Re: Locking down CAS policy

sure.

but the recommended way is the asp.net policy file.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

Just making changes to the machine policy would have affected this?

"Dominick Baier" wrote:

have a look at the default web_mediumtrust.policy file in the
framework configuration folder.

CAS policy has 3 levels - you are right that My_Computer in machine
policy grants full trust - but there is another policy level called
the appdomain level that is applied programmatically. Policy levels
are intersected.

That means the asp.net app gets the permissions specified in the
policy file. You application doesn't even have enough permissions to
read files (including assemblies) outside of the application
directory (besides GACed assemblies)

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
I can't find references to these in the default policy. Since the
code is running from the server itself and not through a webservice
or anything doesn't the "My_Computer_Zone" code group become the
applicable group? and the FullTrust that it grants be the reason why
the code runs? The fact that there are two child groups in there for
the Microsoft and ECMA strong names really means nothing since they
would have been granted FullTrust from the parent. Correct?

So, with that assumption, if unknown malicious code were able to be
put on the server that the app runs from, it wouldn't be limited by
the CAS policy and would be granted unrestricted rights? I realize
that all security is a layered approach and that the server's own
security policy should be in place to prevent that from happening.
So is that the answer? That, by design, all code that is run from
the server is supposed to be assumed to have FullTrust?

Thanks in advance.

Jason

"Dominick Baier" wrote:

they use the $AppDirUrl$ and $CodeGen$ url membership condition -
if you want to base everything on strong name (which i haven't
tried yet) - you have to strong name all your pages, code behinds
and App_Code files....this can be accomplished by modifying the
<compilation> element to specify a keyfile (or during
pre-compilation)...

I have a whole chapter devoted a whole chapter on partial trust and
policy in my book - maybe it helps to get the bigger picture...

http://www.microsoft.com/mspress/books/9989.asp

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
But how do they do this? Isn't it done through a Zone membership
condition? I can get the app to work if I implement that, but the
idea is to not use Zone or any other "blanket" condition. They
want every assembly accounted for and granted permission based on
where it came from, not where it resides.

"Dominick Baier" wrote:

Hi,

you shouldn't mock with the existing code groups - they grant the
"ASP.Net" permission set to code running in you app dir and the
temp assembly directory.

Without them your app won't be able to run...

thats the error you are seeing.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
I'm trying to lock down our company's CAS policy by using only
Strong Name membership conditions.

I've copied over our intranet to a development server and
removed all code groups except for one. It is all code using the
nothing permission set. I have three child code groups, the two
default (ECMA_Strong_Name and Microsoft_Strong_Name) and a group
for our strong name key. All of the child groups are set for
FullTrust.

I've used the Evaluate Assembly utility to check the assemblies
in the application's bin directory and all report
"unrestricted". However, when i try to run the application i get
"Server Application Unavailable". I check the application event
logs on the server and it reports "Request for the permission of
type 'System.Web.AspNetHostingPermission, System,
Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089' failed." suggesting that there
is still an assembly that hasn't been granted FullTrust.

Is there maybe another assembly that is getting generated at
runtime that doesn't fit into one of the three code groups i
have set up? Is there a way to find out which assembly is
failing?



.

Relevant Pages

  • Re: Locking down CAS policy
    ... CAS policy has 3 levels - you are right that My_Computer in machine policy ... assemblies) outside of the application directory ... Dominick Baier, DevelopMentor ... you shouldn't mock with the existing code groups - they grant the ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Locking down CAS policy
    ... there are the assemblies located that get dynamically generated by asp.net ... Dominick Baier, DevelopMentor ... the Machine Policy. ... And the only thing i did to that was remove the code groups other than ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Locking down CAS policy
    ... No, by changing only the machine policy, you think i messed up the asp.net ... And the only thing i did to that was remove the code groups other than the ... Dominick Baier, DevelopMentor ... read files (including assemblies) outside of the application ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Understanding FullTrust and CAS
    ... i spent quite a lot of "quality time" with ASP.NET policy files (for a book i am currently writing) ... Dominick Baier - DevelopMentor ... that I didn't find any mention of extra ASP.NET policy in any of the CAS documentation. ...
    (microsoft.public.dotnet.security)
  • Re: Rijndael Class
    ... If you are on 2.0 you can enforce FIPS compliance with a policy in secpol.msc. ... Dominick Baier - DevelopMentor ...
    (microsoft.public.dotnet.security)