A homemade tool makes Icacls even more useful
In last month's column, "Icacls Shows Integrity" (InstantDoc ID 95681), I used Windows Vista's new Icacls command-line tool to experiment with integrity levels—the new-to-Vista security notion of assigning labels to processes, users, and objects (e.g., files, folders, registry keys). This time, I want to address an Icacls shortcoming by sharing a free tool with you. My Chml file lets you take your integrity-level experiments to new areas of functionality.
A Short Review
Last month, I explained that Vista uses five integrity levels—Untrusted, Low, Medium, High, and System—to indicate an object's degree of trustworthiness. Administrators get a High integrity level, and non-administrative users get a Medium integrity level. By default, Windows enforces a no write up policy, which means that when a process tries to modify an object, Windows checks the integrity levels of the process and the object. If the process is running at a lower integrity level than the object, Windows blocks the modification attempt—even if the user has a Full Control permission on that object.
Icacls lets you modify integrity levels between Low, Medium, and High, but it won't let you do anything involving Untrusted or System levels, and it won't let you change the default no write up policy. That's a shame, because Windows can also enforce a no read up policy, which blocks any low-integrity process from reading the object. Having the ability to change the no write up policy to no read up could by quite useful: Wouldn't it be nice to add a little protection to personal files by setting them to a High integrity level with a no read up policy? Because most applications run at a Medium integrity level, such a setting would foil any spyware attempting to peek at, for example, a file containing your passwords or credit card information.
A Free Tool
I wanted to explore no read up policies and experiment with Untrusted and System integrity levels, so I wrote a tool that I call Chml, which you can find at my Web site (http://www.minasi.com/vista/chml.htm). Download the chml.exe file, and copy it to your \Windows\System32 folder so that it will be on your system path and thus always accessible from a command prompt. Then, ensure that you have the Modify an object label user privilege that I discussed last month. Open an elevated command prompt, change to the C:\stuff folder that you created last month, and you're ready to start running Chml.
Create a text file of some kind, and call it test1.txt. Now, you've got something to work with. Ask Chml to tell you the file's current integrity level by typing
and it will inform you that the file is unlabeled, but that unlabeled means the OS treats it as having a Medium integrity level. Now, raise the file's integrity level to High by typing
chml test1.txt -i:h
The -i: option can take the values u, l, m, h, or s, and these values are case-sensitive (as are all Chml options). Chml will confirm that it has successfully set test1.txt's integrity level to High. If you type
Icacls will confirm that the file has a label of Mandatory Label\High Mandatory Level, which—as you learned last month—is Vista's way of saying that a file has a High integrity level.
Now, give test1.txt a no read up policy by typing
chml test1.txt -i:h -nr
You can use any combination of the -nr, -nw, and -nx options to assign the no read up, no write up, or no execute up policies. (I haven't come up with any uses for the no execute up policy.)
Running Icacls on test1.txt will show a different label than before: Mandatory Label\High Mandatory Level:(NR). This label is different from the labels you've seen before because previous labels have ended with (NW). As you've probably guessed, NW means a no write up policy, and NR means a no read up policy.
Now open a non-elevated command prompt and try to examine test1.txt by typing
You'll get an Access Denied error message, despite the fact that you're the owner of the object. That's no read up in action. But that's not all that Chml can do, as you'll see next month.