Re: .NET Deployment: Minimum Customer Effort

From: Michel Gallant (neutron_at_istar.ca)
Date: 09/11/03


Date: Thu, 11 Sep 2003 12:14:45 -0400


Depending on your target audience, the simplest approach might be
to simply deploy your custom .NET security policy as an
msi. This is probably the safest way (from a .NET infrastructure point
of view).
Using bat files is prone to hacking etc., and many enterprises block
them as attachments (but on a trusted intranet you have more trust).

Compared to the model for signed Java applet deployment, where the
trust decision was on-the-fly squarely on the user's shoulders, the .NET
CAS model relies evidently more on the integrity of a system administrator,
who presumably can be trusted to deploy CAS updates .. or can they ?? ;-)

 - Michel Gallant
    MVP Security

"Al" <GlenMatlock999@hotmail.com> wrote in message
news:2ac8f793.0309110801.2b8f865d@posting.google.com...
> I'm new to .NET, performing a trial port of J++ applet based code to
> J# Browser Controls. I wonder if anyone can offer this newbie some
> advice...
>
> The application accesses a native DLL to interface with proprietary
> hardware via J/Direct.
>
> It's supplied to customers with two installations - one for the
> server, and one for the client machine. The server has the J# Browser
> Control, the client(s) have a native DLL, SYS and INF files for
> registering and driving the hardware. The server and client may be the
> same machine for 'stand-alone' use.
>
> OK. For hardware communication to succeed, I understand the
> assembly needs to be granted FullTrust. I have done this during
> development by setting up an appropriate Code Group using the .NET
> Configuration tool and giving the required permission level based on
> the public key of the assembly. Lovely.
>
> ***What I want to do is to deploy my application in such a way as to
> require the absolute minimum amount of effort on behalf of my
> customers when installing.***
>
> With J++ all the user had to do was to click 'Yes' on a trust-based
> security dialog.
>
> With .NET there are a number of possibilities, all of which seem so
> far to require a fair amount of computer literacy: e.g. manual
> configuration, installation of .msi file using MMC, etc. This may not
> be a problem for system administrators but could represent difficulty
> for a 'regular' user.
>
> I've started to look at writing a batch file that uses Caspol.exe to
> perform all the required security configuration on behalf of the
> customer. Can anyone tell me if I am going the right way?
>
> e.g. would it be possible to include a batch file as part of the
> client installation that would automatically give my code the
> appropriate permissions? Though presumably someone sometime has to
> agree to the permissions demanded by our code?
>
> All comments and suggestions would be very welcome...
>
> Cheers,
> Al.


