Case of the Internet Favourite That Couldn’t Be Added

After a Windows XP to Windows 7 migration using the User State Migration Tool (USMT) we had a user who could add to their Internet Explorer favourites perfectly fine…until they tried to add a favourite into one of their already existing folders. This resulted in the unhelpful message ‘Unable to create ‘<website>’: Unspecified Error’.

Oh no I can’t add favorites!


So the first obvious thought was to check the user’s permissions on their favourites folder under %USERPROFILE%\Favorites.

The user had Full Control over the favorites folder, and all subfolders.


Just to make sure there were no other permissions taking effect, such as a deny, we used the Advanced button and the Effective Permissions tab, which still showed all good.


That looks good, so we then used Process Monitor to see what kind of issue was going on. (http://live.sysinternals.com/ProcMon.exe)

For bizarre errors, especially when writing files, one of my first suspects is ACCESS DENIED, so I filtered to include Process Name is iexplore.exe and Result is ACCESS DENIED.

I added the Integrity column using the Options -> Select Columns menu item.

There are five key columns you need to look at when dealing with access denied errors:

  • Operation
  • Path
  • Detail
  • User
  • Integrity. This is only applicable for local file/registry access on Vista or higher when User Account Control (UAC) is enabled

The Path tells us the file that was being created. Detail tells us the desired access (i.e. read only/write/etc.). The User column showed the user who had Full Control of the folder in the NTFS permissions. How can they get access denied?


There are a few important points when diagnosing Windows file permissions. If files are being accessed remotely from a network share it is critical to check both Share Permissions and NTFS Permissions, as the more restrictive of the two determines the user’s eventual access rights.

For local users with UAC enabled we must check NTFS Permissions, Integrity Level Permissions, and Integrity Level of Process.

What are integrity levels?

Introduced in Windows Vista, they provide an additional level of security by giving every process an integrity level; access to registry keys and files can then be denied or granted based on this integrity level.

Here it will be sufficient to say that Internet Explorer Protected Mode runs in Low Integrity. This is a level below that of standard user processes which run at Medium Integrity. Elevated (admin) processes run at High Integrity. There is also an Untrusted and System Integrity level.

These integrity levels are also assigned Security Identifiers (SIDs) just like user accounts, so they can be used for registry & file permissions.

But we won’t see these permissions via the Windows Explorer Security tab. To view and edit them we must use the command line tool icacls.

So in this case I compared the root folder of Favourites, to which the user could add shortcuts no problem, to a subfolder to which they couldn’t. This was done simply by running icacls "<foldername>"


Notice the root level has Mandatory Label\Low Mandatory Level with OI (Object Inherit), CI (Container Inherit) and NW (No Write-Up). On the other hand the Travel folder has no integrity level specified at all.

If no integrity level policy is specified for a registry key or file it will use the default policy, which is Mandatory Label\Medium Mandatory Level with No Write-Up.

What does this mean?

If no mandatory level is shown when running icacls, the process must be Medium Integrity or higher *plus* must be running as a user with the relevant NTFS permission to gain write access to a file.

Because Internet Explorer Protected Mode runs at Low Integrity it will fail to write to the Travel folder.
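As an added example (not part of the original post), the following PowerShell script automates the comparison made above: it runs icacls over the Favorites root and every subfolder, parses the Mandatory Label line, and reports which folders have no explicit Low label and therefore fall back to the default Medium label that a Protected Mode (Low integrity) process cannot write to. It assumes English-language icacls output and the %USERPROFILE%\Favorites path used in the post.

```powershell
# Added example, not part of the original post: audit the integrity labels
# under the Favorites tree by parsing icacls output, the same check the post
# performs by hand on the root folder and the Travel subfolder.
# Assumes English-language icacls output and runs from a normal user prompt.
param(
    [string]$Root = (Join-Path $env:USERPROFILE 'Favorites')
)

function Get-MandatoryLabel {
    param([string]$Path)
    # icacls prints one ACE per line; an explicit label appears as e.g.
    #   Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
    $lines = & icacls.exe $Path 2>&1
    foreach ($line in $lines) {
        if ("$line" -match 'Mandatory Label\\(?<level>\w+) Mandatory Level:(?<flags>\S*)') {
            return [pscustomobject]@{ Level = $Matches['level']; Flags = $Matches['flags']; Explicit = $true }
        }
    }
    # No label ACE at all: Windows applies the default, Medium with No Write-Up,
    # which is exactly what blocks a Low-integrity writer such as IE Protected Mode.
    return [pscustomobject]@{ Level = 'Medium'; Flags = '(NW) default'; Explicit = $false }
}

# Root folder first, then every subfolder, so the report mirrors the post's comparison.
$folders = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)

$report = foreach ($f in $folders) {
    $label = Get-MandatoryLabel -Path $f.FullName
    [pscustomobject]@{
        Folder        = $f.FullName
        Label         = $label.Level
        Flags         = $label.Flags
        ExplicitLabel = $label.Explicit
        # A Low label (with NW) is what lets a Low-integrity process write here,
        # provided the NTFS DACL also grants the user write access.
        LowCanWrite   = ($label.Level -eq 'Low')
    }
}

$report | Format-Table -AutoSize

# Folders that will reproduce the 'Unspecified Error' when IE Protected Mode
# tries to save a favourite into them:
$report | Where-Object { -not $_.LowCanWrite } | Select-Object -ExpandProperty Folder
```

Any folder listed at the end is a candidate for the icacls /setintegritylevel fix described in the post; on a non-English Windows the label text is localized and the regular expression must be adjusted accordingly.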

The problem is easily resolved by setting the No Write-Up policy for Mandatory Label\Low Mandatory Level on the Favorites folder and all subfolders using the following command (one line). This will ensure that, if the user’s account has write access to this folder, any process of Low Integrity or higher will be able to write to it.

icacls "%USERPROFILE%\Favorites" /setintegritylevel (OI)(CI)L:(NW) /T


L specifies Low integrity, (NW) specifies the No Write-Up policy, and /T specifies to include all subfolders and files.

After running this command the user could add favourites once again.

All in all there are 3 different policies you can set with the icacls command:

  • SYSTEM_MANDATORY_POLICY_NO_WRITE_UP (NW): The default policy on all object mandatory labels. The flag is equivalent to the NO_WRITE_UP access token policy. The policy restricts write access to the object by a subject with a lower integrity level.
  • SYSTEM_MANDATORY_POLICY_NO_READ_UP (NR): Restricts read access to the object by a subject with a lower integrity level. The policy is used, for example, to restrict read access to the virtual memory address space of a process.
  • SYSTEM_MANDATORY_POLICY_NO_EXECUTE_UP (NE): Restricts execute access to the object by a subject with a lower integrity level. The policy is used, for example, to restrict launch activation permissions on a COM class by lower integrity subjects.

In conclusion, integrity levels are an important component of the increased security within Windows Vista, Windows 7 and Server 2008/2008 R2…but the lack of any built-in GUI for viewing them can be confusing if you are new to them. In most corporate environments I’ve found Internet Explorer (and especially Internet Explorer add-ons) to have the most issues with integrity levels. However the internet is not a safe place and they are an important part of securing the browser further, so as a result I do not recommend disabling UAC, and avoid disabling Internet Explorer Protected Mode when possible.

I recommend reading these articles for further understanding of Internet Explorer Protected Mode and the Windows Integrity mechanism.

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in Internet Explorer, Migration, ProcMon, USMT, Windows 7.
