3. Evaluating Security Policy
Caspol.exe also allows you to test an assembly to determine which code groups it is a member of and, consequently, which permissions the runtime would grant to it when loaded. To determine which groups an assembly is a member of, use the -resolvegroup flag and specify the assembly name as follows:
caspol -resolvegroup HelloWorld.exe
Depending on the evidence of the assembly and the configuration of security policy, the output will look similar to this:
Microsoft (R) .NET Framework CasPol 1.0.3705.288
Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.
Level = Enterprise
Code Groups:
1. All code: FullTrust
1.1. Url - file://C:/development/*: FullTrust (Exclusive)
1.2. All code: FullTrust
1.2.1. All code: Internet
Level = Machine
Code Groups:
1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
Level = User
Code Groups:
1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
Success
To view the permissions granted to an assembly, use the -resolveperm flag, as shown here:
caspol -resolveperm HelloWorld.exe
The -resolveperm command will display the XML description of the permission set granted to the assembly, similar to that shown here. Notice that the permission set also lists the identity permissions granted to the assembly based on the evidence it presented, as well as the permissions granted by the security policy:
Microsoft (R) .NET Framework CasPol 1.0.3705.288
Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.
Resolving permissions for level = Enterprise
Resolving permissions for level = Machine
Resolving permissions for level = User
Grant =
<PermissionSet class="System.Security.PermissionSet"
version="1"
Unrestricted="true">
<IPermission class="System.Security.Permissions.UrlIdentityPermission, mscorlib, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Url="file://C:/Development/HelloWorld.exe"/>
<IPermission class="System.Security.Permissions.ZoneIdentityPermission, mscorlib, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Zone="MyComputer"/>
</PermissionSet>
Success
Both the -resolvegroup and -resolveperm commands allow you to specify a target policy level, in which case the assembly is only evaluated against that policy level. If you do not specify a policy level, the default target -all is used.
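The two outputs above are what you read by hand to answer "which groups matched, and did the assembly end up with FullTrust?". The following script, added here as an example and not part of the original text or of the Caspol tool, parses both outputs: it extracts the matched code groups per policy level from -resolvegroup (flagging any group marked Exclusive, since an exclusive match replaces the union of that level's other groups), and it reads the granted PermissionSet XML from -resolveperm to report whether the grant is Unrestricted and which identity permissions were issued from the evidence. The sample strings are the outputs shown in the text, with the console line wraps in the class attributes rejoined; the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the -resolvegroup output shown above for HelloWorld.exe.
SAMPLE_RESOLVEGROUP = """\
Microsoft (R) .NET Framework CasPol 1.0.3705.288
Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.
Level = Enterprise
Code Groups:
1. All code: FullTrust
1.1. Url - file://C:/development/*: FullTrust (Exclusive)
1.2. All code: FullTrust
1.2.1. All code: Internet
Level = Machine
Code Groups:
1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
Level = User
Code Groups:
1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
Success
"""

# Constructed sample: the -resolveperm output shown above (wrapped lines rejoined).
SAMPLE_RESOLVEPERM = """\
Microsoft (R) .NET Framework CasPol 1.0.3705.288
Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.
Resolving permissions for level = Enterprise
Resolving permissions for level = Machine
Resolving permissions for level = User
Grant =
<PermissionSet class="System.Security.PermissionSet"
version="1"
Unrestricted="true">
<IPermission class="System.Security.Permissions.UrlIdentityPermission, mscorlib, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Url="file://C:/Development/HelloWorld.exe"/>
<IPermission class="System.Security.Permissions.ZoneIdentityPermission, mscorlib, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Zone="MyComputer"/>
</PermissionSet>
Success
"""

# "1.1. Url - file://C:/development/*: FullTrust (Exclusive)" ->
# label, membership condition, named permission set, optional Exclusive marker.
GROUP_LINE = re.compile(r"(\d+(?:\.\d+)*)\. (.+?): (\w+)( \(Exclusive\))?")


def parse_resolvegroup(text):
    """Return {level: [(label, membership, permission_set, exclusive), ...]}."""
    levels = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Level = "):
            current = line[len("Level = "):]
            levels[current] = []
            continue
        m = GROUP_LINE.fullmatch(line)
        if m and current is not None:
            label, membership, permset, excl = m.groups()
            levels[current].append((label, membership, permset, excl is not None))
    return levels


def exclusive_groups(levels):
    """List (level, label, membership) for every matched group marked Exclusive.
    An exclusive match is the only group counted at that level, so it deserves review."""
    return [(lvl, label, memb)
            for lvl, groups in levels.items()
            for label, memb, _permset, excl in groups if excl]


def parse_resolveperm(text):
    """Return {'unrestricted': bool, 'identities': [(class_name, evidence_attrs), ...]}
    from the PermissionSet XML that follows 'Grant =' in -resolveperm output."""
    start = text.index("<PermissionSet")
    end = text.index("</PermissionSet>") + len("</PermissionSet>")
    root = ET.fromstring(text[start:end])
    grant = {"unrestricted": root.get("Unrestricted", "false").lower() == "true",
             "identities": []}
    for perm in root.findall("IPermission"):
        # "System.Security.Permissions.UrlIdentityPermission, mscorlib, ..." -> short name
        cls = perm.get("class", "").split(",")[0].rsplit(".", 1)[-1]
        evidence = {k: v for k, v in perm.attrib.items() if k not in ("class", "version")}
        grant["identities"].append((cls, evidence))
    return grant


if __name__ == "__main__":
    levels = parse_resolvegroup(SAMPLE_RESOLVEGROUP)
    for lvl, groups in levels.items():
        print(lvl, [f"{label} {memb}: {ps}" for label, memb, ps, _ in groups])
    print("exclusive:", exclusive_groups(levels))
    print("grant:", parse_resolveperm(SAMPLE_RESOLVEPERM))
```

In practice you would pipe the real tool output into these functions (caspol -resolvegroup HelloWorld.exe > groups.txt, and likewise for -resolveperm) and fail a build or review step whenever unrestricted comes back true for code that should not have FullTrust, or whenever an Exclusive group appears at a level you did not expect.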
4. Forcing Security Changes
Caspol.exe is a managed application that relies on obtaining a high level of trust from the runtime in order to manage the security system. When you execute any of the commands discussed in the previous sections, Caspol.exe checks whether the change would leave Caspol.exe unable to run correctly in the future; if so, Caspol.exe refuses to make the change and displays the following message:
Microsoft (R) .NET Framework CasPol 1.0.3705.288
Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.
This operation will make some or all caspol functionality cease to work. If you are sure you want to do this operation, use the '-force' option before the option you just executed. For example:
caspol -force -machine -remgroup 1.6
Policy save aborted.
If you want to force the change despite this warning, you must use the -force flag. The following command makes the All_Code code group of the machine policy exclusive. In the default security policy, this will stop all code from running:
caspol -force -machine -chggroup All_Code -exclusive on
5. Resetting Security Policy
A feature of Caspol.exe you will find useful during development is the ability to reset the security policy to its default value. When developing software that manipulates security policy directly, it is not difficult to break security policy to a point where your code will not run. To reset policy levels, use the -reset flag and specify the levels you want to reset:
caspol -user -reset
caspol -all -reset
You can also undo the last change you made with Caspol.exe using the -recover flag, as shown here:
caspol -machine -recover
caspol -all -recover