Creating code groups | Setup project

I'm not sure if this can be done, but here's what I require:

I have a Windows application that needs to be secured in a code group with limited permissions to write to a log folder, and to download certain files before startup. Issue is that this happens to be running on a restricted user login. And also, I need to prevent malicious files from accessing this application.

The solution for the first issue is the cacls exe that I've managed to use and put together certain code that does the trick for me. Is there any other/better way to do it? I basically need write permission on a folder in the Program Files application directory to write some logs, and write permission on another folder to download some files through the application.

The second issue needs to be addressed using CAS. I know we can use the configuration manager of the framework in administrative tools to create the desired permission set and code group and then import the application assemblies/components into it to sign it.

My queries:

1. How can I do the same that I manage to achieve with the config manager through some framework classes? I would be required to do this as a custom action while installation of the application through a setup project that I have.

2. Which would be the best condition on the basis of which I should create my code group? There are 7 of them, and I do intend to strong name the app anyway. Would the strong name be a sufficient enough condition for the code group? Or would some other condition serve the purpose better and more smartly?

Any pointers are gladly appreciated.

Cheers!
Nick

hi,
this is part of an msi installer project - and should get you started...don't forget the uninstall action :)

    // this code will run when the MSI file is installed
    public override void Install(IDictionary stateSaver) {

        // first need to find the machine policy,
        // which is where we'll make our changes
        PolicyLevel machinePolicy = _findPolicyLevel("Machine");

        if (null == machinePolicy) {
            // sanity check - this should never happen
            throw new ApplicationException("Failed to find the machine policy in the PolicyHierarchy");
        }

        // we need to add a named permission set
        // that includes whatever permissions we're granting
        NamedPermissionSet nps = new NamedPermissionSet(permissionSetName, PermissionState.None);
        nps.Description = permissionSetDesc;

        // TODO: add the permissions AcmeExpense needs
        nps.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, @"c:\acme\expenses"));
        nps.AddPermission(new EnvironmentPermission(EnvironmentPermissionAccess.Read, "EXPENSE"));
        nps.AddPermission(new SqlClientPermission(PermissionState.Unrestricted));
        nps.AddPermission(new DataProtectionPermission(PermissionState.Unrestricted));

        // add our named permission set to the machine policy level
        // note that nothing is saved yet (we'll save at the end)
        try {
            machinePolicy.AddNamedPermissionSet(nps);
        }
        catch {
            // duplicate name - update the existing one with the same name
            machinePolicy.ChangeNamedPermissionSet(nps.Name, nps);
        }

        // now we need to create a code group that matches all assemblies
        // that we ship with AcmeExpense - one way of doing this is to
        // match the strong name we assign to that application (although
        // depending on how you manage strong names, this might cover
        // a wider set of assemblies)
        CodeGroup cg = new UnionCodeGroup(
            new StrongNameMembershipCondition(
                new StrongNamePublicKeyBlob(acmePublicKey),
                null,  // match regardless of assembly's simple name
                null), // match regardless of assembly's version
            new PolicyStatement(nps,
                PolicyStatementAttribute.Nothing) // no LevelFinal or Exclusive attribute on this code group
            );
        cg.Name = codeGroupName;
        cg.Description = codeGroupDesc;

        // code groups with duplicate names are legal, but messy and confusing,
        // so we make sure to first remove any existing code groups with our name
        _removeCodeGroupsByName(machinePolicy.RootCodeGroup, cg.Name);

        // add our new code group (note we've not saved yet).
        machinePolicy.RootCodeGroup.AddChild(cg);

        // finally, save all changes atomically.
        SecurityManager.SavePolicyLevel(machinePolicy);
    }

    PolicyLevel _findPolicyLevel(string labelWeWant) {
        IEnumerator policyLevelEnumerator = SecurityManager.PolicyHierarchy();
        PolicyLevel found = null;
        while (policyLevelEnumerator.MoveNext()) {
            PolicyLevel lvl = (PolicyLevel)policyLevelEnumerator.Current;
            if (labelWeWant == lvl.Label) {
                found = lvl;
            }
        }
        return found;
    }

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hey Dominick,
I did indeed get this code running and was able to create the desired code groups and perm sets. Thanks a ton!

However, I couldn't quite figure out exactly where to get this Install method that is overridden. All that I have worked with Setup projects, I have purely done with the GUI. I'm not sure where I can fit this code in the project. I believe I'll have to create an exe for this and put it in as a custom action during install, and put the code for removing it in a similar action during uninstall. Am I correct in this assumption?

hi,
add a class lib to the installer project - and include its primary output

add a class to that project:

    [RunInstaller(true)]
    public class MyInstaller : System.Configuration.Install.Installer

and override the install/uninstall methods.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Thanks a ton Dominick!
I finally got the entire bit working.
However, was just wondering if you do not mind sharing the code for the _removeCodeGroupsByName method too! Guess you missed it in the initial response.

Cheers!
Nick

:) this is a challenge :)

    void _removeCodeGroupsByName(CodeGroup parent, string childName) {
        ArrayList codeGroupsToRemove = new ArrayList();
        foreach (CodeGroup existingCodeGroup in parent.Children) {
            if (childName == existingCodeGroup.Name) {
                codeGroupsToRemove.Add(existingCodeGroup);
            }
        }
        foreach (CodeGroup cg in codeGroupsToRemove) {
            parent.RemoveChild(cg);
        }
    }

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
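
The uninstall action mentioned in the thread is never shown, so here is one way to write it, as an added example that is not code from any of the posters. It assumes .NET Framework 2.0 to 3.5 (CAS policy is disabled by default from .NET Framework 4 onward), an installer running with administrative rights, and placeholder names that must match whatever the Install override used; the class name and helper names are hypothetical.

```csharp
using System;
using System.Collections;
using System.ComponentModel;
using System.Configuration.Install;
using System.Security;
using System.Security.Policy;

// Added example: undoes the machine-level CAS policy change made at install time.
// In a real project these overrides sit in the same Installer-derived class as Install.
[RunInstaller(true)]
public class CasPolicyCleanupInstaller : Installer   // hypothetical class name
{
    // Placeholders (assumptions): use the exact names the Install override registered.
    const string CodeGroupName = "<your code group name>";
    const string PermissionSetName = "<your permission set name>";

    public override void Uninstall(IDictionary savedState)
    {
        base.Uninstall(savedState);
        RemoveCasPolicy();
    }

    // A failed installation should not leave an elevated grant behind either.
    public override void Rollback(IDictionary savedState)
    {
        base.Rollback(savedState);
        RemoveCasPolicy();
    }

    void RemoveCasPolicy()
    {
        PolicyLevel machinePolicy = FindPolicyLevel("Machine");
        if (machinePolicy == null)
        {
            return; // nothing to clean up
        }

        // Remove the code group first so the named permission set
        // is no longer referenced when we try to delete it.
        int removed = RemoveCodeGroupsByName(machinePolicy.RootCodeGroup, CodeGroupName);
        if (Context != null)
        {
            Context.LogMessage("Removed " + removed + " code group(s) named " + CodeGroupName);
        }

        try
        {
            machinePolicy.RemoveNamedPermissionSet(PermissionSetName);
        }
        catch (ArgumentException)
        {
            // The set is already gone, or another code group still uses it.
            // Either way, leave the policy level as it is and carry on.
        }

        // Nothing is persisted until the policy level is saved.
        SecurityManager.SavePolicyLevel(machinePolicy);
    }

    static PolicyLevel FindPolicyLevel(string label)
    {
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            if (level.Label == label)
            {
                return level;
            }
        }
        return null;
    }

    // Removes direct children of 'parent' with the given name, which is where
    // the thread's Install code adds its group. Returns how many were removed.
    static int RemoveCodeGroupsByName(CodeGroup parent, string name)
    {
        ArrayList matches = new ArrayList();
        foreach (CodeGroup child in parent.Children)
        {
            if (child.Name == name)
            {
                matches.Add(child);
            }
        }
        foreach (CodeGroup match in matches)
        {
            parent.RemoveChild(match);
        }
        return matches.Count;
    }
}
```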