Modifying the Mandatory Integrity Level for a Securable Object in Windows Vista

Windows has included securable objects for quite some time now, but Windows Vista adds a new concept: Mandatory Integrity Control. You can read a detailed description here; in essence, in addition to requiring a particular SID to access a secured resource, you must be running with a token containing the required integrity level. When you are running as a standard user, your token contains an ACE called Mandatory LabelMedium Mandatory Level. When you are running elevated, your token contains an ACE called Mandatory LabelHigh Mandatory Level. Internet Explorer Protected Mode runs the process with a Low Mandatory Level.

The obvious question is this: how do I set the mandatory level for a securable object?

Within code, you can use the AddMandatoryAce API to add a mandatory level to a securable object.

You can also modify the mandatory level reqirements without writing code using the icacls utility. It contains a command line switch: /setintegritylevel. For example, if I wanted to change the integrity level on a folder from medium (the default) to low, I could use "icacls c:myLowMicFolder /setintegritylevel l". Note that you cannot change the integrity level to high from a medium IL process, so if you wanted to change the value to high, you would need to do so from a high IL (elevated) command prompt.

Skip to main content