MAC in Windows Vista

1 MAC in Windows Vista
Author: Martin ONDRÁČEK, Product Director
E-mail: martin.ondracek@sodatsw.cz
SODATSW spol. s r. o.; Horní 32; Brno; Czech Republic
www.sodatsw.cz

2 Overview
- Windows NT kernel 6.0+: Vista, Server 2008, 7, Server 2008 R2
- A basic form of MAC (Mandatory Access Control), called Mandatory Integrity Control (MIC)
- Based on the trustworthiness of the code, not only of the user running it
- User-facing side: User Account Control (UAC)
- Identity is per process (the level comes from the token and from the label on the executable file), not per user

3 Windows Integrity Control
- A new layer in the access check, evaluated before the discretionary (DACL) check
- Based on integrity levels
- The user's access token now carries a special group SID (S-1-16-<rid>) that encodes its integrity level
- An object can carry a single mandatory label ACE in its security descriptor (a SYSTEM_MANDATORY_LABEL_ACE in the SACL): one level SID plus a policy mask saying which access types (read/write/execute) are denied to lower-level callers
- Normal resources are not stamped with a label ACE; an unlabeled object is treated as Medium

4 Defined integrity levels
Microsoft: "The relative identifiers are separated by intervals of 0x1000 to allow for definition of additional levels in the future."

Value   Description              Integrity level SID   Name
0x0000  Untrusted level          S-1-16-0              Mandatory Label\Untrusted Mandatory Level
0x1000  Low integrity level      S-1-16-4096           Mandatory Label\Low Mandatory Level
0x2000  Medium integrity level   S-1-16-8192           Mandatory Label\Medium Mandatory Level
0x3000  High integrity level     S-1-16-12288          Mandatory Label\High Mandatory Level
0x4000  System integrity level   S-1-16-16384          Mandatory Label\System Mandatory Level

5 Access checks
- SeAccessCheck (the kernel-mode security reference monitor) decides whether a caller may access an object
- It considers the process integrity level first
- A process passes the integrity check for any object at the same or lower level. For an object labeled higher than the process, the object's policy decides: the default policy (no-write-up) blocks write access, while read access is still permitted unless the object also carries no-read-up (process and thread objects do)
- Only if the integrity check passes are the ordinary DACL permissions evaluated; a higher level never grants access the DACL does not

6 File System improvements
- NTFS security descriptors can store integrity markings for files and folders, covering read, write and execute access (the policy mask of the label ACE)
- Each object has a single level assigned: System / High / Medium / Low / Untrusted
- The presentation also lists "Trusted Installer" as a level above System; NT SERVICE\TrustedInstaller is in fact a service identity granted access through ordinary DACLs on protected resources, not a separate integrity level

7 Read/Write markings
Operating system objects (file, folder, registry key) can be marked with a specific combination of integrity markers:
- Read: read data, permissions, attributes
- Write: write/append data, delete file/folder, create file/folder, change permissions
If an object is not marked explicitly, it is treated as Medium for both read and write

8 Process level
- Each process is started from an executable file, which can itself carry an integrity label
- If the executable is labeled, the new process runs at the lower of the file's label and the creating token's level; a label can lower the level of a process but never raise it
- If the file is not labeled, the process inherits the level of the token that created it, which by default depends on the user's identity

9 Process level based on user
A process can also be started at a level lower than the default defined here (for example, a Medium user launching a Low process).

User/process type                                        Process level
Anonymous                                                Untrusted
Everyone                                                 Low
Authenticated Users                                      Medium
Cryptographic/Backup/Network Configuration Operators     High
Administrators                                           High
LocalSystem/LocalService/NetworkService                  System
Trusted Installer service                                Trusted Installer (see slide 6: a service identity, not an integrity level)

10 Notes
- Unlabeled processes and files run at, and are treated as, Medium level
- Low processes are isolated: they can write only to Low resources (reading Medium resources remains possible under the default no-write-up policy)
- The presentation treats the TrustedInstaller service as the single identity that can modify every protected system resource; this is enforced through the DACLs that Windows Resource Protection places on those resources
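The following is an added example, not code from the presentation or from Windows itself: a small Python model of the access-check order described in slides 3 to 10 (integrity comparison first, DACL second), the level SIDs from slide 4, the default per-user levels from slide 9 and the process-level rule from slide 8. The integrity RIDs and the NO_*_UP policy bits are the documented Windows values; the Token and SecuredObject classes, the DACL represented as a plain dict, and the user SID in the scenario are simplifications made up for illustration.

```python
"""Model of the Windows Mandatory Integrity Control (MIC) access check.

Added example, not code from the presentation. The integrity SIDs/RIDs and the
SYSTEM_MANDATORY_LABEL_* policy bits are the documented Windows values; the
Token/SecuredObject classes and the DACL as a plain dict are simplifications
made for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Integrity RIDs: the label SID is S-1-16-<rid>, spaced 0x1000 apart.
UNTRUSTED, LOW, MEDIUM, HIGH, SYSTEM = 0x0000, 0x1000, 0x2000, 0x3000, 0x4000
LEVEL_NAME = {UNTRUSTED: "Untrusted", LOW: "Low", MEDIUM: "Medium",
              HIGH: "High", SYSTEM: "System"}

# Mandatory label policy bits (SYSTEM_MANDATORY_LABEL_NO_*_UP in winnt.h).
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
READ, WRITE, EXECUTE = "read", "write", "execute"
BLOCKING_BIT = {READ: NO_READ_UP, WRITE: NO_WRITE_UP, EXECUTE: NO_EXECUTE_UP}

# Default level a token gets from the user's group membership (slide 9).
USER_DEFAULT_LEVEL = {
    "Anonymous": UNTRUSTED, "Everyone": LOW, "Authenticated Users": MEDIUM,
    "Administrators": HIGH, "LocalSystem": SYSTEM,
}


def integrity_sid(level: int) -> str:
    """S-1-16-<rid>, e.g. Medium -> S-1-16-8192."""
    return f"S-1-16-{level}"


def level_from_sid(sid: str) -> int:
    """Parse an integrity label SID. RIDs outside the five named levels are
    accepted because the 0x1000 spacing exists so that levels can be added."""
    prefix = "S-1-16-"
    if not sid.startswith(prefix):
        raise ValueError(f"not a mandatory label SID: {sid}")
    rid = int(sid[len(prefix):])
    if rid < 0:
        raise ValueError(f"bad integrity RID: {rid}")
    return rid


@dataclass
class Token:
    user_sid: str    # illustrative; a real token also lists group SIDs
    integrity: int   # carried as a group SID S-1-16-<rid> in a real token


@dataclass
class SecuredObject:
    label: Optional[int] = None     # mandatory label ACE in the SACL; None = unlabeled
    policy: int = NO_WRITE_UP       # default policy Windows applies to labeled objects
    dacl: dict = field(default_factory=dict)  # user_sid -> set of granted rights


def effective_label(obj: SecuredObject) -> int:
    """Unlabeled resources are treated as Medium (slides 7 and 10)."""
    return MEDIUM if obj.label is None else obj.label


def mandatory_check(token: Token, obj: SecuredObject, right: str) -> bool:
    """Step 1 of the access check: the integrity comparison. Same or higher
    level always passes; a lower level passes only if the object's policy
    does not block that kind of access from below."""
    if token.integrity >= effective_label(obj):
        return True
    return not (obj.policy & BLOCKING_BIT[right])


def access_check(token: Token, obj: SecuredObject, right: str) -> bool:
    """Integrity check first; only then is the DACL consulted (slide 5)."""
    if not mandatory_check(token, obj, right):
        return False
    return right in obj.dacl.get(token.user_sid, set())


def process_level(parent_level: int, exe_label: Optional[int] = None) -> int:
    """Level of a new process (slides 8 and 9): an unlabeled executable keeps
    the creating token's level; a labeled one can lower it, never raise it."""
    return parent_level if exe_label is None else min(parent_level, exe_label)


if __name__ == "__main__":
    # Constructed scenario: a user's unlabeled (so Medium) file, touched by the
    # user's normal Medium process and by a Low process started from a
    # Low-labeled executable (the isolated-browser case from slide 14).
    user = "S-1-5-21-0-0-0-1001"   # made-up user SID
    profile_file = SecuredObject(dacl={user: {READ, WRITE}})
    medium = Token(user, USER_DEFAULT_LEVEL["Authenticated Users"])
    low = Token(user, process_level(medium.integrity, exe_label=LOW))
    for tok in (medium, low):
        for right in (READ, WRITE):
            ok = access_check(tok, profile_file, right)
            print(f"{LEVEL_NAME[tok.integrity]:6} {right:5} -> {ok}")
```

The scenario prints that the Low process can still read the Medium file but cannot write it: the default label policy is no-write-up only, which is why Protected Mode Internet Explorer can read the user's profile while being unable to modify it. Objects that also carry no-read-up (process and thread objects in Windows) deny the read as well, which the model reproduces by setting policy=NO_WRITE_UP | NO_READ_UP.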

11 User IL (figure only; not in the transcript)

12 Different process ILs (figure only; not in the transcript)

14 Current use
- Isolate non-trusted code into a limited-access box, mainly to prevent malicious code from modifying system settings and stealing data (e.g. Internet Explorer in Protected Mode running at Low)
- Give Microsoft a way to keep system administrators from modifying sensitive system resources
- Provide limited per-user/per-level boxing when combined with traditional permissions

15 Possible future use
What needs to be done:
- Increase the number of levels above System, for more granular control
- Enable the provisioning of user accounts that are not members of the Users group, which would allow complete user isolation
This may provide enterprise-level process/user/data isolation

16 The end
Thanks for your attention!
Author: Martin ONDRÁČEK, Product Director
E-mail: martin.ondracek@sodatsw.cz