!!! Overview
[{$pagename}] (MIC) provides a mechanism for controlling access to [Securable objects]. 


The [{$pagename}] mechanism operates in addition to [Discretionary Access Control] and evaluates access __before__ [Access Control] checks against an object's [Discretionary Access Control List] ([DACL]) are evaluated.



[{$pagename}] uses integrity levels and [Mandatory Access Control] [policy|Access Control Policy] to determine [access]. [Security Principal Objects] and [Securable objects] are assigned [Integrity Levels] that determine their level of protection or [access]. 

For example, a principal with a low [Integrity Level] cannot write to an object with a medium [Integrity Level], even if that object's [Discretionary Access Control List] ([DACL]) grants write access to that [principal|Security Principal Objects].


!! Mandatory Policy
The SYSTEM_MANDATORY_LABEL_ACE [Access Control Entry] ([ACE]) in the [System Access Control List] ([SACL]) of a [securable object|Securable objects] contains an access mask that specifies the [access] granted to principals whose [Integrity Levels] are lower than the object's.

The values defined for this access mask are:
* SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
* SYSTEM_MANDATORY_LABEL_NO_READ_UP
* SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP

By default, the system creates every object with an access mask of SYSTEM_MANDATORY_LABEL_NO_WRITE_UP.

Every [MSFT Access Token] also specifies a mandatory policy that is set by the [Local Security Authority] ([LSA]) when the [MSFT Access Token] is created. This [Access Control Policy] is specified by a TOKEN_MANDATORY_POLICY structure associated with the [MSFT Access Token]. This structure can be queried by calling the GetTokenInformation function with the value of the TokenInformationClass parameter set to TokenMandatoryPolicy.
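The following is an added example (not from this page or from Microsoft) that models the mandatory check described in the Overview (a low-integrity principal against a medium-integrity object) and the label mask and token policy described in this section. The constants are the winnt.h values; the level names, the ''mandatory_check'' helper and the default treatment of an unlabelled object as medium integrity with NO_WRITE_UP are this example's own modelling choices. The ''query_current_token'' function is a Windows-only ctypes call to GetTokenInformation with TokenIntegrityLevel and TokenMandatoryPolicy; the rest runs on any platform.

```python
"""Model of Mandatory Integrity Control (MIC) decisions, plus an optional
live query of the current process token on Windows (added example)."""
import ctypes
import sys

# Access-mask bits of a SYSTEM_MANDATORY_LABEL_ACE (winnt.h).
SYSTEM_MANDATORY_LABEL_NO_WRITE_UP = 0x1
SYSTEM_MANDATORY_LABEL_NO_READ_UP = 0x2
SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP = 0x4

# TOKEN_MANDATORY_POLICY.Policy flags (winnt.h).
TOKEN_MANDATORY_POLICY_OFF = 0x0
TOKEN_MANDATORY_POLICY_NO_WRITE_UP = 0x1
TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN = 0x2

# Integrity-level RIDs: the last sub-authority of the S-1-16-<rid> label SID.
INTEGRITY_LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
                    0x2100: "Medium Plus", 0x3000: "High", 0x4000: "System",
                    0x5000: "Protected Process"}
MEDIUM_RID = 0x2000  # modelling assumption: unlabelled objects count as Medium

_MASK_NAMES = ((SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, "NO_WRITE_UP"),
               (SYSTEM_MANDATORY_LABEL_NO_READ_UP, "NO_READ_UP"),
               (SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, "NO_EXECUTE_UP"))
_POLICY_NAMES = ((TOKEN_MANDATORY_POLICY_NO_WRITE_UP, "NO_WRITE_UP"),
                 (TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN, "NEW_PROCESS_MIN"))


def decode_label_mask(mask):
    """Names of the label-ACE mask bits that are set."""
    return [name for bit, name in _MASK_NAMES if mask & bit]


def decode_token_policy(policy):
    """Names of the TOKEN_MANDATORY_POLICY flags set ('OFF' when none are)."""
    return [name for bit, name in _POLICY_NAMES if policy & bit] or ["OFF"]


def integrity_name(rid):
    return INTEGRITY_LEVELS.get(rid, "Unknown(0x%x)" % rid)


def mandatory_check(subject_rid, requested, object_rid=MEDIUM_RID,
                    label_mask=SYSTEM_MANDATORY_LABEL_NO_WRITE_UP):
    """Return the subset of `requested` ({'read','write','execute'}) that the
    object's mandatory label denies before the DACL is consulted.  A subject
    at or above the object's level passes straight through to the DACL check."""
    if subject_rid >= object_rid:
        return set()
    denied = set()
    for kind, bit in (("write", SYSTEM_MANDATORY_LABEL_NO_WRITE_UP),
                      ("read", SYSTEM_MANDATORY_LABEL_NO_READ_UP),
                      ("execute", SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)):
        if kind in requested and label_mask & bit:
            denied.add(kind)
    return denied


def query_current_token():
    """Windows only: (integrity RID, policy flags) of the current process token,
    read with GetTokenInformation(TokenIntegrityLevel=25 / TokenMandatoryPolicy=27)."""
    if sys.platform != "win32":
        raise OSError("requires the Win32 API")
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    vp, u32 = ctypes.c_void_p, ctypes.c_uint32
    kernel32.GetCurrentProcess.restype = vp
    kernel32.CloseHandle.argtypes = [vp]
    advapi32.OpenProcessToken.argtypes = [vp, u32, ctypes.POINTER(vp)]
    advapi32.GetTokenInformation.argtypes = [vp, ctypes.c_int, vp, u32, ctypes.POINTER(u32)]
    advapi32.GetSidSubAuthorityCount.restype = ctypes.POINTER(ctypes.c_ubyte)
    advapi32.GetSidSubAuthority.restype = ctypes.POINTER(u32)
    TOKEN_QUERY, TokenIntegrityLevel, TokenMandatoryPolicy = 0x0008, 25, 27

    token = vp()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        def get_info(cls):  # two-call pattern: size query, then the real read
            needed = u32(0)
            advapi32.GetTokenInformation(token, cls, None, 0, ctypes.byref(needed))
            buf = ctypes.create_string_buffer(needed.value)
            if not advapi32.GetTokenInformation(token, cls, buf, needed, ctypes.byref(needed)):
                raise ctypes.WinError(ctypes.get_last_error())
            return buf
        # TOKEN_MANDATORY_LABEL begins with SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes; }
        sid = vp.from_buffer(get_info(TokenIntegrityLevel)).value
        count = advapi32.GetSidSubAuthorityCount(vp(sid))[0]
        rid = advapi32.GetSidSubAuthority(vp(sid), count - 1)[0]
        policy = u32.from_buffer(get_info(TokenMandatoryPolicy)).value  # a single DWORD
        return rid, policy
    finally:
        kernel32.CloseHandle(token)


if __name__ == "__main__":
    print("Low -> Medium (default label):", mandatory_check(0x1000, {"read", "write"}))
    if sys.platform == "win32":
        rid, policy = query_current_token()
        print(integrity_name(rid), decode_token_policy(policy))
```

With the default label, a low-integrity subject is denied write but not read against a medium object; only a label carrying NO_READ_UP or NO_EXECUTE_UP restricts those accesses, and a subject at the object's level or above is never restricted by the label at all.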


!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Mandatory_Integrity_Control|Wikipedia:Mandatory_Integrity_Control|target='_blank'] - based on information obtained 2020-09-02 
* [#2] - [Mandatory Integrity Control|https://docs.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control|target='_blank'] - based on information obtained 2020-09-02