Mandatory Integrity Control

Overview#

Mandatory Integrity Control (MIC) provides a mechanism for controlling access to Securable objects.

The Mandatory Integrity Control mechanism is in addition to Discretionary Access Control and evaluates access before Access Control checks against an object's Discretionary Access Control List (DACL) are evaluated.

Mandatory Integrity Control uses integrity levels and Mandatory Access Control policy to determine access. Security Principal Objects and Securable objects are assigned Integrity Levels that determine their level of protection or access.

For example, a principal with a low Integrity Level cannot write to an object with a medium Integrity Level, even if that object's Discretionary Access Control List (DACL) grants write access to that Security Principal.

Mandatory Policy#

The SYSTEM_MANDATORY_LABEL_ACE Access Control Entry (ACE) in the System Access Control List (SACL) of a Securable object contains an access mask that specifies the access granted to principals whose Integrity Level is lower than the object's.

The values defined for this access mask are:

  • SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
  • SYSTEM_MANDATORY_LABEL_NO_READ_UP
  • SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP

By default, the system creates every object with an access mask of SYSTEM_MANDATORY_LABEL_NO_WRITE_UP.

Every MSFT Access Token also specifies a mandatory policy that is set by the Local Security Authority (LSA) when the MSFT Access Token is created. This Access Control Policy is specified by a TOKEN_MANDATORY_POLICY structure associated with the MSFT Access Token. This structure can be queried by calling the GetTokenInformation function with the value of the TokenInformationClass parameter set to TokenMandatoryPolicy.
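The following is an added example, not part of this wiki page or of any Microsoft code, that models the MIC pre-check described above: it parses a SYSTEM_MANDATORY_LABEL_ACE (mask plus S-1-16-<level> label SID), compares the token's integrity level with the object's, and applies the NO_WRITE_UP / NO_READ_UP / NO_EXECUTE_UP mask bits before any DACL evaluation would happen. Constant values are those from winnt.h; the use of generic access bits instead of a per-object-type generic mapping, and treating the token policy's NO_WRITE_UP bit as gating only the write-up check, are simplifications assumed here.

```python
"""Offline model of the MIC check that runs before the DACL is consulted."""
import struct

# Values from winnt.h. The label SID is S-1-16-<integrity level RID>.
SYSTEM_MANDATORY_LABEL_ACE_TYPE = 0x11
SYSTEM_MANDATORY_LABEL_NO_WRITE_UP = 0x1
SYSTEM_MANDATORY_LABEL_NO_READ_UP = 0x2
SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP = 0x4
TOKEN_MANDATORY_POLICY_NO_WRITE_UP = 0x1
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE = 0x80000000, 0x40000000, 0x20000000
LOW, MEDIUM, HIGH = 0x1000, 0x2000, 0x3000  # SECURITY_MANDATORY_*_RID

def parse_mandatory_label_ace(blob: bytes):
    """Return (mask, integrity_rid) from a serialized SYSTEM_MANDATORY_LABEL_ACE."""
    ace_type, _ace_flags, _ace_size, mask = struct.unpack_from("<BBHI", blob, 0)
    if ace_type != SYSTEM_MANDATORY_LABEL_ACE_TYPE:
        raise ValueError("not a SYSTEM_MANDATORY_LABEL_ACE")
    # SID layout: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian) SubAuthorities
    revision, count = struct.unpack_from("<BB", blob, 8)
    authority = int.from_bytes(blob[10:16], "big")
    if revision != 1 or authority != 16 or count != 1:
        raise ValueError("label SID must be of the form S-1-16-<rid>")
    (rid,) = struct.unpack_from("<I", blob, 16)
    return mask, rid

def build_mandatory_label_ace(mask: int, rid: int) -> bytes:
    """Serialize a label ACE; used here only to construct sample input."""
    sid = struct.pack("<BB", 1, 1) + (16).to_bytes(6, "big") + struct.pack("<I", rid)
    body = struct.pack("<I", mask) + sid
    return struct.pack("<BBH", SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0, 4 + len(body)) + body

def mic_allows(token_rid: int, token_policy: int, desired_access: int, label_ace: bytes) -> bool:
    """MIC decision only: True means 'proceed to the DACL check', not 'access granted'."""
    mask, object_rid = parse_mandatory_label_ace(label_ace)
    if token_rid >= object_rid:  # equal or higher integrity: MIC never blocks
        return True
    # Assumption: the token policy bit gates write-up enforcement (policy OFF = no write-up block).
    if (mask & SYSTEM_MANDATORY_LABEL_NO_WRITE_UP and desired_access & GENERIC_WRITE
            and token_policy & TOKEN_MANDATORY_POLICY_NO_WRITE_UP):
        return False
    if mask & SYSTEM_MANDATORY_LABEL_NO_READ_UP and desired_access & GENERIC_READ:
        return False
    if mask & SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP and desired_access & GENERIC_EXECUTE:
        return False
    return True
```

With the default NO_WRITE_UP label on a medium-integrity object, a low-integrity token's write request is refused before the DACL is ever read, while its read request passes through to the DACL check.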
