Security architecture of Windows Vista, Part 2

Thursday, January 24th, 2008

Part 1 did not cover how processes generally acquire their permissions and integrity levels. Under the Windows security model, familiar from Vista's predecessors, a child process normally inherits the access token of its parent. Vista adds one bit to the access token that affects this process, TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN, which is set for normal users but cleared in administrator tokens.

The effect is that a new process acquires an integrity level which is the lesser of that of the creating process and that of the file which contains the executable code. A normal user is therefore unable to start any process with an integrity level higher than that of the exe file. If malicious code does manage to get through a security hole in Internet Explorer running at the Low integrity level, any program it starts can only run at the Low level. Files which IE writes in its folders also inherit the Low integrity level. This protects the user from starting such files at a higher level by mistake.

Vista’s Integrity Levels, Part 2 - heise Security
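The rule described above, written out as a small model that is an added example and not code from the article or from Windows. It assumes the executable's label is supplied as an SDDL string and that a file without a label counts as Medium; the function names and the scenarios are hypothetical.

```python
import re

# Integrity levels as the RID of the label SID S-1-16-<RID>, keyed by SDDL alias.
RID = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}
NAME = {0x1000: "Low", 0x2000: "Medium", 0x3000: "High", 0x4000: "System"}

TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN = 0x2  # flag value from winnt.h
NEW_MIN = TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN

# Mandatory-label ACE in an SDDL SACL, e.g. "S:(ML;;NW;;;LW)".
ML_ACE = re.compile(r"\(ML;[^;]*;[^;]*;;;(?:(LW|ME|HI|SI)|S-1-16-(\d+))\)")


def file_integrity(sddl):
    """Return the integrity RID of a file from its SDDL string.

    Assumption: a file that carries no mandatory label is treated as Medium.
    """
    m = ML_ACE.search(sddl or "")
    if m is None:
        return RID["ME"]
    return RID[m.group(1)] if m.group(1) else int(m.group(2))


def child_integrity(parent_rid, token_policy, exe_sddl):
    """Integrity RID a new process starts with, per the rule in the article."""
    if token_policy & NEW_MIN:
        return min(parent_rid, file_integrity(exe_sddl))
    return parent_rid  # flag cleared: the child inherits the parent's level


# Constructed scenarios: (description, parent RID, token policy, exe SDDL).
SCENARIOS = [
    ("user runs a file IE saved with a Low label", RID["ME"], NEW_MIN, "S:(ML;;NW;;;LW)"),
    ("code in Low IE starts an unlabeled exe", RID["LW"], NEW_MIN, "D:(A;;FA;;;BA)"),
    ("user runs an exe labeled High", RID["ME"], NEW_MIN, "S:(ML;;NW;;;S-1-16-12288)"),
    ("token with the flag cleared, Low-labeled exe", RID["HI"], 0x0, "S:(ML;;NW;;;LW)"),
]

if __name__ == "__main__":
    for what, parent, policy, sddl in SCENARIOS:
        level = child_integrity(parent, policy, sddl)
        print(f"{what}: {NAME.get(level, hex(level))}")
```

The second scenario is the case the article highlights: code running inside Low-integrity IE stays at Low even when the executable it launches is an ordinary, unlabeled file.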
