S 4.341 Integrity protection in Windows Vista and higher versions

Initiation responsibility: Head of IT

Implementation responsibility: Administrator, Head of IT

Microsoft has introduced various new security mechanisms in Windows Vista to protect the integrity of critical system resources and to protect the integrity of user data. These security mechanisms include the Windows Integrity Mechanism (WIM), integrity levels (ILs), the Protected Mode of Internet Explorer, the Windows Resource Protection (WRP), the Trusted Installer and the Windows Resource Checker (sfc.exe). Which security mechanisms are to be used for integrity protection must be specified depending on the protection requirements.

Windows Integrity Mechanism (WIM) and Integrity Levels

WIM is used in connection with User Account Control (UAC) to protect the system integrity and protect user data against undetected integrity violations by malware. Technically, WIM is based on the integrity levels (ILs) assigned to certain operating system objects, which are referred to as Securable Objects. Examples of Securable Objects are user accounts, group accounts, files, folders, processes, and registry keys.

The following integrity levels are available for operating system objects (placed in order of decreasing importance to the integrity of the overall system):

Three rules can be specified for the interaction between operating system objects in different integrity levels:

By default, only the nw (no-write-up) rule is enabled; the nr (no-read-up) and nx (no-execute-up) rules are disabled.

The highest integrity level for processes started by a standard user and objects created by a standard user is Medium. For administrators, High is the highest possible integrity level available for such actions. System services are assigned the System integrity level. If an object is not explicitly assigned an integrity level, then Medium is assigned as the default level. Integrity levels are inherited in a manner similar to the entries in an ACL.

The restrictions specified by the nw, nr, or nx rules for the interaction between operating system objects are enforced by the operating system independently of the ACL of the corresponding object. For example, an administrator working as a standard user is assigned the Medium integrity level when User Account Control is enabled and the administrator has not elevated his privileges. According to the nw rule, an administrator cannot write to objects in the High integrity level even when he is entitled to full access to the object as an owner according to the ACL. To enable write access to an object in the High integrity level, the administrator (operating as an operating system object in this case) requires the High integrity level. This level is only assigned to the administrator after privilege elevation by the User Account Control. In the default configuration, this privilege elevation requires the explicit consent of the administrator. However, write access to system processes will still be impossible for the administrator since they run at an even higher integrity level than High, namely the System integrity level.
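The following PowerShell script is an added example, not part of S 4.341, that makes the nw rule visible: it reads the integrity level of the current token, labels a test file High from an elevated (High) prompt, and then shows that a non-elevated (Medium) prompt of the same user is denied the write despite having full control in the ACL. It assumes a Windows Vista or later host with UAC enabled and the built-in whoami and icacls tools; the file name and its content are constructed for the demo.

```powershell
# Added example (not from S 4.341). Run once elevated (setup), then once non-elevated (test).

# Integrity level of the current token, parsed from "Mandatory Label\<Level> Mandatory Level".
function Get-TokenIntegrityLevel {
    $line = whoami /groups | Select-String 'Mandatory Label'
    if ("$line" -match 'Mandatory Label\\(\w+) Mandatory Level') { return $Matches[1] }
    return 'Unknown'
}

# Integrity label of a file as reported by icacls, e.g. "Mandatory Label\High Mandatory Level:(NW)".
# A file without an explicit label is implicitly Medium and icacls prints no label line for it.
function Get-FileIntegrityLabel([string]$Path) {
    $out = icacls $Path 2>&1 | Out-String
    if ($out -match 'Mandatory Label\\(\w+) Mandatory Level:\(([^)]*)\)') {
        return @{ Level = $Matches[1]; Policy = $Matches[2] }
    }
    return @{ Level = 'Medium (implicit)'; Policy = 'NW' }
}

$demo = Join-Path $env:TEMP 'il-demo.txt'   # constructed test file
$il   = Get-TokenIntegrityLevel
"Token integrity level: $il"

if ($il -eq 'High' -or $il -eq 'System') {
    # --- Setup, elevated prompt: create the file and label it High (NW policy is the default). ---
    Set-Content -Path $demo -Value 'constructed sample content'
    icacls $demo /setintegritylevel H | Out-Null
    $label = Get-FileIntegrityLabel $demo
    "File label: $($label.Level), policy: $($label.Policy)"
    "Now run this script again from a NON-elevated prompt of the same user."
} else {
    # --- Test, non-elevated prompt (Medium): the DACL grants the creator full control,
    #     but the nw rule denies the write because Medium < High. ---
    try {
        Add-Content -Path $demo -Value 'write attempt from Medium' -ErrorAction Stop
        'Write succeeded: the token is at least High'
    } catch {
        'Write denied by the nw rule: ' + $_.Exception.Message
    }
    # Reading still works: the nr rule is disabled by default.
    Get-Content -Path $demo
}
```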

The Protected Mode and Internet Explorer 7 (IE7)

Protected Mode, as implemented by Microsoft, essentially consists of running a process at the Low integrity level instead of the Medium integrity level. Internet Explorer 7 (IE7) and higher runs in Protected Mode, i.e. at the Low integrity level, by default in Windows Vista / Server 2008. Versions of Internet Explorer prior to IE7, and IE7 itself on Windows versions prior to Windows Vista / Server 2008 (e.g. Windows XP), do not support Protected Mode.

User Account Control must be enabled on the system to enable the Protected Mode of IE7, which is the case in the default configuration of Windows Vista / Server 2008. When User Account Control is disabled, IE7 immediately (and without the operating system issuing a warning) loses its ability to operate in the Protected Mode.

Data downloaded by IE7, such as executable program code, can only be written to directories in the Low integrity level since the Low integrity level is assigned to IE7. The data itself is then located in the Low level. Due to the nw rule, the downloaded program code cannot write to the data of the user (generally stored in the Medium integrity level) or of the operating system (to the High or System levels) without being noticed. The Protected Mode therefore makes it more difficult to download and execute program code using the IE7 without being detected.

When necessary, however, IE7 can download and store data at the Medium integrity level, for example when the user wants to edit or process downloaded data with an application that works on his data (at the Medium level). To enable this, a User Broker Process (IEUser.exe) runs in parallel to the Internet Explorer process. This process stores data at the Medium integrity level only after the user has explicitly confirmed the action. To prevent the IT system from being infected by malicious software unintentionally, users must be trained in the handling of Protected Mode.

Some Internet Explorer extensions (also called add-ons) are incompatible with Protected Mode because they need to store downloaded data in areas of the file system or the registry at the Medium integrity level. To support these extensions, IE7 virtualises the file system and the registry. Virtualisation means in this context that IE7 redirects write accesses issued by these extensions to copies of the areas concerned. These duplicated (virtualised) areas are located at the Low integrity level, so the integrity of the non-virtualised user data is not threatened. In Vista / Server 2008 and higher, Windows uses the same technology to run legacy applications in a protected mode (see S 4.338 Use of Windows Vista and Windows 7 File and Registry Virtualization).

In IE7, the Protected Mode can be enabled or disabled individually for each of the four security zones of a standard user. It must be noted that in the default configuration the Protected Mode is disabled for the Trusted Sites security zone. The Protected Mode is only enabled for the other three security zones Internet, Local Intranet and Restricted Sites.

A standard user should not be able to disable Protected Mode for the three security zones Internet, Local Intranet and Restricted Sites. To ensure this, the "Turn on Protected Mode" policy must be enabled for each of the three security zones under the Group Policy Object Computer Configuration | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page | Locked-Down <name of the zone>.

If a web page that has been proven trustworthy is incompatible with the Protected Mode, then it should be assigned to the Trusted Sites security zone. The Protected Mode should remain disabled for this security zone. The correspondingly higher risk of undetected downloads and executions of program code by IE7 must be weighed against the requirements of the availability of the corresponding web page.
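The following PowerShell audit is an added example, not part of S 4.341, that checks the Protected Mode state of the four security zones against the requirements above (on and enforced by policy for Internet, Local Intranet and Restricted Sites; off for Trusted Sites) and warns when UAC is disabled, since Protected Mode is then silently unavailable. It assumes that zone value "2500" holds the Protected Mode setting (0 = on, 3 = off), the zone ids 1 to 4 shown in the table, and that the policy writes to the Zones and Lockdown_Zones keys under HKLM\Software\Policies; verify these against your ADMX files before relying on the result.

```powershell
# Added example (not from S 4.341): audit IE Protected Mode per security zone.
$zones      = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$userBase   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$policyBase = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Reads the assumed Protected Mode value "2500" of a zone key; $null if key or value is absent.
function Get-ZoneProtectedModeValue([string]$Key) {
    try { return (Get-ItemProperty -Path $Key -Name '2500' -ErrorAction Stop).'2500' }
    catch { return $null }
}

# UAC must be on for Protected Mode to work at all (EnableLUA = 1).
function Test-UacEnabled {
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $p -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($v -eq 1)
}

function Get-ProtectedModeReport {
    foreach ($id in 1..4) {
        $user   = Get-ZoneProtectedModeValue "$userBase\$id"
        $policy = Get-ZoneProtectedModeValue "$policyBase\Zones\$id"
        if ($null -eq $policy) { $policy = Get-ZoneProtectedModeValue "$policyBase\Lockdown_Zones\$id" }
        # A policy value wins over the user's own zone setting.
        $effective = if ($null -ne $policy) { $policy } else { $user }
        $state = 'Unknown'
        if ($effective -eq 0) { $state = 'On' } elseif ($effective -eq 3) { $state = 'Off' }
        # Expected: Trusted Sites off; all other zones on AND locked down by policy.
        $ok = if ($id -eq 2) { $effective -eq 3 } else { ($effective -eq 0) -and ($null -ne $policy) }
        [pscustomobject]@{
            Zone           = $zones[$id]
            ProtectedMode  = $state
            LockedByPolicy = ($null -ne $policy)
            Compliant      = $ok
        }
    }
}

if (-not (Test-UacEnabled)) {
    Write-Warning 'UAC is disabled: IE Protected Mode is unavailable regardless of the zone settings.'
}
Get-ProtectedModeReport | Format-Table -AutoSize
```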

Windows Resource Protection and Trusted Installer

In addition to the WIM, integrity levels, and Protected Mode, the Windows Resource Protection (WRP) offers an additional security mechanism for protecting the integrity of critical system resources in Windows Vista / Server 2008 and higher. WRP is the new name for the security mechanism referred to as Windows File Protection (WFP) in previous Windows versions.

The critical system resources in this case include certain registry keys, directories, and files. The files are all files of type .dll, .exe, .ocx, and .sys as well as selected critical files (for a total of approx. 90 file types) in a Windows installation.

Trusted Installer is a central component of the WRP. Trusted Installer refers to a system service used for the proper modification of the critical system resources as well as to a user group whose members are the owners of the critical system resources.

Full access rights to the critical system resources are reserved for their owner, Trusted Installer. The System and Administrator accounts only have limited access rights to critical system resources, and in particular no write access. This prevents unintentional integrity violations of critical system resources, for example by an administrator. However, an administrator can take ownership and grant himself full access rights. Deliberate integrity violations are therefore only made more difficult, not prevented.

Modifications to critical system resources, for example the installation of Service Packs or Hotfixes, should only be made using the WRP and the Trusted Installer (in the form of the TrustedInstaller system service).

The Windows Resource Checker command line tool sfc.exe is available to administrators to manually check the integrity of critical system files. In cases where integrity violations are detected, this tool can be used to replace the affected files manually with uncorrupted versions.
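The following PowerShell script is an added example, not part of S 4.341, that shows the two checks an administrator would run here: it verifies that a critical system file is owned by Trusted Installer and that the Administrators group has no write rights to it (the WRP ownership model described above), and it runs the Windows Resource Checker in verify-only mode and extracts its findings from the CBS log. It assumes an elevated prompt (sfc requires one), the owner name "NT SERVICE\TrustedInstaller", the log file %windir%\Logs\CBS\CBS.log and the "[SR]" prefix sfc uses for its entries; the filter for informational lines is a heuristic.

```powershell
# Added example (not from S 4.341). Run from an elevated prompt.

# WRP ownership check: owner should be Trusted Installer; Administrators should have no write rights.
function Test-WrpOwnership([string]$Path) {
    $acl   = Get-Acl -Path $Path
    $admin = $acl.Access | Where-Object { $_.IdentityReference -like '*\Administrators' }
    [pscustomobject]@{
        File          = $Path
        Owner         = $acl.Owner
        OwnedByTI     = ($acl.Owner -eq 'NT SERVICE\TrustedInstaller')
        AdminRights   = ($admin | ForEach-Object { "$($_.FileSystemRights)" }) -join '; '
        AdminCanWrite = [bool]($admin | Where-Object { "$($_.FileSystemRights)" -match 'Write|Modify|FullControl' })
    }
}

# Windows Resource Checker: /verifyonly reports violations without touching files;
# /scannow additionally replaces them from the component store, which is the WRP-sanctioned repair.
function Invoke-ResourceCheck([switch]$Repair) {
    if ($Repair) { sfc /scannow | Out-Null } else { sfc /verifyonly | Out-Null }
    $exit = $LASTEXITCODE
    # sfc logs one "[SR]" line per action to CBS.log; keep this run's non-informational lines.
    $log = Join-Path $env:windir 'Logs\CBS\CBS.log'
    $findings = @(Get-Content -Path $log -Tail 2000 |
        Select-String '\[SR\]' |
        Where-Object { $_.Line -notmatch 'Verify complete|Verifying \d+|Beginning Verify' })
    [pscustomobject]@{ ExitCode = $exit; FindingCount = $findings.Count; Findings = $findings }
}

# Critical system file (.dll under System32) as the sample: expected owner TI, admins read/execute only.
Test-WrpOwnership (Join-Path $env:windir 'System32\kernel32.dll') | Format-List

$result = Invoke-ResourceCheck
"sfc exit code: $($result.ExitCode); [SR] findings in CBS.log tail: $($result.FindingCount)"
$result.Findings | ForEach-Object { $_.Line }
```

A non-empty finding list calls for a second run with -Repair (sfc /scannow) and a review of the reported files, since a violation may be corruption or a deliberate change.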

Review questions: