v3.5 SP1 issue with previous versions

Techno_Dex

SP1 now plays with new trust rules when using assemblies across a network
share. By default these assemblies are now granted full trust where in
previous versions the Microsoft .NET Framework 2.0 Configuration utility was
used in order to increase security trust from partial to full on signed
assemblies. The problem with this new change is since .NET 3.x+ versions
are basically service packs of the 2.0 framework anyone with a VS2005
application built against the v2.0 framework can kiss this security goodbye
as once the 3.5 SP1 is installed the v2.0 application now operates in full
trust mode across a network share by default even though it wasn't compiled
against the v3.5 framework. I agree that this was a good improvement to
make, but this is also going to create a QA nightmare as applications which
shouldn't require the v3.5 framework will now operate in a different fashion
if it is installed.
 
Alvin Bruney [ASP.NET MVP]

Correcto. I had my issues with this which I raised all the way to the top
brass and then some. As it turns out, you can revert the behavior to
'legacy' mode by tweaking a registry key. But that is not the default
behavior and, depending on your environment, you would have to plan
appropriately to implement it across your enterprise. It may require at
least a QA regression as well.

The change was made to 'unify' the behavior across the Windows operating
platform with regard to managed v. unmanaged execution. The reason for the
change was customer driven.

--

Regards,
Alvin Bruney [MVP ASP.NET]

[Shameless Author plug]
Download OWC Black Book, 2nd Edition
Exclusively on www.lulu.com/owc $15.00
Need a free copy of VSTS 2008 w/ MSDN Premium?
http://msmvps.com/blogs/alvin/Default.aspx
 
Techno_Dex

I would be interested to find out more about this if you have more details.
Since v3.0+ uses the .NET Framework 2.0 Configuration utility for security
levels what kind of interactions does this Full Trust change have in the Code
Access Security Policy section, mainly the Local Intranet zone? I would have
expected the Local Intranet zone to be raised to Full Trust but it's not. Is
the Local Intranet zone completely ignored once SP1 is installed? Do you
happen to know what the Registry key is in the event that we need to support
the "legacy" mode? My fear at this point is that a client with a 2.0 app
already installed will have SP1 pushed out via Windows Update and not know
any different until things start behaving differently.

TIA

 
Alvin Bruney [ASP.NET MVP]

Read more here:
http://msdn.microsoft.com/en-us/library/cc713717.aspx

--

Regards,
Alvin Bruney [MVP ASP.NET]

[Shameless Author plug]
Download OWC Black Book, 2nd Edition
Exclusively on www.lulu.com/owc $15.00
Need a free copy of VSTS 2008 w/ MSDN Premium?
http://msmvps.com/blogs/alvin/Default.aspx
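
A startup probe for the behaviour discussed in this thread, added here as an example and not posted by either participant: it reports the zone the executable was loaded from and whether the CLR granted it full trust, so the same v2.0 build can be compared on machines with and without 3.5 SP1. It uses only .NET 2.0 APIs; the class name `TrustProbe` is hypothetical.

```csharp
// Added example (not from the thread). Build against .NET 2.0 and run the
// resulting exe from a local disk and from a network share.
using System;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

static class TrustProbe   // hypothetical name
{
    // Full trust means the grant set is unrestricted. Demanding an
    // unrestricted PermissionSet walks the stack and throws
    // SecurityException if this assembly was only partially trusted.
    static bool IsFullTrust()
    {
        try
        {
            new PermissionSet(PermissionState.Unrestricted).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    static int Main()
    {
        string codeBase = Assembly.GetExecutingAssembly().CodeBase;
        // Zone that the load URL maps to (a UNC path is normally Intranet).
        SecurityZone zone = Zone.CreateFromUrl(codeBase).SecurityZone;
        bool fullTrust = IsFullTrust();

        // The CLR stays 2.0.x after 3.x is installed; the revision part of
        // the version shows which service-pack level is actually running.
        Console.WriteLine("CLR version : {0}", Environment.Version);
        Console.WriteLine("Code base   : {0}", codeBase);
        Console.WriteLine("Zone        : {0}", zone);
        Console.WriteLine("Full trust  : {0}", fullTrust);

        // Flag the case the thread is about: code that did not come from
        // the local machine but is running without CAS restrictions.
        bool remoteAndFull = fullTrust && zone != SecurityZone.MyComputer;
        if (remoteAndFull)
            Console.WriteLine("NOTE: non-local code is running with full trust.");
        return remoteAndFull ? 1 : 0;   // exit code usable in a QA script
    }
}
```

The non-zero exit code lets a regression script record which machines run share-hosted code unrestricted.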
 
