Re: Certificate store access permissions

From: Michel Gallant (neutron_at_istar.ca)
Date: 06/03/03

• Next message: J-P Meunier: "Re: Certificate store access permissions"
• Previous message: J-P Meunier: "Certificate store access permissions"
• In reply to: J-P Meunier: "Certificate store access permissions"
• Next in thread: J-P Meunier: "Re: Certificate store access permissions"
• Reply: J-P Meunier: "Re: Certificate store access permissions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Tue, 3 Jun 2003 12:11:23 -0400

Not possible without:
 - having the ActiveX Assembly Assert permissions required to
   access the registry (which prevents a stack walk past the untrusted
   IE host)
 - configuring every clients' CAS (possibly via deployment project)
   with, say a custom child code-group

I think what you are after is deployment capability like what signed .cab files
with Java applets can do, e.g. this "Run Once" registry key scanner:
   http://pages.istar.ca/~neutron/RunKeyValues/

 - Michel Gallant
    MVP Security

"J-P Meunier" <fuimens@yahoo.fr> wrote in message news:%23kg2nccKDHA.360@TK2MSFTNGP12.phx.gbl...
> Hi,
>
> I have an ActiveX Assembly that needs to open the client certificate store
> (the client is using IE). With default permissions given to
> intranet/internet zones, the ActiveX throws a security error exception.
>
> Is there any solution to give the Assembly the right permissions to the
> local registry without changing the security of all the concerned zone ?
>
> In production deployment, clients will use the ActiveX via the internet, and
> they are not Administrators of their computers or they are not supposed to
> know how to change permissions, so I really need give the assembly the
> rights it needs to access the registry.
>
> Thanks
>
> JP Meunier
>
>
>

---

• Next message: J-P Meunier: "Re: Certificate store access permissions"
• Previous message: J-P Meunier: "Certificate store access permissions"
• In reply to: J-P Meunier: "Certificate store access permissions"
• Next in thread: J-P Meunier: "Re: Certificate store access permissions"
• Reply: J-P Meunier: "Re: Certificate store access permissions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages [NT] Exchange 2000 System Attendant Incorrectly Sets Remote Registry Permissions ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Management Console snap in, the System Attendant makes ... changes to the permissions on the Windows Registry to allow Exchange ... There is a flaw in how the System Attendant makes these Registry ... (Securiteam) Re: Granting write access to HKLM ... hive into a registry key under HKEY_USER, ... I want to change the permissions of a registry ... >> permissions for a specific principal, rather we initialize the security ... >> principals, see the MSDN docs, starting with SetSecurityDescriptorDacl ... (microsoft.public.vc.mfc) Re: Registry ACL Modification ... You need to set up the permissions in the installation program, ... it doesn't "hack" around the security. ... > I wrote an app that needs to add a few small strings in the registry. ... > can download. ... (microsoft.public.vb.winapi) Re: Permissions ... >> the server machine I get an error. ... >> permissions to read the registry. ... because frankly M$ has been monkeying around with security over the last ... (microsoft.public.dotnet.languages.csharp) Re: Security problem for control in browser ... This philosophy mandates that such permissions are critical enough that it ... security policy installers .. ... Note however that Java 2 security model started this way. ... changing the clients .java.policy file .. ... (microsoft.public.dotnet.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(12)