After a Windows XP to Windows 7 migration using the User State Migration Tool, we had a user who could add to their Internet Explorer favourites perfectly fine…until they tried to add favourites into one of their already existing folders. This resulted in the unhelpful message 'Unable to create '<website>': Unspecified Error'.
Oh no I can’t add favorites!
So the first obvious thought was to check the user's permissions on their favourites folder under %USERPROFILE%\Favorites.
The user had Full Control over the favorites folder, and all subfolders.
Just to make sure there were no other permissions taking effect, such as a deny, we used the Advanced button and the Effective Permissions tab, which still showed all good.
That looks good, so we then used Process Monitor to see what kind of issue is going on. (http://live.sysinternals.com/ProcMon.exe)
For bizarre errors, especially when writing files, one of my first suspects is ACCESS DENIED, so I filtered to include Process Name is iexplore.exe and Result is ACCESS DENIED.
I added the Integrity column using Options –> Select Columns menu item.
There are five key columns you need to look at when dealing with access denied errors:
- Integrity. This is only applicable for local file/registry access on Vista or higher when User Account Control (UAC) is enabled
The Path column tells us the file that was being created. Detail tells us the desired access (i.e. read only/write/etc.). The User column shows the user who had Full Control of the folder in the NTFS permissions. How can they get access denied?
There are a few important points when diagnosing Windows file permissions. If files are being accessed remotely from a network share it is critical to check both Share Permissions and NTFS Permissions, as the most restrictive of the two determines the eventual access rights of the user.
For local users with UAC enabled we must check three things: the NTFS permissions, the integrity level permissions (mandatory label) on the file or folder, and the integrity level of the process.
What are integrity levels?
Introduced in Windows Vista, they provide an additional level of security by giving every process an integrity level; access to registry keys and files can then be denied or granted based on that integrity level.
Here it will be sufficient to say that Internet Explorer Protected Mode runs at Low Integrity. This is a level below that of standard user processes, which run at Medium Integrity. Elevated (admin) processes run at High Integrity. There are also Untrusted and System integrity levels.
These integrity levels are also assigned Security Identifiers (SIDs) just like user accounts, so they can be used for registry & file permissions.
But we won't see these permissions via the Windows Explorer Security tab. To view and edit them we must use the command line tool icacls.
So in this case I compared the root Favourites folder, to which the user could add shortcuts with no problem, with a subfolder to which they couldn't. This was done simply by running icacls "<foldername>".
Notice the root level has Mandatory Label\Low Mandatory Level with (OI) Object Inherit, (CI) Container Inherit and (NW) No Write-Up. The Travel folder, on the other hand, has no integrity label specified at all.
If no integrity level policy is specified for a registry key or file it will use the default policy which is Mandatory Label\Medium Mandatory Level with No Writeup.
What does this mean?
If no mandatory label is shown when running icacls, the default applies: the process must be Medium Integrity or higher *plus* be running as a user with the relevant NTFS permission in order to write a file.
Because Internet Explorer Protected Mode runs at Low Integrity, it fails to write to the Travel folder.
The problem is easily resolved by setting the No Write-Up policy for Mandatory Label\Low Mandatory Level on the Favorites folder and all subfolders using the following command (one line). This ensures that, if the user's account has write access to this folder, any process of Low Integrity or higher will be able to write to it.
icacls "%USERPROFILE%\Favorites" /setintegritylevel (OI)(CI)L:(NW) /T
L specifies Low integrity, (NW) specifies the No Write-Up policy, and /T specifies to include all subfolders and files.
After running this command the user could add favourites once again.
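The three checks described above (NTFS permissions, the mandatory label on the folder, and the integrity level of the process) and the icacls fix that follows can be scripted so that every subfolder is compared against the root rather than by eye. The following PowerShell is an added example, not code from the original post; it parses the output of icacls.exe (assuming an English-language Windows, where the label line reads "Mandatory Label\Low Mandatory Level"), reads the current shell's own integrity label from whoami.exe, and wraps the post's own icacls command in a function that re-audits the tree afterwards. The function names are my own, and the script is written to run on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the original post): audit mandatory integrity labels on a
# folder tree, show the integrity level of this process, and optionally apply the
# post's icacls fix and verify it. Assumes icacls.exe and whoami.exe on the PATH and
# English icacls output. Function names are hypothetical.

function Get-IntegrityLabel {
    # Parse the "Mandatory Label\<Level> Mandatory Level:(flags)" line that icacls
    # prints only when the object carries an explicit integrity label.
    param([Parameter(Mandatory=$true)][string]$Path)
    $text = (& icacls.exe $Path 2>&1) -join "`n"
    $m = [regex]::Match($text, 'Mandatory Label\\(\w+) Mandatory Level:(\S+)')
    if ($m.Success) {
        New-Object PSObject -Property @{
            Path     = $Path
            Level    = $m.Groups[1].Value   # Low / Medium / High / System
            Flags    = $m.Groups[2].Value   # e.g. (OI)(CI)(NW); may include (NR) or (NE)
            Explicit = $true
        }
    } else {
        # No label on the object: Windows applies the default, Medium with No Write-Up,
        # which is exactly what blocked Protected Mode IE in the Travel folder.
        New-Object PSObject -Property @{
            Path = $Path; Level = 'Medium (default)'; Flags = '(NW)'; Explicit = $false
        }
    }
}

function Find-LowIntegrityGaps {
    # Return every folder in the tree whose label would reject a Low-integrity writer:
    # either no explicit label (Medium default) or an explicit label above Low.
    param([Parameter(Mandatory=$true)][string]$Root)
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Recurse | Where-Object { $_.PSIsContainer })
    foreach ($dir in $folders) {
        $label = Get-IntegrityLabel -Path $dir.FullName
        if (-not $label.Explicit -or $label.Level -ne 'Low') { $label }
    }
}

function Get-CurrentProcessIntegrity {
    # The third check: the integrity level of the process itself. whoami lists the
    # label SID of this shell (S-1-16-8192 = Medium, S-1-16-12288 = High).
    whoami.exe /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Group Name' -like 'Mandatory Label\*' } |
        Select-Object 'Group Name', SID
}

function Repair-FavoritesIntegrity {
    # Apply the post's fix: Low label with No Write-Up, inherited by all subfolders
    # and files. The argument is single-quoted so PowerShell passes it to icacls
    # literally instead of parsing the parentheses.
    param([string]$Root = "$env:USERPROFILE\Favorites")
    & icacls.exe $Root /setintegritylevel '(OI)(CI)L:(NW)' /T | Out-Null
    # Verify: anything returned here would still reject a Low-integrity writer.
    Find-LowIntegrityGaps -Root $Root
}

# Usage:
#   Get-CurrentProcessIntegrity
#   Find-LowIntegrityGaps -Root "$env:USERPROFILE\Favorites" | Format-Table Path, Level, Flags
#   Repair-FavoritesIntegrity   # returns nothing once every folder carries the Low label
```

Run the audit before and after the fix: before, it lists the Travel folder (and any other migrated subfolder) with Level "Medium (default)"; after, it returns nothing. Because the script parses icacls text rather than the SACL directly, it does not need the SeSecurityPrivilege that reading audit ACEs through Get-Acl would require, and it works as the affected user.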
All in all there are three different policies you can set with the icacls command:

| Policy | icacls flag | Description |
|---|---|---|
| SYSTEM_MANDATORY_POLICY_NO_WRITE_UP | (NW) | The default policy on all object mandatory labels. The flag is equivalent to the NO_WRITE_UP access token policy. The policy restricts write access to the object by a subject with a lower integrity level. |
| SYSTEM_MANDATORY_POLICY_NO_READ_UP | (NR) | Restricts read access to the object by a subject with a lower integrity level. The policy is used, for example, to restrict read access to the virtual memory address space of a process. |
| SYSTEM_MANDATORY_POLICY_NO_EXECUTE_UP | (NE) | Restricts execute access to the object by a subject with a lower integrity level. The policy is used, for example, to restrict launch activation permissions on a COM class by lower integrity subjects. |
In conclusion, integrity levels are an important component of the increased security within Windows Vista, Windows 7 and Server 2008/2008 R2…but the lack of any built-in GUI for viewing them can be confusing if you are new to them. In most corporate environments I've found Internet Explorer (and especially Internet Explorer add-ons) to have the most issues with integrity levels. However, the internet is not a safe place and integrity levels are an important part of securing the browser further, so I do not recommend disabling UAC, and avoid disabling Internet Explorer Protected Mode where possible.
I recommend reading these articles for further understanding of Internet Explorer Protected Mode and the Windows Integrity Mechanism.
- Understanding and Working in Protected Mode Internet Explorer http://msdn.microsoft.com/en-us/library/bb250462(v=vs.85).aspx
- What is the Windows Integrity Mechanism http://msdn.microsoft.com/en-us/library/bb625957.aspx