caspol & local intranet security

[adam]

Hi

We have built an aspnet application which uses a windows
user control embedded in an object tag. The app is to be
deployed on a large client intranet. The object requires
full trust security to work properly.

What is the easiest way to configure the client's
corporate network. They would quite like to do it only
for users in one particular NT Group.

They run a logon script for each user, from which command
line stuff can be run. Is it possible to use caspol to
set the security for the intranet zone to full trust.
They would prefer this option than setting this for a
particular assembly. If so what would be the syntax? We
did have a look at the documentation but couldnt work out
how to change the settings for the whole zone?

We also tried using mscorcfg.msc to alter the enterprise
settings for this zone. Although this appeared to change
the client machines, (all of them) the assemblies wouldnt
run. This was the despite the fact that using mscorcfg to
check the permissions for the appropriate assemblies
showed they had full trust at enterprise, machine and
user levels. They wouldnt run until we changed it at the
individual machine level on the approrpirate pcs.

Adam

 

[MSFT]

Hi Adam,

Thank you for using MSDN Newsgroup. I am Luke and I am review this issue
currently. As I understand, you want to find some way which can change the
Zone Security setting for intranet. Regarding the problem, I think
Caspol.exe should be a good solution: It can create/modify code group's
attributes in the code access security setting:

Changing Code Groups
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/htm
l/cpconchangingcodegroup.asp

In your situation, you need follow command:

Caspol -machine -chggroup LocalIntranet_Zone Fulltrust

or

Caspol -machine -chggroup 1.2 Fulltrust

This will grant full trust to local intranet code group.

For more information on caspol, you may refer to:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/htm
l/cpconusingcodeaccesssecuritypolicytoolcaspolexe.asp

Hope this help,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Joe Kaplan \(MVP - ADSI\)]

It seems like you could also maybe use group policy to push down a
deployment package that you create with the .NET configuration tools.

In general, granting Full Trust to the intranet zone is not recommended. It
would be much better to use a strong name membership condition for Full
Trust and sign all of your assemblies with the appropriate key. However,
you would also need to remember to use Assert carefully in your code and set
the AllowPartiallyTrustedCallers attribute on your assemblies as the
AppDomain that IE loads the code in would not be Full Trust, even though
your assemblies would be.

The other way to go might be with a URL membership condition. This is
slightly better than granting the whole intranet zone Full Trust.

My $0.02,

Joe K.

 

[adam]

Thanks luke

I tried this, but both the options you suggest fail with the message

Unknown permission set "Fulltrust"

Adam

----- MSFT wrote: -----

Hi Adam,

Thank you for using MSDN Newsgroup. I am Luke and I am review this issue
currently. As I understand, you want to find some way which can change the
Zone Security setting for intranet. Regarding the problem, I think
Caspol.exe should be a good solution: It can create/modify code group's
attributes in the code access security setting:

Changing Code Groups
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/htm
l/cpconchangingcodegroup.asp

In your situation, you need follow command:

Caspol -machine -chggroup LocalIntranet_Zone Fulltrust

or

Caspol -machine -chggroup 1.2 Fulltrust

This will grant full trust to local intranet code group.

For more information on caspol, you may refer to:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/htm
l/cpconusingcodeaccesssecuritypolicytoolcaspolexe.asp

Hope this help,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[MSFT]

Hi Adam,

Sorry for confuse. You may try "FullTrust" instead. Another useful Caspol
command is:

Caspol -machine -listgroups

You can chekc current policy setting with this command.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)