Mandatory Integrity Control (MIC) provides a mechanism for controlling access to securable objects. This mechanism is in addition to discretionary access control and is evaluated before the access check against an object's discretionary access control list (DACL) is performed.
MIC uses integrity levels and mandatory policy to evaluate access. Security principals and securable objects are assigned integrity levels that determine their levels of protection or access. For example, a principal with a low integrity level cannot write to an object with a medium integrity level, even if that object's DACL allows write access to the principal.
Windows defines four integrity levels: low, medium, high, and system. Standard users receive medium; elevated users receive high. Processes you start and objects you create receive your integrity level (medium or high), or low if the executable file's level is low; system services receive system integrity. Objects that lack an integrity label are treated as medium by the operating system; this prevents low-integrity code from modifying unlabeled objects. Additionally, Windows ensures that processes running with a low integrity level cannot obtain access to a process that is associated with an app container.
Integrity Labels
Integrity labels specify the integrity levels of securable objects and security principals. Integrity labels are represented by integrity SIDs. The integrity SID for a securable object is stored in its system access control list (SACL). The SACL contains a SYSTEM_MANDATORY_LABEL_ACE access control entry (ACE) that in turn contains the integrity SID. Any object without an integrity SID is treated as if it had medium integrity.
The integrity SID for a security principal is stored in its access token. An access token may contain one or more integrity SIDs.
For detailed information about the defined integrity SIDs, see Well-known SIDs.
Process Creation
When a user attempts to launch an executable file, the new process is created with the minimum of the user integrity level and the file integrity level. This means that the new process will never execute with higher integrity than the executable file. If the administrator user executes a low integrity program, the token for the new process functions with the low integrity level. This helps protect a user who launches untrustworthy code from malicious acts performed by that code. The user data, which is at the typical user integrity level, is write-protected against this new process.
Mandatory Policy
The SYSTEM_MANDATORY_LABEL_ACE ACE in the SACL of a securable object contains an access mask that specifies the access that principals with integrity levels lower than the object are granted. The values defined for this access mask are SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP, and SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP. By default, the system creates every object with an access mask of SYSTEM_MANDATORY_LABEL_NO_WRITE_UP.
Every access token also specifies a mandatory policy that is set by the Local Security Authority (LSA) when the token is created. This policy is specified by a TOKEN_MANDATORY_POLICY structure associated with the token. This structure can be queried by calling the GetTokenInformation function with the value of the TokenInformationClass parameter set to TokenMandatoryPolicy.
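The following PowerShell script is an added example, not part of the original documentation: it calls GetTokenInformation on the current process token to read both the token's integrity SID (TokenIntegrityLevel, which returns a TOKEN_MANDATORY_LABEL) and its mandatory policy (TokenMandatoryPolicy, which returns a TOKEN_MANDATORY_POLICY), then decodes the level from the SID's RID and the policy flags. The helper name Get-TokenInfo and the Mic.Native wrapper type are the example's own; the TOKEN_INFORMATION_CLASS values 25 and 27 and the policy flag bits 1 (NO_WRITE_UP) and 2 (NEW_PROCESS_MIN) are the documented Win32 constants.

```powershell
# Added example: query integrity level and mandatory policy of the current token.
Add-Type -Namespace Mic -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buf, int bufLen, out int needed);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@

function Get-TokenInfo([IntPtr]$Token, [int]$Class) {
    # Standard two-call pattern: the first call (NULL buffer) reports the size needed.
    $needed = 0
    [void][Mic.Native]::GetTokenInformation($Token, $Class, [IntPtr]::Zero, 0, [ref]$needed)
    $buf = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($needed)
    if (-not [Mic.Native]::GetTokenInformation($Token, $Class, $buf, $needed, [ref]$needed)) {
        [System.Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        throw "GetTokenInformation(class $Class) failed, error $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $buf   # caller must FreeHGlobal
}

$TOKEN_QUERY = 0x0008
$token = [IntPtr]::Zero
$proc = [System.Diagnostics.Process]::GetCurrentProcess().Handle
if (-not [Mic.Native]::OpenProcessToken($proc, $TOKEN_QUERY, [ref]$token)) { throw "OpenProcessToken failed" }

try {
    # TokenIntegrityLevel (25): TOKEN_MANDATORY_LABEL = SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes }.
    # The integrity SID is S-1-16-<RID>, and the RID encodes the level.
    $buf = Get-TokenInfo $token 25
    $sidPtr = [System.Runtime.InteropServices.Marshal]::ReadIntPtr($buf)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidPtr)
    [System.Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    $rid = [int]($sid.Value -split '-')[-1]
    $level = switch ($rid) { 0x1000 {'Low'} 0x2000 {'Medium'} 0x3000 {'High'} 0x4000 {'System'} default {"Other (0x{0:X})" -f $rid} }
    "Integrity SID   : $($sid.Value)  -> $level"

    # TokenMandatoryPolicy (27): TOKEN_MANDATORY_POLICY is a single DWORD of flags set by the LSA.
    $buf = Get-TokenInfo $token 27
    $policy = [System.Runtime.InteropServices.Marshal]::ReadInt32($buf)
    [System.Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    $flags = @()
    if ($policy -band 1) { $flags += 'NO_WRITE_UP' }      # lower-integrity callers cannot write to this token's objects
    if ($policy -band 2) { $flags += 'NEW_PROCESS_MIN' }  # child processes get min(token level, executable level)
    if ($policy -eq 0)   { $flags += 'OFF' }
    "Mandatory policy: 0x{0:X} ({1})" -f $policy, ($flags -join ' | ')
} finally {
    [void][Mic.Native]::CloseHandle($token)
}
```

Run it once from a normal PowerShell window and once from an elevated one to see the integrity SID move from S-1-16-8192 (medium) to S-1-16-12288 (high) while the policy flags stay the same.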