4.8 Windows Integrity Mechanism

The Windows integrity mechanism extends the security architecture by defining a new access control entry (ACE) type to represent an integrity level in an object’s security descriptor. The new ACE represents the object integrity level. An integrity level is also assigned to the security access token when the access token is initialized. The integrity level in the access token represents a subject integrity level. The integrity level in the access token is compared against the integrity level in the security descriptor when the security reference monitor performs an access check. Windows Vista operating system, Windows 7 operating system, Windows 8 operating system, and Windows 8.1 operating system use the AccessCheck function to determine what access rights are allowed to a securable object. Windows restricts the allowed access rights depending on whether the subject's integrity level is higher or lower than the object, and depending on the integrity policy flags in the new access control ACE. The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access under user control that ACLs provide.

Note: The mandatory integrity labels are not evaluated as part of the discretionary access control by the AccessCheck algorithm ([MS-DTYP] section These SIDs are not set in the token with the SE_GROUP_ENABLED attributes, which means that even though these SIDs are added to the SIDS_AND_ATTRIBUTES array in the token, they are not evaluated as part of SidInToken.
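The two-phase check described above, as an added model written for this section (not code from the Windows specification or its implementation): the subject integrity level in the token is compared with the object's mandatory label before the DACL is consulted, and the label SID never takes part in the discretionary evaluation. The write/read/execute right classes, the dictionary layout of the token and security descriptor, and the sample file label and DACL are constructed for illustration.

```python
# Integrity-level RIDs carried in mandatory label SIDs (S-1-16-<RID>).
UNTRUSTED, LOW, MEDIUM, HIGH, SYSTEM = 0x0000, 0x1000, 0x2000, 0x3000, 0x4000
# Policy flags in the mask of a SYSTEM_MANDATORY_LABEL_ACE.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
# File access rights used to classify a request as write, read or execute;
# the real AccessCheck derives these classes from the object's GENERIC_MAPPING.
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_EXECUTE = 0x1, 0x2, 0x4, 0x20
READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x20000, 0x40000, 0x80000
WRITE_RIGHTS = FILE_WRITE_DATA | FILE_APPEND_DATA | WRITE_DAC | WRITE_OWNER
READ_RIGHTS, EXECUTE_RIGHTS = FILE_READ_DATA | READ_CONTROL, FILE_EXECUTE

def mandatory_integrity_check(token_level, label, requested):
    """label is (object_level, policy) from the object's label ACE, or None for
    an unlabelled object, which Windows treats as Medium with NO_WRITE_UP."""
    object_level, policy = label if label is not None else (MEDIUM, NO_WRITE_UP)
    if token_level >= object_level:
        return True  # subject at or above the object: the label restricts nothing
    if policy & NO_WRITE_UP and requested & WRITE_RIGHTS:
        return False
    if policy & NO_READ_UP and requested & READ_RIGHTS:
        return False
    if policy & NO_EXECUTE_UP and requested & EXECUTE_RIGHTS:
        return False
    return True

def access_check(token, sd, requested):
    """Two-phase model of AccessCheck: mandatory label first, then the DACL.
    token["sids"] holds only SE_GROUP_ENABLED SIDs, so the S-1-16-* label SID
    never matches a DACL ACE; the label is enforced solely by the first phase."""
    if not mandatory_integrity_check(token["integrity"], sd["label"], requested):
        return False
    granted = 0
    for ace_type, sid, mask in sd["dacl"]:  # ACEs are evaluated in order
        if sid not in token["sids"]:
            continue
        if ace_type == "deny" and requested & mask & ~granted:
            return False  # a deny ACE reached before the right was granted
        if ace_type == "allow":
            granted |= mask
        if requested & ~granted == 0:
            return True
    return requested & ~granted == 0

# Constructed sample: a Medium-labelled file whose DACL grants Everyone full
# control, checked from a Low-integrity token and from a Medium-integrity one.
FILE_SD = {"label": (MEDIUM, NO_WRITE_UP),
           "dacl": [("allow", "S-1-1-0", READ_RIGHTS | WRITE_RIGHTS | EXECUTE_RIGHTS)]}
LOW_TOKEN = {"integrity": LOW, "sids": {"S-1-1-0"}}
MEDIUM_TOKEN = {"integrity": MEDIUM, "sids": {"S-1-1-0"}}
```

With this model, `access_check(LOW_TOKEN, FILE_SD, FILE_WRITE_DATA)` is refused by the label even though the DACL grants Everyone write access, while the same token can still read the file.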