Re: .NET Deployment: Minimum Customer Effort

From: Michel Gallant (
Date: 09/11/03

Date: Thu, 11 Sep 2003 12:14:45 -0400

Depending on your target audience, the simplest approach might be
to simply deploy a custom your custom .NET security policy as
msi. This is probably the safest way (from .NET infrastructure point
of view).
Using bat files are prone to hacking etc.. and many enterprises block
them as attachments (but on trusted intranet you have more trust).

Compared to the model for signed Java applet deployment, where the
trust decision was on-the-fly squarely on the users shoulders, the .NET
CAS model relies evidently more on the integrity of a system administrator,
who presumabely can be trusted to deploy CAS updates .. or can they ?? ;-)

 - Michel Gallant
    MVP Security

"Al" <> wrote in message
> I'm new to .NET, performing a trial port of J++ applet based code to
> J# Browser Controls. I wonder if anyone can offer this newbie some
> advice...
> The application accesses a native DLL to interface with proprietary
> hardware via J/Direct.
> It's supplied to customers with two installations - one for the
> server, and one for the client machine. The server has the J# Browser
> Control, the client(s) have a native DLL, SYS and INF files for
> registering and driving the hardware. The server and client may be the
> same machine for 'stand-alone' use.
> OK. For hardware communication to be succeed, I understand the
> assembly needs to be granted FullTrust. I have done this during
> development by setting up an appropriate Code Group using the .NET
> Configuration tool and giving the required permission level based on
> the public key of the assembly. Lovely.
> ***What I want to do is to deploy my application in such a way as to
> require the absolute minimum amount of effort on behalf of my
> customers when installing.***
> With J++ all the user had to do was to click 'Yes' on a trust-based
> security dialog.
> With .NET there are a number of possibilities, all of which seem so
> far require a fair amount of computer literacy: e.g. manual
> configuration, installation of .msi file using MMC, etc. This may not
> be a problem for system administrators but could represent difficulty
> for a 'regular' user.
> I've started to look at writing a batch file that uses Caspol.exe to
> perform all the required security configuration on behalf of the
> customer. Can anyone tell me if I am going the right way?
> e.g. would it be possible to include a batch file as part of the
> client installation that would automatically give my code the
> appropriate permissions? Though presumably someone sometime has to
> agree to the permissions demanded by our code?
> All comments and suggestions would be very welcome...
> Cheers,
> Al.