> One thing I noticed in first release of .NET is that programs stored
> on My Computer were granted fulltrust regardless its location
> effectivly equivelant to an unmanaged application.  My thought is that
> assemblies in temp directories, my documents, etc, can in general be
> assumed to have come from a some external location and should not
> initially have fulltrust without the user having explicitly granted it
> by installing the application and/or modifying the security policy.
> Saving an assembly to the local disk should not in itself be
> sufficient IMHO to increase an assemblies trust permission.
>
> For example, say the user is requested by a internet site to download
> an application that unknown to the user scans all of their files for
> personal information and transmits it to some internet site.  The
> internet site knows that the application will not have permissions to
> run in the internet zone so they package instruct the user to save as
> (despite the warnings presented if the user can do it he mostlikely
> will) and run from their computer (where it will have fulltrust).
> Once saved the the users computer it effectivly has the same
> permissions as any other unmanaged application thus nullifying CAS.
> At present the advantages of a tighter security policy have somewhat
> limited reach because the internet site could have requested the user
> download an unmanaged application but a managed application is in
> genereal much easier to develop.  However my hope is that in the near
> future we will have the ability to restrict execution of unapproved
> unmanaged applications.  For example administrator approves only
> unmanaged applications located in program files and windows folders
> and the local network share, if we then repeat the above scenario with
> a managed and an unmanaged application the unmanaged application would
> not be able to run but the managed application would have full trust
> and this would be a serious loophole.  Of course the CAS policy can be
> changed to have simalar restrictions which is exactly what I'm
> proposing.
>
> My suggestion is that the default security policy should only grant
> full trust only to assemblies located in the Program Files and
> Windows\... folder (systemX or whatever is needed but not
> windows\temp), all other locations should default to Internet Zone
> permissions rather then FullTrust.  I would much rather have the
> permissions of an assembly reduced when the user copies an assembly
> from a network share for example then increased when downloaded from
> the internet.
>
> Thanks,
>

"Dominick Baier [DevelopMentor]" wrote:

> I am totally with you -
>
> unfortunately this collides with MSFT's goal of making CAS as easy as possible...sad
> but true
>
> also look here: http://www.leastprivilege.com/BewareBeAwareOfClickOnceDefaultSettings.aspx
>
> I think this was a opportunity missed in 1.0 times - now this is so much
> a breaking change that it will most probably never happen -
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > One thing I noticed in first release of .NET is that programs stored
> > on My Computer were granted fulltrust regardless its location
> > effectivly equivelant to an unmanaged application.  My thought is that
> > assemblies in temp directories, my documents, etc, can in general be
> > assumed to have come from a some external location and should not
> > initially have fulltrust without the user having explicitly granted it
> > by installing the application and/or modifying the security policy.
> > Saving an assembly to the local disk should not in itself be
> > sufficient IMHO to increase an assemblies trust permission.
> >
> > For example, say the user is requested by a internet site to download
> > an application that unknown to the user scans all of their files for
> > personal information and transmits it to some internet site.  The
> > internet site knows that the application will not have permissions to
> > run in the internet zone so they package instruct the user to save as
> > (despite the warnings presented if the user can do it he mostlikely
> > will) and run from their computer (where it will have fulltrust).
> > Once saved the the users computer it effectivly has the same
> > permissions as any other unmanaged application thus nullifying CAS.
> > At present the advantages of a tighter security policy have somewhat
> > limited reach because the internet site could have requested the user
> > download an unmanaged application but a managed application is in
> > genereal much easier to develop.  However my hope is that in the near
> > future we will have the ability to restrict execution of unapproved
> > unmanaged applications.  For example administrator approves only
> > unmanaged applications located in program files and windows folders
> > and the local network share, if we then repeat the above scenario with
> > a managed and an unmanaged application the unmanaged application would
> > not be able to run but the managed application would have full trust
> > and this would be a serious loophole.  Of course the CAS policy can be
> > changed to have simalar restrictions which is exactly what I'm
> > proposing.
> >
> > My suggestion is that the default security policy should only grant
> > full trust only to assemblies located in the Program Files and
> > Windows\... folder (systemX or whatever is needed but not
> > windows\temp), all other locations should default to Internet Zone
> > permissions rather then FullTrust.  I would much rather have the
> > permissions of an assembly reduced when the user copies an assembly
> > from a network share for example then increased when downloaded from
> > the internet.
> >
> > Thanks,
> >
>
>
>

"Nicole Calinoiu" wrote:

