July 2007

Chml Fills the Gap

A homemade tool makes Icacls even more useful

In last month's column, "Icacls Shows Integrity" (InstantDoc ID 95681), I used Windows Vista's new Icacls command-line tool to experiment with integrity levels—the new-to-Vista security notion of assigning labels to processes, users, and objects (e.g., files, folders, registry keys). This time, I want to address an Icacls shortcoming by sharing a free tool with you. My Chml file lets you take your integrity-level experiments to new areas of functionality.

A Short Review
Last month, I explained that Vista uses five integrity levels—Untrusted, Low, Medium, High, and System—to indicate an object's degree of trustworthiness. Administrators get a High integrity level, and non-administrative users get a Medium integrity level. By default, Windows enforces a no write up policy, which means that when a process tries to modify an object, Windows checks the integrity levels of the process and the object. If the process is running at a lower integrity level than the object, Windows blocks the modification attempt—even if the user has a Full Control permission on that object.

Icacls lets you modify integrity levels between Low, Medium, and High, but it won't let you do anything involving the Untrusted or System levels, and it won't let you change the default no write up policy. That's a shame, because Windows can also enforce a no read up policy, which blocks any lower-integrity process from reading the object. Having the ability to change the no write up policy to no read up could be quite useful: Wouldn't it be nice to add a little protection to personal files by setting them to a High integrity level with a no read up policy? Because most applications run at a Medium integrity level, such a setting would foil any spyware attempting to peek at, for example, a file containing your passwords or credit card information.

A Free Tool
I wanted to explore no read up policies and experiment with Untrusted and System integrity levels, so I wrote a tool that I call Chml, which you can find at my Web site (http://www.minasi.com/vista/chml.htm). Download the chml.exe file, and copy it to your \Windows\System32 folder so that it will be on your system path and thus always accessible from a command prompt. Then, ensure that you have the Modify an object label user privilege that I discussed last month. Open an elevated command prompt, change to the C:\stuff folder that you created last month, and you're ready to start running Chml.

Create a text file of some kind, and call it test1.txt. Now, you've got something to work with. Ask Chml to tell you the file's current integrity level by typing

chml test1.txt 

and it will inform you that the file is unlabeled, but that unlabeled means the OS treats it as having a Medium integrity level. Now, raise the file's integrity level to High by typing

chml test1.txt -i:h 

The -i: option can take the values u, l, m, h, or s, and these values are case-sensitive (as are all Chml options). Chml will confirm that it has successfully set test1.txt's integrity level to High. If you type

icacls test1.txt 

Icacls will confirm that the file has a label of Mandatory Label\High Mandatory Level, which—as you learned last month—is Vista's way of saying that a file has a High integrity level.

Now, give test1.txt a no read up policy by typing

chml test1.txt -i:h -nr 

You can use any combination of the -nr, -nw, and -nx options to assign the no read up, no write up, or no execute up policies. (I haven't come up with any uses for the no execute up policy.)

Running Icacls on test1.txt will show a different label than before: Mandatory Label\High Mandatory Level:(NR). This label is different from the labels you've seen before because previous labels have ended with (NW). As you've probably guessed, NW means a no write up policy, and NR means a no read up policy.

Now open a non-elevated command prompt and try to examine test1.txt by typing

type test1.txt 

You'll get an Access Denied error message, despite the fact that you're the owner of the object. That's no read up in action. But that's not all that Chml can do, as you'll see next month.
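The walkthrough above exercises two things: the integrity check itself (a lower-integrity process is blocked only for the accesses named in the object's policy, regardless of the DACL) and the label format that Icacls prints, where (NW) and (NR) name the policy. The following Python script is an added example, not code from the column or from Chml; it models that check and replays the test1.txt experiment so you can see which step is denied and why. It assumes that an object carrying more than one policy flag is printed with the flags comma-separated, as in "(NR,NW)"; that combined form is a constructed assumption, since the column only shows single-flag labels.

```python
"""Model of Vista's mandatory integrity check as described in the column.

Labels are accepted in the form Icacls prints them, e.g.
"Mandatory Label\\High Mandatory Level:(NR)". A label of None stands for an
unlabeled object, which the OS treats as Medium with the default no-write-up
policy. This is an illustrative model, not Chml's or Windows' code.
"""
import re

# Ordered from least to most trusted; the list index is the level's rank.
LEVELS = ["Untrusted", "Low", "Medium", "High", "System"]

# Chml -i: option letters (case-sensitive, like Chml) -> level name.
CHML_LEVEL = {"u": "Untrusted", "l": "Low", "m": "Medium", "h": "High", "s": "System"}

# Policy flag in the Icacls label suffix -> the access it blocks from below.
POLICY_BLOCKS = {"NR": "read", "NW": "write", "NX": "execute"}

# Assumption: several flags would appear comma-separated, e.g. "(NR,NW)".
LABEL_RE = re.compile(
    r"^Mandatory Label\\(?P<level>Untrusted|Low|Medium|High|System) Mandatory Level"
    r"(?::\((?P<policy>(?:NR|NW|NX)(?:,(?:NR|NW|NX))*)\))?$"
)


def chml_option_level(option):
    """Map a Chml option such as '-i:h' to its level name; '-i:H' is rejected."""
    if not option.startswith("-i:") or option[3:] not in CHML_LEVEL:
        raise ValueError(f"bad -i: option: {option!r}")
    return CHML_LEVEL[option[3:]]


def parse_label(label):
    """Return (level, set of policy flags) for an Icacls-style label.

    None (an unlabeled object) is reported the way Chml reports it: Medium,
    with the default no-write-up policy.
    """
    if label is None:
        return "Medium", {"NW"}
    m = LABEL_RE.match(label)
    if not m:
        raise ValueError(f"unrecognised label: {label!r}")
    flags = set(m.group("policy").split(",")) if m.group("policy") else {"NW"}
    return m.group("level"), flags


def integrity_check(process_level, label, access):
    """Apply the integrity check for one access: 'read', 'write' or 'execute'.

    Returns True when the check passes. Windows evaluates the DACL separately;
    a failed integrity check denies access even to an owner with Full Control.
    Only the flags actually present in the label are enforced.
    """
    obj_level, flags = parse_label(label)
    if LEVELS.index(process_level) >= LEVELS.index(obj_level):
        return True  # same or higher integrity than the object: policy does not apply
    blocked = {POLICY_BLOCKS[f] for f in flags}
    return access not in blocked


def article_walkthrough():
    """Replay the test1.txt steps; keys describe the step, values are pass/fail."""
    medium = "Medium"  # a non-elevated command prompt
    high = "High"      # an elevated command prompt
    nw = r"Mandatory Label\High Mandatory Level:(NW)"  # after chml test1.txt -i:h
    nr = r"Mandatory Label\High Mandatory Level:(NR)"  # after chml test1.txt -i:h -nr
    return {
        "unlabeled, write from Medium": integrity_check(medium, None, "write"),
        "High (NW), read from Medium": integrity_check(medium, nw, "read"),
        "High (NW), write from Medium": integrity_check(medium, nw, "write"),
        "High (NR), read from Medium": integrity_check(medium, nr, "read"),
        "High (NR), read from High": integrity_check(high, nr, "read"),
    }


if __name__ == "__main__":
    for step, allowed in article_walkthrough().items():
        print(f"{step}: {'allowed' if allowed else 'Access Denied'}")
```

Run the script as-is and the last Medium step comes out as Access Denied, matching the `type test1.txt` result from the non-elevated prompt. Note that the model enforces only the flags present in the label: a label that carries (NR) alone does not stop a Medium process from writing the file, so if you want both protections, set the file with both -nr and -nw and confirm the resulting label with Icacls before relying on it.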

Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.