Current use

• Isolate non-trusted code into a limited-access box, mainly to prevent malicious code from modifying system settings and stealing data (e.g. Internet Explorer)
• Provide Microsoft with the ability to limit system administrators from being able to modify sensitive system resources
• Provide limited user/level boxing when combined with traditional permissions

Possible future use

• What needs to be done
  – Increase the number of levels above System: more granular control
  – Enable provision of user accounts which are not members of the Users group: would enable complete user isolation
• This may provide enterprise-level process/user/data isolation

The end. Thanks for your attention!
