Re: HOWTO Install security with CASPOL for UserControls
- From: "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com>
- Date: Fri, 2 Dec 2005 10:56:18 -0500
"ATS" <ATS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:92FADC2B-8FF3-4558-ACC9-F0E1A02D8E91@xxxxxxxxxxxxxxxx
> Thanks for the reply,
>
> Just for clarification, Strong Names and keys are out of the question. It
> must be by URL. I stated that new assemblies would be added rapidly over
> time, as well as changed. I forgot to mention that even new assemblies from
> new 3rd party vendors will be added over time. This makes it IMPOSSIBLE for a
> single administrator to do this effectively other than from a URL.
Unfortunately, using only URL evidence will open your clients to additional
risk from certain classes of attack. If you think that would be acceptable
to them, then go ahead and use only URL evidence. However, that's not a
decision that I would want to be making on someone else's behalf.
> Bottom line, is there ANY means CASPOL or otherwise, to let a single
> administrator over an enterprise/domain/network to FORCE all machines to let
> any/all assemblies have GOD privileges that come from a specific URL.
It is possible to distribute policy modifications over a network by various
means, including scripts that use caspol. It's also possible to assign
additional permissions based on URL evidence only (even though it's not
necessarily a particularly good idea). However, it's not always possible to
grant additional permissions on top of existing custom policy, but folks who
have constructed such a policy will presumably know how to modify your
scripts to grant additional permissions to your assemblies.
> I would find this hard to believe that the answer is NO.
As mentioned above, it's not.
> I do not care if it
> involves somehow having a program scan the assemblies from a URL, get
> something from each (so long as it does this rapidly), and then FORCE a
> command/API/Tool to then tell each machine in their domain/enterprise/network
> to let them be updated.
Then why not build such a tool to help admins build (and renew as necessary)
the scripts that they will use to update the CAS policy of client machines
on their networks? As long as propagation isn't automatic after content
changes on your site, they'll be better protected than if you're using only
URL evidence.
> There simply has to be a way. Otherwise, the concept
> of "Software as a Service" can not be done without either there being a
> finite number of Vendors that can't change, and/or there being high
> administrator involvement required.
Of course it can. For starters, not all software (probably not even all of
your controls) require unrestricted permissions on client machines. In
addition, there are multiple models for distribution of such applications,
of which you've chosen just one, and it might not necessarily be the best
choice given how the product is actually meant to work. Also, deploying CAS
policy modifications really isn't all that difficult--it probably just seems
that way since it's relatively new to you, and you're trying to learn both
the policy system and the deployment skills at the same time.
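
One way an admin-run policy script of the kind discussed above could look, as an added example that is not part of the original thread. It pins each reviewed assembly by hash evidence under a URL code group, which is a choice made here (the thread names only URL and strong-name evidence); the URL, share path, group name and .NET 2.0 framework path are placeholders.

```powershell
# Added example (not from the thread). Run elevated on each client, e.g. from a
# logon or software-distribution script. All values below are placeholders.
param(
    [string]$Caspol      = "$env:windir\Microsoft.NET\Framework\v2.0.50727\caspol.exe",
    [string]$SiteUrl     = 'https://controls.example.com/app/*',
    [string]$ReviewedDir = '\\fileserver\reviewed-controls',
    [string]$GroupName   = 'Example_Hosted_Controls'
)

function Invoke-Caspol {
    # -quiet suppresses the interactive confirmation prompt for this one call.
    & $Caspol -quiet -machine @args
    if ($LASTEXITCODE -ne 0) { throw "caspol failed: $($args -join ' ')" }
}

# What the thread asks for, shown for contrast only: anything served from the
# URL runs fully trusted, including content that changed after review.
#   caspol -machine -addgroup 1 -url $SiteUrl FullTrust

# Renewal: drop the previous group (and its children) if it exists. A failure
# here just means there was nothing to remove, so the exit code is ignored.
& $Caspol -quiet -machine -remgroup $GroupName | Out-Null

# Parent group: matches the URL but grants nothing by itself.
Invoke-Caspol -addgroup 1 -url $SiteUrl Nothing -name $GroupName `
    -description 'Hosted controls: URL match only, no permissions'

# One child per reviewed assembly: FullTrust only when the URL matches AND the
# downloaded file hashes to the same value as the reviewed copy.
$reviewed = @(Get-ChildItem -Path $ReviewedDir -Filter *.dll)
if ($reviewed.Count -eq 0) { throw "No reviewed assemblies in $ReviewedDir" }
foreach ($dll in $reviewed) {
    Invoke-Caspol -addgroup $GroupName -hash SHA1 -file $dll.FullName FullTrust `
        -name "${GroupName}_$($dll.BaseName)"
}

# Show the resulting machine-level code group tree for the change record.
Invoke-Caspol -listgroups
```

Because the grant is tied to file content, an assembly that changes on the site loses FullTrust on clients until an administrator reviews the new copy and re-runs the script.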