Re: .Net Security Policies
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/14/05
- Next message: Imhotep: "Re: Security rankings"
- Previous message: Roger Abell: "Re: Password protect folders or drives for lan"
- In reply to: Philip Finn: "Re: .Net Security Policies"
Date: Wed, 13 Apr 2005 22:59:21 -0700
I have had (a rather one-sided and) a long-running dialog with
MS on just this: that the CAS policy model for .Net is obscure
to the "normal", and non-programming, admin. Hence, I think
I may see something of where you are coming from.

In a nutshell, assemblies (sets of managed code objects, that is,
executables) from .Net may be grouped together as a code group.
One can define a policy that controls the circumstances under
which that code group can execute. This is not just saying that
it can be run by Windows groups X, Y, and Z. This is also able
to say that it can be executed if this is attempted by specific
other running executables under specific criteria (hence CAS,
Code Access Security) - note that this does not necessarily
depend on the account in use whatsoever. Rather, if somewhere
back there the account was able to start something, and that
something running in the right context was sufficient evidence
for some other application (code group) to be used, then it
would happen, etc. on down the chain, without the initial user
credentials necessarily having to directly come into the run
or no run decision.

There is a fairly large amount of info on the MS website about
CAS, but IMO it is a little too opaque to the admin that does
not have a programmer background. However, it is not that
tough, nor inaccessible, with a little effort. Most of the docs
are to be found, of course, under an msdn.microsoft.com URL
or in a TechNet article aimed more at a dev than an admin.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Philip Finn" <PhilipFinn@discussions.microsoft.com> wrote in message
news:C68EC397-C080-4379-AC13-FDC1973656C3@microsoft.com...
> Thanks for the reply. The reason why I asked is because I have been tasked by
> my boss to learn .Net Security. He wants me to be able to provide useful
> information when our developers are working with vendors or working on
> internal development projects. I had found an article
> http://www.gotdotnet.com/team/clr/SecurityPolicyBestPractices.htm
> one of the sections I was having a little trouble visualizing was the section
> 1.4 Mapping Code Groups to Permission Sets I was trying to get an explanation
> of what that means.
>
> Let me give you a little background on me so you understand where I am
> coming from. I have been a Sys Admin for about 8 years mostly working with
> exchange I recently lat moved in my company to the security department. I
> have found the new job a little difficult because I have had to expand my
> realm of knowledge into areas like this where I have no expertise. In
> addition to answering my question do you know any good sites to learn .Net
> Security from the ground up?
>
>
> "Roger Abell" wrote:
>
> > Although written for Asp.Net you may find the following useful
> > as a starting point since you have not stated for what you need
> > to define this and as Asp.Net has more than just CAS involved.
> > http://msdn.microsoft.com/library/en-us/secmod/html/secmod116.asp
> >
> > CAS policy configuration in W2k3 is still done with the tools that
> > were used before W2k3: CasPol.exe and/or mscorcfg.msc
> > You might find the msc UI version better for starters.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Philip Finn" <PhilipFinn@discussions.microsoft.com> wrote in message
> > news:08BF2265-1375-4400-8EE9-36B8ABCD7BF4@microsoft.com...
> > > Can someone explain to me how to map code groups to permission sets in 2003
> > > .Net. Additionally can you explain what tools you use to create a Security
> > > Policy in Windows 2003?
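
Added example, not part of the original thread and not Microsoft's code: a simplified Python model of what "mapping code groups to permission sets" means when CAS policy is resolved. Within one policy level, an assembly receives the union of the permission sets of every code group whose membership condition matches its evidence, and the final grant is the intersection across the levels. The `Share_Tools` group, the `ShareTools` set, the `fileserver` URL and the flat permission names are assumptions made for illustration; code group attributes such as Exclusive and LevelFinal are left out.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable

# Simplified named permission sets (real ones hold parameterised permission objects).
PERMISSION_SETS = {
    "Nothing": frozenset(),
    "Execution": frozenset({"Execute"}),
    "LocalIntranet": frozenset({"Execute", "UI", "IsolatedStorage"}),
    "ShareTools": frozenset({"Execute", "UI", "FileIO"}),  # hypothetical custom set
}
FULL_TRUST = frozenset().union(*PERMISSION_SETS.values())
PERMISSION_SETS["FullTrust"] = FULL_TRUST

@dataclass
class CodeGroup:
    name: str
    matches: Callable[[dict], bool]   # membership condition tested against evidence
    pset: str                         # name of the permission set this group maps to
    children: list = field(default_factory=list)

    def resolve(self, evidence):
        """Union of this group's set with those of every matching descendant."""
        if not self.matches(evidence):
            return frozenset()        # children of a non-matching group are skipped
        granted = PERMISSION_SETS[self.pset]
        for child in self.children:
            granted |= child.resolve(evidence)
        return granted

def zone(name): return lambda ev: ev["zone"] == name
def url(pattern): return lambda ev: fnmatchcase(ev["url"], pattern)
def all_code(ev): return True

# Constructed machine-level policy; Share_Tools and its URL are hypothetical.
MACHINE = CodeGroup("All_Code", all_code, "Nothing", [
    CodeGroup("My_Computer_Zone", zone("MyComputer"), "FullTrust"),
    CodeGroup("LocalIntranet_Zone", zone("Intranet"), "LocalIntranet", [
        CodeGroup("Share_Tools", url("file://fileserver/tools/*"), "ShareTools"),
    ]),
])
ENTERPRISE = CodeGroup("All_Code", all_code, "FullTrust")  # stand-in, no restriction
USER = CodeGroup("All_Code", all_code, "FullTrust")

def grant(evidence, levels=(ENTERPRISE, MACHINE, USER)):
    """Final grant: intersection of what each policy level resolves."""
    result = FULL_TRUST
    for root in levels:
        result &= root.resolve(evidence)
    return result
```

Calling `grant({"zone": "Intranet", "url": "file://fileserver/tools/report.exe"})` returns the LocalIntranet permissions plus `FileIO`, because both the zone group and its child URL group match; passing a more restrictive root for one level shows how the intersection can only narrow the result.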