.NET and Security
Posted by: TM Central 9/18/2007 8:29 AM
Microsoft's .NET Framework is good for many things, but it is a big "gotcha" for security. .NET is big on security, and everything not executed from the local drive is subject to its rules. Network (and internet) executables are what it is trying to protect against, and for good reason: given Microsoft's perceived track record on flaws and security, the more potential malware you can stop at the perimeter (i.e., at the point of execution), the less you have to worry about it exploiting a flaw or running unbeknownst to the end user.

However, the .NET Security Configuration tool is not the easiest to work with. First, the documentation is TERRIBLE; look to blogs and the deeper MSDN articles (http://blogs.msdn.com/shawnfa/archive/2004/12/30/344554.aspx, http://blogs.msdn.com/shawnfa/archive/2005/07/27/443975.aspx, and http://msdn2.microsoft.com/en-us/library/4z8tf9wx(VS.80).aspx are a few) for the real scoop and real-world scenarios. Also, each network area is broken up in it almost exactly like your browser's zones (i.e., My Computer, Intranet, Internet, Trusted Sites, Untrusted Sites, etc.), and your machine (in the CLR) will first figure out which of these categories the application falls into. Thus, you must first figure out which one your network application falls into (i.e., where the .NET Runtime will say it belongs). For most network apps this will be the "Intranet" group. If you put a security policy into the Local Computer node and it's a network app, the policy will never be honored. Second, you must authorize either the application itself (and any child apps) or the directory. We like the second option as it is much simpler (though probably not quite as secure, since another "malware" app could come into the directory or even insert itself in place of the app; unlikely unless you program for Microsoft or Symantec). Here is a sample .bat script (you must run it for each version of .NET, since each version has its own separate security setup):

@echo off
REM Apply the same machine-level CAS policy to each installed .NET version.
REM Each version keeps its own security.config, so both must be updated.
REM Assumes Windows is installed on C: (the "c:" lines switch drives).

:V2Check
IF EXIST %windir%\Microsoft.Net\Framework\v2.0.50727 GOTO v2
GOTO v1Check

:v2
c:
cd %windir%\Microsoft.Net\Framework\v2.0.50727
REM -pp off turns off the policy-change confirmation prompt so the script runs unattended.
REM Remove any earlier "X Share" group, then re-add it under group 1.2
REM (LocalIntranet_Zone in the default policy) granting FullTrust to everything on x:\.
CasPol.exe -pp off -machine -remgroup "X Share"
CasPol.exe -pp off -m -ag 1.2 -url file://x:/* FullTrust -n "X Share"
REM Keep a copy of the resulting policy file alongside the live one.
copy config\security.config config\security.config.default

:v1Check
IF EXIST %windir%\Microsoft.Net\Framework\v1.1.4322 GOTO v1
GOTO Exit

:v1
c:
cd %windir%\Microsoft.Net\Framework\v1.1.4322
REM Same steps for the 1.1 runtime, which has its own policy store.
CasPol.exe -pp off -machine -remgroup "X Share"
CasPol.exe -pp off -m -ag 1.2 -url file://x:/* FullTrust -n "X Share"
copy config\security.config config\security.config.default

GOTO Exit


:Exit
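As an added check (an example script, not from the original post): once the policy script above has run, this batch file asks CasPol, for each installed framework version, which code group and which permission set an assembly on the X: share actually receives, so you can confirm the "X Share" group sits under the Intranet group and is honored. The assembly path x:\MyApp\MyApp.exe is a placeholder; substitute one of your own.

```batch
@echo off
REM Verification script (added example, not part of the original post).
REM Resolves the CAS outcome for one assembly on the X: share under each
REM installed .NET version. TARGET is a placeholder path.
setlocal
set TARGET=x:\MyApp\MyApp.exe

for %%V in (v1.1.4322 v2.0.50727) do (
    if exist "%windir%\Microsoft.Net\Framework\%%V\CasPol.exe" (
        echo === .NET %%V ===
        pushd "%windir%\Microsoft.Net\Framework\%%V"
        REM Machine-level code-group tree: "X Share" should appear as a child
        REM of group 1.2 (LocalIntranet_Zone), not under My_Computer_Zone.
        CasPol.exe -machine -listgroups
        REM Which code groups match this assembly's evidence (zone and URL)?
        CasPol.exe -machine -resolvegroup "%TARGET%"
        REM Effective permission set across enterprise, machine and user
        REM levels (the intersection is what the runtime enforces). Expect FullTrust.
        CasPol.exe -all -resolveperm "%TARGET%"
        popd
    )
)
endlocal
```

If -resolveperm does not report FullTrust, the assembly is resolving to a different zone than expected (for example a mapped drive treated as Internet rather than Intranet), and the group must be added under that zone instead.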
Copyright 2005 by TMCentral, LLC