Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > caspol & local intranet security

Reply
Thread Tools

caspol & local intranet security

 
 
adam
Guest
Posts: n/a
 
      01-15-2004
Hi

We have built an aspnet application which uses a windows
user control embedded in an object tag. The app is to be
deployed on a large client intranet. The object requires
full trust security to work properly.

What is the easiest way to configure the client's
corporate network. They would quite like to do it only
for users in one particular NT Group.

They run a logon script for each user, from which command
line stuff can be run. Is it possible to use caspol to
set the security for the intranet zone to full trust.
They would prefer this option than setting this for a
particular assembly. If so what would be the syntax? We
did have a look at the documentation but couldnt work out
how to change the settings for the whole zone?

We also tried using mscorcfg.msc to alter the enterprise
settings for this zone. Although this appeared to change
the client machines, (all of them) the assemblies wouldnt
run. This was the despite the fact that using mscorcfg to
check the permissions for the appropriate assemblies
showed they had full trust at enterprise, machine and
user levels. They wouldnt run until we changed it at the
individual machine level on the approrpirate pcs.

Adam
 
Reply With Quote
 
 
 
 
MSFT
Guest
Posts: n/a
 
      01-16-2004
Hi Adam,

Thank you for using MSDN Newsgroup. I am Luke and I am review this issue
currently. As I understand, you want to find some way which can change the
Zone Security setting for intranet. Regarding the problem, I think
Caspol.exe should be a good solution: It can create/modify code group's
attributes in the code access security setting:

Changing Code Groups
http://msdn.microsoft.com/library/de...us/cpguide/htm
l/cpconchangingcodegroup.asp

In your situation, you need follow command:

Caspol -machine -chggroup LocalIntranet_Zone Fulltrust

or

Caspol -machine -chggroup 1.2 Fulltrust

This will grant full trust to local intranet code group.

For more information on caspol, you may refer to:

http://msdn.microsoft.com/library/de...us/cpguide/htm
l/cpconusingcodeaccesssecuritypolicytoolcaspolexe.as p

Hope this help,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)



 
Reply With Quote
 
 
 
 
Joe Kaplan \(MVP - ADSI\)
Guest
Posts: n/a
 
      01-16-2004
It seems like you could also maybe use group policy to push down a
deployment package that you create with the .NET configuration tools.

In general, granting Full Trust to the intranet zone is not recommended. It
would be much better to use a strong name membership condition for Full
Trust and sign all of your assemblies with the appropriate key. However,
you would also need to remember to use Assert carefully in your code and set
the AllowPartiallyTrustedCallers attribute on your assemblies as the
AppDomain that IE loads the code in would not be Full Trust, even though
your assemblies would be.

The other way to go might be with a URL membership condition. This is
slightly better than granting the whole intranet zone Full Trust.

My $0.02,

Joe K.

"MSFT" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Adam,
>
> Thank you for using MSDN Newsgroup. I am Luke and I am review this issue
> currently. As I understand, you want to find some way which can change the
> Zone Security setting for intranet. Regarding the problem, I think
> Caspol.exe should be a good solution: It can create/modify code group's
> attributes in the code access security setting:
>
> Changing Code Groups
>

http://msdn.microsoft.com/library/de...us/cpguide/htm
> l/cpconchangingcodegroup.asp
>
> In your situation, you need follow command:
>
> Caspol -machine -chggroup LocalIntranet_Zone Fulltrust
>
> or
>
> Caspol -machine -chggroup 1.2 Fulltrust
>
> This will grant full trust to local intranet code group.
>
> For more information on caspol, you may refer to:
>
>

http://msdn.microsoft.com/library/de...us/cpguide/htm
> l/cpconusingcodeaccesssecuritypolicytoolcaspolexe.as p
>
> Hope this help,
>
> Luke
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
>
>



 
Reply With Quote
 
adam
Guest
Posts: n/a
 
      01-16-2004
Thanks luke

I tried this, but both the options you suggest fail with the message

Unknown permission set "Fulltrust"

Adam

----- MSFT wrote: -----

Hi Adam,

Thank you for using MSDN Newsgroup. I am Luke and I am review this issue
currently. As I understand, you want to find some way which can change the
Zone Security setting for intranet. Regarding the problem, I think
Caspol.exe should be a good solution: It can create/modify code group's
attributes in the code access security setting:

Changing Code Groups
http://msdn.microsoft.com/library/de...us/cpguide/htm
l/cpconchangingcodegroup.asp

In your situation, you need follow command:

Caspol -machine -chggroup LocalIntranet_Zone Fulltrust

or

Caspol -machine -chggroup 1.2 Fulltrust

This will grant full trust to local intranet code group.

For more information on caspol, you may refer to:

http://msdn.microsoft.com/library/de...us/cpguide/htm
l/cpconusingcodeaccesssecuritypolicytoolcaspolexe.as p

Hope this help,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)




 
Reply With Quote
 
MSFT
Guest
Posts: n/a
 
      01-19-2004
Hi Adam,

Sorry for confuse. You may try "FullTrust" instead. Another useful Caspol
command is:

Caspol -machine -listgroups

You can chekc current policy setting with this command.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to run caspol.exe for changing security policy using javascript Gouri.Mahajan7@gmail.com ASP .Net Security 0 10-17-2008 06:20 AM
caspol -resolveperm Brian Gideon ASP .Net 6 08-23-2008 01:30 AM
Deploying .NET Security policy - Setting Local Intranet to Full Trust MOHR ASP .Net Security 0 09-21-2005 08:36 PM
EventLogPermission via caspol.exe Mark A. Richman ASP .Net Security 6 05-02-2005 01:22 PM
caspol execution with cmd file error JJJ ASP .Net Security 0 03-05-2004 05:25 PM



Advertisments