Configuration Tool missing

So after doing development/testing of our application on several different development machines, we went to start testing it on a "cleaner" system. No Visual Studio, only the .NET 2.0 runtime.

It was here that we noticed the configuration tool (normally present in Administrative Tools) is missing. I need to change the default trust level for applications in the "Trusted Sites" internet zone. Without the configuration tool, how can this be set on a client's machine?

--
Adam Clauss

you can do that programmatically or using caspol.exe
---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> So after doing development/testing of our application on several
> different development machines, we went to start testing it on a
> "cleaner" system. No Visual Studio, only the .NET 2.0 runtime.
>
> It was here that we noticed the configuration tool (normally present
> in Administrative Tools) is missing. I need to change the default
> trust level for applications in the "Trusted Sites" internet zone.
> Without the configuration tool, how can this be set on a client's
> machine?
>

How so programmatically?

I just ran caspol on two different machines, and it looks like the group numbers are not constant. How can I possibly create a batch file for our customer to run if the numbers do not stay the same?

--
Adam Clauss

"Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in message news:4580be631376d8c8abefe60c4c58@news.microsoft.com...
> you can do that programmatically or using caspol.exe
>
> ---
> Dominick Baier, DevelopMentor
> http://www.leastprivilege.com
>
>> So after doing development/testing of our application on several
>> different development machines, we went to start testing it on a
>> "cleaner" system. No Visual Studio, only the .NET 2.0 runtime.
>>
>> It was here that we noticed the configuration tool (normally present
>> in Administrative Tools) is missing. I need to change the default
>> trust level for applications in the "Trusted Sites" internet zone.
>> Without the configuration tool, how can this be set on a client's
>> machine?
>>
>
>

The System.Security.Policy namespace contains all relevant classes to access
policy. Have a look at the namespace and feel free to post back with any questions.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> How so programmatically?
>
> I just ran caspol on two different machines, and it looks like the
> group numbers are not constant. How can I possibly create a batch
> file for our customer to run if the numbers do not stay the same?
>
> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote
> in message news:4580be631376d8c8abefe60c4c58@news.microsoft.com...
>
>> you can do that programmatically or using caspol.exe
>>
>> ---
>> Dominick Baier, DevelopMentor
>> http://www.leastprivilege.com
>>> So after doing development/testing of our application on several
>>> different development machines, we went to start testing it on a
>>> "cleaner" system. No Visual Studio, only the .NET 2.0 runtime.
>>>
>>> It was here that we noticed the configuration tool (normally present
>>> in Administrative Tools) is missing. I need to change the default
>>> trust level for applications in the "Trusted Sites" internet zone.
>>> Without the configuration tool, how can this be set on a client's
>>> machine?
>>>

Caspol also allows one to reference code groups by name (even if all the
examples show use of the numeric IDs instead). Personally, I wouldn't rely on that either, but ymmv... Also, since permissions are additive over code groups to which an assembly belongs, you might want to consider simply adding your own code group for the trusted sites zone that adds whatever additional permissions you require.

BTW, if you are creating these changes to support one software supplier's permissions requirements, you might want to seriously consider using something a bit more granular than just trusted sites zone membership. Publisher evidence would be an excellent choice in many cases but, failing that, you might want to consider using at least the publishing URL code group and/or strong name evidence code group nested under a trusted sites zone group.

"Adam Clauss" <cabadam@no.spam.gmail.com> wrote in message news:edKIXPd3GHA.1252@TK2MSFTNGP04.phx.gbl...
> How so programmatically?
>
> I just ran caspol on two different machines, and it looks like the group
> numbers are not constant. How can I possibly create a batch file for our
> customer to run if the numbers do not stay the same?
>
> --
> Adam Clauss
>
> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
> message news:4580be631376d8c8abefe60c4c58@news.microsoft.com...
>> you can do that programmatically or using caspol.exe
>>
>> ---
>> Dominick Baier, DevelopMentor
>> http://www.leastprivilege.com
>>
>>> So after doing development/testing of our application on several
>>> different development machines, we went to start testing it on a
>>> "cleaner" system. No Visual Studio, only the .NET 2.0 runtime.
>>>
>>> It was here that we noticed the configuration tool (normally present
>>> in Administrative Tools) is missing. I need to change the default
>>> trust level for applications in the "Trusted Sites" internet zone.
>>> Without the configuration tool, how can this be set on a client's
>>> machine?
>>>
>>
>>
>
>

OK, I have gotten a bit more familiar with using caspol. I also agree -
using something other than trusted sites zone membership is much better (btw - we ARE the software supplier).

I first tried a URL condition (http://hostname/*). This worked fine for us, with the downside being that we are deploying this to multiple locations, so we would need to be aware of the URL for each (which will not be known until actual deployment to our client takes place).

I think a better solution would be to use the strong name condition. I have signed the assembly and added a code group with the Public Key with Full Trust. However, it seems like the assembly is not actually being recognized as part of the code group, as I almost immediately get errors about permission requests failing.

I was first doing this through the command line and assumed I was making a mistake. So on a development machine I used the actual .NET Framework 2.0 Configuration tool. I selected "Import" when asked to specify the public key to make sure I had the correct key. Again, no effect. If I change it to be a URL condition, suddenly everything works.

Any thoughts?

--
Adam Clauss

"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message news:7AA27772-A977-44D0-9BA0-6D8C1F9E508D@microsoft.com...
> Caspol also allows one to reference code groups by name (even if all the
> examples show use of the numeric IDs instead). Personally, I wouldn't
> rely on that either, but ymmv... Also, since permissions are additive
> over code groups to which an assembly belongs, you might want to consider
> simply adding your own code group for the trusted sites zone that adds
> whatever additional permissions you require.
>
> BTW, if you are creating these changes to support one software supplier's
> permissions requirements, you might want to seriously consider using
> something a bit more granular than just trusted sites zone membership.
> Publisher evidence would be an excellent choice in many cases but, failing
> that, you might want to consider using at least the publishing URL code
> group and/or strong name evidence code group nested under a trusted sites
> zone group.
>
>
> "Adam Clauss" <cabadam@no.spam.gmail.com> wrote in message
> news:edKIXPd3GHA.1252@TK2MSFTNGP04.phx.gbl...
>> How so programmatically?
>>
>> I just ran caspol on two different machines, and it looks like the group
>> numbers are not constant. How can I possibly create a batch file for our
>> customer to run if the numbers do not stay the same?
>>
>> --
>> Adam Clauss
>>
>> "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
>> message news:4580be631376d8c8abefe60c4c58@news.microsoft.com...
>>> you can do that programmatically or using caspol.exe
>>>
>>> ---
>>> Dominick Baier, DevelopMentor
>>> http://www.leastprivilege.com
>>>
>>>> So after doing development/testing of our application on several
>>>> different development machines, we went to start testing it on a
>>>> "cleaner" system. No Visual Studio, only the .NET 2.0 runtime.
>>>>
>>>> It was here that we noticed the configuration tool (normally present
>>>> in Administrative Tools) is missing. I need to change the default
>>>> trust level for applications in the "Trusted Sites" internet zone.
>>>> Without the configuration tool, how can this be set on a client's
>>>> machine?
>>>>
>>>
>>>
>>
>>
>
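
Added example (not part of the thread and not any poster's code): one way to do what the replies above suggest, using System.Security.Policy to nest a strong-name code group under the Machine-level Trusted zone group, so that code must match both the zone and the publisher's key. It assumes the .NET Framework 2.0 CAS policy model discussed in the thread; the group name `ExampleVendor_StrongName` and the choice of the `FullTrust` permission set are illustrative.

```csharp
// Added example for .NET Framework 2.0 CAS policy; names marked hypothetical are assumptions.
// Writing Machine-level policy requires administrative rights on the client.
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Policy;

static class AddVendorCodeGroup
{
    const string GroupName = "ExampleVendor_StrongName"; // hypothetical group name

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: AddVendorCodeGroup <signed-assembly>"); return 2; }
        // Read the public key from the manifest without loading the assembly.
        byte[] key = AssemblyName.GetAssemblyName(args[0]).GetPublicKey();
        if (key == null || key.Length == 0) { Console.Error.WriteLine("assembly is not strong-named"); return 1; }

        PolicyLevel machine = null;
        for (IEnumerator levels = SecurityManager.PolicyHierarchy(); levels.MoveNext(); )
            if (((PolicyLevel)levels.Current).Label == "Machine") machine = (PolicyLevel)levels.Current;
        if (machine == null) { Console.Error.WriteLine("Machine policy level not found"); return 1; }

        CodeGroup root = machine.RootCodeGroup;
        IList children = root.Children; // the getter hands back copies, so they are written back below
        foreach (CodeGroup zoneGroup in children)
        {
            // Locate the parent by its membership condition, not by numeric label or display name.
            ZoneMembershipCondition zone = zoneGroup.MembershipCondition as ZoneMembershipCondition;
            if (zone == null || zone.SecurityZone != SecurityZone.Trusted) continue;

            foreach (CodeGroup existing in zoneGroup.Children) // keep re-runs idempotent
                if (existing.Name == GroupName) zoneGroup.RemoveChild(existing);

            // Match on the public key only; assembly name and version are left unconstrained.
            UnionCodeGroup vendor = new UnionCodeGroup(
                new StrongNameMembershipCondition(new StrongNamePublicKeyBlob(key), null, null),
                new PolicyStatement(machine.GetNamedPermissionSet("FullTrust")));
            vendor.Name = GroupName;
            zoneGroup.AddChild(vendor);

            root.Children = children;      // write the modified copies back
            machine.RootCodeGroup = root;
            SecurityManager.SavePolicyLevel(machine);
            return 0;
        }
        Console.Error.WriteLine("no Trusted zone code group at Machine level");
        return 1;
    }
}
```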