Automating .Net Security settings

Paul Steele

I love programming in C#/.Net, but distributing applications is a real pain.
I never know if the user who might use one of my utilities might have the
proper code permissions to run a network application or access an assembly.
I'm always having to tell new users to go into the .Net Configuration Wizard
and set All_Code to fulltrust, or add a new assembly under Office_Projects.
Is there any way to eliminate that aspect of .Net? I understand why Microsoft
has incorporated this feature in .Net, but it makes application distribution
a real hassle. Any suggestions on how to get around the problem would be
greatly appreciated.
 
Richard Blewett [DevelopMentor]

You tell people to set All Code to FullTrust? At the root of the machine policy? Are you mad? You've stopped CAS preventing *any* code from doing things it shouldn't (unless the user has modified other policies - which, if they are prepared to follow this advice, I'd say was unlikely). The whole point of CAS was to limit what code can do on a machine if it's not from a trusted source. You know that message box that IE puts up for .exes about them being dangerous when you click on a link to one? Well, it doesn't do that for .NET executables because their ability is limited by CAS - but hey, not on the machines of the people you've been advising!

Sorry for going in heavy here, but if you're going to advise people what to do with their CAS permissions, please make sure you understand what CAS does, why it does it and how it works. What you should do is create an installer utility or MSI that modifies the machine policy to add a codegroup, say under the root of machine, which grants fulltrust to your strong name or URL or whatever identifies your code in such a way that prevents other less trusted code having the ability to do things it shouldn't - or change your app so it can run OK with partial trust.

Regards

Richard Blewett - DevelopMentor
http://www.dotnetconsult.co.uk/weblog
http://www.dotnetconsult.co.uk

Paul Steele

I certainly understand the implications of setting things to fulltrust, and
I guess it's bad advice. I may have to look into creating an installer
utility to get around the problem. The main issue is that I write a lot of
system utilities that are simple EXE files and don't really need an
installer. These utilities are placed on the network for access by helpdesk
staff and they need to be able to run them on any system they happen to be
working on. It would be a big nuisance to have to install these little
utilities on each machine. Perhaps I'm overlooking something obvious...
 
Richard Blewett [DevelopMentor]

OK, if they are always on the same server, just create a codegroup on all machines with that server given fulltrust via a site based membership condition.

The other alternative is to use a file distribution mechanism (like AD Group Policy) to set all machine policy to grant fulltrust to all code and then secure the Enterprise Policy with whatever configuration you require. You can create this on a separate machine and just distribute the enterprisesec.config via a similar file distribution system.

It all depends on how much control you have over the network infrastructure.

Regards

Richard Blewett - DevelopMentor
http://www.dotnetconsult.co.uk/weblog
http://www.dotnetconsult.co.uk
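
The scoped code group suggested in the two replies above (FullTrust for one strong name, or for one server via a site membership condition, with All_Code left untouched) could be scripted with `caspol.exe` as follows. This is an added example, not code from the thread; the framework directory, assembly path, server name and group name are placeholders, and the script must run elevated because it edits machine policy.

```powershell
# Added example: scoped machine-level code group instead of FullTrust on All_Code.
# Placeholders (not from the thread): framework directory, paths, server and group names.
param(
    [ValidateSet('StrongName', 'Site')]
    [string]$Mode         = 'StrongName',
    [string]$AssemblyPath = '\\fileserver01\tools\HelpdeskUtil.exe',
    [string]$Site         = 'fileserver01',
    [string]$GroupName    = 'Helpdesk_Utilities',
    [string]$FrameworkDir = "$env:windir\Microsoft.NET\Framework\v2.0.50727"
)

$caspol = Join-Path $FrameworkDir 'caspol.exe'
if (-not (Test-Path $caspol)) { throw "caspol.exe not found in $FrameworkDir" }

# Idempotence: skip if a group with this name is already in machine policy.
$existing = & $caspol -machine -listgroups
if ($existing -match [regex]::Escape($GroupName)) {
    Write-Output "Code group '$GroupName' already present; nothing to do."
    return
}

# Membership condition: what identifies the code that receives FullTrust.
if ($Mode -eq 'StrongName') {
    # Public key taken from the signed assembly; any name/version signed with that key.
    $membership = @('-strong', '-file', $AssemblyPath, '-noname', '-noversion')
} else {
    # Any code loaded from this one host.
    $membership = @('-site', $Site)
}

# -quiet suppresses the policy-change confirmation prompt for this run only.
$caspolArgs = @('-quiet', '-machine', '-addgroup', 'All_Code') + $membership +
              @('FullTrust', '-name', $GroupName)
& $caspol @caspolArgs
if ($LASTEXITCODE -ne 0) { throw "caspol failed with exit code $LASTEXITCODE" }

# Show which code groups the assembly now resolves to.
& $caspol -resolvegroup $AssemblyPath
```

The strong-name mode trusts everything signed with that key wherever it is loaded from, while the site mode trusts everything served by that host regardless of who wrote it, so the choice depends on whether the key or the share is better controlled.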

Richard Blewett [DevelopMentor]

Just thought, assuming you are happy with the concept, you could get the users to set the Intranet Zone code group to the FullTrust permission set. As long as the machine names they are using don't have a dot (".") in their names then this will also work.

Regards

Richard Blewett - DevelopMentor
http://www.dotnetconsult.co.uk/weblog
http://www.dotnetconsult.co.uk
