How to determine required privileges?

When writing applications, how can I determine the minimum required privileges necessary for an operation to run? For instance, say my application needs rights to write/read to the registry, or I want to block some ports - how do I go about finding out what the minimum privileges required are? Is there documentation somewhere that says "function X requires privilege level Y"?

Thanks!

Hello, SC!

S> When writing applications, how can I determine the minimum required
S> privileges necessary for an operation to run?
S> For instance, say my application needs rights to write/read to the
S> registry, or I want to block some ports - how do I go about finding out
S> what the minimum privileges required are? Is there documentation
S> somewhere that says "function X requires privilege level Y"?

Generally it is documented what privileges are sufficient to complete this or that operation. However, the most efficient method to detect what privileges your app requires is running your application under a user account with least privileges.
"Vadym Stetsyak" <vady***@ukr.net> wrote in message news:emhhqzczGHA.3656@TK2MSFTNGP04.phx.gbl...
> Hello, SC!
>
> S> When writing applications, how can I determine the minimum required
> S> privileges necessary for an operation to run?
> S> For instance, say my application needs rights to write/read to the
> S> registry, or I want to block some ports - how do I go about finding out
> S> what the minimum privileges required are? Is there documentation
> S> somewhere that says "function X requires privilege level Y"?
>
> Generally it is documented what privileges are sufficient to complete
> this or that operation.
> However, the most efficient method to detect what privileges your app
> requires is running
> your application under a user account with least privileges.

I wish it was. I have been looking in the MS docs for stuff like this and have yet to find specifics about it.

Building and then running and then patching where needed seems to be a path that is very contrary to structured design IMHO. Security should be part of the design from the start, not tacked on to the end. Testing should be used to validate, not design.

Hello, Ray!

You wrote on Fri, 1 Sep 2006 11:54:05 -0400:

RCH> I wish it was. I have been looking in the MS docs for stuff like this and
RCH> have yet to find specifics about it.

IMO it depends on what you are trying to do. For instance, if you want to do disk I/O... The File.Open docs have the following statement:

"FileIOPermission for reading from and writing to the specified file. Associated enumerations: FileIOPermissionAccess.Read, FileIOPermissionAccess.Write"

Also, you should consider the existence of ACLs. File.Open uses the CreateFile Win32 API; this function has an lpSecurityAttributes parameter and MSDN gives comments about it.

RCH> Building and then running and then patching where needed seems to be a path
RCH> that is very contrary to structured design IMHO. Security should be part of
RCH> the design from the start, not tacked on to the end.

Yes, I agree with you about that. But the OP asked about OS privileges to accomplish some operations (reading the registry). These privileges must either be documented in the docs, or if the user works under least privileges she will get an error (Access denied).

When you design your own system you define YOUR own system privileges. These privileges are part of the design.

In my post I meant to do the development and testing under a least-privileged user account, since it will help to detect privilege-related issues from the start. ( http://dotnetjunkies.com/WebLog/anoras/archive/2005/02/14/54376.aspx )

Do you mean CAS permissions or operating system permissions? If the former, what version of the .NET framework are you targeting?

"SC" <shmuli***@yahoo.com> wrote in message news:O8zT7kWzGHA.1536@TK2MSFTNGP02.phx.gbl...
> When writing applications, how can I determine the minimum required
> privileges necessary for an operation to run?
> For instance, say my application needs rights to write/read to the
> registry, or I want to block some ports - how do I go about finding out
> what the minimum privileges required are? Is there documentation
> somewhere that says "function X requires privilege level Y"?
>
> Thanks!

OS permissions

"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message news:CE7B642A-838F-4BE8-89F0-589D2B5B1018@microsoft.com...
> Do you mean CAS permissions or operating system permissions? If the
> former, what version of the .NET framework are you targeting?

For ACL-based stuff (files, registry, etc.), you can p/invoke the AccessCheck or AzAccessCheck API calls, depending on if you have a logon token for the user you want to check against. Unfortunately, there is no built-in .NET wrapper for these yet.

For network stuff, I'm not sure if there is a well-known API to determine the network requirements of any given call. I think you kind of need to know this stuff in advance.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"SC" <shmuli***@yahoo.com> wrote in message news:O9TVLQg1GHA.1336@TK2MSFTNGP03.phx.gbl...
> OS permissions

In .NET 2.0 you can use the Permission Calculator tool (permcalc) [http://msdn2.microsoft.com/en-us/library/ms165077.aspx] after you have written the app to see what permissions it needs. There is no equivalent in .NET 1.0 or 1.1 unfortunately, but you can run the 2.0 permcalc against a 1.* assembly and still see results. There are some differences in the framework as to what permissions are required however, for example the OdbcConnection in 1.* requires FullTrust whereas in 2.0 it does not. SqlConnection objects just need SqlClientPermission in both.

It is an annoying process to add security after the fact. The best recommendation I've seen is to develop as a least-permission user (VS Debugger user etc.) or to remove all default permissions with [assembly: PermissionSet(SecurityAction.RequestOptional, Unrestricted=false)] up front. As you add functionality and it throws security exceptions, you can research what permissions each object needs.

Hope this is useful
Merritt

SC wrote:
> OS permissions
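For the OS-level (ACL) case discussed in the replies above, here is one way to see which registry rights an account actually holds. This is an added example, not code from any poster in the thread: run it under the least-privileged account the application will use, and it asks for one right at a time on a single key. The key path and the list of candidate rights are assumptions chosen for illustration.

```csharp
using System;
using System.Security;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

// Added example: reports which individual registry rights the current
// account is granted on one key, by requesting exactly one right per open.
static class RegistryRightsProbe
{
    // Hypothetical list of rights the application might need.
    static readonly RegistryRights[] Candidates =
    {
        RegistryRights.QueryValues,
        RegistryRights.EnumerateSubKeys,
        RegistryRights.SetValue,
        RegistryRights.CreateSubKey,
        RegistryRights.Delete
    };

    static string Probe(RegistryKey hive, string path, RegistryRights right)
    {
        try
        {
            // The rights argument is the access mask requested from the OS,
            // so the key's ACL is evaluated against the caller's token.
            using (RegistryKey key = hive.OpenSubKey(
                path, RegistryKeyPermissionCheck.Default, right))
            {
                return key == null ? "no such key" : "granted";
            }
        }
        catch (SecurityException)
        {
            return "denied"; // access denied for this right
        }
    }

    static void Main(string[] args)
    {
        // Assumed sample key under HKLM; pass your application's key as args[0].
        string path = args.Length > 0
            ? args[0]
            : @"SOFTWARE\Microsoft\Windows NT\CurrentVersion";

        Console.WriteLine("Account: " + WindowsIdentity.GetCurrent().Name);
        foreach (RegistryRights right in Candidates)
            Console.WriteLine("{0,-18} {1}", right,
                Probe(Registry.LocalMachine, path, right));
    }
}
```

The result describes only the token the process runs with, so an elevated or administrative session will report more rights than the target account has.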