Re: Limiting exe permissions
From: Rene (nospam_at_nospam.com)
Date: 08/25/05
- Previous message: Nicole Calinoiu: "Re: signcode vs signtool"
- In reply to: Nicole Calinoiu: "Re: Limiting exe permissions"
- Next in thread: Nicole Calinoiu: "Re: Limiting exe permissions"
- Reply: Nicole Calinoiu: "Re: Limiting exe permissions"
- Reply: Nicole Calinoiu: "Re: Limiting exe permissions"
- Reply: Bennie Haelen: "Re: Limiting exe permissions"
Date: Thu, 25 Aug 2005 11:07:02 -0500
Thanks Nicole but......
I probably didn't do a good job explaining what I needed but the idea here
is to make my user feel protected against my exe not to protect myself.
If I tell my user that I have added code to my exe to make sure it does not
go out and start deleting their files and that it's safe to run it as
administrator without any fear, chances are they are not going to believe me!
The other thing is that all of the assemblies used by my application are
mine so I don't have to worry about locking them down.
I am not sure if I missed something in your reply, I am kind of new to this
permission thing. So here goes the question again: If *you* were to download
my exe and you didn't trust me but the exe is a program that is
reeeeeeeeealy cool, what would you do to be able to use my program (exe) and
at the same time feel safe that it won't go and spy on you?
I appreciate your help, thanks.
"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
news:eE1nVoWqFHA.3524@tk2msftngp13.phx.gbl...
> Rene,
>
> There's no need to alter CAS policy if you want to restrict your assemblies'
> permissions. Instead, you can simply use assembly-level permission
> attributes to reject the permissions that you would prefer the assembly not
> be granted. There are two basic approaches to this:
>
> 1. Refuse specific permissions that you don't want (blacklisting), or
> 2. Reject all permissions except the ones you do want (whitelisting).
>
> For #1, simply add RequestRefuse attributes like the following, which
> rejects all file IO permissions:
>
> [assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted = true)]
>
> If you would prefer to declaratively request only the permissions your
> assembly actually needs, you should start with a RequestOptional attribute
> like the following, which rejects all permissions except
> SecurityPermission\Execution and the identity permissions corresponding to
> the assembly's evidence:
>
> [assembly: PermissionSet(SecurityAction.RequestOptional, Unrestricted = false)]
>
> Once you've added a RequestOptional attribute, you'll need to add a
> RequestMinimum or RequestOptional for every permission your application
> does need. For example, if your application should not even load unless it
> is granted read permission on a dedicated registry key added at
> installation, you might add an attribute like the following:
>
> [assembly: RegistryPermission(SecurityAction.RequestMinimum,
> Read = @"HKEY_LOCAL_MACHINE\SOFTWARE\YourCompany\YourApplication")]
>
> HTH,
> Nicole
>
>
>
>
> "Rene" <nospam@nospam.com> wrote in message
> news:eC%23m4oPqFHA.2696@TK2MSFTNGP11.phx.gbl...
>> I recently finished a C# program that is based on the .Net 1.1 framework
>> and I am planning to make this program available as a download from the
>> Internet.
>>
>> Since the program is something you can download from the Internet and
>> since most people are afraid of running applications from companies they
>> don't know anything about, I would like to tell my user how to protect
>> themselves from my own application in case they are concerned that my
>> program may have a virus or some sort of spyware (it does not but I
>> can't ask them to blindly trust me).
>>
>> To achieve this, I tried running the "Trust and Assembly" utility from the
>> ".Net Wizard" section and set the permission for my application to
>> "None".
>> After doing that, I was expecting not to be able to run the program but I
>> was still able to run it.
>>
>> My question is: What do I need to do to assign a permission to my
>> application so that it is not able to browse other directories in my
>> computer, access the registry, make screenshots etc.
>>
>> Thanks.
>>
>> Thanks.
>>
>
>
>
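The RequestRefuse approach from the quoted reply, as an added example that is not code from either poster: the assembly refuses all file and registry access, then probes both to show that the runtime throws SecurityException even when policy would otherwise grant full trust. It assumes .NET Framework 1.1/2.0-era CAS (these assembly-level request actions were made obsolete in .NET Framework 4); the class name and the probed path are hypothetical.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using Microsoft.Win32;

// Blacklisting: refuse these permissions no matter what CAS policy grants.
[assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted = true)]
[assembly: RegistryPermission(SecurityAction.RequestRefuse, Unrestricted = true)]

class RefusedPermissionsDemo   // hypothetical name
{
    delegate void Probe();

    static void ReadFile()
    {
        // Hypothetical path; the permission demand runs before the file is opened.
        using (StreamReader reader = new StreamReader(@"C:\boot.ini"))
        {
            reader.ReadLine();
        }
    }

    static void ReadRegistry()
    {
        RegistryKey key = Registry.LocalMachine.OpenSubKey("SOFTWARE");
        if (key != null) key.Close();
    }

    // True when the runtime blocked the operation with a SecurityException.
    static bool IsBlocked(string label, Probe probe)
    {
        try { probe(); }
        catch (SecurityException) { Console.WriteLine(label + ": blocked"); return true; }
        catch (IOException) { /* demand passed; the file was simply unavailable */ }
        Console.WriteLine(label + ": ALLOWED");
        return false;
    }

    static int Main()
    {
        bool fileBlocked = IsBlocked("file read", new Probe(ReadFile));
        bool registryBlocked = IsBlocked("registry read", new Probe(ReadRegistry));
        return (fileBlocked && registryBlocked) ? 0 : 1;   // 0 = both refused as declared
    }
}
```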