Re: Altering .NET Security policy across domain

From: Shel Blauman [MSFT] (sheldonb@online.microsoft.com)
Date: 02/06/03


From: "Shel Blauman [MSFT]" <sheldonb@online.microsoft.com>
Date: Thu, 6 Feb 2003 08:36:11 -0800


The best way is to sign the assembly, I'd recommend strong naming, and
creating a code group for the client machines giving the required
permissions to the strong named assembly. See
http://samples.gotdotnet.com/quickstart/aspplus/default.aspx?url=%2fquickstart%2fhowto%2fdoc%2fsharedname.aspx
for information on strong naming assemblies.

For information on creating code groups see
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaddingcodegrouptocodegrouphierarchy.asp.
If you use strong naming to identify your assembly, you would make the
membership condition the strong name you used to sign your assembly. This
article describes the use of caspol.exe to create a code group, but it can
also be done using the .NET Framework Configuration Tool found in
Administrative Tools.

You may also want to add a custom named permission set to limit the
permissions you grant the signed assemblies.

Shel

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Trevor Lawrence" <TrevorL@ise.canberra.edu.au> wrote in message
news:edwj0iXzCHA.2832@TK2MSFTNGP09...
> I can follow that up, but can I ask a more general question.
>
> Students in our labs have "My Documents" on a network drive (and of course
> their Home Directory is the same place).  We would like them to be able to
> build and execute programs stored on their network storage.  Out of the Box
> .NET blocks all sorts of things in that environment.  (Even an empty
> WinForms app prangs when you close it with a security violation.)  The
> alternative of copying to a local location (on which they have write
> permission), working, then copying back is rather ugly.  We can't
> contemplate the student's roaming profile including My Documents as it
> would be far too large to copy down and back as a whole on each logon
> session.  Also, staff regularly provide ad hoc sample exes for students to
> look at, and these sit on a network location.
>
> It seems to me that the only reasonable way to operate is to have the
> Intranet zone with the same security settings as the local machine.  If
> there is something else we can do, I'd love to hear it.
>
> Trevor.
> "Sebastian Lange [MS]" <slange@online.microsoft.com> wrote in message
> news:#4Wxd8WzCHA.1620@TK2MSFTNGP11...
> > If you need to run a specific set of managed apps from the Intranet, it
> > will be more secure to just introduce code groups based on the strong
> > name or hash of those assemblies, instead of opening up the permissions
> > for your whole intranet.
> >
> > There is an article on MSDN that gives some hints as to your issue:
> >
> > http://www.msdn.microsoft.com/library/en-us/dnnetsec/html/entsecpoladmin.asp
> >
> > Generally you want to follow the below steps:
> >
> > 1. Make your policy changes locally on some admin machine
> > 2. Use the "Create Deployment Package" Option in the .Net Configuration
> > Tool (found under the administrative tools), you pick the policy level
> > that should be deployed and the tool then creates an MSI out of it
> > 3. Deploy the MSI via any enterprise wide deployment mechanism available
> > (GP is easiest, you can just drop the MSI on the GP node representing
> > your intended deployment scope)
> >
> > You may also want to have a look at Ch 18 in
> >
> > http://www.awprofessional.com/catalog/product.asp?product_id={DB5E4F2C-979D-4749-9573-5974A50DE104}
> >
> > hope this helps
> > -S
> >
> > "Trevor Lawrence" <TrevorL@ise.canberra.edu.au> wrote in message
> > news:On#ydIWzCHA.2668@TK2MSFTNGP12...
> > > I need to lighten up the .NET security settings for the Intranet zone
> > > across all machines in the domain.  Can I do this via group policy?  Or
> > > is there some other way?
> > >
> > > Trevor Lawrence
> > > School of Computing
> > > University of Canberra
> > >
> > >
> >
> >
>
>
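
The strong-name code group approach recommended in this thread, written out as a command sequence. This is an added example, not part of the original posts: the key file, share path, group name and choice of permission set are constructed placeholders, and it assumes sn.exe and caspol.exe are on the PATH of an administrator command prompt.

```bat
@echo off
rem Added example, not from the thread. Run as administrator from a .NET
rem Framework SDK command prompt (sn.exe and caspol.exe on PATH).
rem Every name and path below is a constructed placeholder.
setlocal
set KEYFILE=LabSamples.snk
set ASSEMBLY=\\labserver\samples\Sample.exe
set GROUP=Lab_Signed_Samples
rem FullTrust is a built-in set, used only to keep the example short. A custom
rem named set loaded first with "caspol -machine -addpset <file.xml>" is tighter.
set PSET=FullTrust

rem 1. One-time: create the key pair. The assembly is signed at build time,
rem    e.g. [assembly: AssemblyKeyFile("LabSamples.snk")]. Keep this file off
rem    student-writable shares: anyone holding it can sign code that matches.
if not exist "%KEYFILE%" (sn -k "%KEYFILE%" || goto fail)

rem 2. Refuse to continue unless the assembly carries a valid strong name.
sn -v "%ASSEMBLY%" || goto fail

rem 3. Add a child of the machine-level LocalIntranet_Zone group. With
rem    -noname -noversion the membership condition is the public key alone,
rem    so every assembly signed with KEYFILE matches, not just this one.
caspol -quiet -machine -addgroup LocalIntranet_Zone -strong -file "%ASSEMBLY%" -noname -noversion %PSET% -name "%GROUP%" || goto fail

rem 4. Check the result: which code groups the assembly now matches, and
rem    the permissions policy resolves for it.
caspol -resolvegroup "%ASSEMBLY%"
caspol -resolveperm "%ASSEMBLY%"
exit /b 0

:fail
echo Policy change aborted. 1>&2
exit /b 1
```

Once the result looks right on the admin machine, the machine policy level can be packaged and deployed with the "Create Deployment Package" steps quoted above.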

