Even the most casual observer of Windows Vista (in its prerelease stages) will walk away with two impressions. The first, of course, is that the Aero Glass UI provides some seriously snappy new eye candy. The second and perhaps more powerful impression, after perusing Vista's long list of new features, is that Microsoft is really attempting to secure this thing.
After just a few minutes playing with a Vista beta, you’ll encounter the new User Access Control (UAC) feature, which—even if you're logged on as an administrator—essentially asks, "Are you sure?" every time you do anything even vaguely under the umbrella of administrative action. Some people disable this feature immediately, but I don't. Yes, it can be an irritating feature, but I admire its overall goal to wean us off the dangerous, malware-friendly habit of spending our entire days logged on to our systems as administrators.
UAC's in-your-face approach obviously attracts attention and has impelled many writers to spill a ton of ink, most of whom complain about what they see as an overly intrusive security feature. What’s surprising is that almost no one discusses a different, equally important Vista security feature: Mandatory Integrity Control (MIC).
Under MIC, every process, user, and object (e.g., file, folder, registry entry) has a "rating" called a mandatory integrity level (MIL)—or, in some cases, simply an IL. Think of MILs as similar to the levels in government security classification systems, as in unclassified, restricted, confidential, secret, and top secret. In the government security model, objects (e.g., memos, reports) marked as "secret" can be viewed by any person who has either a "secret" or "top secret" level but not a “confidential” level. The MIC model has six mandatory integrity levels, and a process with a given MIL can’t modify or delete any object that has a higher MIL. The levels work as follows:
Untrusted—Anonymous users get this level.
Low—Anything downloaded from the Internet gets this integrity level.
Medium—This is the most popular rating. Anyone running a standard user account gets a medium IL, and most files on the computer have medium ILs.
High—Administrators get this level.
System—This setting goes to most processes in the OS and to most services.
Application Installer—Only one process, the application installer, has this setting.
Processes get their MILs from whoever runs them and from the MIL that's optionally embedded in the process itself. The OS then gives the process the lower of the two. So, for example, even if I'm logged on as an administrator (with a MIL of High), and I start up Microsoft Internet Explorer (IE)—which has an embedded MIL of Medium—the resultant process will have a MIL of Medium. Furthermore, much of IE's browsing happens with an IE component known as Low Privilege IE (LPIE), which runs with a MIL of Low.
MIC is useful in many ways, but the easiest to understand is the way MIC protects us from malware. For example, suppose you receive an attachment in an email message and decide to execute it, and suppose it's actually malware that would delete files. You're logged in as a regular user (Medium), and most files have a MIL of Medium, so you have the ability to delete most files, provided that you also have the proper NTFS permissions. That attachment came from the Internet, and so LPIE downloaded and decoded it—at least, if you use Microsoft Outlook, Outlook Express, or a Web-based mail client. (Other mail clients probably end up using LPIE as well, but I can't guarantee it.) Because LPIE runs in the context of a Low MIL, any application that it launches (e.g., malware) also runs at a Low MIL. So, when the malware tries to delete a file, it fails because the process has a MIL of Low and it's trying to delete something with a MIL of Medium. Again, note that this scenario would be true even if you, LPIE, and the malware all had the NTFS permissions to delete the file. MIC supersedes NTFS permissions.
That's a very brief introduction to MIC. Mandatory-type integrity controls have existed in secure (i.e., "top secret") computing environments for years; it'll be interesting to see how such a thing succeeds in a retail OS.
