I just had a somewhat interesting security problem in Vista that I thought I’d share.
The problem was in Internet Explorer: when creating a bookmark, I’d receive the message “Unable to create [URL]. Unspecified error”. The problem only occurred on Protected Mode websites, which led me to believe it might have been a permissions issue. Indeed, trying to propagate my local account with full access generated an “Access is Denied” error, so I replaced ownership on the folder successfully; however, the problem was still occurring. A bit of research later, here is what I discovered in a nutshell:
- Windows Vista introduces a new concept called “Integrity Level”. Basically, along with every ACL, there is also a “class” – this defines what types of applications can modify a particular file.
- By default, all files allow “Medium” or higher applications to modify them. However, Internet Explorer in Protected Mode runs at a “Low” integrity level: IE can only write directly to files that have a Low integrity level associated with them; otherwise, the write has to go through the Protected Mode broker process, which runs as a Medium-level application.
- The icacls command line utility (introduced in W2K3 SP2 and Vista) includes a new switch that allows you to set the integrity level.
To resolve the issue, navigate to c:\users\USERNAME and run the following command against the favorites folder:
icacls Favorites /setintegritylevel (OI)(CI)low
The (OI) and (CI) stand for “object inherit” and “container inherit” respectively (propagate permissions basically), and the low is pretty obviously assigning a low integrity level requirement to the file.
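To confirm the label was applied, run icacls against the folder without switches and look for a “Mandatory Label” line. The PowerShell script below is an added example, not part of the original post: it parses that output and runs the command above only when the folder is not already Low. The function names are hypothetical and the sample icacls output is constructed.

```powershell
# Added example, not from the original post; function names are hypothetical.

function Get-IntegrityLabel {
    param([string[]]$IcaclsLines)
    # icacls prints an explicit label as, for example:
    #   Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
    # (NW) is the "no write up" policy that blocks lower-integrity writers.
    $pattern = 'Mandatory Label\\(?<level>\w+) Mandatory Level:(?<flags>(\([A-Z,]+\))+)'
    foreach ($line in $IcaclsLines) {
        if ($line -match $pattern) {
            return New-Object PSObject -Property @{
                Level = $Matches['level']; Flags = $Matches['flags'] }
        }
    }
    # No label line: the object carries no explicit label and is treated as Medium.
    return New-Object PSObject -Property @{ Level = 'Medium'; Flags = '(implicit)' }
}

function Set-LowIntegrityIfNeeded {
    param([string]$Path)
    $before = Get-IntegrityLabel (icacls $Path)
    if ($before.Level -ne 'Low') {
        # Quote the argument: PowerShell would otherwise parse (OI) as an expression.
        icacls $Path /setintegritylevel '(OI)(CI)low' | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path" }
    }
    $after = Get-IntegrityLabel (icacls $Path)
    "{0}: {1} -> {2} {3}" -f $Path, $before.Level, $after.Level, $after.Flags
}

# Constructed sample of icacls output for the folder after the fix
# (computer and account names are made up), so the parser runs offline.
$sample = @(
    'Favorites NT AUTHORITY\SYSTEM:(OI)(CI)(F)',
    '          BUILTIN\Administrators:(OI)(CI)(F)',
    '          PC\steven:(OI)(CI)(F)',
    '          Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)'
)
$label = Get-IntegrityLabel $sample
"Sample folder label: {0} {1}" -f $label.Level, $label.Flags

# On a real system, from the user folder:
#   Set-LowIntegrityIfNeeded -Path .\Favorites
```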
[Updated: June 19, 2008 - Step-by-step instructions due to popular demand]
Step-by-step Instructions
- Choose Start -> Run
- Type "cmd" (without the quotes) and press OK
- Navigate to your user folder. By default, this is c:\users\Username. In my case:
cd /d c:\users\steven
- Run icacls:
icacls Favorites /setintegritylevel (OI)(CI)low
The sequence should look like this: