According to the Biba integrity model, a subject cleared at a particular integrity level must not be able to "read down" below that level and must not be able to "write up" above it. In other words, if my clearance level is ‘Confidential’, I must not be able to read any data classified as ‘Unclassified’ or ‘Classified’. On the other hand, while I can read ‘Secret’ and ‘Top Secret’ data, I must not be able to modify it (so as not to compromise its integrity).
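As an added illustration (this is not code from the original post), here is a small Python policy checker that encodes the two Biba rules just described, "no read down" and "no write up", and evaluates the ‘Confidential’ scenario above. The ordering Unclassified < Classified < Confidential < Secret < Top Secret is an assumption chosen only so that the post's example works as written.

```python
from enum import IntEnum

# Integrity levels, ordered low to high. The ordering (including the
# placement of the post's 'Classified' level between Unclassified and
# Confidential) is an assumption made for this example.
class Level(IntEnum):
    UNCLASSIFIED = 0
    CLASSIFIED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4

def can_read(subject: Level, obj: Level) -> bool:
    """Simple integrity property ("no read down"): a subject may read an
    object only if the object's integrity level is at least its own."""
    return obj >= subject

def can_write(subject: Level, obj: Level) -> bool:
    """Star (*) integrity property ("no write up"): a subject may write an
    object only if the object's integrity level is at most its own."""
    return obj <= subject

def check_access(subject: Level, obj: Level, op: str) -> bool:
    """Reference-monitor style decision for a single request."""
    if op == "read":
        return can_read(subject, obj)
    if op == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown operation: {op!r}")

def access_matrix(subject: Level) -> dict:
    """Map every object level to (readable, writable) for this subject."""
    return {lvl.name: (can_read(subject, lvl), can_write(subject, lvl))
            for lvl in Level}

def simulate(subject: Level, requests: list) -> list:
    """Evaluate a sequence of (op, level) requests; return one decision line each."""
    return [f"{op:5} {lvl.name:13} -> "
            f"{'ALLOW' if check_access(subject, lvl, op) else 'DENY'}"
            for op, lvl in requests]

if __name__ == "__main__":
    # The post's scenario: a subject cleared at 'Confidential'.
    for line in simulate(Level.CONFIDENTIAL, [
            ("read", Level.UNCLASSIFIED), ("read", Level.CLASSIFIED),
            ("read", Level.SECRET), ("write", Level.SECRET),
            ("write", Level.TOP_SECRET), ("write", Level.UNCLASSIFIED)]):
        print(line)
```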
In Windows XP, the entire session in which the administrator worked ran in a privileged mode: anything running in that session had admin privileges, i.e. far greater and essentially unrestricted access to system resources compared with a normal user's session.
So in Windows XP, while an administrator is logged in, anything running in the background of that session, such as a service, assumes admin privileges and, once compromised, can easily be made to perform any task that requires privileged access.
Likewise, when a user with admin privileges browses a website in Internet Explorer while logged in as admin, the Internet Explorer process itself runs in a privileged mode!
So what? In this mode, any website the user visits can download or save files into system folders like C:\Windows or System32, or even install whatever it wants in the background without the user's permission, and without the user ever finding out! This is because, as administrator, you have full permission to modify the system folders and the system registry in any way possible. So when an application or service assumes admin privileges, it too can make any change to the system it wants, without restriction, just as the administrator can.
However, in Windows Vista, even the session of a user with admin privileges normally runs in user mode (a low privilege mode), just like a normal user's session! Now you must be wondering: then how will I install all the drivers and applications I want? Where are my admin privileges?
Since Windows follows a Discretionary Access Control model, the administrator is still given full privileges to make all the changes to the system as desired. The only difference is that, while working normally on the computer, the admin user's session works in a low privilege mode, so everything that runs in the background and every application he uses also works in a low privilege mode. But when this user double-clicks an exe file to install an application, opens the Computer Management MMC to create a user account, tries to change the Local Security Policy settings, or attempts any other task that actually requires elevated privileges, he is prompted with a message saying that the program requires his permission to run and will change system settings. The user then allows or denies the action based on his own judgement: if he allows it, the application executes; otherwise it fails.
What is the advantage? The advantage is that even Internet Explorer now runs in user mode. So if any website tries to store a file in a system folder or tries to change system settings by installing a program (which requires elevated privileges), the user is prompted for permission. If the user did not intend to make that change, he can simply deny permission and the program exits. This eliminates a lot of attack surface for the attacker!