Mandatory Integrity Control

In the context of the Microsoft Windows family of operating systems, Mandatory Integrity Control (MIC) is a core security feature introduced in Windows Vista and implemented in subsequent desktop line of Windows operating systems, that adds Integrity Levels (IL)-based isolation to running processes. The IL represents the level of trustworthiness of an object. This mechanism's goal is to use pre-existing integrity control policies and the involved objects' IL to selectively restrict the access permissions in contexts that are considered to be potentially less trustworthy, compared with other contexts running under the same user account that are more trusted.

Implementation

Mandatory Integrity Control is defined using a new access control entry (ACE) type to represent the object's IL in its security descriptor. In Windows, Access Control Lists (ACLs) are used to grant access rights (read, write, and execute permissions) and privileges to users or groups. An IL is assigned to a subject's access token when initialized. When the subject tries to access an object (for example, a file), the Security Reference Monitor compares the integrity level in the subject's access token against the integrity level in the object's security descriptor. Windows restricts the allowed access rights depending on whether the subject's IL is higher or lower than the object, and depending on the integrity policy flags in the new access control entry (ACE). The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access under user control that ACLs provide.

Windows Vista defines four integrity levels: Low (SID: S-1-16-4096), Medium (SID: S-1-16-8192), High (SID: S-1-16-12288), and System (SID: S-1-16-16384).[1] By default, processes started by a regular user gain a Medium IL and elevated processes have High IL.[2] By introducing integrity levels, MIC allows classes of applications to be isolated, enabling scenarios like sandboxing potentially-vulnerable applications (such as Internet-facing applications). Processes with Low IL are called low-integrity processes, which have less access than processes with higher ILs where the Access control enforcement is in Windows.

Objects with Access control lists, such as Named objects, including files, registry keys or even other processes and threads, have an entry in the System Access Control List governing access to them, that defines the minimum integrity level of the process that can use the object. Windows makes sure that a process can write to or delete an object only when its integrity level is equal to or higher than the requested integrity level specified by the object.[2] Additionally, for privacy reasons process objects with higher IL are out-of-bounds for even read access from processes with lower IL.[3]

Consequently, a process cannot interact with another process that has a higher IL. So a process cannot perform functions such as inject a DLL into a higher IL process by using the CreateRemoteThread()[4] API function or send data to a different process by using the WriteProcessMemory()[5] function.

Application

While processes inherit the integrity level of the process that spawned it, the integrity level can be customized at the time of process creation. As well as for defining the boundary for window messages in the User Interface Privilege Isolation (UIPI) technology, Mandatory Integrity Control is used by applications like Adobe Reader, Google Chrome, Internet Explorer, and Windows Explorer to isolate documents from vulnerable objects in the system.[1]

Internet Explorer 7 introduces a MIC-based "Protected Mode" setting to control whether a web page is opened as a low-integrity process or not (provided the operating system supports MIC), based on security zone settings, thereby preventing some classes of security vulnerabilities. Since Internet Explorer in this case runs as a Low IL process, it cannot modify system level objects—file and registry operations are instead virtualized. Adobe Reader 10 and Google Chrome are two other notable applications that are introducing the technology in order to reduce their vulnerability to malware.[6]

Microsoft Office 2010 introduced the "Protected View" isolated sandbox environment for Excel, PowerPoint, and Word that prohibits potentially unsafe documents from modifying components, files, and other resources on a system.[7] Protected View operates as a low-integrity process and, in Windows Vista and later versions of Windows, uses MIC and UIPI to further restrict the sandbox.[8]

However, in some cases a higher IL process do need to execute certain functions against the lower IL process, or a lower IL process need to access resources that only a higher IL process can access (for example, when viewing a webpage in protected mode, save a file downloaded from the internet to a folder specified by the user).[1] High IL and Low IL processes can still communicate with each other by using files, Named pipes, LPC or other shared objects. The shared object must have an integrity level as low as the Low IL process and should be shared by both the Low IL and High IL processes.[3] Since MIC does not prevent a Low IL process from sharing objects with a higher IL process, it can trigger flaws in the higher IL process and have it work on behalf of the low IL process, thereby causing a Squatting attack.[3] Shatter attacks, however, can be prevented by using User Interface Privilege Isolation which takes advantage of MIC.

See also

References

  1. ^ a b c Matthew Conover. "Analysis of the Windows Vista Security Model" (PDF). Symantec Corporation. Retrieved 2007-10-08.
  2. ^ a b Steve Riley. "Mandatory Integrity Control in Windows Vista". Retrieved 2007-10-08.
  3. ^ a b c Mark Russinovich. "PsExec, User Account Control and Security Boundaries". Retrieved 2007-10-08.
  4. ^ "CreateRemoteThread Function (Windows)". MSDN. Retrieved 2007-10-08.
  5. ^ "WriteProcessMemory Function". MSDN. Retrieved 2007-10-08.
  6. ^ Brad Arkin (2010-07-10). "Introducing Adobe Reader Protected Mode". Adobe Systems. Retrieved 2010-09-10.
  7. ^ "Plan Protected View settings for Office 2010". TechNet. Microsoft. May 8, 2011. Retrieved January 22, 2017.
  8. ^ Keizer, Gregg (August 19, 2009). "Microsoft struts Office 2010 'sandbox' security". ComputerWorld. IDG. Retrieved January 23, 2017.

External links

Enhanced Mitigation Experience Toolkit

Enhanced Mitigation Experience Toolkit (EMET) is a freeware security toolkit for Microsoft Windows, developed by Microsoft. It provides a unified interface to enable and fine-tune Windows security features. It can be used as an extra layer of defense against malware attacks, after the firewall and before antivirus software.EMET is targeted mostly at system administrators but the newest version is supported for any Windows user running Windows 7 and later, or Windows Server 2008 R2 and later, with .NET Framework 4.5 installed. Older versions can be used on Windows XP, but not all features are available. Version 4.1 was the last version to support Windows XP.

Microsoft has announced that EMET will reach end of life on July 31, 2018. The successors to EMET are the ProcessMitigations Module—aka Process Mitigation Management Tool—and the Windows Defender Exploit Guard only available on Windows 10 and Windows Server 2016.

Exchange Online Protection

Exchange Online Protection (EOP, formerly Forefront Online Protection for Exchange or FOPE) is a hosted e-mail security service, owned by Microsoft, that filters spam and removes computer viruses from e-mail messages. The service does not require client software installation, but is activated by changing each customer's MX record. Each customer pays for the service by means of a subscription.

Most administrative tasks are performed through the use of a web-based administrative console. The console allows customers to perform management tasks, such as adding users and configuring filtering.EOP is a part of the Exchange Online family of products.

Forefront Identity Manager

Microsoft Forefront Identity Manager (FIM) is a state-based identity management software product, designed to manage users' digital identities, credentials and groupings throughout the lifecycle of their membership of an enterprise computer system. FIM integrates with Active Directory and Exchange Server to provide identity synchronization, certificate management, user password resets and user provisioning from a single interface.

Part of the Microsoft Identity and Access Management platform product line, FIM superseded Microsoft Identity Lifecycle Manager (ILM), and was known as ILM 2 during development. ILM 2007 was created by merging Microsoft Identity Integration Server 2003 (MIIS) and Certificate Lifecycle Manager (CLM).

FIM 2010 utilizes Windows Workflow Foundation concepts, using transactional workflows to manage and propagate changes to a user's state-based identity. This is in contrast to most of the transaction-based competing products that do not have a state-based element. Administrators not only can create workflows with the web-based GUI of ILM 2 portal but also include more complex workflows designed outside of the portal by importing XAML filesFIM 2010 R2 (Release 2) was released in June 2012 and has extra capabilities:

Improved Self-service Password Reset which supports all current web browsers

Role Based Access Control (RBAC) via the acquisition of BHOLD Software

Improvement to the Reporting engine via the System Center Service Manager and MS SQL Server reporting Services (SSRS)

A WebServices Connector to connect to SAP ECC 5/6, Oracle PeopleSoft, and Oracle eBusiness

Improvements in the areas of performance, simplified deployment and troubleshooting, better documentation, and more language support.

MSAV

Microsoft Anti-Virus (MSAV) was an antivirus program introduced by Microsoft for its MS-DOS operating system. The program first appeared in MS-DOS version 6.0

(1993 )

and last appeared in MS-DOS 6.22. The first version of the antivirus program was basic, had no inbuilt update facility (updates had to be obtained from a BBS and manually installed by the user) and could scan for 1,234 different viruses. Microsoft Anti-Virus for Windows (MWAV), included as part of the package, was a front end that allowed MSAV to run properly on Windows 3.1x.

