Re: Appl. Security Problems

From: Nicole Calinoiu (calinoiu)
Date: 05/20/05


Date: Fri, 20 May 2005 13:50:32 -0400


"Steve B." <SteveB@discussions.microsoft.com> wrote in message
news:C86F5BC6-CB25-4DE9-965E-7FE50E8D986A@microsoft.com...
> Local C# network application developed using VS .Net
>
> 1. While some local network users are able to Trust The Assembly via the
> Control Panel .Net Framework wizard, others can not because of "security
> policy". Why?

Probably because some of them are administrators and are adjusting the
assembly permissions at the machine level, whereas others are non-admins and
are only allowed to attempt to adjust the permissions at the user level.
The "trust an assembly" wizard will usually give the "due to your existing
security policy..." result you mentioned when run at the user level. (I'm
unaware of any conditions under which a user-level run of the wizard would
succeed.)

BTW, it is possible for non-admins to restrict assembly permissions via
other tools that modify the user-level CAS policy. However, under normal
circumstances, low-privilege users cannot increase assembly
permissions beyond those granted at the enterprise and machine levels.

> 2. Why do I receive the following error message when I try to open my
> ADONet dll from the network within my local .Net application?
>
> "The application attempted to perform an operation not allowed by the
> security policy. The operation required the Security Exception. To grant
> this application the required permission please contact your system
> administrator."
>
> What do I or, my IT person, need to do to change security policy?

See http://blogs.msdn.com/shawnfa/archive/2003/06/20/57023.aspx for
instructions on how to modify the CAS policy for this scenario. See
http://msdn.microsoft.com/library/en-us/cpguide/html/cpcondeployingsecuritypolicy.asp
for some deployment options.
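
A diagnostic for the policy-level behaviour described in the reply above, as an added example that is not part of the original post: it resolves the grant at each CAS policy level for an assembly on an intranet share and intersects the results. It assumes .NET Framework 1.1/2.0 with CAS policy in force and is run fully trusted from a local disk; the UNC path is a hypothetical placeholder.

```csharp
// Added illustration, not code from the thread. Targets .NET Framework 1.1/2.0.
using System;
using System.Collections;
using System.Security;
using System.Security.Policy;

class ShowCasGrant
{
    static void Main(string[] args)
    {
        // Hypothetical share path; pass the real assembly URL as the first argument.
        string url = args.Length > 0 ? args[0] : "file://fileserver/apps/MyApp.exe";

        // Evidence comparable to what the loader presents for a network-share assembly.
        Evidence evidence = new Evidence();
        evidence.AddHost(new Zone(SecurityZone.Intranet));
        evidence.AddHost(new Url(url));

        PermissionSet effective = null;
        bool first = true;

        // PolicyHierarchy() yields the enterprise, machine and user levels in order.
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            PolicyStatement statement = level.Resolve(evidence);
            PermissionSet grant = statement.PermissionSet;
            Console.WriteLine("{0}: unrestricted={1}", level.Label, grant.IsUnrestricted());

            // Each level can only narrow the running result, never widen it.
            effective = first ? grant.Copy() : effective.Intersect(grant);
            first = false;

            // Intersect returns null when nothing is left in common.
            if (effective == null)
                effective = new PermissionSet(PermissionState.None);

            // A LevelFinal code group stops evaluation of the levels below it.
            if ((statement.Attributes & PolicyStatementAttribute.LevelFinal) != 0)
                break;
        }

        Console.WriteLine("Effective grant:");
        Console.WriteLine(effective);
    }
}
```

If the machine level prints `unrestricted=False` for the share, a FullTrust code group added at the user level leaves the effective grant unchanged, which is why the change has to be made at the machine or enterprise level.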


