Re: Locking down CAS policy
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 17 Nov 2006 22:10:59 +0000 (UTC)
well - by re-reading your original post - yes you may be missing some files -
have a look at the \windows\microsoft .net\framework\version\temp asp.net assemblies
there are the assemblies located that get dynamically generated by asp.net
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
No, by changing only the machine policy, you think i messed up the
asp.net policy file? Everything on the system is default except for
the Machine Policy.
And the only thing i did to that was remove the code groups other than
the my_computer_zone and changed that code group to nothing instead of
fulltrust. I know i'm new to CAS policy but if it's that touchy
wouldn't more people have this problem?
"Dominick Baier" wrote:
sure.
but the recommended way is the asp.net policy file.
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
Just making changes to the machine policy would have affected this?
"Dominick Baier" wrote:
have a look at the default web_mediumtrust.policy file in the
framework configuration folder.
CAS policy has 3 levels - you are right that My_Computer in machine
policy grants full trust - but there is another policy level called
the appdomain level that is applied programmatically. Policy levels
are intersected.
That means the asp.net app gets the permissions specified in the
policy file. You application doesn't even have enough permissions
to read files (including assemblies) outside of the application
directory (besides GACed assemblies)
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
I can't find references to these in the default policy. Since the
code is running from the server itself and not through a
webservice or anything doesn't the "My_Computer_Zone" code group
become the applicable group? and the FullTrust that it grants be
the reason why the code runs? The fact that there are two child
groups in there for the Microsoft and ECMA strong names really
means nothing since they would have been granted FullTrust from
the parent. Correct?
So, with that assumption, if unknown malicious code were able to
be put on the server that the app runs from, it wouldn't be
limited by the CAS policy and would be granted unrestricted
rights? I realize that all security is a layered approach and that
the server's own security policy should be in place to prevent
that from happening. So is that the answer? That, by design, all
code that is run from the server is supposed to be assumed to have
FullTrust?
Thanks in advance.
Jason
"Dominick Baier" wrote:
they use the $AppDirUrl$ and $CodeGen$ url membership condition -
if you want to base everything on strong name (which i haven't
tried yet) - you have to strong name all your pages, code behinds
and App_Code files....this can be accomplished by modifying the
<compilation> element to specify a keyfile (or during
pre-compilation)...
I have a whole chapter devoted a whole chapter on partial trust
and policy in my book - maybe it helps to get the bigger
picture...
http://www.microsoft.com/mspress/books/9989.asp
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
But how do they do this? Isn't it done through a Zone membership
condition? I can get the app to work if I implement that, but
the idea is to not use Zone or any other "blanket" condition.
They want every assembly accounted for and granted permission
based on where it came from, not where it resides.
"Dominick Baier" wrote:
Hi,
you shouldn't mock with the existing code groups - they grant
the "ASP.Net" permission set to code running in you app dir and
the temp assembly directory.
Without them your app won't be able to run...
thats the error you are seeing.
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
I'm trying to lock down our company's CAS policy by using only
Strong Name membership conditions.
I've copied over our intranet to a development server and
removed all code groups except for one. It is all code using
the nothing permission set. I have three child code groups,
the two default (ECMA_Strong_Name and Microsoft_Strong_Name)
and a group for our strong name key. All of the child groups
are set for FullTrust.
I've used the Evaluate Assembly utility to check the
assemblies in the application's bin directory and all report
"unrestricted". However, when i try to run the application i
get "Server Application Unavailable". I check the application
event logs on the server and it reports "Request for the
permission of type 'System.Web.AspNetHostingPermission,
System, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089' failed." suggesting that
there is still an assembly that hasn't been granted FullTrust.
Is there maybe another assembly that is getting generated at
runtime that doesn't fit into one of the three code groups i
have set up? Is there a way to find out which assembly is
failing?
.
- References:
- Re: Locking down CAS policy
- From: Jason Stearns
- Re: Locking down CAS policy
- Prev by Date: Re: Locking down CAS policy
- Next by Date: Re: WindowsPrincipal is incorrect after AD account rename
- Previous by thread: Re: Locking down CAS policy
- Next by thread: RE: WindowsIdentity, Memebrship/Role, or ???
- Index(es):
Relevant Pages
|
|