Mandatory access control

In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules (aka policy) to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

With mandatory access control, this security policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted. By contrast, discretionary access control (DAC), which also governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes. (The traditional Unix system of users, groups, and read-write-execute permissions is an example of DAC.) MAC-enabled systems allow policy administrators to implement organization-wide security policies. Under MAC (and unlike DAC), users cannot override or modify this policy, either accidentally or intentionally. This allows security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users.

Historically and traditionally, MAC has been closely associated with multilevel security (MLS) and specialized military systems. In this context, MAC implies a high degree of rigor to satisfy the constraints of MLS systems. More recently, however, MAC has deviated out of the MLS niche and has started to become more mainstream. The more recent MAC implementations, such as SELinux and AppArmor for Linux and Mandatory Integrity Control for Windows, allow administrators to focus on issues such as network attacks and malware without the rigor or constraints of MLS.

Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) is a software tool released by Microsoft to determine security state by assessing missing security updates and less-secure security settings within Microsoft Windows, Windows components such as Internet Explorer, IIS web server, and products Microsoft SQL Server, and Microsoft Office macro settings. Security updates are determined by the current version of MBSA using the Windows Update Agent present on Windows computers since Windows 2000 Service Pack 3. The less-secure settings, often called Vulnerability Assessment (VA) checks, are assessed based on a hard-coded set of registry and file checks. An example of a VA might be that permissions for one of the directories in the /www/root folder of IIS could be set at too low a level, allowing unwanted modification of files from outsiders.

Microsoft Forefront

Microsoft Forefront is a discontinued family of line-of-business security software by Microsoft Corporation. Microsoft Forefront products are designed to help protect computer networks, network servers (such as Microsoft Exchange Server and Microsoft SharePoint Server) and individual devices. As of 2015, the only actively developed Forefront product is Forefront Identity Manager.

Microsoft Safety Scanner

Microsoft Safety Scanner is a free disposable virus scanner similar to Windows Malicious Software Removal Tool that can be used to scan a system for computer viruses and other forms of malware. This program was released on 15 April 2011, following the discontinuation of Windows Live OneCare Safety Scanner.Microsoft Safety Scanner is not meant to be used as a day-to-day tool, since it does not provide real-time protection against viruses, cannot update its virus definitions and expires after ten days. On the other hand, it can be run on a computer which already has an antivirus product without any potential interference. Therefore, it can be used to scan a computer where there is a potential infection and the user wants a second check from another antivirus. It uses the same detection engine and malware definitions that Microsoft Security Essentials and Microsoft Forefront Endpoint Protection use.

RootkitRevealer

RootkitRevealer is a proprietary freeware tool for rootkit detection on Microsoft Windows by Bryce Cogswell and Mark Russinovich. It runs on Windows XP and Windows Server 2003 (32-bit-versions only). Its output lists Windows Registry and file system API discrepancies that may indicate the presence of a rootkit. It is the same tool that triggered the Sony BMG copy protection rootkit scandal.RootkitRevealer is no longer being developed.

Security descriptor

Security descriptors are data structures of security information for securable Windows objects, that is objects that can be identified by a unique name. Security descriptors can be associated with any named objects, including files, folders, shares, registry keys, processes, threads, named pipes, services, job objects and other resources.Security descriptors contain discretionary access control lists (DACLs) that contain access control entries (ACEs) that grant and deny access to trustees such as users or groups. They also contain a system access control list (SACLs) that control auditing of object access. ACEs may be explicitly applied to an object or inherited from a parent object. The order of ACEs in an ACL is important, with access denied ACEs appearing higher in the order than ACEs that grant access. Security descriptors also contain the object owner.

Mandatory Integrity Control is implemented through a new type of ACE on a security descriptor.Files and folder permissions can be edited by various tools including Windows Explorer, WMI, command line tools like Cacls, XCacls, ICacls, SubInACL, the freeware Win32 console FILEACL, the free software utility SetACL, and other utilities. To edit a security descriptor, a user needs WRITE_DAC permissions to the object, a permission that is usually delegated by default to administrators and the object's owner.

