Re: how to programmatically give assembly loaded from network the same trust as those loaded from local host?

From: JS (someone_at_somewhere.com)
Date: 06/24/03


Date: Mon, 23 Jun 2003 22:16:19 -0400


I would like to programmatically configure policy.

In the server process, I would like to programmatically give an assembly loaded
from the network the same trust as those loaded from the local host. I know that
this is possible by using the .NET admin tools or by deploying *.msi files. I would
like to know other alternatives. Thanks.

"Stephen McCloskey [MSFT]" <stemccl@online.microsoft.com> wrote in message
news:#7h9lYdODHA.1072@TK2MSFTNGP10.phx.gbl...
> Hello,
>
> Would you like to programmatically configure policy on your machine(s) or
> programmatically allow an assembly to raise its own permissions?
>
> You can't programmatically allow an assembly to elevate its own permission
> grant. If this were possible, it would constitute a serious security
> weakness, allowing any malicious code the ability to own your machine.
>
> You can programmatically configure policy by scripting the caspol.exe tool,
> or by creating a managed application that manipulates policy. These options
> require a high degree of trust. Let me know if you need more details on
> this.
>
> You should never give full trust to the local intranet zone when you want to
> run a single assembly. Instead, do the following:
>
> 1) Sign the assembly with a strong name.
>
> 2) Create a custom code group that has that strong name as a membership
> condition.
>
> 3) Assign the code group a permission set that has only the permissions that
> the assembly needs to run and no more.
>
> This will allow the assembly to run in any zone without sacrificing the
> overall security of your box.
>
> I hope this helps.
>
> Stephen
>
> "JS" <someone@somewhere.com> wrote in message
> news:#Yy50hbODHA.304@tk2msftngp13.phx.gbl...
> > I have a .NET assembly accessing a COM service; the .NET assembly resides on
> > a network drive. When the assembly is run, I get a 'securitypermission'
> > exception. If in '.net wizard->adjust .net security->adjust the security
> > level for each zone' I give the 'local intranet' zone 'full trust', the same as
> > for the 'my computer' zone, then there is no such exception.
> >
> > How do I programmatically do so? When I load the assembly (and run the
> > assembly) in a program, I would like to give this assembly full trust in this
> > program so that it can access the COM service.
> >
> > If this assembly is not using the COM service, I think that there won't be such
> > a problem.
> >
> > Thanks.
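
Added example (not part of either poster's message): one way to carry out the three steps in the quoted reply from a managed program, using the .NET Framework 1.x/2.0 code access security policy API. The code group and permission set names are hypothetical, and the choice of Execution plus UnmanagedCode as the permissions the COM-calling assembly needs is an assumption; run it as an administrator with the path to the strong-named assembly as its argument.

```csharp
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class AddStrongNameCodeGroup
{
    const string SetName = "ComInteropMinimal";     // hypothetical name
    const string GroupName = "ComInteropAssembly";  // hypothetical name

    static void Main(string[] args)
    {
        // Step 1 (signing) happens at build time; read the public key from the signed file.
        AssemblyName an = AssemblyName.GetAssemblyName(args[0]);
        byte[] key = an.GetPublicKey();
        if (key == null || key.Length == 0)
            throw new ArgumentException("Assembly is not strong-named: " + args[0]);

        // Step 2: match on public key + simple name; a null version matches any version.
        StrongNameMembershipCondition cond = new StrongNameMembershipCondition(
            new StrongNamePublicKeyBlob(key), an.Name, null);

        // Step 3: start from an empty set and add only what the assembly needs.
        // Assumption: COM interop here needs Execution + UnmanagedCode and nothing else.
        NamedPermissionSet ps = new NamedPermissionSet(SetName, PermissionState.None);
        ps.AddPermission(new SecurityPermission(
            SecurityPermissionFlag.Execution | SecurityPermissionFlag.UnmanagedCode));

        PolicyLevel machine = null;
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
            if (((PolicyLevel)levels.Current).Label == "Machine")
                machine = (PolicyLevel)levels.Current;
        if (machine == null) throw new InvalidOperationException("Machine policy level not found");

        // Re-running must not fail or stack duplicates: update the set, replace the group.
        if (machine.GetNamedPermissionSet(SetName) == null) machine.AddNamedPermissionSet(ps);
        else machine.ChangeNamedPermissionSet(SetName, ps);

        CodeGroup root = machine.RootCodeGroup;
        foreach (CodeGroup child in root.Children)   // Children returns a copy of the list
            if (child.Name == GroupName) root.RemoveChild(child);
        CodeGroup group = new UnionCodeGroup(cond, new PolicyStatement(ps));
        group.Name = GroupName;
        root.AddChild(group);
        machine.RootCodeGroup = root;
        SecurityManager.SavePolicyLevel(machine);    // needs admin rights and ControlPolicy
    }
}
```

UnmanagedCode lets the assembly call native code that code access security does not check, so the grant is only as narrow as control over the signing key.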


