Re: how to programatically give assembly loaded from network the same trust as those loaded from local host?
From: Ivan Medvedev [MS] (ivanmed_at_online.microsoft.com)
Date: 06/26/03
- In reply to: JS: "Re: how to programatically give assembly loaded from network the same trust as those loaded from local host?"
Date: Thu, 26 Jun 2003 13:59:53 -0700
JS -
Look at the System.Security.SecurityManager class. It provides APIs for changing
security policy programmatically, and in fact that is what the admin tools
use.
--Ivan
"JS" <someone@somewhere.com> wrote in message
news:OicbqbfODHA.304@tk2msftngp13.phx.gbl...
> I would like to programmatically configure policy.
>
> In the server process, I would like to programmatically give assembly loaded
> from network the same trust as those loaded from local host? I know that
> this is possible by using .NET admin tools or deploy *.msi files. I would
> like to know other alternatives. Thanks.
>
>
> "Stephen McCloskey [MSFT]" <stemccl@online.microsoft.com> wrote in message
> news:#7h9lYdODHA.1072@TK2MSFTNGP10.phx.gbl...
> > Hello,
> >
> > Would you like to programmatically configure policy on your machine(s) or
> > programmatically allow an assembly to raise its own permissions?
> >
> > You can't programmatically allow an assembly to elevate its own permission
> > grant. If this were possible, it would constitute a serious security
> > weakness, allowing any malicious code the ability to own your machine.
> >
> > You can programmatically configure policy by scripting the caspol.exe tool,
> > or by creating a managed application that manipulates policy. These options
> > require a high degree of trust. Let me know if you need more details on
> > this.
> >
> > You should never give full trust to the local intranet zone when you want to
> > run a single assembly. Instead, do the following:
> >
> > 1) Sign the assembly with a strong name.
> >
> > 2) Create a custom code group that has that strong name as a membership
> > condition.
> >
> > 3) Assign the code group a permission set that has only the permissions that
> > the assembly needs to run and no more.
> >
> > This will allow the assembly to run in any zone without sacrificing the
> > overall security of your box.
> >
> > I hope this helps.
> >
> > Stephen
> >
> > "JS" <someone@somewhere.com> wrote in message
> > news:#Yy50hbODHA.304@tk2msftngp13.phx.gbl...
> > > I have a .net assembly accessing COM service, the .net assembly resides on
> > > network drive. When the assembly is run, I got 'securitypermission'
> > > exception. If in '.net wizard->adjust .net security->adjust the security
> > > level for each zone', I gave 'local intranet' zone 'full trust'; the same as
> > > for 'my computer' zone, then there is no such exception.
> > >
> > > How do I programmatically do so? When I load the assembly (and run the
> > > assembly) in a program, I would like to give this assembly full trust in this
> > > program so that it can access COM service.
> > >
> > > If this assembly is not using COM service, I think that there won't be such
> > > a problem.
> > >
> > > Thanks.
> > >
> > >
> > >
> >
> >
>
>
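The three steps Stephen lists, carried out through the SecurityManager class Ivan points to, as an added C# example that is not part of the original thread. It assumes a .NET Framework version where CAS policy is in effect and that the assembly needs only Execution and UnmanagedCode (the permission COM interop demands); the names "ComClientOnly" and "ComClientStrongName" are made up for illustration.

```csharp
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Added example. Run it from a fully trusted, administrative context:
// changing machine policy needs ControlPolicy and write access to the policy file.
class GrantByStrongName
{
    static void Main(string[] args)
    {
        if (args.Length != 1)
            throw new ArgumentException("usage: GrantByStrongName <path to signed assembly>");

        // Step 1 happens at build time; here we only read the signed assembly's public key.
        AssemblyName an = AssemblyName.GetAssemblyName(args[0]);
        byte[] key = an.GetPublicKey();
        if (key == null || key.Length == 0)
            throw new InvalidOperationException("Assembly is not strong-name signed.");

        // Locate the Machine policy level in the policy hierarchy.
        PolicyLevel machine = null;
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            if (level.Label == "Machine") { machine = level; break; }
        }
        if (machine == null)
            throw new InvalidOperationException("Machine policy level not found.");

        // Step 3: a permission set with only what the assembly needs (assumed set).
        // UnmanagedCode is a powerful grant; give it only to code you control.
        NamedPermissionSet perms = new NamedPermissionSet("ComClientOnly", PermissionState.None);
        perms.AddPermission(new SecurityPermission(
            SecurityPermissionFlag.Execution | SecurityPermissionFlag.UnmanagedCode));
        machine.AddNamedPermissionSet(perms); // throws if the name already exists

        // Step 2: code group matching the public key and assembly name, any version.
        StrongNameMembershipCondition condition = new StrongNameMembershipCondition(
            new StrongNamePublicKeyBlob(key), an.Name, null);
        UnionCodeGroup group = new UnionCodeGroup(condition, new PolicyStatement(perms));
        group.Name = "ComClientStrongName";

        // Attach the group under the root code group and persist the level.
        CodeGroup root = machine.RootCodeGroup;
        root.AddChild(group);
        machine.RootCodeGroup = root;
        SecurityManager.SavePolicyLevel(machine);
    }
}
```

Because the membership condition is the strong name rather than a zone, the grant follows the assembly to the network share without widening what other intranet code receives.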