Shatter attack

In computing, a shatter attack is a programming technique employed by crackers on Microsoft Windows operating systems to bypass security restrictions between processes in a session. A shatter attack takes advantage of a design flaw in Windows's message-passing system whereby arbitrary code could be injected into any other running application or service in the same session, that makes use of a message loop. This could result in a privilege escalation exploit.

System Center Data Protection Manager

System Center Data Protection Manager (DPM) is a software product from Microsoft that provides near-continuous data protection and data recovery in a Microsoft Windows environment. It is part of the Microsoft System Center family of products and is Microsoft's first entry into the near-continuous backup and data recovery. It uses Shadow Copy technology for continuous backups.

User Account Control

User Account Control (UAC) is a technology and security infrastructure introduced with Microsoft's Windows Vista and Windows Server 2008

operating systems, with a more relaxed version also present in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012 and Windows 10. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorizes it.

UAC uses Mandatory Integrity Control to isolate running processes with different privileges. To reduce the possibility of lower-privilege applications communicating with higher-privilege ones, another new technology, User Interface Privilege Isolation, is used in conjunction with User Account Control to isolate these processes from each other. One prominent use of this is Internet Explorer 7's "Protected Mode".

User Interface Privilege Isolation

User Interface Privilege Isolation (UIPI) is a technology introduced in Windows Vista and Windows Server 2008 to combat shatter attack exploits. By making use of Mandatory Integrity Control, it prevents processes with a lower "integrity level" (IL) from sending messages to higher IL processes (except for a very specific set of UI messages). Window messages are designed to communicate user action to processes. However, they can be used to run arbitrary code in the receiving process' context. This can be used by a malicious low IL process to run arbitrary code in the context of a higher IL process, which constitutes an unauthorized privilege escalation. By restricting access to some vectors for code execution and data injection, UIPI can mitigate these kinds of attacks.UIPI, and Mandatory Integrity Control more generally, is a security feature, but not a security boundary. UI Accessibility Applications can be allowed bypass UIPI by setting their "uiAccess" value to TRUE as part of their manifest file. However, for this flag to be honored by Windows UIPI, the application must be installed in the Program Files or Windows directory, and the application must be signed by a valid code signing authority. To install an application to either of these locations requires at least a user with local administrator privilege running in an elevated process with high integrity level.

Thus, malware trying to move into a position from where it can bypass UIPI must:

use a valid code signing certificate issued by an approved code signing authority,

perform the attack against a user with administrator privileges

convince the user to grant use of his/her administrative privileges in the UAC prompt.Microsoft Office 2010 uses UIPI for its Protected View sandbox to prohibit potentially unsafe documents from modifying components, files, and other resources on a system.

Windows Defender

Windows Defender (known as Windows Defender Antivirus in Windows 10 Creators Update and later) is an anti-malware component of Microsoft Windows. It was first released as a downloadable free antispyware program for Windows XP, and was later shipped with Windows Vista and Windows 7. It has evolved into a full antivirus program, replacing Microsoft Security Essentials as part of Windows 8 and later versions.

Windows Firewall

Windows Firewall (officially called Windows Defender Firewall in Windows 10), is a firewall component of Microsoft Windows. It was first included in Windows XP and Windows Server 2003. Prior to the release of Windows XP Service Pack 2 in 2004, it was known as Internet Connection Firewall. With the release of Windows 10 version 1709, in September 2017, it was renamed Windows Defender Firewall as part of the "Windows Defender" branding campaign.

Windows Live OneCare Safety Scanner

Windows Live OneCare Safety Scanner (formerly Windows Live Safety Center and codenamed Vegas) was an online scanning, PC cleanup, and diagnosis service to help remove of viruses, spyware/adware, and other malware. It was a free web service that was part of Windows Live.

On November 18, 2008, Microsoft announced the discontinuation of Windows Live OneCare, offering users a new free anti-malware suite Microsoft Security Essentials, which had been available since the second half of 2009. However, Windows Live OneCare Safety Scanner, under the same branding as Windows Live OneCare, was not discontinued during that time. The service was officially discontinued on April 15, 2011 and replaced with Microsoft Safety Scanner.

Management
tools
Apps
Shell
Services
File systems
Server
Architecture
Security
Compatibility
API
Games
Discontinued
Spun off to
Microsoft Store

This page is based on a Wikipedia article written by authors (here).
Text is available under the CC BY-SA 3.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.