Re: assign permission set
From: Shel Blauman [MSFT] (sheldonb_at_online.microsoft.com)
Date: 09/18/03
Date: Thu, 18 Sep 2003 09:21:10 -0700
We discourage directly modifying the config files. Although it can modify
policy it does so at some risk. If an msi install will work for you, the
link I pointed you to as our recommended means of distributing policy
provides a simple scenario for creating and deploying using msi files:
How do I distribute the policy deployment package across my enterprise?
The .NET Framework Configuration tool generates a Microsoft installer
package file (.msi) that contains the installation directions and the
content of a policy level. See question two for information on creating an
.msi file. The .msi file is self-contained, and can be invoked in many
different ways. This leaves you with many deployment options; however, the
easiest way to get an .msi file installed across your enterprise is by using
Group Policy.
Follow these steps to distribute the deployment package:

1. Start the Group Policy Editor.
   a) From the Start menu, choose Run.
   b) In the Open box, type "MMC.EXE" and click Enter.
   c) On the File menu, select the Add/Remove Snap-in option.
   d) Click Add.
   e) Select the Group Policy option, and click Add.
   f) Click Close, and in the Add/Remove Snap-in window, click OK.
2. Select the Group Policy object containing the machines you wish the
   policy file to propagate to.
3. Drag-and-drop the .msi file onto the network node that represents the
   deployment scope for the policy change.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Leon Jollans" <Leon.JollansREMOVE__THIS@xaman.com> wrote in message
news:uJJnMPefDHA.556@TK2MSFTNGP11.phx.gbl...
> I did this last night and it seems to work, if a bit heavy handed...
>
> public static void SetTrust()
> {
>     if(MessageBox.Show(
>         "open up intranet zone security?",
>         ".NET Network security",
>         MessageBoxButtons.YesNo,
>         MessageBoxIcon.Question,
>         MessageBoxDefaultButton.Button2
>     ) == DialogResult.Yes){
>         XmlDocument d = new XmlDocument();
>         d.Load( FileName );
>         XmlNodeList list = d.GetElementsByTagName("CodeGroup");
>         bool updated = false;
>         foreach(XmlNode node in list){
>             if(node.Attributes["Name"].Value.Equals("LocalIntranet_Zone")){
>                 node.Attributes["PermissionSetName"].Value = "FullTrust";
>                 updated=true;
>             }
>         }
>         if(updated){
>             d.Save( FileName );
>             MessageBox.Show("Policy update success","Intranet Installer");
>         }else{
>             MessageBox.Show("Policy update failure - contact support","Xaman Intranet Installer");
>         }
>     }
> }
>
> where FileName is Environment.GetEnvironmentVariable("windir") +
> "/Microsoft.NET/...etc.../security.config"
>
> I think, though I might not be correct, that this bypasses the need for the
> user to be an administrator to execute, FileIOPermission should be all that
> is required, no?
>
> I have been trying to get this to run in an installer, but to no avail yet.
> I will look at setting up a custom CodeGroup for version 2, however this is
> all new to me and I have a deadline! Thanks for this anyway.
>
> Also, Robert may, in another thread suggested I look at this:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnforms/html/winforms11122002.asp
> which seems to explain running the code in an MSI
>
> Thanks for your responses guys.
>
> Leon
>
>
> "Shel Blauman [MSFT]" <sheldonb@online.microsoft.com> wrote in message
> news:eo1PbOXfDHA.3248@tk2msftngp13.phx.gbl...
> > You can, but that isn't the recommended way to distribute policy. Take a
> > look at
> > http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/entsecpoladmin.asp
> > for advice on .NET Framework Enterprise Security Policy Administration and
> > Deployment.
> >
> > However, if you must change policy programmatically, the following sample
> > code shows how to programmatically replace the trusted zone code group.
> > You'll need to modify it to use the permission set you wish to grant to the
> > trusted zone. Please note, granting the trusted zone fulltrust can create
> > serious security vulnerabilities and is not recommended. It would be a much
> > better idea to create a custom permission set which grants only the
> > permissions the trusted applications require.
> >
> > Shel
> >
> >
> > // This sample demonstrates the setting of code access permissions
> > // programmatically.
> > // This particular version replaces the Trusted_Zone code group with a new
> > // Trusted_Zone code group that gives Internet permissions to the trusted
> > // zone. This is the same permission set the Trusted_Zone would have been
> > // originally granted. You can replace the permission set the sample uses
> > // with any of the default permission sets or with a custom permission set.
> > // Please note, the child code group, Trusted_Same_Site_Access Code Group
> > // is not carried over in this sample. Retaining the
> > // Trusted_Same_Site_Access Code Group is left as a user exercise. Hint, add
> > // the child code group to your new trusted zone code group before adding it
> > // to the root code group.
> >
> > using System;
> > using System.Collections;
> > using System.Security;
> > using System.Security.Policy;
> > using System.Security.Permissions;
> >
> > class SecurityManagerSample
> > {
> >     static void Main()
> >     {
> >         // Move through the policy levels looking for the Machine level.
> >         // Replace the Trusted_Zone code group at that level.
> >         IEnumerator policyEnumerator = SecurityManager.PolicyHierarchy();
> >         while(policyEnumerator.MoveNext())
> >         {
> >             // At the Machine level delete the already existing copy of the
> >             // code group, then create the new code group.
> >             PolicyLevel currentLevel = (PolicyLevel)policyEnumerator.Current;
> >             if (currentLevel.Label == "Machine")
> >             {
> >                 IEnumerator iEnum = currentLevel.RootCodeGroup.Children.GetEnumerator();
> >                 while(iEnum.MoveNext())
> >                 {
> >                     Console.WriteLine(((CodeGroup)iEnum.Current).Name);
> >                     if (((CodeGroup)iEnum.Current).Name == "Trusted_Zone")
> >                     {
> >                         CodeGroup oldCodeGroup = (CodeGroup)iEnum.Current;
> >                         NamedPermissionSet newPermSet = new NamedPermissionSet("Internet");
> >
> >                         PolicyStatement newPolicy = new PolicyStatement(newPermSet,PolicyStatementAttribute.LevelFinal);
> >
> >                         // Create new CodeGroups using UnionCodeGroup.
> >                         CodeGroup myTrusted = new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.Trusted), newPolicy);
> >                         myTrusted.Name = "Trusted_Zone";
> >
> >                         currentLevel.RootCodeGroup.RemoveChild(oldCodeGroup);
> >                         currentLevel.RootCodeGroup.AddChild(myTrusted);
> >                         SecurityManager.SavePolicy();
> >                     }
> >                 }
> >             }
> >         }
> >     }
> > }
> >
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of included script samples are subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> >
> >
> > "Leon Jollans" <Leon.JollansREMOVE__THIS@xaman.com> wrote in message
> > news:enyVDMSfDHA.908@tk2msftngp13.phx.gbl...
> > > Hi,
> > > can I configure the Trusted Zone to run with FullTrust for the machine in
> > > code from an application operating in the local machine context, and hence
> > > with full trust privileges?
> > >
> > > Cheers,
> > > Leon
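
Added example (not part of the original thread, and not Microsoft's or the poster's code): a defensive check that reads a security.config file and reports code groups whose PermissionSetName has been widened, which is the change the quoted SetTrust() method makes. The baseline table, the FullTrust allow-list and the sample XML are assumptions constructed for this example; only the CodeGroup element and its Name and PermissionSetName attributes come from the thread.

```python
import xml.etree.ElementTree as ET

# Expected grant per code group. Trusted_Zone -> Internet is stated in the
# thread; the LocalIntranet_Zone entry is an assumption of this example.
BASELINE = {"Trusted_Zone": "Internet", "LocalIntranet_Zone": "LocalIntranet"}
# Groups permitted to hold FullTrust (assumption of this example).
FULLTRUST_ALLOWED = {"My_Computer_Zone"}

# Constructed sample, reduced to the element and attributes the thread's code
# reads, in the state SetTrust() leaves the file.
SAMPLE = """\
<PolicyLevel>
  <CodeGroup Name="All_Code" PermissionSetName="Nothing">
    <CodeGroup Name="My_Computer_Zone" PermissionSetName="FullTrust"/>
    <CodeGroup Name="LocalIntranet_Zone" PermissionSetName="FullTrust"/>
    <CodeGroup Name="Trusted_Zone" PermissionSetName="Internet">
      <CodeGroup Name="Trusted_Same_Site_Access"/>
    </CodeGroup>
  </CodeGroup>
</PolicyLevel>
"""

def walk(nodes, path=()):
    """Yield (name_path_tuple, permission_set_name) for every CodeGroup."""
    for node in nodes:
        here = path
        if node.tag == "CodeGroup":
            here = path + (node.get("Name", "<unnamed>"),)
            # PermissionSetName may be absent; .get() then returns None.
            yield here, node.get("PermissionSetName")
        # Iterating an Element yields its children, so nesting is preserved.
        yield from walk(node, here)

def audit(xml_text):
    """Return (severity, group_path, granted, expected) for each deviation."""
    findings = []
    for here, granted in walk([ET.fromstring(xml_text)]):
        name, expected = here[-1], BASELINE.get(here[-1])
        if granted == "FullTrust" and name not in FULLTRUST_ALLOWED:
            findings.append(("HIGH", "/".join(here), granted, expected))
        elif expected is not None and granted != expected:
            findings.append(("REVIEW", "/".join(here), granted, expected))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

The check matches groups by name only, so it detects the edit discussed here but not a renamed or newly added group with a different name and a lesser grant.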