Re: Can this be done by Group Policy?

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 06/11/04


Date: Fri, 11 Jun 2004 11:41:43 -0500

For a lab environment, this is probably fine. Generally, I consider this
recommendation in the context of a large organization in a production
setting. In that situation, it is not a good idea.

If you wanted to continue to provide some CAS security to local intranet,
you might be able to do something clever with a URL membership condition
pointing to specific directories to make Full Trust, but that might not be
worth it to try to figure out how.

Anyway, hopefully my original GPO/msi suggestion was helpful.

Joe K.

"Michael A. Covington" <look@www.covingtoninnovations.com.for.address> wrote
in message news:edO9nc4TEHA.1656@TK2MSFTNGP09.phx.gbl...
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:uv7ToM2TEHA.2408@tk2msftngp13.phx.gbl...
> > You can use the .NET Configuration MMC to create a deployment package msi
> > file that you can use to deploy .NET CAS policy settings. This can be
> > distributed via GPO.
> >
> > However, setting LocalIntranet to Full Trust is a very bad idea and is not
> > the recommended approach. A better approach would be to sign the assembly
> > requiring the elevated permissions with a strong name key and create a
> > policy based on that strong name key to distribute to the workstations.
> > That way, you control access to the key and don't give out higher
> > permissions than necessary. It is also a good idea to not use Full Trust
> > unless you absolutely need to.
> >
> > Giving Full Trust to LocalIntranet will mean that ANY .NET application
> > running from a network share including viruses and other types of malicious
> > code will be able to execute with Full Trust, thus defeating an important
> > security measure.
> >
> > Joe K.
>
> But we are not just talking about one or two pre-existing .NET assemblies.
> We have a student lab with roaming user profiles. Users' My Document
> folders are on the network server. We have found that users cannot create
> and run projects with Visual Studio in their own My Documents folders unless
> we set Local Intranet to Full Trust. Is there a better way? Medium Trust
> is not sufficient.
>
> By "student lab" I mean a lab open to about 40 carefully selected graduate
> students -- not open to random visitors.
>
>
>
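
The policy options discussed in this thread, written out as caspol.exe commands run from PowerShell. This is an added example, not part of the original posts. The .NET Framework 1.1 install path, the default code group name LocalIntranet_Zone, the share \\labserver\users and the file C:\build\LabTool.dll are assumptions or placeholders.

```powershell
# Added example. Assumptions: .NET Framework 1.1 path, the default machine-level
# code group name LocalIntranet_Zone, and the placeholder names
# \\labserver\users and C:\build\LabTool.dll.
$caspol = Join-Path $env:windir 'Microsoft.NET\Framework\v1.1.4322\caspol.exe'

# Inspect the current machine-level code groups before changing anything.
& $caspol -machine -listgroups

# BROAD (the setting the thread warns about): every assembly loaded from the
# intranet zone, from any share, receives FullTrust. Left commented out.
# & $caspol -quiet -machine -chggroup LocalIntranet_Zone FullTrust

# NARROWER, option 1: strong name membership condition. Only assemblies signed
# with the same key as LabTool.dll receive FullTrust, whatever their name or
# version (-noname -noversion).
& $caspol -quiet -machine -addgroup LocalIntranet_Zone `
    -strong -file 'C:\build\LabTool.dll' -noname -noversion FullTrust `
    -name 'Lab_SignedTools' `
    -description 'FullTrust for assemblies signed with the lab key'

# NARROWER, option 2: URL membership condition. Only code under one server
# path receives FullTrust; the rest of the intranet zone keeps its default
# permission set.
& $caspol -quiet -machine -addgroup LocalIntranet_Zone `
    -url '\\labserver\users\*' FullTrust `
    -name 'Lab_UserProjects' `
    -description 'FullTrust for student project folders only'

# Verify: list the code groups a given assembly actually matches.
& $caspol -resolvegroup '\\labserver\users\student1\Project\bin\Debug\App.exe'
```

Run one of the two narrower options, not both, on a reference machine and confirm the result with -resolvegroup before packaging the policy for distribution.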


