Windows Vista: integrity mechanism - Part 1


This is part one of a two-part series on Windows Vista's security feature, integrity mechanism. Look for part two of this series later this month.

Most of the talk about new security in Microsoft Windows Vista focuses on User Account Control, or UAC. UAC itself, however, is simply one implementation of a deeper mechanism in Vista that allows for more precise control over objects and programs in Windows than before: the integrity mechanism.

The integrity mechanism, or IM for short, lets the system treat applications that run in the same user account with different grades of trust. Every process token and every securable object carries an integrity level (Low, Medium, High or System); for objects it is recorded as a mandatory label in the security descriptor, and an object with no label is treated as Medium. An object labeled at a higher level can't be modified by a process running at a lower level, even when both belong to the same user and the object's ACL would otherwise permit the write. This puts an additional layer of protection around system files, as well as data used by key executables.

Keep in mind that this isn't a replacement for existing security mechanisms like access control lists, but something that works alongside them: the integrity check is evaluated before the discretionary ACL, and an operation must pass both. It is not a cure-all for Windows security issues and isn't intended to be one, but the integrity mechanism does provide a more granular way to lock down how apps and data behave than Windows has traditionally offered.
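The following script is an added example for this article, not code from the article or from Microsoft. It demonstrates the default No-Write-Up policy described above on a file: run once from an elevated (High-integrity) PowerShell prompt with -Mode Label to create a file, grant Everyone Full Control in its DACL and label it High; then run it from a normal, non-elevated prompt with -Mode Probe and watch the write fail on the label alone while a read still succeeds. It uses only the built-in whoami and icacls tools; the demo path under $env:TEMP and the function names are assumptions made here.

```powershell
# Added example (not the article's or Microsoft's code): a High-labeled file refuses writes
# from a Medium-integrity process even though its DACL grants Everyone Full Control.
# Uses only built-in tools (whoami, icacls). $Path is an assumed demo location.
param(
    [ValidateSet('Label', 'Probe', 'Clean')]
    [string]$Mode = 'Probe',
    [string]$Path = (Join-Path $env:TEMP 'im-demo.txt')
)

function Get-ProcessIntegrityLevel {
    # The token's mandatory label appears in 'whoami /groups' as a SID under S-1-16-.
    $label = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -like 'S-1-16-*' }
    $rid = [int]($label.SID -replace '^S-1-16-', '')
    $name = switch ($rid) {
        0       { 'Untrusted' }
        4096    { 'Low' }
        8192    { 'Medium' }
        8448    { 'Medium Plus' }
        12288   { 'High' }
        16384   { 'System' }
        default { "RID $rid" }
    }
    [pscustomobject]@{ Rid = $rid; Name = $name; Sid = $label.SID }
}

function Get-FileIntegrityLabel {
    param([string]$File)
    # icacls prints a label line only when the object carries an explicit label ACE;
    # no line means the implicit default, Medium. (The text is localized on non-English Windows.)
    $line = @(icacls $File) -match 'Mandatory Label'
    if ($line) { ($line[0] -replace '^.*Mandatory Label\\', '').Trim() } else { 'Medium (implicit, no label ACE)' }
}

function Set-FileIntegrityLabel {
    param([string]$File, [ValidateSet('L', 'M', 'H')][string]$Level)
    # Default policy on the label is (NW) = No-Write-Up: lower-integrity callers may read but not modify.
    icacls $File /setintegritylevel $Level | Out-Null
}

function Test-WriteAccess {
    param([string]$File)
    try {
        Add-Content -Path $File -Value "written at $(Get-Date -Format o)" -ErrorAction Stop
        return $true
    } catch {
        Write-Host "  write failed: $($_.Exception.Message)"
        return $false
    }
}

$il = Get-ProcessIntegrityLevel
Write-Host "This process runs at integrity level: $($il.Name) ($($il.Sid))"

switch ($Mode) {
    'Label' {
        # Setting a label above your own level needs SeRelabelPrivilege, so label from an elevated (High) prompt.
        if ($il.Rid -lt 12288) { throw "Run -Mode Label from an elevated prompt (current level: $($il.Name))" }
        Set-Content -Path $Path -Value 'integrity demo'
        icacls $Path /grant '*S-1-1-0:F' | Out-Null     # DACL: Everyone (S-1-1-0) gets Full Control
        Set-FileIntegrityLabel -File $Path -Level H
        Write-Host "Labeled $Path as: $(Get-FileIntegrityLabel $Path)"
        Write-Host "Now run:  powershell -File $PSCommandPath -Mode Probe   from a NON-elevated prompt"
    }
    'Probe' {
        if (-not (Test-Path $Path)) { throw "Run -Mode Label first to create and label $Path" }
        Write-Host "File label: $(Get-FileIntegrityLabel $Path)"
        Write-Host "DACL grants Everyone Full Control; the label decides whether the write goes through."
        $ok = Test-WriteAccess -File $Path
        if ($il.Rid -ge 12288) {
            Write-Host "Elevated caller (High >= High): write allowed = $ok   (expected True)"
        } else {
            Write-Host "Non-elevated caller ($($il.Name) < High): write allowed = $ok   (expected False)"
        }
        # Reads are still permitted: the default label policy carries NW, not NR (No-Read-Up).
        Write-Host "Read still works: $(Get-Content $Path -TotalCount 1)"
    }
    'Clean' {
        # A Medium caller cannot delete a High-labeled file either, so cleanup must run elevated.
        if ($il.Rid -lt 12288) { throw 'Run -Mode Clean from an elevated prompt' }
        Remove-Item $Path -Force
        Write-Host "Removed $Path"
    }
}
```

The point of granting Everyone Full Control first is to rule out the DACL as the cause of the denial: when the Probe step reports "write allowed = False" from a non-elevated prompt, the only thing standing between a Medium process and a file its ACL fully opens to it is the mandatory label. The same rule applies to other securable objects such as registry keys, which is what lets the system keep its own data out of reach of lower-integrity code running as the same user.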

