NET permissions, user objects and IE

[Guest]

Hi,

I will appreciate any insights to set the right permissions to a Windows
Forms Control that is embedded in an html document. The control will be
downloaded by the html doc to the local system to do its job. It requires
file system and registry access rights (read/write).

One of the problems is that restricted users will open the html document
(using IE) and the control needs to have enough rights to access the file
system and registry as mentioned above.

I have done the following:
1) Signed the control.
2) Created a NET policy to grant the respective rights to the control using
NET configuration snap-in. (even tried full trust and am having problems)

Attempted granting read access to a subkey as below but failed. The specific
code lines are:
try
{
new RegistryPermission(RegistryPermissionAccess.Read, subKey).Assert();

RegistryKey rk;
RegistryKey sk1 = rk.OpenSubKey(subKey);

// Revert assert here
}
catch (SecurityException e)
{
MessageBox.Show(e.ToString());
}

I get an SecurityException at OpenSubKey above.

The file system security settings are given using:
// Set unrestricted permissions to access the filesystem
new FileIOPermission(PermissionState.Unrestricted).Assert();
string[] sts = Directory.GetLogicalDrives();
// Revert assert here

I get an SecurityException at above line. However the below code works
(weird!!)
new FileIOPermission(PermissionState.Unrestricted).Assert();
string directoryPath = "c:\\";
string st[] = Directory.GetDirectories(directoryPath);
// Revert assert here

Questions:
What is the best way to do it?
Should I impersonate the access with elevated rights? How?
Can I avoid creating a msi package to have the administrator installing the
control locally, before using it?

Thank you,

Carlos

 

[John Parrish]

Why must the control be within an HTML page? Within the browser you are
in a sandbox, and unless you write a small stub exe to do some
configuration locally (while running under full trust) and have the end
users decide to execute your stub, you won't be able to accomplish what
you are looking for.

This is a good thing, to protect users from malicious code. You need to
be in a zone where your software is given full trust, and that is not
within the browser.

 

[Guest]

Hello John,

I understand security is a must and welcome all MS efforts. However, this
control will be used in the Intranet where users within the network should be
able to use it on demand regardless of which domain they are.
Distributing the control In a multidomain enterprise may require creating
several different groups depending on what users will use it. This brings
additional tasks to the process as creating specific group policies will be
required.
ie. Using IE to distribute an update of the control will require just
uploading the control to the intranet website and that is all. When they
access it again, the new control will be used instead with no other changes.

Seems like there are no many options to do what I was requested.

Thank you for your comments,

Carlos Lozano

 

[John Parrish]

Carlos,

In your circumstance 2 things may be possible. 1. Register your
application certificate with a trusted CA, like verisign, entrust, etc.
One that is already configured as a trusted CA within IE. That would
grant your application an implicit trust since (correct me if I'm wrong)
code signed with a trusted CA cert has higher privilege. I am saying
that from knowledge from way back, so it might not work out for you with
CLR code access.

2. Take a look at click-once deployment with Windows Forms. Refer to the
following.

http://msdn.microsoft.com/msdnmag/issues/04/05/ClickOnce/

Hope this helps.

Regards.

John Parrish

 

[Guest]

Hello John,

I am attemting using the CA approach, but I am having an issue when
assigning the certificate (a PFX file) to the assembly. I am getting a
compiling error saying "bad version of provider" and fails to build.

By any chance do you know what is it about?

Thank you,

Carlos Lozano