Re: assign permission set

From: Michel Gallant (neutron_at_istar.ca)
Date: 09/18/03


Date: Thu, 18 Sep 2003 12:40:48 -0400


Isn't there a requirement on what version of Microsoft Installer itself is
available on the client?
 - Mitch Gallant

"Shel Blauman [MSFT]" <sheldonb@online.microsoft.com> wrote in message
news:ORn6gDgfDHA.2328@TK2MSFTNGP09.phx.gbl...
> We discourage directly modifying the config files. Although it can modify
> policy it does so at some risk. If an msi install will work for you, the
> link I pointed you to as our recommended means of distributing policy
> provides a simple scenario for creating and deploying using msi files:
>
> How do I distribute the policy deployment package across my enterprise?
> The .NET Framework Configuration tool generates a Microsoft installer
> package file (.msi) that contains the installation directions and the
> content of a policy level. See question two for information on creating an
> .msi file. The .msi file is self-contained, and can be invoked in many
> different ways. This leaves you with many deployment options; however, the
> easiest way to get an .msi file installed across your enterprise is by using
> Group Policy.
>
> Follow these steps to distribute the deployment package:
>
> 1. Start the Group Policy Editor.
>    a) From the Start menu, choose Run.
>    b) In the Open box, type "MMC.EXE" and click Enter.
>    c) On the File menu, select the Add/Remove Snap-in option.
>    d) Click Add.
>    e) Select the Group Policy option, and click Add.
>    f) Click Close, and in the Add/Remove Snap-in window, click OK.
> 2. Select the Group Policy object containing the machines you wish the
>    policy file to propagate to.
> 3. Drag-and-drop the .msi file onto the network node that represents the
>    deployment scope for the policy change.
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
> "Leon Jollans" <Leon.JollansREMOVE__THIS@xaman.com> wrote in message
> news:uJJnMPefDHA.556@TK2MSFTNGP11.phx.gbl...
> > I did this last night and it seems to work, if a bit heavy handed...
> >
> > // Needs: using System; using System.Xml; using System.Windows.Forms;
> > public static void SetTrust()
> > {
> >     if(MessageBox.Show(
> >             "open up intranet zone security?",
> >             ".NET Network security",
> >             MessageBoxButtons.YesNo,
> >             MessageBoxIcon.Question,
> >             MessageBoxDefaultButton.Button2
> >         ) == DialogResult.Yes){
> >         XmlDocument d = new XmlDocument();
> >         d.Load( FileName );
> >         XmlNodeList list = d.GetElementsByTagName("CodeGroup");
> >         bool updated = false;
> >         foreach(XmlNode node in list){
> >             // Point the LocalIntranet_Zone code group at the FullTrust permission set.
> >             if(node.Attributes["Name"].Value.Equals("LocalIntranet_Zone")){
> >                 node.Attributes["PermissionSetName"].Value = "FullTrust";
> >                 updated=true;
> >             }
> >         }
> >         if(updated){
> >             d.Save( FileName );
> >             MessageBox.Show("Policy update success","Intranet Installer");
> >         }else{
> >             MessageBox.Show("Policy update failure - contact support","Xaman Intranet Installer");
> >         }
> >     }
> > }
> >
> > where FileName is Environment.GetEnvironmentVariable("windir") +
> > "/Microsoft.NET/...etc.../security.config"
> >
> > I think, though I might not be correct, that this bypasses the need for the
> > user to be an administrator to execute, FileIOPermission should be all that
> > is required, no?
> >
> > I have been trying to get this to run in an installer, but to no avail yet.
> > I will look at setting up a custom CodeGroup for version 2, however this is
> > all new to me and I have a deadline! Thanks for this anyway.
> >
> > Also, Robert may, in another thread suggested I look at this:
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnforms/html/winforms11122002.asp
> > which seems to explain running the code in an MSI
> >
> > Thanks for your responses guys.
> >
> > Leon
> >
> >
> > "Shel Blauman [MSFT]" <sheldonb@online.microsoft.com> wrote in message
> > news:eo1PbOXfDHA.3248@tk2msftngp13.phx.gbl...
> > > You can, but that isn't the recommended way to distribute policy. Take a
> > > look at
> > > http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/entsecpoladmin.asp
> > > for advice on .NET Framework Enterprise Security Policy Administration and
> > > Deployment.
> > >
> > > However, if you must change policy programmatically, the following sample
> > > code shows how to programmatically replace the trusted zone code group.
> > > You'll need to modify it to use the permission set you wish to grant to the
> > > trusted zone. Please note, granting the trusted zone fulltrust can create
> > > serious security vulnerabilities and is not recommended. It would be a much
> > > better idea to create a custom permission set which grants only the
> > > permissions the trusted applications require.
> > >
> > > Shel
> > >
> > >
> > > // This sample demonstrates the setting of code access permissions programmatically.
> > > // This particular version replaces the Trusted_Zone code group with a new Trusted_Zone
> > > // code group that gives Internet permissions to the trusted zone. This is the same permission
> > > // set the Trusted_Zone would have been originally granted. You can replace the
> > > // permission set the sample uses with any of the default permission sets or with a custom
> > > // permission set. Please note, the child code group, Trusted_Same_Site_Access Code Group
> > > // is not carried over in this sample. Retaining the Trusted_Same_Site_Access Code Group
> > > // is left as a user exercise. Hint, add the child code group to your new trusted zone
> > > // code group before adding it to the root code group.
> > >
> > > using System;
> > > using System.Collections;
> > > using System.Security;
> > > using System.Security.Policy;
> > > using System.Security.Permissions;
> > >
> > > class SecurityManagerSample
> > > {
> > >     static void Main()
> > >     {
> > >         // Move through the policy levels looking for the Machine level.
> > >         // Create three new code groups at that level.
> > >         IEnumerator policyEnumerator = SecurityManager.PolicyHierarchy();
> > >         while(policyEnumerator.MoveNext())
> > >         {
> > >             // At the Machine level delete already existing copies of the custom code groups,
> > >             // then create the new code groups.
> > >             PolicyLevel currentLevel = (PolicyLevel)policyEnumerator.Current;
> > >             if (currentLevel.Label == "Machine")
> > >             {
> > >                 IEnumerator iEnum = currentLevel.RootCodeGroup.Children.GetEnumerator();
> > >                 while(iEnum.MoveNext())
> > >                 {
> > >                     Console.WriteLine(((CodeGroup)iEnum.Current).Name);
> > >                     if (((CodeGroup)iEnum.Current).Name == "Trusted_Zone")
> > >                     {
> > >                         CodeGroup oldCodeGroup = (CodeGroup)iEnum.Current;
> > >                         NamedPermissionSet newPermSet = new NamedPermissionSet("Internet");
> > >
> > >                         PolicyStatement newPolicy = new PolicyStatement(newPermSet,PolicyStatementAttribute.LevelFinal);
> > >
> > >                         // Create new CodeGroups using UnionCodeGroup.
> > >                         CodeGroup myTrusted = new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.Trusted), newPolicy);
> > >                         myTrusted.Name = "Trusted_Zone";
> > >
> > >                         currentLevel.RootCodeGroup.RemoveChild(oldCodeGroup);
> > >                         currentLevel.RootCodeGroup.AddChild(myTrusted);
> > >                         SecurityManager.SavePolicy();
> > >                     }
> > >                 }
> > >             }
> > >         }
> > >     }
> > > }
> > >
> > >
> > > --
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > Use of included script samples are subject to the terms specified at
> > > http://www.microsoft.com/info/cpyright.htm
> > >
> > >
> > > "Leon Jollans" <Leon.JollansREMOVE__THIS@xaman.com> wrote in message
> > > news:enyVDMSfDHA.908@tk2msftngp13.phx.gbl...
> > > > Hi,
> > > > can I configure the Trusted Zone to run with FullTrust for the machine in
> > > > code from an application operating in the local machine context, and hence
> > > > with full trust privileges?
> > > >
> > > > Cheers,
> > > > Leon
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
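
Added example, not written by any poster in this thread: one way to follow the advice quoted above to use a custom permission set instead of FullTrust, while keeping the child code group that the quoted sample leaves as an exercise. The set name `TrustedAppsMinimal` and the three permissions chosen are assumptions for illustration; substitute what the trusted applications actually require.

```csharp
using System;
using System.Collections;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class TrustedZoneLeastPrivilege
{
    const string SetName = "TrustedAppsMinimal";   // hypothetical set name
    static void Main()
    {
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            if (level.Label != "Machine") continue;

            // Start from no permissions and add only what the apps need (assumed list).
            NamedPermissionSet minimal = new NamedPermissionSet(SetName, PermissionState.None);
            minimal.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
            minimal.AddPermission(new UIPermission(UIPermissionWindow.SafeTopLevelWindows,
                                                   UIPermissionClipboard.OwnClipboard));
            minimal.AddPermission(new FileDialogPermission(FileDialogPermissionAccess.Open));

            // Register the set at this level, or refresh it when the tool is re-run.
            if (level.GetNamedPermissionSet(SetName) == null)
                level.AddNamedPermissionSet(minimal);
            else
                level.ChangeNamedPermissionSet(SetName, minimal);

            CodeGroup root = level.RootCodeGroup;
            foreach (CodeGroup old in root.Children)
            {
                if (old.Name != "Trusted_Zone") continue;
                CodeGroup replacement = new UnionCodeGroup(
                    new ZoneMembershipCondition(SecurityZone.Trusted),
                    new PolicyStatement(minimal));
                replacement.Name = old.Name;
                // Carry over existing children such as Trusted_Same_Site_Access.
                foreach (CodeGroup child in old.Children)
                    replacement.AddChild(child);
                root.RemoveChild(old);
                root.AddChild(replacement);
                level.RootCodeGroup = root;          // write the modified tree back
                SecurityManager.SavePolicyLevel(level);
                break;                               // stop before touching the list again
            }
        }
    }
}
```

Saving the Machine level writes the machine-wide policy file, so this has to run from an account with write access to it.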