Re: Code Group Security policy deployment

From: Shel Blauman [MSFT] (sheldonb_at_online.microsoft.com)
Date: 06/26/03


Date: Thu, 26 Jun 2003 07:59:54 -0700


Almost all security info is kept in config files. For a list of the files see
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconsecurityconfigurationfiles.asp

Shel

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Michael Pucher" <mpucher@vertex.de> wrote in message
news:O4PpPE7ODHA.1612@TK2MSFTNGP11.phx.gbl...
> hello Shel,
>
> I've been using caspol for testing and development, but want to have a nicer
> solution than run batch files on every system. Is there any way to figure
> out which registry entries caspol (or the .net framework configuration
> wizard) makes? (other than using some tools from sysinternals.com)?
>
> thank you,
>
> Michael
>
> "Shel Blauman [MSFT]" <sheldonb@online.microsoft.com> wrote in message
> news:OougTkzODHA.452@TK2MSFTNGP11.phx.gbl...
> > Take a look at the article at
> > http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/entsecpoladmin.asp,
> > it mentions at least one alternative to MSI files,
> >
> > Can I write scripts to change security policy instead of distributing
> > Microsoft Windows Installer package files?
> > Yes. Using the Code Access Security Policy tool (Caspol.exe) you can write
> > batch file scripts to affect security policy changes. As the first command
> > in the script, enter caspol -pp off to turn the policy change prompt off,
> > unless you are certain that has already been done on the current machine.
> > You should script against code group names rather than their numeric labels,
> > since the labels can easily get reordered after a policy change. See the
> > .NET Framework SDK for more information on the Caspol tool.
> >
> >
> > Shel
> >
> > -- 
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of included script samples are subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> >
> >
> > "Michael Pucher" <mpucher@vertex.de> wrote in message
> > news:%23S3dqPyODHA.1552@TK2MSFTNGP10.phx.gbl...
> > > hello,
> > >
> > > I'm currently on the task to deploy a strong named assembly. I want to
> > > deploy the security policy either via group policies or by using an MSI
> > > installation package. The strong named assembly is added as an own code
> > > group under the Machine->All Code Node in the .net configuration. When I
> > > right click on Runtime Security Policy and click "Create deployment
> > > package", I only have the option to select complete groups (Enterprise,
> > > Machine or User). What happens when I select Machine in that case, and run
> > > the installer on another system, where settings of existing code groups have
> > > been changed or deleted? Will the settings be overwritten? Added again? Will
> > > existing code groups which are not in the msi package be deleted?
> > >
> > > If you know any tools, that let me extract single code groups from the
> > > configuration for deployment, please let me know.
> > >
> > >
> > > thank you,
> > >
> > > Michael Pucher
> > >
> > >
> >
> >
>
>
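
The scripted approach from the article quoted in this thread, as an added example that is not part of any poster's message: a batch file that deploys one strong-name code group at machine level, addressing it by name so it can be re-run without touching other groups. It assumes caspol.exe is on the PATH, that the machine-level root group still has its default name All_Code, and uses constructed placeholder values for the group name, description and assembly path.

```batch
@echo off
setlocal

rem Constructed placeholder values (assumptions, not from the thread).
set "GROUP_NAME=Example_StrongName_Group"
set "GROUP_DESC=FullTrust for assemblies signed with the example key"
set "ASSEMBLY=C:\Deploy\Example.Library.dll"

rem First command: switch the policy change prompt off so the
rem script can run unattended.
caspol -pp off

rem Remove an earlier copy of the group, addressed by NAME rather than
rem by numeric label (labels are renumbered after policy changes).
rem On a machine that never had the group this reports an error,
rem which is expected and discarded here.
caspol -m -rg "%GROUP_NAME%" >nul 2>&1

rem Add the group under the machine-level root. The membership condition
rem is the public key read from the signed assembly; -noname/-noversion
rem make it match every assembly signed with that key.
caspol -m -ag All_Code -strong -file "%ASSEMBLY%" -noname -noversion FullTrust -n "%GROUP_NAME%" -d "%GROUP_DESC%"

rem Switch the prompt back on so later interactive changes are confirmed.
caspol -pp on

rem Verify by name: -ld lists each group's label, name and description.
caspol -m -ld | findstr /c:"%GROUP_NAME%" >nul
if errorlevel 1 (
    echo Code group "%GROUP_NAME%" was NOT found in machine policy.
    exit /b 1
)
echo Code group "%GROUP_NAME%" is present in machine policy.
endlocal
exit /b 0
```

Because only the named group is removed and re-added, existing code groups on the target machine are left as they are, unlike replacing a whole policy level.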

