Re: Can an Assert issued following a Deny override it?

From: Shawn Farkas (shawnfa_at_online.microsoft.com)
Date: 08/30/04


Date: Mon, 30 Aug 2004 20:46:39 GMT

Probably the easiest way to edit existing permission sets is to use the .NET Configuration Wizards from your control panel. If you expand Runtime Security Policy \ Machine you'll be able to edit the code groups and permission sets using a GUI instead of trying to figure out that confusing caspol command line :-)

-Shawn
http://blogs.msdn.com/shawnfa

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Note:  For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they 
originated.  
--------------------
>From: Novice <6tc1ATqlinkDOTqueensuDOTca>
>Subject: Re: Can an Assert issued following a Deny override it?
>Date: Thu, 26 Aug 2004 09:33:04 -0700
>Newsgroups: microsoft.public.dotnet.security
>
>Well... I was able to translate his instructions as far as:
>caspol -ag myStronglyNamedAssembly
>
>But I don't know how to tell caspol that all assemblies with a particular 
>strong name belong to a code group.
>
>On a related note - how do I add unrestricted file access to my intranet or 
>internet permission sets or do I have to do this to the code groups?
>
>I have tried manually editing the security config files - but the behavior 
>of trying to run .net applications in my browser didn't change.
>
>Thanks,
>Novice
>
>"Nicole Calinoiu" wrote:
>
>> Is Shawn's description detailed enough, or do you need step-by-step 
>> instructions?
>> 
>> 
>> "Novice" <6tc1ATqlinkDOTqueensuDOTca> wrote in message 
>> news:5D859B29-AA57-4194-AC85-9B3779617C87@microsoft.com...
>> > Actually I know of those tools:
>> > caspol and
>> > mscorcfg.msc
>> >
>> > But what I would like to know is how to specifically restrict an 
>> > assembly's
>> > ability to use the Assert method.
>> >
>> > I have used the above tools to do some basic security configuration 
>> > things -
>> > but I don't know how to specifically restrict an assembly's ability to use
>> > the Assert method.
>> >
>> > Thanks,
>> > Novice
>> >
>> > "Nicole Calinoiu" wrote:
>> >
>> >> Permission to assert is granted via the Assertion flag on
>> >> SecurityPermission.  It can be denied via policy as you would any other
>> >> permission/sub-permission (e.g.: caspol.exe, .NET Framework Configuration
>> >> manager, policy deployment package).
>> >>
>> >> HTH,
>> >> Nicole
>> >>
>> >>
>> >> "Novice" <6tc1ATqlinkDOTqueensuDOTca> wrote in message
>> >> news:A5D876B3-5AF5-4B84-943B-A6BF67C6E54E@microsoft.com...
>> >> >I have tried this and it is the case, that a fully trusted assembly can 
>> >> >use
>> >> > an assert after a fully trusted assembly (higher up in the call stack) 
>> >> > has
>> >> > issued a Deny on a particular permission (like FileIO for example).
>> >> >
>> >> > However, I still don't know how to configure my security policy such 
>> >> > that
>> >> > I
>> >> > restrict the ability of an assembly to use the Assert method.
>> >> >
>> >> > Any suggestions???
>> >> >
>> >> > Thanks,
>> >> > Novice
>> >> >
>> >> > "Novice" wrote:
>> >> >
>> >> >> Another poster wrote:
>> >> >> ------------------
>> >> >> Additionally, assuming I have FullTrust, and I write the .dll that
>> >> >> doesn't
>> >> >> have correct public key (so you try to block me from the file), all I
>> >> >> have to
>> >> >> do is do an Assert on that permission, and the Assert will be found in
>> >> >> the
>> >> >> callstack before your deny, allowing me access to the directory.
>> >> >> ------------------
>> >> >> Is it the case that you can override an existing Deny that my 
>> >> >> application
>> >> >> has
>> >> >> already specified?
>> >> >>
>> >> >> I.E.  if I write an application and the first line of code I put is a
>> >> >> "Deny"
>> >> >> on File IO to the C drive and then I invoke code (exp a method) in 
>> >> >> your
>> >> >> assembly - you can subsequently write an Assert that will override the
>> >> >> Deny
>> >> >> that has already been processed (and yes this assumes your assembly 
>> >> >> has
>> >> >> full
>> >> >> trust)?
>> >> >>
>> >> >> Thanks,
>> >> >> Novice
>> >> >>
>> >> >> PS If the above is true - what permission in .Net would stop someone 
>> >> >> from
>> >> >> being able to override a previously issued Deny?
>> >>
>> >>
>> >> 
>> 
>> 
>> 
>
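
The behaviour discussed in this thread, as an added example that is not part of any poster's message: a fully trusted callee's Assert satisfies a demand despite a Deny further up the stack, while the same code run under a grant set that lacks `SecurityPermissionFlag.Assertion` gets a `SecurityException` from `Assert()` itself. The type and method names (`Callee`, `DemandRead`, `AssertThenRead`), the sandbox name and the sample path are hypothetical, and the code assumes .NET Framework 2.0-3.5 with the executable running fully trusted from a local disk.

```csharp
// Added illustration for .NET Framework 2.0-3.5; on 4.0+ Deny() is obsolete and throws by default.
using System;
using System.Runtime.CompilerServices;
using System.Security;
using System.Security.Permissions;
public class Callee : MarshalByRefObject   // hypothetical type, plays the "other assembly"
{
    // Stands in for a file API. A demand checks the callers of the method that
    // issues it, so the stack walk begins at AssertThenRead's frame.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static void DemandRead(string path)
    {
        new FileIOPermission(FileIOPermissionAccess.Read, path).Demand();
    }

    public string AssertThenRead(string path)
    {
        try
        {
            // Assert() itself requires SecurityPermissionFlag.Assertion.
            new FileIOPermission(FileIOPermissionAccess.Read, path).Assert();
            DemandRead(path);   // the walk stops at the Assert on this frame
            return "demand satisfied";
        }
        catch (SecurityException) { return "SecurityException"; }
    }
}
static class Program
{
    static void Main()
    {
        const string path = @"C:\";   // constructed sample path
        // Case 1: full-trust caller denies, full-trust callee asserts.
        new FileIOPermission(FileIOPermissionAccess.Read, path).Deny();
        string fullTrust = new Callee().AssertThenRead(path);
        CodeAccessPermission.RevertDeny();
        Console.WriteLine("full trust:   " + fullTrust);
        // Case 2: same code in a sandbox granted Execution and file access, but not Assertion.
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new FileIOPermission(PermissionState.Unrestricted));
        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;
        AppDomain box = AppDomain.CreateDomain("NoAssert", null, setup, grant);
        Callee c = (Callee)box.CreateInstanceAndUnwrap(
            typeof(Callee).Assembly.FullName, typeof(Callee).FullName);
        Console.WriteLine("no Assertion: " + c.AssertThenRead(path));
    }
}
```

A named permission set built the same way as `grant` (any `SecurityPermission` flags except `Assertion`) is what a code group would need to reference for policy to withhold the right to assert.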

