Deploying .NET security configuration through group policy

Stefan Falk

Hello everybody,

I just tried the following in order to give .NET applications in a given
network folder enough permissions to run:

On the domain controller, in .NET 1.1 framework configuration, I created a
code group for the Organization under the All_Code group giving the URL
file://P:/Apps/* full trust (P: is a network drive mapped to the file
server). Then I created an MSI file for the organization and deployed this
MSI file via Group Policy to a test workstation.

The workstation (running XP SP2) successfully got the MSI file (as I can see
in the local .NET framework configuration). However, the changes have no
effect: Apps from P:\Apps still get security exceptions.

On a developer machine, that approach worked with minor changes: There,
there was a machine-wide code group under Local_Intranet giving
file://P:/SomeFolder/* full trust. Therefore I thought it would be that easy
to just have P:\Apps configured organization-wide.

What must I do? Use UNC (but why did P: work in the local machine
configuration then)? Have the new code group be nested under a
Local_Intranet code group as is in the machine configuration?

Any enlightenment on this is well appreciated.

Greetings,
Stefan Falk
 
Nicole Calinoiu

A few things to check for:

1. Are you sure the applications are being run from exactly the P:\Apps\
path (as opposed to some other path that happens to point to the same
directory)?

2. Might the problem machine have more than one version of the .NET
Framework installed? If so, is the application running under the version to
which your policy modification was applied?

3. Have you verified that there are no restrictions in the CAS policy that
might prevent your code group from having the expected effect?

For #3, you would mostly be looking for exclusive or level-final code
groups, as well as potential restrictions at other policy levels. If you
would like help in evaluating the policy to determine if there are any such
effects, could you please post the full CAS code group and permission set
listings for the problem machine, as returned by "caspol -a -lg" and
"caspol -a -lp"?
 
Nicole Calinoiu

3. I am not quite sure how to check. I thought that the organization
config has precedence over the machine config, which has precedence over
the user config, but maybe I have not correctly and fully understood
that.

It looks like that is probably your problem. An assembly will receive a
permission grant that represents the intersection of permissions granted at
the enterprise, machine, and user policy levels. The precedence aspect of
which you may have read mainly represents a hierarchy with respect to
restrictions, not of additional grants. For example, nothing can be done at
the user policy level to grant a permission that has been denied at the
enterprise level.

There is more than one possible approach to adding your new code group.
However, it looks like there are already a couple of similar groups under
the intranet group of the machine policy level ("1.2.3. Url -
file://K:/Stefan/*: FullTrust" and "1.2.4. Url -
file://P:/Bibliothek.NET/*: FullTrust"), so adding yours as a new group
under the same node would probably be the simplest approach, at least from a
consistency perspective.
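
The level intersection described above, as an added example that is not part of the original thread: a simplified Python model (not the CLR's implementation) of how a grant is resolved, assuming default-style Enterprise and User levels that give All_Code FullTrust and a Machine level that gives the intranet zone a reduced set. The permission names, group names and sample evidence are constructed for illustration.

```python
# Simplified model of CAS policy resolution; exclusive and level-final
# code groups are deliberately left out.
from dataclasses import dataclass, field

# Constructed stand-ins for real permission sets.
FULL_TRUST = frozenset({"Execution", "UI", "FileIO", "Reflection", "UnmanagedCode"})
LOCAL_INTRANET = frozenset({"Execution", "UI"})
NOTHING = frozenset()

@dataclass
class CodeGroup:
    name: str
    matches: callable            # membership condition: evidence -> bool
    grant: frozenset
    children: list = field(default_factory=list)

def level_grant(group, evidence):
    """Within one level: union of the grants of every matching code group."""
    if not group.matches(evidence):
        return NOTHING
    granted = set(group.grant)
    for child in group.children:
        granted |= level_grant(child, evidence)
    return frozenset(granted)

def resolve(levels, evidence):
    """Across levels: the final grant is the intersection of the level grants."""
    return frozenset.intersection(*(level_grant(root, evidence) for root in levels.values()))

def all_code(_evidence): return True
def zone(name): return lambda ev: ev["zone"] == name
def url(prefix): return lambda ev: ev["url"].startswith(prefix)

def build_levels(url_group_level):
    """Attach the P:/Apps FullTrust group at the 'enterprise' or 'machine' level."""
    apps = CodeGroup("P_Apps", url("file://P:/Apps/"), FULL_TRUST)
    enterprise = CodeGroup("All_Code", all_code, FULL_TRUST)
    intranet = CodeGroup("LocalIntranet_Zone", zone("Intranet"), LOCAL_INTRANET)
    machine = CodeGroup("All_Code", all_code, NOTHING, [intranet])
    user = CodeGroup("All_Code", all_code, FULL_TRUST)
    parent = enterprise if url_group_level == "enterprise" else intranet
    parent.children.append(apps)
    return {"enterprise": enterprise, "machine": machine, "user": user}

# Constructed evidence for an assembly started from the mapped drive.
EVIDENCE = {"url": "file://P:/Apps/Tool.exe", "zone": "Intranet"}

if __name__ == "__main__":
    for level in ("enterprise", "machine"):
        print(level, sorted(resolve(build_levels(level), EVIDENCE)))
```

With the URL group at the enterprise level the assembly still ends up with only the intranet set, because the machine level caps the intersection; moving the same group under the machine-level intranet node yields the full set.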
 
Stefan Falk

Hello Nicole,

Thank you again. Your clarification makes perfect sense in that a user
cannot grant more than the admins have granted for the machine.

But then what is the preferred method of deploying CAS policies throughout
an enterprise? What is the organization configuration used for if we still
have to deploy the machine config? Am I right that I will have to deploy the
machine configuration instead of or in addition to the organization config
in order to have several client machines accept P:\SF?

Best Regards,
Stefan Falk
 
