
This has always been confusing me. Here is one statement which states the "Principle of least privilege", whereas another statement says: use UIPI to protect applications from low integrity level processes.

As an application I may not do any privileged operations, but in order to protect my UI (using UIPI), I will be forced to promote my application to high integrity.

Contradicting. Anyone have a better explanation for this?

I am aware of the difference between those. I am not looking for what are these. I am looking at how to balance between these.

For example,

I am developing an application. I am not doing any privileged operation, so my application can run at low integrity level itself. So as per the principle of least privilege, I am happy to execute my application at low integrity level. But if I run my application with low integrity level, I am prone to attacks by UIPI. Anyone can send messages and cause a DoS attack. This makes me think, shall I go ahead and launch my application as high integrity so that no other medium integrity apps can attack my application? But this goes against the "Principle of least privilege".

user738471

1 Answer

Mandatory Integrity Control was added in Vista and has 6 major integrity levels, but only 3 of them are used for normal user processes: Low, Medium and High.

Win32 processes run at medium integrity level by default (when started from Explorer etc.) so most Win32 apps are already protected from low integrity level processes (UWP apps, Edge, IE and Chrome).

UIPI inspects the sender's and receiver's integrity levels and allows the interaction if sender >= receiver. There are some exceptions: signed UIAccess applications in system directories have special access, and you can manually add exceptions in your application for specific messages if desired.

You can view a process's integrity level with Process Explorer.

Applications running at medium IL are trusted from the user's point of view; you should not worry about protecting yourself from them. High IL applications are trusted by the user/administrator and the machine. You should not run at high IL unless you need the additional rights that come with it. Low IL is for high-risk applications like web browsers and PDF readers.

This is not documented anywhere, but the current implementation allows you to create your own levels, so you could run your application with an integrity level somewhere between low and medium.

Anders
  • Sorry, you got the question wrong. Maybe I didn't draft it properly. I know what those are, I just need to understand the balance between those. I am updating the question now – user738471 Feb 15 '18 at 04:12
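As an added illustration of the two points the answer makes (UIPI delivers a message only if sender IL >= receiver IL, and an application can register per-message exceptions instead of raising its own IL), here is a small C program. It is not code from the question, the answer or Microsoft; it models the UIPI decision as a pure function and, on Windows only, shows the real Win32 calls for reading the current process's integrity RID (`GetTokenInformation` with `TokenIntegrityLevel`) and for allowing one message through the filter (`ChangeWindowMessageFilterEx`). The message number `WM_USER+1` in the exception list is a constructed sample; the RID constants are the `SECURITY_MANDATORY_*_RID` values from `winnt.h`.

```c
/*
 * Added example, not from the page: a model of the UIPI rule stated in the
 * answer (deliver if sender IL >= receiver IL, unless the receiving app has
 * registered an exception for that message), plus the Win32 calls that read
 * the process's own integrity level and register such an exception. Raising
 * the whole process to high IL is never needed for either.
 */
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Mandatory-label RIDs, values as defined by SECURITY_MANDATORY_*_RID in winnt.h. */
enum integrity_rid {
    IL_UNTRUSTED = 0x0000,
    IL_LOW       = 0x1000,
    IL_MEDIUM    = 0x2000,
    IL_HIGH      = 0x3000,
    IL_SYSTEM    = 0x4000
};

#define WM_USER_BASE 0x0400u

/* Constructed sample: the receiving app allows exactly one private message. */
const unsigned kDemoExceptions[] = { WM_USER_BASE + 1 };
const size_t   kDemoExceptionCount = sizeof kDemoExceptions / sizeof kDemoExceptions[0];

/*
 * Model of the UIPI check described in the answer. `allowed` is the receiving
 * window's own per-message exception list, i.e. what the application would have
 * registered with ChangeWindowMessageFilterEx(..., MSGFLT_ALLOW, ...).
 */
bool uipi_allows(unsigned sender_rid, unsigned receiver_rid, unsigned msg,
                 const unsigned *allowed, size_t n_allowed)
{
    if (sender_rid >= receiver_rid)
        return true;                      /* equal or higher IL: always delivered */
    for (size_t i = 0; i < n_allowed; i++)
        if (allowed[i] == msg)
            return true;                  /* receiver opted in for this message */
    return false;                         /* lower-IL sender, no exception: blocked */
}

#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0601               /* ChangeWindowMessageFilterEx needs Win7+ */
#endif
#include <windows.h>

/* Read the integrity RID of the current process token (e.g. 0x2000 = Medium). */
bool get_own_integrity_rid(DWORD *rid_out)
{
    HANDLE tok;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok))
        return false;
    DWORD len = 0;
    GetTokenInformation(tok, TokenIntegrityLevel, NULL, 0, &len);   /* size query */
    TOKEN_MANDATORY_LABEL *tml = (TOKEN_MANDATORY_LABEL *)LocalAlloc(LPTR, len);
    bool ok = tml && GetTokenInformation(tok, TokenIntegrityLevel, tml, len, &len);
    if (ok) {
        PSID sid = tml->Label.Sid;         /* last sub-authority of the label SID is the RID */
        *rid_out = *GetSidSubAuthority(sid, *GetSidSubAuthorityCount(sid) - 1);
    }
    LocalFree(tml);
    CloseHandle(tok);
    return ok;
}

/* Register the per-window UIPI exception the answer mentions for one message. */
bool allow_message_from_lower_il(HWND hwnd, UINT msg)
{
    return ChangeWindowMessageFilterEx(hwnd, msg, MSGFLT_ALLOW, NULL) != FALSE;
}
#endif

int main(void)
{
    unsigned m = WM_USER_BASE + 1;
    printf("medium -> medium : %d\n", uipi_allows(IL_MEDIUM, IL_MEDIUM, m, NULL, 0));
    printf("low -> medium    : %d\n", uipi_allows(IL_LOW, IL_MEDIUM, m, NULL, 0));
    printf("low -> medium, with exception: %d\n",
           uipi_allows(IL_LOW, IL_MEDIUM, m, kDemoExceptions, kDemoExceptionCount));
#ifdef _WIN32
    DWORD rid;
    if (get_own_integrity_rid(&rid))
        printf("this process runs at integrity RID 0x%lx\n", (unsigned long)rid);
#endif
    return 0;
}
```

The practical reading for the question: a medium-IL application is already shielded from low-IL senders by the default rule, and where it genuinely needs one message from a lower-IL process it opens only that message with `ChangeWindowMessageFilterEx`, which keeps the process itself at the least privilege it needs.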