Appendix B: Icacls and File Integrity Levels

Icacls is a command-line tool that you can use to manage the security settings on files. The Windows Vista version of Icacls supports mandatory labels on files.

Icacls.exe is an update to an older program, Cacls.exe. Cacls.exe does not recognize mandatory labels.

You can use Icacls to view and set the integrity level for a file. Icacls displays the integrity level SID for a file only if the file has an explicit mandatory label ACE; it does not show the integrity level SID for the implicit default integrity level. When setting the integrity level of a file, Icacls uses only the NO_WRITE_UP integrity policy.

The following image shows an example of using Icacls to view or set the integrity level of a file.

Figure 11. Icacls and mandatory labels
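
The view-and-set workflow described above, as an added example that is not from the original page: a PowerShell wrapper that reads the explicit mandatory label from Icacls output before and after setting a Low label with `/setintegritylevel`. The function name `Get-ExplicitIntegrityLabel` and the demo file are hypothetical, and the script assumes English-language Icacls output and an NTFS file the caller owns.

```powershell
# Added example. Assumptions: NTFS volume, English-language icacls output,
# and a caller who owns the file. The file name is constructed for the demo.
$path = Join-Path $env:TEMP 'il-demo.txt'
Set-Content -Path $path -Value 'integrity level demo'

function Get-ExplicitIntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    $out = & icacls.exe $Path
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path" }
    # A "Mandatory Label\..." entry appears only for an explicit label ACE;
    # the implicit default integrity level is not listed.
    $hit = $out | Select-String -Pattern 'Mandatory Label\\(.+?):(\(.+\))' |
        Select-Object -First 1
    if (-not $hit) {
        return [pscustomobject]@{ Path = $Path; Explicit = $false; Level = $null; Flags = $null }
    }
    $g = $hit.Matches[0].Groups
    [pscustomobject]@{ Path = $Path; Explicit = $true; Level = $g[1].Value; Flags = $g[2].Value }
}

# 1. New file: no explicit label ACE has been set on it yet.
Get-ExplicitIntegrityLabel -Path $path

# 2. Add an explicit Low label (L = Low, M = Medium, H = High).
& icacls.exe $path /setintegritylevel L | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'setting the integrity level failed' }

# 3. Read the label back; icacls shows the NO_WRITE_UP policy as (NW).
Get-ExplicitIntegrityLabel -Path $path

Remove-Item -Path $path
```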