Last month, in "Icacls: The New and Improved Cacls?" (InstantDoc ID 95346), I introduced you to Icacls, Windows Vista's eventual replacement of Cacls, the command-line tool that lets you set NTFS file and folder permissions. This month, I drill down into one of Icacls's new capabilities—setting integrity levels for files and folders.
Vista has introduced the notion of integrity levels, which is a completely new concept for Windows. An integrity level is a label that the OS applies to objects (e.g., files, folders, registry keys), user sessions, and running processes. Think of this label as a mark that indicates the trustworthiness of that object, user, or process. This trustworthiness becomes useful through another new concept: integrity policy. The default integrity policy for Vista is known as no write up—a shorthand way of saying that processes of lower integrity can't modify objects of higher integrity, no matter what NTFS permissions the processes have on the objects.
How about an example? Suppose you're running the command prompt at a medium integrity level. (I'll define all the integrity levels shortly.) You want to examine a text file named test.txt, which has a high integrity level, by typing
Suppose you also have an NTFS permission of Full Control on test.txt. You would find that using the Type command to merely read test.txt works just fine. However, if you try to delete the file by typing
you'll get an Access Denied error, despite your Full Control permission. It's called a no write up policy because although lower-integrity-level processes can read higher-integrity files just fine, any attempts at writing make the integrity mechanism kick in. And as you've surmised by now, integrity levels take precedence over standard NTFS permissions. Again, the no write up policy is Vista's default behavior, but you can also create no read up and no execute up policies. (I'll leave discussions of those for another day.)
Vista defines five levels of integrity: untrusted, low, medium, high, and system. Microsoft Internet Explorer (IE) in Protected Mode—an IE 7.0 feature only in Vista—caches items as low integrity; Vista sets non-administrative users and most objects on the computer to medium integrity; administrative user accounts run as high integrity; and items that the OS itself owns operate at system integrity. Vista assigns the untrusted level to objects created by people who have the Anonymous Logon group associated with their tokens. However, I've never actually seen the untrusted level in Vista, except when I explicitly create untrusted objects.
Try It Out
To see integrity levels at work, you'll need an administrative account with the new-to-Vista user privilege Modify an object label. Give yourself that privilege in your local Group Policy Editor, reboot, and you'll be ready to play around with integrity levels. (By default, only the System account has this privilege, but any member of the Administrators group can grant it.)
Open an elevated command prompt (in Vista, elevated means to right-click the Command Prompt icon and choose Run as administrator), and create a folder to work in:
Press Enter, then make the \stuff directory your current directory by typing
Press Enter. Now, create a file named test.txt by typing
echo We're testing integrity levels>test.txt
Press Enter. Finally, set the file test.txt to high integrity:
icacls test.txt /setintegritylevel h
Icacls will respond that it has processed the file successfully. Next, open an unelevated command prompt and type
You'll get an Access Denied response, despite the fact that your NTFS permissions are quite sufficient to delete the file. Interesting, huh? As it turns out, Microsoft originally had big plans for integrity levels, but the company backed off from using them in the final days of Vista's creation. To get the most out of integrity levels, though, you'll need a different tool—which I'll introduce you to next month.