> "Kurt" <K***@discussions.microsoft.com> wrote in message
> news:7AA0C923-10EA-4B3E-84A7-40EAB046E8D0@microsoft.com...
> <snip>
> > however if the user is a limited user account and doesn't have
> > permissions to write to install applications and write to program files
> > folder then ClickOnce would fail with or without CAS just due to standard
> > ACLs.
>
> Sorry but, while that's a reasonable assumption, it's unfortunately
> completely incorrect.  ClickOnce applications are installed to
> user-specific, user-writeable locations, not the Program Files folder.
> ClickOnce is designed specifically to allow non-admins to install and
> elevate the CAS privilege of network-deployed applications.  If you want to
> prevent non-admins from elevating the CAS permissions of ClickOnce
> applications, you will need to adjust the relevant TrustManager settings
> manually.  See
> http://msdn.microsoft.com/library/en-us/dv_vstechart/html/ClickOnceSec.asp
> for an introduction and
> http://www.leastprivilege.com/PermaLink.aspx?guid=dd4eda16-f930-44e0-9f4e-56cfa0cda3f4
> for some additional RTM details.
>
>

> Hi Kurt
>
> For those of us working in security it's hard to contemplate the idea
> of insecure defaults, and so I agree with what you say. However,
> there's also the tradeoff regarding useability.
>
> For ASP.Net applications, there are different levels of trust for
> applications (FullTrust, High, Medium etc.). This gives me some food
> for thought.
>
> How about different defaults for different types of servers? For
> instance, the current defaults would be the 'Low' setting, whereas the
> ones that you suggest would be the 'Medium' setting, with a 'High' set
> of defaults for application servers.
>
> Just a thought, but I'd really appreciate your opinions here.
>
> Many large-scale applications don't seem to use CAS at all. Perhaps
> offering a choice of defaults would give an incentive to developers to
> incorporate it without having to disrupt useability for ordinary
> desktop users?
>
> Cheers
>
> Chris Seary
>
> http://blog.searyblog.com/
>

> Hi Dominick
>
> Not quite the same thing - MyComputer, LocalIntranet etc. relate to
> where the code was obtained from. I was suggesting different defaults
> for the computer actually running the components. I think it's fair
> that different types of server would need different defaults, the same
> as different web apps have different levels of trust.
>
> However, I agree that giving all code on the local computer FullTrust
> via the Machine policy is not at all useful. This is where different
> defaults might be useful - I can't see that one could provide a
> particular definition for this particular code group that would cover
> all uses.
>
> It may be that developers just don't get CAS, as you said. Everyone's
> mindset is still tuned to users and groups. Changing this is more to
> do with education and community initiatives.
>
> Many developers really haven't invested time in CAS. A good example is
> the slew of new books on ASP.Net 2.0. Not a mention of CAS in most of
> them, and conveniently all mention of the <trust /> element has been
> left out of most sections on Configuration.
>
> I brought CAS up as an example at the Connect Event in Nice a couple
> of weeks ago:
> http://blog.searyblog.com/blog/_archives/2006/3/24/1838950.html. I
> specifically raised the issues regarding the current defaults for CAS
> (ie. more or less turned off), and most people in the room agreed that
> this was not a good thing. So hopefull this may bring about changes?
>
> Another way to push this forward to this might be to develop more
> design patterns. I've worked as a security architect on projects where
> competent use of CAS has reduced the work necessary to develop an
> application, and made deployment issues easier. This sort of stuff
> needs to be disseminated further in the community.
>
> Finally, I don't remember answering a single question on CAS to get my
> MCSD. Putting this stuff into a compulsory part of the exam would be
> useful.
>
> Cheers
>
> Chris Seary
>
> http://blog.searyblog.com/
>

"oldbear" wrote:

> Hi Kurt
>
> For those of us working in security it's hard to contemplate the idea of
> insecure defaults, and so I agree with what you say. However, there's also
> the tradeoff regarding useability.
>
> For ASP.Net applications, there are different levels of trust for
> applications (FullTrust, High, Medium etc.). This gives me some food for
> thought.
>
> How about different defaults for different types of servers? For instance,
> the current defaults would be the 'Low' setting, whereas the ones that you
> suggest would be the 'Medium' setting, with a 'High' set of defaults for
> application servers.
>
> Just a thought, but I'd really appreciate your opinions here.
>
> Many large-scale applications don't seem to use CAS at all. Perhaps offering
> a choice of defaults would give an incentive to developers to incorporate it
> without having to disrupt useability for ordinary desktop users?
>
> Cheers
>
> Chris Seary
>
> http://blog.searyblog.com/
>
>

