.NET security : Administering Isolated Storage

10/13/2010 11:51:18 AM
There are two aspects to the administration of isolated storage:
  • Configuring security policy to control access to isolated storage
  • Managing existing stores

In the following sections, we discuss the administration of isolated storage, beginning with the configuration of security policy.

1. Configuring Security Policy

You can use both the .NET Framework Configuration tool (Mscorcfg.msc) and the Code Access Security Policy tool (Caspol.exe) to administer the security policy that grants access to isolated storage. The following sections describe how to use Mscorcfg.msc and Caspol.exe specifically to control access to isolated storage.

1.1. Granting isolated storage permissions with Mscorcfg.msc

To grant code access to isolated storage, you must create a named permission set that grants its members the IsolatedStorageFilePermission class, and you must assign this permission set to a code group. To create a permission set containing IsolatedStorageFilePermission, follow the process we described in Section 1.1. Figure 1 shows the dialog box through which you select the permissions to add to the new permission set. The Isolated Storage File entry (highlighted in the figure) represents the IsolatedStorageFilePermission class.

Figure 1. Selecting IsolatedStorageFilePermission graphically

When you press the Add >> button to include IsolatedStorageFilePermission in your permission set, the dialog box shown in Figure 2 appears and allows you to configure the specific level of isolated storage access to grant.

Figure 2. Configuring IsolatedStorageFilePermission graphically

You can grant unrestricted access to isolated storage by pressing the bottom radio button, or grant a specific level of access by pressing the top radio button and choosing the desired level from the Usage Allowed drop-down list. The configuration maps to the values of the IsolatedStorageContainment enumeration.
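The following program is an added example, not code from the original text or from the .NET Framework documentation. It shows what a given Usage Allowed setting actually enforces: first as the subset test that code access security applies when a demand is evaluated, and then at run time by placing the same IsolatedStorageFilePermission on the stack with PermitOnly and attempting to open domain- and assembly-scoped stores. The class and method names are assumptions for the example; the quota of 2048 bytes matches the IsoTestSet permission set used later on this page. It targets the .NET Framework, because permission stack walks do not exist on .NET Core or later.

```csharp
// Added example (not from the original text): what a given UsageAllowed value
// permits, which is what the Usage Allowed drop-down and the
// IsolatedStorageContainment enumeration control. Targets the .NET Framework.
using System;
using System.IO.IsolatedStorage;
using System.Security;
using System.Security.Permissions;

public static class ContainmentCheck
{
    // CAS evaluates a demand as a subset test: the demand succeeds when the
    // demanded permission is a subset of what the grant allows.
    public static bool GrantSatisfies(IsolatedStorageContainment granted,
                                      IsolatedStorageContainment demanded)
    {
        var grant = new IsolatedStorageFilePermission(PermissionState.None)
        {
            UsageAllowed = granted
        };
        var demand = new IsolatedStorageFilePermission(PermissionState.None)
        {
            UsageAllowed = demanded
        };
        return demand.IsSubsetOf(grant);
    }

    // Runs a store-opening call with PermitOnly on this frame, so the call is
    // treated as if policy had granted only 'granted'. Returns true when the
    // store opens, false when the runtime refuses it with a SecurityException.
    public static bool CanOpen(IsolatedStorageContainment granted,
                               Func<IsolatedStorageFile> open)
    {
        var grant = new IsolatedStorageFilePermission(PermissionState.None)
        {
            UsageAllowed = granted,
            UserQuota = 2048   // same quota as the IsoTestSet permission set
        };
        grant.PermitOnly();
        try
        {
            using (IsolatedStorageFile store = open())
            {
                return true;
            }
        }
        catch (SecurityException)
        {
            return false;
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();
        }
    }

    public static void Main()
    {
        // What the subset test says about the three most common settings.
        var levels = new[]
        {
            IsolatedStorageContainment.DomainIsolationByUser,
            IsolatedStorageContainment.AssemblyIsolationByUser,
            IsolatedStorageContainment.UnrestrictedIsolatedStorage
        };
        foreach (IsolatedStorageContainment g in levels)
        {
            Console.WriteLine("{0,-30} domain store: {1,-5} assembly store: {2}",
                g,
                GrantSatisfies(g, IsolatedStorageContainment.DomainIsolationByUser),
                GrantSatisfies(g, IsolatedStorageContainment.AssemblyIsolationByUser));
        }

        // The same ordering observed at run time: with DomainIsolationByUser
        // only, a domain-scoped store opens but an assembly-scoped store is refused.
        var d = IsolatedStorageContainment.DomainIsolationByUser;
        Console.WriteLine("GetUserStoreForDomain   under DomainIsolationByUser: " +
            CanOpen(d, IsolatedStorageFile.GetUserStoreForDomain));
        Console.WriteLine("GetUserStoreForAssembly under DomainIsolationByUser: " +
            CanOpen(d, IsolatedStorageFile.GetUserStoreForAssembly));
    }
}
```

The subset test is the point to take away: the containment levels form an ordering, so a grant of AssemblyIsolationByUser also satisfies a demand for DomainIsolationByUser, while the reverse is refused. Choosing the narrowest level that the application's store calls actually need is what keeps the grant minimal.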

1.2. Granting isolated storage permissions with Caspol.exe

To create a named permission set that grants access to isolated storage, you must generate an XML file that contains the description of a System.Security.NamedPermissionSet object containing a configured IsolatedStorageFilePermission object. Because of the complexity of the XML description, we recommend that you don't try to create these XML files manually; instead, create the permission set programmatically and write its XML description to a file, as demonstrated in Example 1:

Example 1. Programmatically creating an XML description of a permission set
# C#

using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

public class WritePermSet {

    public static void Main( ) {

        // Create an empty NamedPermissionSet
        NamedPermissionSet nps =
            new NamedPermissionSet("IsoTestSet", PermissionState.None);

        // Create an IsolatedStorageFilePermission and add it to the
        // NamedPermissionSet
        IsolatedStorageFilePermission p =
            new IsolatedStorageFilePermission(PermissionState.None);
        p.UsageAllowed = IsolatedStorageContainment.DomainIsolationByUser;
        p.UserQuota = 2048;
        nps.AddPermission(p);

        // Write the NamedPermissionSet to a file
        StreamWriter sw = new StreamWriter("IsoTestSet.xml");
        sw.Write(nps.ToString( ));
        sw.Close( );
    }
}

# Visual Basic .NET

Imports System
Imports System.IO
Imports System.Security
Imports System.Security.Permissions

Public Class WritePermSet

    Public Shared Sub Main( )

        ' Create an empty NamedPermissionSet
        Dim nps As NamedPermissionSet = _
            New NamedPermissionSet("IsoTestSet", PermissionState.None)

        ' Create an IsolatedStorageFilePermission and add it to the
        ' NamedPermissionSet
        Dim p As IsolatedStorageFilePermission = _
            New IsolatedStorageFilePermission(PermissionState.None)
        p.UsageAllowed = IsolatedStorageContainment.DomainIsolationByUser
        p.UserQuota = 2048
        nps.AddPermission(p)

        ' Write the NamedPermissionSet to a file
        Dim sw As StreamWriter = New StreamWriter("IsoTestSet.xml")
        sw.Write(nps.ToString( ))
        sw.Close( )
    End Sub
End Class


Running this utility produces a file named IsoTestSet.xml that contains the following XML (the assembly-qualified type name in the IPermission class attribute is abbreviated here):

<PermissionSet class="System.Security.NamedPermissionSet"
               version="1"
               Name="IsoTestSet">
   <IPermission class="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib, ..."
                version="1"
                Allowed="DomainIsolationByUser"
                UserQuota="2048"/>
</PermissionSet>


You can use the IsoTestSet.xml file to create a new permission set in the machine policy level using the following command:

caspol -machine -addpset IsoTestSet.xml
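Before a permission set file is added to machine policy, it is worth reading it back and confirming that it grants exactly what you intended and nothing more. The following program is an added example, not code from the original text; it loads IsoTestSet.xml through the same PermissionSet XML API that the policy tools use and checks that the set contains only an IsolatedStorageFilePermission no broader than a stated ceiling. The class and method names are assumptions for the example, and it assumes the file written by Example 1 is in the working directory.

```csharp
// Added example (not part of the original text): reads IsoTestSet.xml back and
// reports what it would grant before it is loaded into policy with caspol.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

public static class CheckPermSet
{
    // Loads a named permission set from its XML description.
    // FromXml throws ArgumentException on malformed input.
    public static NamedPermissionSet Load(string path)
    {
        SecurityElement root = SecurityElement.FromString(File.ReadAllText(path));
        var nps = new NamedPermissionSet("unnamed", PermissionState.None);
        nps.FromXml(root);   // Name and the IPermission children come from the file
        return nps;
    }

    // True only when the set grants isolated storage access and nothing else,
    // with a usage level no wider than 'maxUsage' and a quota no larger than
    // 'maxQuota' bytes. Anything broader deserves a second look before it
    // lands in machine policy.
    public static bool IsNarrowIsolatedStorageGrant(NamedPermissionSet nps,
        IsolatedStorageContainment maxUsage, long maxQuota)
    {
        if (nps.IsUnrestricted()) return false;   // FullTrust in disguise

        int count = 0;
        IsolatedStorageFilePermission iso = null;
        foreach (IPermission perm in nps)
        {
            count++;
            iso = perm as IsolatedStorageFilePermission;
            if (iso == null) return false;          // some other permission is present
        }
        if (count != 1 || iso == null) return false;

        var ceiling = new IsolatedStorageFilePermission(PermissionState.None)
        {
            UsageAllowed = maxUsage,
            UserQuota = maxQuota
        };
        // The subset test is how CAS itself compares permissions.
        return iso.IsSubsetOf(ceiling);
    }

    public static void Main()
    {
        NamedPermissionSet nps = Load("IsoTestSet.xml");
        Console.WriteLine("Permission set '{0}' contains:", nps.Name);
        foreach (IPermission perm in nps)
            Console.WriteLine("  " + perm.GetType().Name);

        bool ok = IsNarrowIsolatedStorageGrant(nps,
            IsolatedStorageContainment.DomainIsolationByUser, 2048);
        Console.WriteLine(ok
            ? "OK: grants only per-domain, per-user isolated storage with a 2048-byte quota"
            : "WARNING: set grants more than the intended isolated storage access");
    }
}
```

Run it against the file produced by Example 1 and it reports a single IsolatedStorageFilePermission and prints the OK line; edit the file to add another IPermission element, or raise Allowed to UnrestrictedIsolatedStorage, and the check fails. The same routine can be pointed at any permission set XML before it is handed to caspol -addpset.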

2. Managing Isolated Storage Stores

The Isolated Storage tool (Storeadm.exe) is a command-line tool that comes with the .NET Framework SDK and is located in the /bin subdirectory of the SDK installation directory. Storeadm.exe allows you to list or remove the stores of the current user; no tool lets you manage isolated storage for all users, and you must manage the user's roaming and nonroaming stores independently.

To list the nonroaming stores of the current user, use the command storeadm /list. Adding the /roaming flag lists the roaming stores instead (for example, storeadm /list /roaming). Either command lists the stores but not their contents, producing output similar to that shown here. We have abbreviated the StrongName.Key and Publisher.X509Certificate elements and simplified the evidence element names in the interest of brevity:

Microsoft (R) .NET Framework Store Admin 1.0.3705.0
Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.

Record #1
[Assembly]
<StrongName Key="002400000480000094000000060200000024000052534131
                 00040000010001005308669520E62E2E1F08F07B0D5DA0B33C0F82AC093C54E26
                 852080E8C5B7"
            Name="SomeOtherApp"
            Version="1.5.0.0"/>

Size : 0
Record #2
[Domain]
<Url>
   <Url>file://C:/Development/projects</Url>
</Url>
[Assembly]
<Publisher>
   <X509Certificate>308201713082011BA0030201020210E5D7C7E57FD9B9B347A7EE
                    AC3221100A39899EB866979DBBB6430F5A52A024FC7FCEE9</X509Certificate>
</Publisher>

Size : 0


The example output contains information about two stores, Record #1 and Record #2. Record #1 represents a store isolated by user and assembly; the assembly's StrongName evidence identifies the creating code. Record #2 represents a store isolated by user, assembly, and application domain; the application domain's Url evidence and the assembly's Publisher evidence identify the creating code.

Storeadm.exe also allows you to remove stores for the current user. However, you must remove all roaming or nonroaming stores at once; there is no way to remove individual stores. To remove all nonroaming stores, use the command storeadm /remove. To remove all roaming stores, use the command storeadm /roaming /remove.

Storeadm.exe will not prompt you to confirm the removal of stores, and you cannot recover any stores once you remove them.
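The listing that Storeadm.exe produces can also be obtained programmatically, which is useful when you want the inventory in a form you can filter or log. The following program is an added example, not code from the original text: it is the equivalent of storeadm /list and storeadm /list /roaming for the current user, built on IsolatedStorageFile.GetEnumerator. Like the tool, it sees only the current user's stores and requires the AdministerIsolatedStorageByUser level. The class and method names are assumptions for the example; the UsedSize property assumes .NET Framework 4 or later, and the enumerator is not available on .NET Core or later.

```csharp
// Added example (not part of the original text): programmatic equivalent of
// "storeadm /list" and "storeadm /list /roaming". Targets the .NET Framework.
using System;
using System.Collections;
using System.Collections.Generic;
using System.IO.IsolatedStorage;

public static class StoreList
{
    public sealed class StoreInfo
    {
        public string Scope;
        public string Domain;     // null for stores isolated by assembly only
        public string Assembly;
        public long Size;

        public override string ToString()
        {
            string domain = Domain == null ? "" : "[Domain]\n" + Domain + "\n";
            return domain + "[Assembly]\n" + Assembly + "\n\nSize : " + Size;
        }
    }

    // Lists the current user's nonroaming stores, or the roaming stores when
    // 'roaming' is true, mirroring the two storeadm commands.
    public static List<StoreInfo> ListStores(bool roaming)
    {
        IsolatedStorageScope scope = IsolatedStorageScope.User;
        if (roaming) scope |= IsolatedStorageScope.Roaming;

        var result = new List<StoreInfo>();
        IEnumerator e = IsolatedStorageFile.GetEnumerator(scope);
        while (e.MoveNext())
        {
            var store = (IsolatedStorageFile)e.Current;
            try
            {
                // DomainIdentity throws InvalidOperationException on a store
                // that is isolated by assembly only (like Record #1 above),
                // so consult Scope before reading it.
                bool hasDomain = (store.Scope & IsolatedStorageScope.Domain) != 0;
                result.Add(new StoreInfo
                {
                    Scope = store.Scope.ToString(),
                    Domain = hasDomain ? store.DomainIdentity.ToString() : null,
                    // Evidence objects render as the same XML storeadm prints.
                    Assembly = store.AssemblyIdentity.ToString(),
                    Size = store.UsedSize
                });
            }
            finally
            {
                store.Close();
            }
        }
        return result;
    }

    public static void Main()
    {
        foreach (bool roaming in new[] { false, true })
        {
            Console.WriteLine(roaming ? "Roaming stores:" : "Nonroaming stores:");
            int n = 0;
            foreach (StoreInfo s in ListStores(roaming))
                Console.WriteLine("Record #{0}\n{1}\n", ++n, s);
            if (n == 0) Console.WriteLine("(none)\n");
        }
    }
}
```

Reading Scope before DomainIdentity is the one detail that matters: a store created with GetUserStoreForAssembly has no domain identity, and asking for it throws rather than returning null.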
