This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] (MIC) provides a mechanism for controlling access to [Securable objects].
The [{$pagename}] mechanism is in addition to [Discretionary Access Control] and evaluates access __before__ [Access Control] checks against an object's [Discretionary Access Control List] ([DACL]) are evaluated.
[{$pagename}] uses integrity levels and [Mandatory Access Control] [policy|Access Control Policy] to determine [access]. [Security Principal Objects] and [Securable objects] are assigned [Integrity Levels] that determine their level of protection or [access].
For example, a principal with a low [Integrity Level] cannot write to an object with a medium [Integrity Level], even if that object's [Discretionary Access Control List] ([DACL]) allows write access to the [Security Principal Objects].
!! Mandatory Policy
The SYSTEM_MANDATORY_LABEL_ACE [Access Control Entry] ([ACE]) in the [System Access Control List] ([SACL]) of a [Securable objects|Securable object] contains an access mask that specifies the [access] that principals with [Integrity Levels] lower than the object are granted.
The values defined for this access mask are:
* SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
* SYSTEM_MANDATORY_LABEL_NO_READ_UP
* SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP
By default, the system creates every object with an access mask of SYSTEM_MANDATORY_LABEL_NO_WRITE_UP.
Every [MSFT Access Token] also specifies a mandatory policy that is set by the [Local Security Authority] ([LSA]) when the [MSFT Access Token] is created. This [Access Control Policy] is specified by a TOKEN_MANDATORY_POLICY structure associated with the [MSFT Access Token]. This structure can be queried by calling the GetTokenInformation function with the value of the TokenInformationClass parameter set to TokenMandatoryPolicy.
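The following is an added example, not part of this page or of Microsoft's documentation: a small Python model of the ordering described above, in which the mandatory label check runs first and only then the DACL is consulted. The integrity-level RIDs, the SYSTEM_MANDATORY_LABEL_* mask bits and the GENERIC_* rights are the winnt.h values; the object's label and the DACL grant mask are passed in as plain integers, and the token-level TOKEN_MANDATORY_POLICY is deliberately left out of this simplified model.

```python
# Integrity level RIDs (winnt.h); higher value = higher integrity.
SECURITY_MANDATORY_LOW_RID = 0x1000
SECURITY_MANDATORY_MEDIUM_RID = 0x2000
SECURITY_MANDATORY_HIGH_RID = 0x3000
SECURITY_MANDATORY_SYSTEM_RID = 0x4000

# Mandatory label ACE policy mask bits (winnt.h).
SYSTEM_MANDATORY_LABEL_NO_WRITE_UP = 0x1
SYSTEM_MANDATORY_LABEL_NO_READ_UP = 0x2
SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP = 0x4

# Generic access rights (winnt.h).
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000

# Objects created without an explicit label get this policy by default.
DEFAULT_LABEL_POLICY = SYSTEM_MANDATORY_LABEL_NO_WRITE_UP


def mic_allows(subject_level, object_level, label_policy, requested):
    """Mandatory label check: True if MIC does not block the request.

    Only subjects whose integrity level is *lower* than the object's are
    restricted; each NO_*_UP bit denies the matching generic right."""
    if subject_level >= object_level:
        return True
    if requested & GENERIC_WRITE and label_policy & SYSTEM_MANDATORY_LABEL_NO_WRITE_UP:
        return False
    if requested & GENERIC_READ and label_policy & SYSTEM_MANDATORY_LABEL_NO_READ_UP:
        return False
    if requested & GENERIC_EXECUTE and label_policy & SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP:
        return False
    return True


def access_check(subject_level, object_level, label_policy, dacl_grants, requested):
    """Full decision: MIC is evaluated first; the DACL is consulted only if MIC passes."""
    if not mic_allows(subject_level, object_level, label_policy, requested):
        return False
    # Simplified DACL: a single grant mask; every requested bit must be granted.
    return requested & dacl_grants == requested


if __name__ == "__main__":
    # The page's own example: low-integrity writer, medium object, DACL allows write.
    print(access_check(SECURITY_MANDATORY_LOW_RID, SECURITY_MANDATORY_MEDIUM_RID,
                       DEFAULT_LABEL_POLICY, GENERIC_WRITE, GENERIC_WRITE))  # False
```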