Setting downloads folder to Low Integrity via icalcs

just did this. I don't think it'll cause any issues, right?

 

Have you removed execution rights from Users group?

 

Low Integrity Level applied with icacls is only applying to the directory.

To apply to objects within the directory use the OI flag.

To apply to subdirectories add the CI flag.

I believe using the /t parameter causes traversal of all subdirectories.

Once applied, depending on what you applied it to (objects or containers or both) things will (obviously) start at your specified IL.

To remove the IL, use chml or an obscure .inf syntax and secedit (thats how I did it). You can also set the directory to Medium IL, which is the same as default anyway. I think after experimenting with it a lot that chml is the best bet to remove ILs.

m00nbl00d refers to setting your downloads directory to disallow execution. I am not sure this is an Integrity answer, but he is none the less giving you infos that can go along with Integrity. Unless I am wrong, in which case m00nbl00d is about to fill us in

Sul.

 

It actually depends on how you look at it.

If by Integrity, you mean preventing a lower object from writing/reading/execution to higher objects, then no, what I mentioned is 100% unrelated to that.

But, in this security context, integrity can also be looked at as a mean to prevent infections, including to other lower objects, or in other words keep the integrity of our system.

And, considering icacls allows just that, I thought of mentioning it, anyway.

Applying only a low integrity level to a container, without any other sort of implementation, it gives a false sense of security.

 

If I disallow execution for users will it give me a UAC prompt when I try?

I used this command:
icacls "C:\Users\C*****\Downloads" /setintegritylevel(oi)(ci) low /t"

 

Weren't you given an error using that command? It should be

Code:

icacls "C:\Users\your_username\Downloads" /setintegritylevel (oi)(ci)Low

Maybe both ways work.

I also don't think you'd need to use the /t. Using (oi)(ci) already make the IL propagate to sub-folders and objects. I guess it doesn't hurt using it, but I don't think it would be really needed, though.

And, answering to your question, no, there will be no UAC alert. You are removing execution rights. If the Users group cannot execute, they will get an error message only.

Would you like an UAC alert if something gets to your Downloads folder without you knowing it?

 

I also believe you need a space between /setintegritylevel (oi)(ci), if memory serves.

Maybe you formatted it correctly when you used it, but not when you posted it?

Sul.

 

Nope, it worked fine when I did it.