Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Mandatory access control
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
=== Microsoft === {{Main|Mandatory Integrity Control|User Interface Privilege Isolation}} Starting with [[Windows Vista]] and [[Windows Server 2008|Server 2008]], Microsoft has incorporated [[Mandatory Integrity Control]] (MIC) in the Windows operating system, which adds ''integrity levels'' (IL) to running processes. The goal is to restrict access of less trustworthy processes to sensitive info. MIC defines five integrity levels: Low, medium, high, system, and trusted installer.<ref name="symantec">{{cite web | url = http://www.symantec.com/enterprise/security_response/weblog/2006/08/windows_vista_windows_security.html | title = Analysis of the Windows Vista Security Model | author = Matthew Conover | publisher = [[Symantec Corporation]] | accessdate = 2007-10-08 | url-status = dead | archiveurl = https://web.archive.org/web/20080325024250/http://www.symantec.com/enterprise/security_response/weblog/2006/08/windows_vista_windows_security.html | archivedate = 2008-03-25 }}</ref> By default, processes started at medium IL. [[User Account Control|Elevated]] processes receive high IL.<ref name="steve">{{cite web | url = http://blogs.technet.com/steriley/archive/2006/07/21/442870.aspx | title = Mandatory Integrity Control in Windows Vista | author = Steve Riley | accessdate = 2007-10-08}}</ref> Child processes, by default, inherit their parent's integrity, although the parent process can launch them with a lower IL. For example, [[Internet Explorer 7]] launches its subprocesses with low IL. Windows controls access to [[Object Manager (Windows)|objects]] based on ILs. Named [[Object Manager (Windows)|objects]], including [[Computer file|files]], [[Windows Registry|registry]] keys or other [[Process (computing)|processes]] and [[Thread (computer science)|threads]], have an entry in their [[access-control list|ACL]] indicating the minimum IL of the process that can use the object. MIC enforces that a process can write to or delete an object only when its IL is equal to or higher than the object’s IL. Furthermore, to prevent access to sensitive data in memory, [[User Interface Privilege Isolation|processes can’t open processes with a higher IL for read access]].<ref name="mark">{{cite web | url = http://blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx | title = PsExec, User Account Control and Security Boundaries | accessdate = 2007-10-08 | author = Mark Russinovich| author-link = Mark Russinovich }}</ref>
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)