> One thing I noticed in first release of .NET is that programs stored on My
> Computer were granted fulltrust regardless its location effectivly equivelant
> to an unmanaged application.  My thought is that assemblies in temp
> directories, my documents, etc, can in general be assumed to have come from a
> some external location and should not initially have fulltrust without the
> user having explicitly granted it by installing the application and/or
> modifying the security policy.  Saving an assembly to the local disk should
> not in itself be sufficient IMHO to increase an assemblies trust permission. 
>
> For example, say the user is requested by a internet site to download an
> application that unknown to the user scans all of their files for personal
> information and transmits it to some internet site.  The internet site knows
> that the application will not have permissions to run in the internet zone so
> they package instruct the user to save as (despite the warnings presented if
> the user can do it he mostlikely will) and run from their computer (where it
> will have fulltrust).  Once saved the the users computer it effectivly has
> the same permissions as any other unmanaged application thus nullifying CAS. 
> At present the advantages of a tighter security policy have somewhat limited
> reach because the internet site could have requested the user download an
> unmanaged application but a managed application is in genereal much easier to
> develop.  However my hope is that in the near future we will have the ability
> to restrict execution of unapproved unmanaged applications.  For example
> administrator approves only unmanaged applications located in program files
> and windows folders and the local network share, if we then repeat the above
> scenario with a managed and an unmanaged application the unmanaged
> application would not be able to run but the managed application would have
> full trust and this would be a serious loophole.  Of course the CAS policy
> can be changed to have simalar restrictions which is exactly what I'm
> proposing.
>
> My suggestion is that the default security policy should only grant full
> trust only to assemblies located in the Program Files and Windows\... folder
> (systemX or whatever is needed but not windows\temp), all other locations
> should default to Internet Zone permissions rather then FullTrust.  I would
> much rather have the permissions of an assembly reduced when the user copies
> an assembly from a network share for example then increased when downloaded
> from the internet. 
>
> Thanks,
>
>

> One thing I noticed in first release of .NET is that programs stored on My
> Computer were granted fulltrust regardless its location effectivly equivelant
> to an unmanaged application.  My thought is that assemblies in temp
> directories, my documents, etc, can in general be assumed to have come from a
> some external location and should not initially have fulltrust without the
> user having explicitly granted it by installing the application and/or
> modifying the security policy.  Saving an assembly to the local disk should
> not in itself be sufficient IMHO to increase an assemblies trust permission. 
>
> For example, say the user is requested by a internet site to download an
> application that unknown to the user scans all of their files for personal
> information and transmits it to some internet site.  The internet site knows
> that the application will not have permissions to run in the internet zone so
> they package instruct the user to save as (despite the warnings presented if
> the user can do it he mostlikely will) and run from their computer (where it
> will have fulltrust).  Once saved the the users computer it effectivly has
> the same permissions as any other unmanaged application thus nullifying CAS. 
> At present the advantages of a tighter security policy have somewhat limited
> reach because the internet site could have requested the user download an
> unmanaged application but a managed application is in genereal much easier to
> develop.  However my hope is that in the near future we will have the ability
> to restrict execution of unapproved unmanaged applications.  For example
> administrator approves only unmanaged applications located in program files
> and windows folders and the local network share, if we then repeat the above
> scenario with a managed and an unmanaged application the unmanaged
> application would not be able to run but the managed application would have
> full trust and this would be a serious loophole.  Of course the CAS policy
> can be changed to have simalar restrictions which is exactly what I'm
> proposing.
>
> My suggestion is that the default security policy should only grant full
> trust only to assemblies located in the Program Files and Windows\... folder
> (systemX or whatever is needed but not windows\temp), all other locations
> should default to Internet Zone permissions rather then FullTrust.  I would
> much rather have the permissions of an assembly reduced when the user copies
> an assembly from a network share for example then increased when downloaded
> from the internet. 
>
> Thanks,
>
>

