caspol & local intranet security

Discussion in 'ASP .Net Security' started by adam, Jan 15, 2004.

  1. adam

    adam Guest

    Hi

    We have built an aspnet application which uses a windows
    user control embedded in an object tag. The app is to be
    deployed on a large client intranet. The object requires
    full trust security to work properly.

    What is the easiest way to configure the client's
    corporate network? They would quite like to do it only
    for users in one particular NT Group.

    They run a logon script for each user, from which command
    line stuff can be run. Is it possible to use caspol to
    set the security for the intranet zone to full trust?
    They would prefer this option to setting this for a
    particular assembly. If so, what would be the syntax? We
    did have a look at the documentation but couldn't work out
    how to change the settings for the whole zone.

    We also tried using mscorcfg.msc to alter the enterprise
    settings for this zone. Although this appeared to change
    the client machines (all of them), the assemblies wouldn't
    run. This was despite the fact that using mscorcfg to
    check the permissions for the appropriate assemblies
    showed they had full trust at enterprise, machine and
    user levels. They wouldn't run until we changed it at the
    individual machine level on the appropriate PCs.

    Adam
    adam, Jan 15, 2004
    #1

  2. adam

    MSFT Guest

    Hi Adam,

    Thank you for using MSDN Newsgroup. I am Luke and I am reviewing this issue
    currently. As I understand, you want to find some way which can change the
    Zone Security setting for intranet. Regarding the problem, I think
    Caspol.exe should be a good solution: It can create/modify a code group's
    attributes in the code access security setting:

    Changing Code Groups
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconchangingcodegroup.asp

    In your situation, you need the following command:

    Caspol -machine -chggroup LocalIntranet_Zone Fulltrust

    or

    Caspol -machine -chggroup 1.2 Fulltrust

    This will grant full trust to local intranet code group.

    For more information on caspol, you may refer to:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconusingcodeaccesssecuritypolicytoolcaspolexe.asp

    Hope this helps,

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    MSFT, Jan 16, 2004
    #2

  3. It seems like you could also maybe use group policy to push down a
    deployment package that you create with the .NET configuration tools.

    In general, granting Full Trust to the intranet zone is not recommended. It
    would be much better to use a strong name membership condition for Full
    Trust and sign all of your assemblies with the appropriate key. However,
    you would also need to remember to use Assert carefully in your code and set
    the AllowPartiallyTrustedCallers attribute on your assemblies as the
    AppDomain that IE loads the code in would not be Full Trust, even though
    your assemblies would be.

    The other way to go might be with a URL membership condition. This is
    slightly better than granting the whole intranet zone Full Trust.

    My $0.02,

    Joe K.
    Joe Kaplan \(MVP - ADSI\), Jan 16, 2004
    #3
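
The narrower grant suggested in the post above, written out as an added example; it is not code from any poster in this thread. It adds a child code group under `LocalIntranet_Zone` instead of changing the zone itself. Assumptions: `caspol.exe` for the framework version in use is on the PATH, the script runs with administrative rights (machine policy is stored under the framework directory), and the control path, URL and group names are placeholders.

```batch
@echo off
rem Added example: grant FullTrust to one signed control (or one URL)
rem rather than to the whole intranet zone.
rem Placeholders, not values from the thread: CONTROL, APPURL, group names.
setlocal
set CONTROL=C:\deploy\ExampleControl.dll
set APPURL=http://intranet.example/app/*

rem Turn off the interactive confirmation so the script can run unattended.
caspol -polchgprompt off

rem Option A: strong name membership condition.
rem -file reads the public key from the signed assembly; -noname and
rem -noversion make the group match every assembly signed with that key.
caspol -machine -addgroup LocalIntranet_Zone -strong -file "%CONTROL%" -noname -noversion FullTrust -name "Example_StrongName_FullTrust"
if not %errorlevel%==0 goto fail

rem Option B: URL membership condition (use instead of A when the
rem assemblies cannot be signed). Uncomment to apply.
rem caspol -machine -addgroup LocalIntranet_Zone -url "%APPURL%" FullTrust -name "Example_Url_FullTrust"

rem Restore the prompt and show the resulting machine-level code groups.
caspol -polchgprompt on
caspol -machine -listgroups
endlocal
exit /b 0

:fail
echo caspol could not add the code group; machine policy left unchanged.
caspol -polchgprompt on
endlocal
exit /b 1
```

The effective grant is the intersection of the enterprise, machine and user policy levels, so the group has to be added at the machine level, where the default policy restricts intranet code.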
  4. adam

    adam Guest

    Thanks Luke

    I tried this, but both the options you suggest fail with the message

    Unknown permission set "Fulltrust"

    Adam

    adam, Jan 16, 2004
    #4
  5. adam

    MSFT Guest

    Hi Adam,

    Sorry for the confusion. You may try "FullTrust" instead. Another useful Caspol
    command is:

    Caspol -machine -listgroups

    You can check the current policy setting with this command.

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    MSFT, Jan 19, 2004
    #5