Setting downloads folder to Low Integrity via icacls

Discussion in 'other software & services' started by Hungry Man, Jun 27, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Just did this. I don't think it'll cause any issues, right?
     
  2. m00nbl00d

    Have you removed execution rights from Users group?
     
  3. Sully

    Low Integrity Level applied with icacls is only applying to the directory.

    To apply to objects within the directory use the OI flag.

    To apply to subdirectories add the CI flag.

    I believe using the /t parameter causes traversal of all subdirectories.

    Once applied, depending on what you applied it to (objects or containers or both) things will (obviously) start at your specified IL.

    To remove the IL, use chml or an obscure .inf syntax and secedit (that's how I did it). You can also set the directory to Medium IL, which is the same as default anyway. I think after experimenting with it a lot that chml is the best bet to remove ILs.

    m00nbl00d refers to setting your downloads directory to disallow execution. I am not sure this is an Integrity answer, but he is nonetheless giving you info that can go along with Integrity. Unless I am wrong, in which case m00nbl00d is about to fill us in ;)

    Sul.
     
  4. m00nbl00d

    It actually depends on how you look at it. :D

    If by Integrity, you mean preventing a lower object from writing/reading/execution to higher objects, then no, what I mentioned is 100% unrelated to that.

    But, in this security context, integrity can also be looked at as a means to prevent infections, including to other lower objects, or in other words keep the integrity of our system.

    And, considering icacls allows just that, I thought of mentioning it, anyway. *puppy*

    Applying only a low integrity level to a container, without any other sort of implementation, gives a false sense of security.
     
  5. Hungry Man

    If I disallow execution for users will it give me a UAC prompt when I try?

    I used this command:
    icacls "C:\Users\C*****\Downloads" /setintegritylevel(oi)(ci) low /t"
     
  6. m00nbl00d

    Weren't you given an error using that command? It should be
    Code:
    icacls "C:\Users\your_username\Downloads" /setintegritylevel (oi)(ci)Low
    Maybe both ways work.

    I also don't think you'd need to use the /t. Using (oi)(ci) already makes the IL propagate to sub-folders and objects. I guess it doesn't hurt using it, but I don't think it would be really needed, though.

    And, answering your question, no, there will be no UAC alert. You are removing execution rights. If the Users group cannot execute, they will get an error message only.

    Would you like a UAC alert if something gets to your Downloads folder without you knowing it?
     
  7. Sully

    I also believe you need a space between /setintegritylevel (oi)(ci), if memory serves.

    Maybe you formatted it correctly when you used it, but not when you posted it?

    Sul.
     
  8. Hungry Man

    Nope, it worked fine when I did it.
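
Added example (not posted by anyone in this thread): a PowerShell walk-through of the label behaviour discussed above, covering a directory-only label, the (OI)(CI) inheritance flags, /t, and resetting to Medium. It works on a scratch folder under %TEMP%; the folder and file names are made up for the demonstration.

```powershell
# Added example: run in a normal (non-elevated) PowerShell session.
# Uses a scratch folder (hypothetical name) instead of the real Downloads folder.
$dir = Join-Path $env:TEMP 'il-demo'
New-Item -ItemType Directory -Path "$dir\existing-sub" -Force | Out-Null
Set-Content -Path "$dir\existing.txt" -Value 'created before labelling'

# 1. Label only the directory object: no (OI)/(CI), so the label is not inheritable.
icacls $dir /setintegritylevel Low
icacls $dir                   # look for "Mandatory Label\Low Mandatory Level"
icacls "$dir\existing.txt"    # compare: is a label listed for the file?

# 2. Make the label inheritable: (OI) = files, (CI) = subfolders.
#    Quote the argument in PowerShell, or the parentheses are parsed as expressions.
icacls $dir /setintegritylevel '(OI)(CI)Low'

# Children created from now on inherit the label from the directory.
Set-Content -Path "$dir\new.txt" -Value 'created after labelling'
New-Item -ItemType Directory -Path "$dir\new-sub" | Out-Null

# 3. /t walks the existing tree and sets the label on every item it finds.
icacls $dir /setintegritylevel '(OI)(CI)Low' /t

# 4. Verify: print each item with its label entry, if icacls reports one.
Get-ChildItem -Path $dir -Recurse -Force | ForEach-Object {
    $hit = icacls $_.FullName | Select-String 'Mandatory Label\\.*'
    $label = if ($hit) { $hit[0].Matches[0].Value } else { '(no label listed)' }
    '{0,-50} {1}' -f $_.FullName, $label
}

# 5. Back to the default level: relabel the tree as Medium, as suggested in the thread.
icacls $dir /setintegritylevel '(OI)(CI)Medium' /t

# Clean up the scratch folder.
Remove-Item -Path $dir -Recurse -Force
```

Running the verification loop from step 4 between steps 1, 2 and 3 shows which items carry a label at each stage.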
     