From the ‘smarter-than-you’ category, we have Digest fav Joanna Rutkowska’s blog:

Mark Minasi wrote to me recently to point out that his new tool, chml, is capable of setting NoReadUp and NoExecuteUp policy on file objects, in addition to the standard NoWriteUp policy, which is used by default on Vista.

As I wrote before, the default IL policy used on Vista assumes only the NoWriteUp policy. That means that all objects which do not have any IL assigned explicitly (and consequently are treated as if they were marked with Medium IL) can be read by low integrity processes (only writes are prevented). Also, the standard Windows icacls command, which allows setting the IL for file objects, always assumes the NoWriteUp policy only (unless I’m missing some secret switch).

Joanna has a great blog that you should really subscribe to. Read on.
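To make the policy difference in the quoted passage concrete, here is an added example (not from Joanna's post and not chml's code) that models only the integrity check for a file's mandatory label. It assumes the label is given as an SDDL `ML` ACE using the standard `NW`/`NR`/`NX` flags and `LW`/`ME`/`HI`/`SI` level aliases; the function names and sample SDDL strings are constructed for illustration.

```python
import re

# Integrity levels keyed by their SDDL SID aliases (low, medium, high, system).
LEVELS = {"LW": 1, "ME": 2, "HI": 3, "SI": 4}
# Policy flags in the ACE rights field and the access each one denies to lower ILs.
POLICY_BLOCKS = {"NW": "write", "NR": "read", "NX": "execute"}
# Per the quoted text: an unlabeled object is treated as Medium with NoWriteUp only.
DEFAULT_LABEL = (LEVELS["ME"], frozenset({"write"}))

# (ML;<ace flags>;<policy flags>;;;<integrity SID alias>)
ML_ACE = re.compile(r"\(ML;[^;]*;((?:NW|NR|NX)*);;;(LW|ME|HI|SI)\)")

def parse_label(sddl):
    """Return (object_level, blocked_accesses) for an SDDL string."""
    m = ML_ACE.search(sddl)
    if m is None:
        return DEFAULT_LABEL
    flags = re.findall(r"NW|NR|NX", m.group(1))
    return LEVELS[m.group(2)], frozenset(POLICY_BLOCKS[f] for f in flags)

def integrity_allows(process_il, sddl, access):
    """Integrity check only; the DACL check is a separate step, not modelled here."""
    level, blocked = parse_label(sddl)
    if LEVELS[process_il] >= level:
        return True  # the label restricts only lower-integrity subjects
    return access not in blocked

# Constructed sample descriptors (not taken from a real system).
UNLABELED = "D:(A;;FA;;;WD)"                   # no SACL label at all
NO_READ_UP = "D:(A;;FA;;;WD)S:(ML;;NWNR;;;ME)"  # Medium, NoWriteUp + NoReadUp
LOCKED_HIGH = "S:(ML;OICI;NWNRNX;;;HI)"         # High, all three policies

if __name__ == "__main__":
    for name, sddl in [("unlabeled", UNLABELED), ("no-read-up", NO_READ_UP),
                       ("locked-high", LOCKED_HIGH)]:
        row = {a: integrity_allows("LW", sddl, a) for a in ("read", "write", "execute")}
        print(f"{name:12} low-IL process -> {row}")
```

The unlabeled row shows the default the passage describes: a low integrity process is denied writes but can still read, and only an explicit NoReadUp flag closes that gap.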