> One thing I noticed in first release of .NET is that programs stored on My
> Computer were granted fulltrust regardless its location effectivly equivelant
> to an unmanaged application.  My thought is that assemblies in temp
> directories, my documents, etc, can in general be assumed to have come from a
> some external location and should not initially have fulltrust without the
> user having explicitly granted it by installing the application and/or
> modifying the security policy.  Saving an assembly to the local disk should
> not in itself be sufficient IMHO to increase an assemblies trust permission. 
>
> For example, say the user is requested by a internet site to download an
> application that unknown to the user scans all of their files for personal
> information and transmits it to some internet site.  The internet site knows
> that the application will not have permissions to run in the internet zone so
> they package instruct the user to save as (despite the warnings presented if
> the user can do it he mostlikely will) and run from their computer (where it
> will have fulltrust).  Once saved the the users computer it effectivly has
> the same permissions as any other unmanaged application thus nullifying CAS. 
> At present the advantages of a tighter security policy have somewhat limited
> reach because the internet site could have requested the user download an
> unmanaged application but a managed application is in genereal much easier to
> develop.  However my hope is that in the near future we will have the ability
> to restrict execution of unapproved unmanaged applications.  For example
> administrator approves only unmanaged applications located in program files
> and windows folders and the local network share, if we then repeat the above
> scenario with a managed and an unmanaged application the unmanaged
> application would not be able to run but the managed application would have
> full trust and this would be a serious loophole.  Of course the CAS policy
> can be changed to have simalar restrictions which is exactly what I'm
> proposing.
>
> My suggestion is that the default security policy should only grant full
> trust only to assemblies located in the Program Files and Windows\... folder
> (systemX or whatever is needed but not windows\temp), all other locations
> should default to Internet Zone permissions rather then FullTrust.  I would
> much rather have the permissions of an assembly reduced when the user copies
> an assembly from a network share for example then increased when downloaded
> from the internet. 
>
> Thanks,
>
>

"Dinis Cruz" wrote:

> Kurt, I am also totally with you and have been saying (for more that two
> years now) that Full Trust is a very bad idea, and that we need to move
> into a development environment where it makes business sense to develop
> partially trusted applications.
>
> The main problem is that nobody (apart from the odd ones like us) seem
> to take this problem seriously. The Clients don't ask for it, the
> developers don't want to spend the extra development cost to do it, and
> Microsoft doesn't want to admit the problem:
>
> The first thing that I ask Microsoft to do is to say very clearly that:
>
> "Full Trust applications are insecure and potentially very dangerous for
> the users running them (or for co-hosted websites), so we now need (as
> an industry) to make the effort to develop, deploy and maintain
> applications that can be executed in secure partially trusted
> environments".
>
> But so far Microsoft (and I have meet and emailed with several key
> players in there) still refuses to deal with this issue and prefers to
> put the head in the sand and ignore it.
>
> I have to say that I was really disappointed when 2.0 was released
> without a major push for Partially trusted development. For example I
> was hoping that it would be possible to run by default .Net applications
> executed from your local computer in a secure partially trusted
> environment. But that didn't happened, and I have to say that apart from
> a couple more articles (and good blogs) there isn't much difference
> between 1.1 and 2.0 (yeah there are things like transparency and other
> bits in there too :).
>
> So, until you see guys from Microsoft in discussions like these, nothing
> will begin to change.
>
> But hey, keep making noise, I know that one day (eventually) we will get
> there.
>
> Dinis Cruz
> Owasp .Net Project
> www.owasp.net
>
>
>
>
>
> Kurt wrote:
> > One thing I noticed in first release of .NET is that programs stored on My
> > Computer were granted fulltrust regardless its location effectivly equivelant
> > to an unmanaged application.  My thought is that assemblies in temp
> > directories, my documents, etc, can in general be assumed to have come from a
> > some external location and should not initially have fulltrust without the
> > user having explicitly granted it by installing the application and/or
> > modifying the security policy.  Saving an assembly to the local disk should
> > not in itself be sufficient IMHO to increase an assemblies trust permission. 
> >
> > For example, say the user is requested by a internet site to download an
> > application that unknown to the user scans all of their files for personal
> > information and transmits it to some internet site.  The internet site knows
> > that the application will not have permissions to run in the internet zone so
> > they package instruct the user to save as (despite the warnings presented if
> > the user can do it he mostlikely will) and run from their computer (where it
> > will have fulltrust).  Once saved the the users computer it effectivly has
> > the same permissions as any other unmanaged application thus nullifying CAS. 
> > At present the advantages of a tighter security policy have somewhat limited
> > reach because the internet site could have requested the user download an
> > unmanaged application but a managed application is in genereal much easier to
> > develop.  However my hope is that in the near future we will have the ability
> > to restrict execution of unapproved unmanaged applications.  For example
> > administrator approves only unmanaged applications located in program files
> > and windows folders and the local network share, if we then repeat the above
> > scenario with a managed and an unmanaged application the unmanaged
> > application would not be able to run but the managed application would have
> > full trust and this would be a serious loophole.  Of course the CAS policy
> > can be changed to have simalar restrictions which is exactly what I'm
> > proposing.
> >
> > My suggestion is that the default security policy should only grant full
> > trust only to assemblies located in the Program Files and Windows\... folder
> > (systemX or whatever is needed but not windows\temp), all other locations
> > should default to Internet Zone permissions rather then FullTrust.  I would
> > much rather have the permissions of an assembly reduced when the user copies
> > an assembly from a network share for example then increased when downloaded
> > from the internet. 
> >
> > Thanks,
> >
> >
>