Re: Locking down CAS policy



have a look at the default web_mediumtrust.policy file in the framework configuration folder.

CAS policy has 3 levels - you are right that My_Computer in machine policy grants full trust - but there is another policy level called the appdomain level that is applied programmatically. Policy levels are intersected.

That means the asp.net app gets the permissions specified in the policy file. Your application doesn't even have enough permissions to read files (including assemblies) outside of the application directory (besides GACed assemblies).

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

I can't find references to these in the default policy. Since the code
is running from the server itself and not through a webservice or
anything doesn't the "My_Computer_Zone" code group become the
applicable group? and the FullTrust that it grants be the reason why
the code runs? The fact that there are two child groups in there for
the Microsoft and ECMA strong names really means nothing since they
would have been granted FullTrust from the parent. Correct?

So, with that assumption, if unknown malicious code were able to be
put on the server that the app runs from, it wouldn't be limited by
the CAS policy and would be granted unrestricted rights? I realize
that all security is a layered approach and that the server's own
security policy should be in place to prevent that from happening. So
is that the answer? That, by design, all code that is run from the
server is supposed to be assumed to have FullTrust?

Thanks in advance.

Jason

"Dominick Baier" wrote:

they use the $AppDirUrl$ and $CodeGen$ url membership condition - if
you want to base everything on strong name (which i haven't tried
yet) - you have to strong name all your pages, code behinds and
App_Code files....this can be accomplished by modifying the
<compilation> element to specify a keyfile (or during
pre-compilation)...

I have a whole chapter devoted to partial trust and
policy in my book - maybe it helps to get the bigger picture...

http://www.microsoft.com/mspress/books/9989.asp

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

But how do they do this? Isn't it done through a Zone membership
condition? I can get the app to work if I implement that, but the
idea is to not use Zone or any other "blanket" condition. They want
every assembly accounted for and granted permission based on where
it came from, not where it resides.

"Dominick Baier" wrote:

Hi,

you shouldn't muck with the existing code groups - they grant the
"ASP.Net" permission set to code running in your app dir and the
temp assembly directory.

Without them your app won't be able to run...

that's the error you are seeing.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

I'm trying to lock down our company's CAS policy by using only
Strong Name membership conditions.

I've copied over our intranet to a development server and removed
all code groups except for one. It is all code using the nothing
permission set. I have three child code groups, the two default
(ECMA_Strong_Name and Microsoft_Strong_Name) and a group for our
strong name key. All of the child groups are set for FullTrust.

I've used the Evaluate Assembly utility to check the assemblies in
the application's bin directory and all report "unrestricted".
However, when I try to run the application I get "Server
Application Unavailable". I check the application event logs on
the server and it reports "Request for the permission of type
'System.Web.AspNetHostingPermission, System, Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089' failed."
suggesting that there is still an assembly that hasn't been
granted FullTrust.

Is there maybe another assembly that is getting generated at
runtime that doesn't fit into one of the three code groups I have
set up? Is there a way to find out which assembly is failing?
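
The "policy levels are intersected" point from the top reply, as an added C# example that is not part of the original thread. It targets the .NET Framework 2.0 CAS classes; the application path and the contents of the appdomain-level set are constructed stand-ins, not the real web_mediumtrust.policy grant.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Web; // AspNetHostingPermission (defined in System.dll)

static class PolicyIntersectionDemo
{
    // Hypothetical application root, standing in for the app directory.
    const string AppDir = @"C:\inetpub\wwwroot\intranet";

    // The effective grant is the intersection of what every level grants.
    static PermissionSet Resolve(params PermissionSet[] levels)
    {
        PermissionSet grant = new PermissionSet(PermissionState.Unrestricted);
        foreach (PermissionSet level in levels)
        {
            grant = grant.Intersect(level); // null means "empty intersection"
            if (grant == null) return new PermissionSet(PermissionState.None);
        }
        return grant;
    }

    static bool Allows(PermissionSet grant, IPermission demand)
    {
        PermissionSet needed = new PermissionSet(PermissionState.None);
        needed.AddPermission(demand);
        return needed.IsSubsetOf(grant);
    }

    static void Report(string label, PermissionSet grant)
    {
        Console.WriteLine(label);
        Console.WriteLine("  unrestricted:         {0}", grant.IsUnrestricted());
        Console.WriteLine("  ASP.NET hosting:      {0}", Allows(grant,
            new AspNetHostingPermission(AspNetHostingPermissionLevel.Minimal)));
        Console.WriteLine("  read inside app dir:  {0}", Allows(grant,
            new FileIOPermission(FileIOPermissionAccess.Read, AppDir + @"\bin\App.dll")));
        Console.WriteLine("  read outside app dir: {0}", Allows(grant,
            new FileIOPermission(FileIOPermissionAccess.Read, @"C:\Windows\win.ini")));
    }

    static void Main()
    {
        // Constructed appdomain-level grant (simplified partial-trust set).
        PermissionSet appDomain = new PermissionSet(PermissionState.None);
        appDomain.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        appDomain.AddPermission(new AspNetHostingPermission(AspNetHostingPermissionLevel.Medium));
        appDomain.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, AppDir));
        // Default machine level: My_Computer_Zone grants FullTrust.
        Report("Machine = FullTrust", Resolve(new PermissionSet(PermissionState.Unrestricted), appDomain));
        // Locked-down machine level: an assembly matching no strong-name group gets Nothing.
        Report("Machine = Nothing", Resolve(new PermissionSet(PermissionState.None), appDomain));
    }
}
```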


