Re: how to programmatically give assembly loaded from network the same trust as those loaded from local host?

From: Ivan Medvedev [MS] (ivanmed_at_online.microsoft.com)
Date: 06/26/03


Date: Thu, 26 Jun 2003 13:59:53 -0700


JS -
Look at the System.Security.SecurityManager class. It provides APIs for changing
security policy programmatically, and in fact that is what the admin tools
use.
--Ivan

"JS" <someone@somewhere.com> wrote in message
news:OicbqbfODHA.304@tk2msftngp13.phx.gbl...
> I would like to programmatically configure policy.
>
> In the server process, I would like to programmatically give assemblies
> loaded from the network the same trust as those loaded from the local host.
> I know that this is possible by using the .NET admin tools or deploying
> *.msi files. I would like to know other alternatives. Thanks.
>
>
> "Stephen McCloskey [MSFT]" <stemccl@online.microsoft.com> wrote in message
> news:#7h9lYdODHA.1072@TK2MSFTNGP10.phx.gbl...
> > Hello,
> >
> > Would you like to programmatically configure policy on your machine(s) or
> > programmatically allow an assembly to raise its own permissions?
> >
> > You can't programmatically allow an assembly to elevate its own permission
> > grant. If this were possible, it would constitute a serious security
> > weakness, allowing any malicious code the ability to own your machine.
> >
> > You can programmatically configure policy by scripting the caspol.exe
> > tool, or by creating a managed application that manipulates policy. These
> > options require a high degree of trust. Let me know if you need more
> > details on this.
> >
> > You should never give full trust to the local intranet zone when you want
> > to run a single assembly. Instead, do the following:
> >
> > 1) Sign the assembly with a strong name.
> >
> > 2) Create a custom code group that has that strong name as a membership
> > condition.
> >
> > 3) Assign the code group a permission set that has only the permissions
> > that the assembly needs to run and no more.
> >
> > This will allow the assembly to run in any zone without sacrificing the
> > overall security of your box.
> >
> > I hope this helps.
> >
> > Stephen
> >
> > "JS" <someone@somewhere.com> wrote in message
> > news:#Yy50hbODHA.304@tk2msftngp13.phx.gbl...
> > > I have a .net assembly accessing COM service, the .net assembly resides
> > > on network drive. When the assembly is run, I got 'securitypermission'
> > > exception. If in '.net wizard->adjust .net security->adjust the security
> > > level for each zone', I gave 'local intranet' zone 'full trust'; the same
> > > as for 'my computer' zone, then there is no such exception.
> > >
> > > How do I programmatically do so? When I load the assembly (and run the
> > > assembly) in a program, I would like to give this assembly full trust in
> > > this program so that it can access COM service.
> > >
> > > If this assembly is not using COM service, I think that there won't be
> > > such a problem.
> > >
> > > Thanks.
> > >
> > >
> > >
> >
> >
>
>
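
Stephen's three steps carried out through the SecurityManager API that Ivan points to, as an added C# example that is not code from either poster. The names ComInteropOnly and TrustedComCaller and the choice of Execution plus UnmanagedCode as "only what the assembly needs" are assumptions; these CAS policy APIs apply to .NET Framework 1.x through 3.5 and are marked obsolete from 4.0.

```csharp
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Added example. Writing machine policy requires an administrator and a
// highly trusted caller, as the thread notes.
class GrantByStrongName
{
    const string SetName = "ComInteropOnly";      // hypothetical name
    const string GroupName = "TrustedComCaller";  // hypothetical name

    static void Main(string[] args)
    {
        // Step 1 happens at build time; read the public key of the signed assembly.
        AssemblyName an = AssemblyName.GetAssemblyName(args[0]);
        byte[] key = an.GetPublicKey();
        if (key == null || key.Length == 0)
            throw new ArgumentException("Assembly is not strong-name signed.");

        // Locate the machine policy level.
        PolicyLevel machine = null;
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
            if (((PolicyLevel)levels.Current).Label == "Machine")
                machine = (PolicyLevel)levels.Current;
        if (machine == null)
            throw new InvalidOperationException("Machine policy level not found.");
        foreach (CodeGroup g in machine.RootCodeGroup.Children)
            if (g.Name == GroupName) return;  // already installed, do not duplicate

        // Step 3: permission set holding only what the assembly needs.
        // Assumption: Execution plus UnmanagedCode (demanded by COM interop).
        NamedPermissionSet set = new NamedPermissionSet(SetName, PermissionState.None);
        set.AddPermission(new SecurityPermission(
            SecurityPermissionFlag.Execution | SecurityPermissionFlag.UnmanagedCode));
        if (machine.GetNamedPermissionSet(SetName) == null)
            machine.AddNamedPermissionSet(set);

        // Step 2: code group whose membership condition is the strong name
        // (this key and simple name, any version), so the zone no longer matters.
        UnionCodeGroup group = new UnionCodeGroup(
            new StrongNameMembershipCondition(new StrongNamePublicKeyBlob(key), an.Name, null),
            new PolicyStatement(set));
        group.Name = GroupName;
        machine.RootCodeGroup.AddChild(group);
        SecurityManager.SavePolicyLevel(machine);
    }
}
```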


