Re: assign permission set

From: Shel Blauman [MSFT] (sheldonb_at_online.microsoft.com)
Date: 09/18/03


Date: Thu, 18 Sep 2003 10:37:38 -0700


Sorry, the installer is a bit outside my area. Here's a listing of the
installer versions:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/instmsi_exe.asp

My guess would be it is upwards compatible, but that's purely a guess. The
overview of the installer is at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/windows_installer_start_page.asp

From there you can jump off into the documentation, which is prolific. Looks
like it's pretty easy to upgrade the installer, so hopefully compatibility
isn't an issue.

Shel

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Michel Gallant" <neutron@istar.ca> wrote in message
news:%23CHonOgfDHA.2248@TK2MSFTNGP09.phx.gbl...
> Isn't there a requirement on what version of Microsoft Installer itself is
> available on the client?
>  - Mitch Gallant
>
> "Shel Blauman [MSFT]" <sheldonb@online.microsoft.com> wrote in message
> news:ORn6gDgfDHA.2328@TK2MSFTNGP09.phx.gbl...
> > We discourage directly modifying the config files. Although it can modify
> > policy it does so at some risk.  If an msi install will work for you, the
> > link I pointed you to as our recommended means of distributing policy
> > provides a simple scenario for creating and deploying using msi files:
> >
> > How do I distribute the policy deployment package across my enterprise?
> > The .NET Framework Configuration tool generates a Microsoft installer
> > package file (.msi) that contains the installation directions and the
> > content of a policy level. See question two for information on creating
> > an .msi file. The .msi file is self-contained, and can be invoked in many
> > different ways. This leaves you with many deployment options; however,
> > the easiest way to get an .msi file installed across your enterprise is
> > by using Group Policy.
> >
> > Follow these steps to distribute the deployment package:
> >
> >   1. Start the Group Policy Editor.
> >      a) From the Start menu, choose Run.
> >      b) In the Open box, type "MMC.EXE" and click Enter.
> >      c) On the File menu, select the Add/Remove Snap-in option.
> >      d) Click Add.
> >      e) Select the Group Policy option, and click Add.
> >      f) Click Close, and in the Add/Remove Snap-in window, click OK.
> >   2. Select the Group Policy object containing the machines you wish the
> >      policy file to propagate to.
> >   3. Drag-and-drop the .msi file onto the network node that represents the
> >      deployment scope for the policy change.
> >
> > "Leon Jollans" <Leon.JollansREMOVE__THIS@xaman.com> wrote in message
> > news:uJJnMPefDHA.556@TK2MSFTNGP11.phx.gbl...
> > > I did this last night and it seems to work, if a bit heavy handed...
> > >
> > > // Needs: using System.Windows.Forms; using System.Xml;
> > > public static void SetTrust()
> > > {
> > >     if(MessageBox.Show(
> > >         "open up intranet zone security?",
> > >         ".NET Network security",
> > >         MessageBoxButtons.YesNo,
> > >         MessageBoxIcon.Question,
> > >         MessageBoxDefaultButton.Button2
> > >         ) == DialogResult.Yes){
> > >         XmlDocument d = new XmlDocument();
> > >         d.Load( FileName );
> > >         XmlNodeList list = d.GetElementsByTagName("CodeGroup");
> > >         bool updated = false;
> > >         foreach(XmlNode node in list){
> > >             // A code group can be unnamed, so Name may be absent.
> > >             XmlAttribute name = node.Attributes["Name"];
> > >             if(name != null && name.Value.Equals("LocalIntranet_Zone")){
> > >                 node.Attributes["PermissionSetName"].Value = "FullTrust";
> > >                 updated=true;
> > >             }
> > >         }
> > >         if(updated){
> > >             d.Save( FileName );
> > >             MessageBox.Show("Policy update success","Intranet Installer");
> > >         }else{
> > >             MessageBox.Show("Policy update failure - contact support",
> > >                 "Xaman Intranet Installer");
> > >         }
> > >     }
> > > }
> > >
> > > where FileName is Environment.GetEnvironmentVariable("windir") +
> > > "/Microsoft.NET/...etc.../security.config"
> > >
> > > I think, though I might not be correct, that this bypasses the need for
> > > the user to be an administrator to execute, FileIOPermission should be
> > > all that is required, no?
> > >
> > > I have been trying to get this to run in an installer, but to no avail
> > > yet. I will look at setting up a custom CodeGroup for version 2, however
> > > this is all new to me and I have a deadline! Thanks for this anyway.
> > >
> > > Also, Robert may, in another thread suggested I look at this:
> > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnforms/html/winforms11122002.asp
> > > which seems to explain running the code in an MSI
> > >
> > > Thanks for your responses guys.
> > >
> > > Leon
> > >
> > >
> > > "Shel Blauman [MSFT]" <sheldonb@online.microsoft.com> wrote in message
> > > news:eo1PbOXfDHA.3248@tk2msftngp13.phx.gbl...
> > > > You can, but that isn't the recommended way to distribute policy.
> > > > Take a look at
> > > > http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/entsecpoladmin.asp
> > > > for advice on .NET Framework Enterprise Security Policy Administration
> > > > and Deployment.
> > > >
> > > > However, if you must change policy programmatically, the following
> > > > sample code shows how to programmatically replace the trusted zone code
> > > > group. You'll need to modify it to use the permission set you wish to
> > > > grant to the trusted zone.  Please note, granting the trusted zone
> > > > fulltrust can create serious security vulnerabilities and is not
> > > > recommended.  It would be a much better idea to create a custom
> > > > permission set which grants only the permissions the trusted
> > > > applications require.
> > > >
> > > > Shel
> > > >
> > > >
> > > > // This sample demonstrates the setting of code access permissions
> > > > // programmatically.
> > > > // This particular version replaces the Trusted_Zone code group with a
> > > > // new Trusted_Zone code group that gives Internet permissions to the
> > > > // trusted zone.  This is the same permission set the Trusted_Zone would
> > > > // have been originally granted.  You can replace the permission set the
> > > > // sample uses with any of the default permission sets or with a custom
> > > > // permission set.  Please note, the child code group,
> > > > // Trusted_Same_Site_Access Code Group, is not carried over in this
> > > > // sample.  Retaining the Trusted_Same_Site_Access Code Group is left as
> > > > // a user exercise.  Hint, add the child code group to your new trusted
> > > > // zone code group before adding it to the root code group.
> > > >
> > > > using System;
> > > > using System.Collections;
> > > > using System.Security;
> > > > using System.Security.Policy;
> > > > using System.Security.Permissions;
> > > >
> > > > class SecurityManagerSample
> > > > {
> > > >     static void Main()
> > > >     {
> > > >         // Move through the policy levels looking for the Machine level.
> > > >         IEnumerator policyEnumerator = SecurityManager.PolicyHierarchy();
> > > >         while(policyEnumerator.MoveNext())
> > > >         {
> > > >             // At the Machine level, replace the existing Trusted_Zone
> > > >             // code group with a new one.
> > > >             PolicyLevel currentLevel = (PolicyLevel)policyEnumerator.Current;
> > > >             if (currentLevel.Label == "Machine")
> > > >             {
> > > >                 IEnumerator iEnum =
> > > >                     currentLevel.RootCodeGroup.Children.GetEnumerator();
> > > >                 while(iEnum.MoveNext())
> > > >                 {
> > > >                     Console.WriteLine(((CodeGroup)iEnum.Current).Name);
> > > >                     if (((CodeGroup)iEnum.Current).Name == "Trusted_Zone")
> > > >                     {
> > > >                         CodeGroup oldCodeGroup = (CodeGroup)iEnum.Current;
> > > >                         // Fetch the level's own "Internet" permission set.
> > > >                         // new NamedPermissionSet("Internet") would only
> > > >                         // create a new set with that name, not the
> > > >                         // built-in Internet grant.
> > > >                         NamedPermissionSet newPermSet =
> > > >                             currentLevel.GetNamedPermissionSet("Internet");
> > > >
> > > >                         PolicyStatement newPolicy = new PolicyStatement(
> > > >                             newPermSet, PolicyStatementAttribute.LevelFinal);
> > > >
> > > >                         // Create new CodeGroups using UnionCodeGroup.
> > > >                         CodeGroup myTrusted = new UnionCodeGroup(
> > > >                             new ZoneMembershipCondition(SecurityZone.Trusted),
> > > >                             newPolicy);
> > > >                         myTrusted.Name = "Trusted_Zone";
> > > >
> > > >                         currentLevel.RootCodeGroup.RemoveChild(oldCodeGroup);
> > > >                         currentLevel.RootCodeGroup.AddChild(myTrusted);
> > > >                         SecurityManager.SavePolicy();
> > > >                     }
> > > >                 }
> > > >             }
> > > >         }
> > > >     }
> > > > }
> > > >
> > > >
> > > >
> > > >
> > > > "Leon Jollans" <Leon.JollansREMOVE__THIS@xaman.com> wrote in message
> > > > news:enyVDMSfDHA.908@tk2msftngp13.phx.gbl...
> > > > > Hi,
> > > > > can I configure the Trusted Zone to run with FullTrust for the
> > > > > machine in code from an application operating in the local machine
> > > > > context, and hence with full trust privileges?
> > > > >
> > > > > Cheers,
> > > > > Leon
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
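
The custom permission set recommended in the thread in place of FullTrust, as an added example that is not part of any poster's message or Microsoft's sample. The set name `Example_TrustedApp`, the folder `C:\ExampleApp\Data` and the three permissions chosen are assumptions about what a trusted application needs; the Trusted_Zone children are carried over as the sample's hint suggests.

```csharp
// Added example (not from the thread). SetName and DataDir are hypothetical.
using System.Collections;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class LeastPrivilegeTrustedZone
{
    const string SetName = "Example_TrustedApp";   // assumed permission set name
    const string DataDir = @"C:\ExampleApp\Data";  // assumed application data folder

    static void Main()
    {
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            if (level.Label != "Machine") continue;

            // Start from an empty set and add only what the application needs.
            NamedPermissionSet permSet = new NamedPermissionSet(SetName, PermissionState.None);
            permSet.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
            permSet.AddPermission(new UIPermission(PermissionState.Unrestricted));
            permSet.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, DataDir));

            // Register the set, or update it if an earlier run already added it.
            if (level.GetNamedPermissionSet(SetName) == null)
                level.AddNamedPermissionSet(permSet);
            else
                level.ChangeNamedPermissionSet(SetName, permSet);

            // Replace Trusted_Zone but keep its children, such as
            // Trusted_Same_Site_Access, which the thread's sample drops.
            foreach (CodeGroup zoneGroup in level.RootCodeGroup.Children)
            {
                if (zoneGroup.Name != "Trusted_Zone") continue;
                CodeGroup replacement = new UnionCodeGroup(
                    new ZoneMembershipCondition(SecurityZone.Trusted),
                    new PolicyStatement(permSet));
                replacement.Name = zoneGroup.Name;
                replacement.Description = zoneGroup.Description;
                foreach (CodeGroup child in zoneGroup.Children)
                    replacement.AddChild(child);
                level.RootCodeGroup.RemoveChild(zoneGroup);
                level.RootCodeGroup.AddChild(replacement);
            }
            SecurityManager.SavePolicyLevel(level);
        }
    }
}
```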