Softpedia
 


July 12th, 2007, 13:14 GMT · By

The Windows Vista Integrity Mechanism

The Windows Integrity Mechanism in Windows Vista is an example of how the security architecture of the operating system has evolved relative to Windows XP. Essentially, the role of the Windows Integrity Mechanism is to limit the access permissions of programs running on top of the operating system, independently of the privileges associated with the user account. Through the Windows Integrity Mechanism, Windows Vista labels potentially malicious and untrustworthy code with low privileges and stops it from performing actions that would alter the system state, data files or other programs installed in the operating system. The most immediately noticeable result of the implementation of the Windows Integrity Mechanism in Vista is the all-time favorite User Account Control.

"The Windows Vista integrity mechanism extends the security architecture of the operating system by assigning an integrity level to application processes and securable objects. The integrity level is a representation of the trustworthiness of running application processes and objects, such as files created by the application. The integrity mechanism provides the ability for resource managers, such as the file system, to use pre-defined policies that block processes of lower integrity, or lower trustworthiness, from reading or modifying objects of higher integrity. The integrity mechanism allows the Windows security model to enforce new access control restrictions that cannot be defined by granting user or group permissions in access control lists (ACLs)," explained Peter Brundrett, Windows Vista Integrity Levels Program Manager.

The User Account Control (UAC) in Admin Approval Mode illustrates the Windows Integrity Mechanism in Vista. UAC is designed to treat applications differently even when the user is logged into an administrative account. This is possible because privilege and integrity tiers are assigned to code according to Vista's assessment of how trustworthy it is. In this manner, the Windows security subsystem builds a hierarchy of applications and keeps potentially malicious programs at the bottom, with the fewest privileges.

"The Windows integrity mechanism is based on a mandatory label that the operating system assigns in order to differentiate it from discretionary access under user control. Discretionary access control allows the object owner, or the group that is granted permission, to change the object's access permissions. Windows provides a graphical user interface (UI) for advanced users to view and modify the security permissions (represented by the discretionary ACL) on objects, such as files and registry keys," Brundrett added in the Windows Vista Integrity Mechanism Technical Reference whitepaper he authored.
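The following is a simplified model of the access decision described above, added here as an illustration; it is not Windows code and does not come from the whitepaper. The class and function names are hypothetical and the sample objects are constructed; the integrity RIDs and policy flag values are those defined for mandatory labels in the Windows SDK, and the model assumes the mandatory check runs before the discretionary ACL is consulted.

```python
from dataclasses import dataclass

# Integrity level RIDs, as used in the S-1-16-<RID> mandatory label SIDs.
LOW, MEDIUM, HIGH, SYSTEM = 0x1000, 0x2000, 0x3000, 0x4000

# Mandatory label policy flags (SYSTEM_MANDATORY_LABEL_* values in winnt.h).
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
POLICY_FOR = {"write": NO_WRITE_UP, "read": NO_READ_UP, "execute": NO_EXECUTE_UP}

@dataclass
class Process:                  # hypothetical stand-in for an access token
    user: str
    integrity: int

@dataclass
class SecurableObject:          # hypothetical stand-in for a file or registry key
    name: str
    dacl: dict                  # user -> set of rights granted by the owner
    integrity: int = MEDIUM     # objects without a label are treated as Medium
    policy: int = NO_WRITE_UP   # default policy: lower integrity cannot modify

def access_check(proc, obj, right):
    """Return (allowed, reason): mandatory label first, then the DACL."""
    if proc.integrity < obj.integrity and obj.policy & POLICY_FOR[right]:
        return False, "mandatory label"   # no DACL entry can override this
    if right not in obj.dacl.get(proc.user, set()):
        return False, "dacl"
    return True, "granted"

def demo():
    """Same user, same DACL grants; only the integrity levels differ."""
    full = {"read", "write", "execute"}
    objects = [
        SecurableObject("report.doc", {"alice": full}),                 # Medium
        SecurableObject("cache.tmp", {"alice": full}, integrity=LOW),
        SecurableObject("keys.bin", {"alice": full}, integrity=HIGH,
                        policy=NO_WRITE_UP | NO_READ_UP),
    ]
    procs = {"browser": Process("alice", LOW), "editor": Process("alice", MEDIUM)}
    return {(pname, obj.name, right): access_check(proc, obj, right)
            for pname, proc in procs.items()
            for obj in objects
            for right in ("read", "write")}

if __name__ == "__main__":
    for key, (allowed, reason) in demo().items():
        print(key, "ALLOW" if allowed else "DENY", reason)
```

The low-integrity process is denied write access to the user's own document even though the DACL grants that user full control, which is the restriction the quoted passage says cannot be expressed through user or group permissions alone.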
