Chml Fills the Gap

A homemade tool makes Icacls even more useful

Mark Minasi

June 27, 2007


In last month's column, "Icacls Shows Integrity" (InstantDoc ID 95681), I used Windows Vista's new Icacls command-line tool to experiment with integrity levels—the new-to-Vista security notion of assigning labels to processes, users, and objects (e.g., files, folders, registry keys). This time, I want to address an Icacls shortcoming by sharing a free tool with you. My Chml file lets you take your integrity-level experiments to new areas of functionality.

A Short Review
Last month, I explained that Vista uses five integrity levels—Untrusted, Low, Medium, High, and System—to indicate an object's degree of trustworthiness. Administrators get a High integrity level, and non-administrative users get a Medium integrity level. By default, Windows enforces a no write up policy, which means that when a process tries to modify an object, Windows checks the integrity levels of the process and the object. If the process is running at a lower integrity level than the object, Windows blocks the modification attempt—even if the user has a Full Control permission on that object.

Icacls lets you modify integrity levels between Low, Medium, and High, but it won't let you do anything involving Untrusted or System levels, and it won't let you change the default no write up policy. That's a shame, because Windows can also enforce a no read up policy, which blocks any low-integrity process from reading the object. Having the ability to change the no write up policy to no read up could be quite useful: Wouldn't it be nice to add a little protection to personal files by setting them to a High integrity level with a no read up policy? Because most applications run at a Medium integrity level, such a setting would foil any spyware attempting to peek at, for example, a file containing your passwords or credit card information.

A Free Tool
I wanted to explore no read up policies and experiment with Untrusted and System integrity levels, so I wrote a tool that I call Chml, which you can find at my Web site (http://www.minasi.com/vista/chml.htm). Download the chml.exe file, and copy it to your Windows\System32 folder so that it will be on your system path and thus always accessible from a command prompt. Then, ensure that you have the Modify an object label user privilege that I discussed last month. Open an elevated command prompt, change to the C:\stuff folder that you created last month, and you're ready to start running Chml.

Create a text file of some kind, and call it test1.txt. Now, you've got something to work with. Ask Chml to tell you the file's current integrity level by typing

chml test1.txt 

and it will inform you that the file is unlabeled, but that unlabeled means the OS treats it as having a Medium integrity level. Now, raise the file's integrity level to High by typing

chml test1.txt -i:h 

The -i: option can take the values u, l, m, h, or s, and these values are case-sensitive (as are all Chml options). Chml will confirm that it has successfully set test1.txt's integrity level to High. If you type

icacls test1.txt

Icacls will confirm that the file has a label of Mandatory Label\High Mandatory Level, which—as you learned last month—is Vista's way of saying that a file has a High integrity level.

Now, give test1.txt a no read up policy by typing

chml test1.txt -i:h -nr 

You can use any combination of the -nr, -nw, and -nx options to assign the no read up, no write up, or no execute up policies. (I haven't come up with any uses for the no execute up policy.)

Running Icacls on test1.txt will show a different label than before: Mandatory Label\High Mandatory Level:(NR). This label is different from the labels you've seen before because previous labels have ended with (NW). As you've probably guessed, NW means a no write up policy, and NR means a no read up policy.

Now open a non-elevated command prompt and try to examine test1.txt by typing

type test1.txt 

You'll get an Access Denied error message, despite the fact that you're the owner of the object. That's no read up in action. But that's not all that Chml can do, as you'll see next month.
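The mandatory check that this walkthrough demonstrates, modelled in Python as an added example (not Minasi's code or Chml's): it parses Icacls-style label strings like the one shown above and decides whether a process at a given integrity level is stopped before the DACL is even consulted. Treating several comma-separated flags inside the parentheses, such as "(NR,NW)", as valid Icacls output is an assumption, not something the column shows.

```python
import re

# The five integrity levels in trust order: Untrusted lowest, System highest.
LEVELS = ["Untrusted", "Low", "Medium", "High", "System"]

# Each kind of access is guarded by one policy flag in the object's label.
POLICY_FOR_ACCESS = {"read": "NR", "write": "NW", "execute": "NX"}

# Icacls prints the label as "Mandatory Label\<Level> Mandatory Level:(<flags>)".
# Allowing several comma-separated flags inside the parentheses is an assumption.
LABEL_RE = re.compile(
    r"Mandatory Label\\(Untrusted|Low|Medium|High|System) Mandatory Level:"
    r"\(([A-Z,]+)\)"
)


def parse_label(icacls_label):
    """Return (object_level, policy_flags) from an Icacls label line.

    None stands for an unlabeled file, which the OS treats as Medium with
    the default no write up policy (what Chml reports for a fresh file).
    """
    if icacls_label is None:
        return "Medium", {"NW"}
    match = LABEL_RE.search(icacls_label)
    if not match:
        raise ValueError("not a mandatory label: %r" % icacls_label)
    return match.group(1), set(match.group(2).split(","))


def mandatory_check(process_level, icacls_label, access):
    """True if the integrity check lets the request go on to the DACL check."""
    # This runs before permissions are consulted, so Full Control or object
    # ownership cannot rescue a request that fails here.
    obj_level, policies = parse_label(icacls_label)
    if LEVELS.index(process_level) >= LEVELS.index(obj_level):
        return True  # equal or higher integrity: the label never applies
    return POLICY_FOR_ACCESS[access] not in policies


if __name__ == "__main__":
    high_nr = r"Mandatory Label\High Mandatory Level:(NR)"  # after chml -i:h -nr
    # A Medium-level process (most applications) is stopped from reading...
    print(mandatory_check("Medium", high_nr, "read"))   # False
    # ...an elevated (High) prompt is not...
    print(mandatory_check("High", high_nr, "read"))     # True
    # ...and since (NR) alone carries no NW, a Medium write still passes the check.
    print(mandatory_check("Medium", high_nr, "write"))  # True
```

The last case is the caveat to keep in mind with `-nr` on its own: to block both reading and modification from lower-integrity processes, the label needs both NR and NW, i.e. `-nr -nw`.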
