Preventing lower-integrity processes from reading higher-integrity data on Windows Vista

Joanna Rutkowska has posted an article on how to use Mark Minasi's chml tool to protect your sensitive data from potential IE exploits when running IE in Protected Mode on Windows Vista.

Vista introduces Mandatory Integrity Control: every process and every securable object carries an integrity level (low, medium, high or system), and a program running at a lower integrity level can be denied access to objects labelled with a higher level. This check happens before the ordinary (discretionary) ACL is consulted, so it applies even when the program's permissions would otherwise allow the access.

Internet Explorer is currently the only browser I know of that runs on Vista at a low integrity level by default (that is what Protected Mode means). This makes it harder for code that exploits IE to install itself permanently into the system; the easiest route right now is probably to trick you into absent-mindedly allowing it to run at a higher integrity level, for instance by approving an elevation prompt.

However, by default Vista only prevents low-integrity processes from changing your medium-integrity data: the only mandatory policy applied is No-Write-Up, and files without an explicit label are treated as medium integrity with that policy. What it does not do is prevent low-integrity processes from reading your medium-integrity data. This means that code running inside a compromised IE can still scan your system for sensitive data and passwords and silently transmit them somewhere without your knowledge.

So here is where the chml tool comes in. The integrity label lives in an object's SACL (System Access Control List) as a mandatory-label ACE, and that ACE carries policy flags. chml lets you write a label that sets the No-Read-Up and No-Execute-Up policies alongside the default No-Write-Up, which tells Windows to prevent lower-integrity processes not only from writing, but also from reading or executing any of the files carrying such a label.

If you use Vista, I would definitely recommend using a browser that runs well as a low integrity process. Then I would further recommend downloading chml and applying "chml FolderName -i:m -nr -nx -nw" (medium label, no read up, no execute up, no write up) to all of your data folders. Your own programs run at medium integrity and are not affected by a medium label. I think it is sensible to leave the Program Files and Windows directories readable though, because after all, those low integrity processes do have to load DLLs. For the same reason, leave alone the folders that Protected Mode IE itself writes to, such as AppData\LocalLow under your profile, which is deliberately labelled low.
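To make the rule concrete, here is an added example that models the check described above. It is not code from the post, from Vista, or from chml: it is a pure-Python model that parses the mandatory-label ACE in SDDL form ("(ML;flags;policy;;;level)", the real syntax and abbreviations) and decides which of read, write and execute the mandatory policy denies a process at a given integrity level. The file names and labels in SAMPLE_FILES are constructed, the treatment of unlabelled files as medium with No-Write-Up is the default the post describes, and the "OICI" inheritance flags written by label_sddl are an assumption about how a folder label is recorded rather than a claim about chml's exact output.

```python
"""Model of Windows Vista's mandatory integrity check on labelled files.

Added example: a pure-Python model, not the Windows API and not chml's code.
The SDDL syntax for the label ACE ("(ML;flags;policy;;;level-SID)") and the
level/policy abbreviations are the real ones; the decision logic below is a
simplified model of the check Windows makes before it consults the DACL.
"""
import re

# Integrity levels keyed by their SDDL abbreviation. The value is the RID of
# the label SID (S-1-16-<rid>); a higher RID is a higher integrity level.
LEVELS = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}

# Mandatory policy bits stored in the label ACE's mask field.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
POLICY = {"NW": NO_WRITE_UP, "NR": NO_READ_UP, "NX": NO_EXECUTE_UP}
POLICY_FOR_RIGHT = {"write": NO_WRITE_UP, "read": NO_READ_UP, "execute": NO_EXECUTE_UP}

_ML_ACE = re.compile(r"\(ML;[A-Z]*;((?:NW|NR|NX)*);;;(LW|ME|HI|SI)\)")


def parse_label(sddl):
    """Return (level_rid, policy_mask) from the mandatory-label ACE in the
    SACL part of an SDDL string. A file with no label is treated by Windows
    as medium integrity with only the No-Write-Up policy (the Vista default)."""
    m = _ML_ACE.search(sddl)
    if m is None:
        return LEVELS["ME"], NO_WRITE_UP
    policy = 0
    for abbrev in re.findall(r"NW|NR|NX", m.group(1)):
        policy |= POLICY[abbrev]
    return LEVELS[m.group(2)], policy


def label_sddl(level, policy_mask, inherit=True):
    """Build the SACL fragment for a label. "OICI" makes it inherit to files
    and subfolders; that chml writes exactly these flags is an assumption,
    the ACE syntax itself is standard SDDL."""
    flags = "OICI" if inherit else ""
    bits = "".join(a for a, b in POLICY.items() if policy_mask & b)
    return "S:(ML;%s;%s;;;%s)" % (flags, bits, level)


def denied_rights(subject_level, object_sddl, wanted):
    """Rights in `wanted` ({'read','write','execute'}) that the mandatory
    policy denies a subject at `subject_level`. Only a subject *below* the
    object's level is ever restricted; the DACL is checked separately."""
    obj_level, policy = parse_label(object_sddl)
    if subject_level >= obj_level:
        return set()
    return {r for r in wanted if policy & POLICY_FOR_RIGHT[r]}


def readable_by(subject_level, files):
    """Paths in `files` (path -> SDDL) that a process at `subject_level` may
    read, as far as the mandatory check is concerned."""
    return sorted(p for p, s in files.items()
                  if not denied_rights(subject_level, s, {"read"}))


# Constructed sample: a profile after labelling the data folder with
# "-i:m -nr -nx -nw" equivalents, leaving Program Files and LocalLow alone.
SAMPLE_FILES = {
    r"C:\Users\alice\Documents\passwords.txt":
        label_sddl("ME", NO_WRITE_UP | NO_READ_UP | NO_EXECUTE_UP),
    r"C:\Users\alice\Documents\notes.txt": "",              # unlabelled: medium, NW only
    r"C:\Program Files\App\app.dll": "",                     # unlabelled on purpose
    r"C:\Users\alice\AppData\LocalLow\ie-cache.dat": label_sddl("LW", NO_WRITE_UP),
}

if __name__ == "__main__":
    low = LEVELS["LW"]
    for path, sddl in SAMPLE_FILES.items():
        denied = denied_rights(low, sddl, {"read", "write", "execute"})
        print("%-50s low-IL denied: %s" % (path, sorted(denied)))
    print("low-IL can read:", readable_by(low, SAMPLE_FILES))
```

Running the block shows the point of the post: the unlabelled notes.txt and the DLL stay readable to a low-integrity process (only writing is blocked), while the relabelled passwords.txt is closed to it entirely, and a medium-integrity process is unaffected by the medium label.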

