EPFL Logo
fr|en
Login
Concept

Mandatory Integrity Control

Mandatory Integrity Control (MIC) is a core security feature of Windows Vista and later that adds mandatory access control to running processes based on their Integrity Level (IL). The IL represents the level of trustworthiness of an object. This mechanism's goal is to restrict the access permissions for potentially less trustworthy contexts (processes, files, and other securable objects), compared with other contexts running under the same user account that are more trusted. Mandatory Integrity Control is defined using a new access control entry (ACE) type to represent the object's IL in its security descriptor. In Windows, Access Control Lists (ACLs) are used to grant access rights (read, write, and execute permissions) and privileges to users or groups. An IL is assigned to a subject's access token when initialized. When the subject tries to access an object (for example, a file), the Security Reference Monitor compares the integrity level in the subject's access token against the integrity level in the object's security descriptor. Windows restricts the allowed access rights depending on whether the subject's IL is higher or lower than the object, and depending on the integrity policy flags in the new access control entry (ACE). The security subsystem implements the integrity level as a mandatory label to distinguish it from the discretionary access under user control that ACLs provide. Windows Vista defines four integrity levels: Low (SID: S-1-16-4096), Medium (SID: S-1-16-8192), High (SID: S-1-16-12288), and System (SID: S-1-16-16384). By default, processes started by a regular user gain a Medium IL and elevated processes have High IL. By introducing integrity levels, MIC allows classes of applications to be isolated, enabling scenarios like sandboxing potentially-vulnerable applications (such as Internet-facing applications). Processes with Low IL are called low-integrity processes, which have less access than processes with higher ILs where the Access control enforcement is in Windows.

Official source
About this result
This page is automatically generated and may contain information that is not correct, complete, up-to-date, or relevant to your search query. The same applies to every other page on this website. Please make sure to verify the information with EPFL's official sources.

Copyright © 2025 EPFL, all rights reserved

Graph Chatbot

Chat with Graph Search

Ask any question about EPFL courses, lectures, exercises, research, news, etc. or try the example questions below.

DISCLAIMER: The Graph Chatbot is not programmed to provide explicit or categorical answers to your questions. Rather, it transforms your questions into API requests that are distributed across the various IT services officially administered by EPFL. Its purpose is solely to collect and recommend relevant references to content that you can explore to help you answer your questions.