Question

Is there any way to grant access to network shares to Low Mandatory Level processes (UAC)?

Further explanation: To mitigate some third-party library security issues we are considering setting the Integrity Mode of the isolating process to Low, but we do need that process to read/write freely from a specified single file system share (UNC path, possibly on a separate computer).

Does anyone know if there is a way to do this?

Thanks


Solution

Yes, this is available by default. The integrity level of a process only affects local security, not remote security. This can be proven by creating a low-integrity version of Notepad:

  1. Copy C:\windows\system32\notepad.exe to a location, e.g. C:\test\lownote.exe
  2. Run icacls C:\test\lownote.exe /setintegritylevel Low
  3. Run lownote
  4. Confirm with Process Explorer (http://live.sysinternals.com/procexp.exe) that it is running as low integrity. Note you can open files on the HDD but can't save to them, except in low-integrity sections of the user profile. Browse to a network path using the UNC share: you can open/save files fine.

That being said, you may come across access denied messages when using a low-integrity process to write to network shares. The cause can be found by using Procmon (http://live.sysinternals.com/ProcMon.exe) on the computer running your app and filtering to include Result is "ACCESS DENIED" and Process Name is the name of your process.

What will not be available is drive mappings... you will see an "access denied" thrown when trying to read HKCU\[location of drive letter]

As per MSDN documentation:

However, you can use other types of communication between a low-integrity process and a higher-integrity process. The types of communication that you can use include:

  • Clipboard (copy and paste)
  • Remote procedure call (RPC)
  • Sockets
  • Window messages that the higher-integrity process has been explicitly allowed to receive from lower-integrity processes by calling ChangeWindowMessageFilter
  • Shared memory, where the higher-integrity process explicitly lowers the mandatory label on the shared memory section (Important: This is particularly dangerous, and the higher-integrity process must be careful to validate all data that is written to the shared section.)
  • COM interfaces, where the launch activation rights are set programmatically by the higher-integrity process to allow binding from low integrity clients
  • Named pipes, where the creator explicitly sets the mandatory label on the pipe to allow access to lower-integrity processes

Ref: http://msdn.microsoft.com/en-us/library/bb625960.aspx
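The same experiment as the lownote steps above, scripted with cmd.exe so each result can be checked from the console. This is an added example, not code from the answer or from Microsoft's documentation: `Invoke-LowCmd` is a helper written for this example, `\\SERVER\share` is a placeholder UNC path, and it assumes a normal medium-integrity user session in which C:\test and the share are already writable.

```powershell
# Added example (not from the answer above or from MSDN): reproduce the
# lownote.exe experiment with cmd.exe so the results can be checked from a script.
# Assumptions: running as a normal (medium-integrity) user, C:\test is writable,
# and $Share is a placeholder UNC path that this user can already write to.

$Share  = '\\SERVER\share'                  # placeholder, replace with your share
$Work   = 'C:\test'
$LowCmd = Join-Path $Work 'lowcmd.exe'

New-Item -ItemType Directory -Path $Work -Force | Out-Null
Copy-Item "$env:SystemRoot\System32\cmd.exe" -Destination $LowCmd -Force

# Put a Low mandatory label on the image; a process started from it gets a Low token
icacls $LowCmd /setintegritylevel Low | Out-Null

# Confirm the label on disk: icacls lists "Mandatory Label\Low Mandatory Level:(NW)"
icacls $LowCmd | Select-String 'Mandatory Level'

# Helper (written for this example): run one command line inside the
# low-integrity cmd.exe and return its exit code. Start-Process passes the
# argument string through untouched, so the quoting and redirection below
# reach cmd.exe exactly as written.
function Invoke-LowCmd {
    param([Parameter(Mandatory)][string]$CommandLine)
    $p = Start-Process -FilePath $LowCmd -ArgumentList "/c $CommandLine" `
                       -Wait -NoNewWindow -PassThru
    return $p.ExitCode
}

# 1. The token inside the process really is Low (whoami reads its own token and
#    prints "Mandatory Label\Low Mandatory Level")
Invoke-LowCmd 'whoami /groups | findstr /i Mandatory' | Out-Null

# 2. Remote access: write, read back and delete a file on the share.
#    Integrity levels are enforced by the local kernel only; the file server
#    sees an ordinary SMB session for this user, so this should succeed.
$Remote = Join-Path $Share 'lowintegrity-probe.txt'
$rc = Invoke-LowCmd "echo probe > `"$Remote`" && type `"$Remote`" && del `"$Remote`""
if ($rc -ne 0) {
    Write-Warning "Share access failed (exit $rc): run Procmon and filter on Result is ACCESS DENIED and Process Name is lowcmd.exe"
}

# 3. Local contrast: the profile root carries the default Medium label, so a Low
#    process is denied (no-write-up), while AppData\LocalLow is labelled Low and works.
$Denied  = Invoke-LowCmd "echo probe > `"$env:USERPROFILE\lowtest.txt`""
$Allowed = Invoke-LowCmd "echo probe > `"$env:USERPROFILE\AppData\LocalLow\lowtest.txt`""
"Profile root write exit code: $Denied (expect non-zero)"
"LocalLow write exit code:     $Allowed (expect 0)"
Remove-Item "$env:USERPROFILE\AppData\LocalLow\lowtest.txt" -ErrorAction SilentlyContinue
```

Step 2 is the point of the question: the share is reached through the UNC path, not a mapped drive letter, because the drive mapping lives in the user's registry hive and is not usable from the Low process. Step 3 shows the local side of the same policy, so a failure in step 2 can be told apart from the ordinary no-write-up denial that the answer says to diagnose with Procmon.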

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow