programming4us
programming4us
SECURITY

Programming .NET Security : Using the Code-Access Security Policy Tool (part 2) - Evaluating Security Policy

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
8/6/2012 6:00:00 PM

3. Evaluating Security Policy

Caspol.exe also allows you to test an assembly to determine which code groups it is a member of and, consequentially, the runtime would grant to it when loaded. To determine which groups an assembly is a member of, use the -resolvegroup flag and specify the assembly name as follows:

caspol -resolvegroup HelloWorld.exe

Depending on the evidence of the assembly and the configuration of security policy, the output will look similar to this:

Microsoft (R) .NET Framework CasPol 1.0.3705.288
Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.


Level = Enterprise

Code Groups:

1.  All code: FullTrust
   1.1.  Url - file://C:/development/*: FullTrust (Exclusive)
   1.2.  All code: FullTrust
      1.2.1.  All code: Internet


Level = Machine

Code Groups:

1.  All code: Nothing
   1.1.  Zone - MyComputer: FullTrust


Level = User

Code Groups:

1.  All code: Nothing
   1.1.  Zone - MyComputer: FullTrust

Success

To view the permission granted to an assembly, use the -resolveperm flag, as shown here:

caspol -resolveperm HelloWorld.exe

The -resolveperm command will display the XML description of the permission set granted to the assembly, similar to that shown here. Notice that the permission set also lists the identity permissions granted to the assembly based on the evidence it presented, as well as the permissions granted by the security policy:

Microsoft (R) .NET Framework CasPol 1.0.3705.288
Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.

Resolving permissions for level = Enterprise
Resolving permissions for level = Machine
Resolving permissions for level = User

Grant =
<PermissionSet class="System.Security.PermissionSet"
               version="1"
               Unrestricted="true">
   <IPermission class="System.Security.Permissions.UrlIdentityPermission, mscorl
ib, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                version="1"
                Url="file://C:/Development/HelloWorld.exe"/>
   <IPermission class="System.Security.Permissions.ZoneIdentityPermission, mscor
lib, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                version="1"
                Zone="MyComputer"/>
</PermissionSet>

Success

					  

Both the -resolvegroup and -resolveperm commands allow you to specify a target policy level, in which case the assembly is only evaluated against that policy level. If you do not specify a policy level, the default target -all is used.

4. Forcing Security Changes

Caspol.exe is a managed application that relies on obtaining a high level of trust from the runtime in order to perform management of the security system. When you execute any of the commands we discussed in the previous sections, Caspol.exe will test to see if the changes will result in Caspol.exe being unable to run correctly in the future; Caspol.exe will refuse to make such changes and display the following message:

Microsoft (R) .NET Framework CasPol 1.0.3705.288
Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.

This operation will make some or all caspol functionality cease to work.  If you
 are sure you want to do this operation, use the '-force' option before the opti
on you just executed.  For example:
    caspol -force -machine -remgroup 1.6

Policy save aborted.

					  

If you want to force the change despite this warning, you must use the -force flag. The following command makes the All_Code code group of the machine policy exclusive. In the default security policy, this will stop all code from running:

caspol -force -machine -chggroup All_Code -exclusive on

5. Resetting Security Policy

A feature of Caspol.exe you will find useful during development is the ability to reset the security policy to its default value. When developing software that manipulates security policy directly, it is not difficult to break security policy to a point where your code will not run. To reset policy levels, use the -reset flag and specify the levels you want to reset:

caspol -user -reset
caspol -all -reset

You can also undo the last change you made with Caspol.exe using the -recover flag, as shown here:

caspol -machine -recover
caspol -all -recover
Other  
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
REVIEW
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us
programming4us
 
 
programming4us