Deploying .NET security configuration through group policy

Discussion in 'ASP .Net Security' started by Stefan Falk, Jan 3, 2006.

  1. Stefan Falk

    Stefan Falk Guest

    Hello everybody,

    I just tried the following in order to have .NET applications in a given
    network folder enough permissions to run:

    On the domain controller, in .NET 1.1 framework configuration, created a
    code group for the Organization under the All_Code group giving the URL
    file://P:/Apps/* full trust (P: is a network drive mapped to the file
    server). Then I created an MSI file for the organization and deployed this
    MSI file via Group Policy to a test workstation.

    The workstation (running XP SP2) successfully got the MSI file (as I can see
    in the local .NET framework configuration). However, the changes have no
    effect: Apps from P:\Apps still get security exceptions.

    On a developer machine, that approach worked with minor changes: There,
    there was a machine-wide code group under Local_Intranet giving
    file://P:/SomeFolder/* full trust. Therefore I thought it would be that easy
    to just have P:\Apps configured organization-wide.

    What must I do? Use UNC (but why did P: work in the local machine
    configuration then)? Have the new code group be nested under a
    Local_Intranet code group as is in the machine configuration?

    Any enlightenment on this is well appreciated.

    Greetings,
    Stefan Falk
     
    Stefan Falk, Jan 3, 2006
    #1

  2. A few things to check for:

    1. Are you sure the applications are being run from exactly the P:\Apps\
    path (as opposed to some other path that happens to point to the same
    directory)?

    2. Might the problem machine have more than one version of the .NET
    Framework installed? If so, is the application running under the version to
    which your policy modification was applied?

    3. Have you verified that there are no restrictions in the CAS policy that
    might prevent your code group from having the expected effect?

    For #3, you would mostly be looking for exclusive or level-final code
    groups, as well as potential restrictions at other policy levels. If you
    would like help in evaluating the policy to determine if there are any such
    effects, could you please post the full CAS code group and permission set
    listings for the problem machine, as returned by "caspol -a -lg" and
    "caspol -a -lp"?



    "Stefan Falk" <> wrote in message
    news:...
    > Hello everybody,
    >
    > I just tried the following in order to have .NET applications in a given
    > network folder enough permissions to run:
    >
    > On the domain controller, in .NET 1.1 framework configuration, created a
    > code group for the Organization under the All_Code group giving the URL
    > file://P:/Apps/* full trust (P: is a network drive mapped to the file
    > server). Then I created an MSI file for the organization and deployed this
    > MSI file via Group Policy to a test workstation.
    >
    > The workstation (running XP SP2) successfully got the MSI file (as I can
    > see in the local .NET framework configuration). However, the changes have
    > no effect: Apps from P:\Apps still get security exceptions.
    >
    > On a developer machine, that approach worked with minor changes: There,
    > there was a machine-wide code group under Local_Intranet giving
    > file://P:/SomeFolder/* full trust. Therefore I thought it would be that
    > easy to just have P:\Apps configured organization-wide.
    >
    > What must I do? Use UNC (but why did P: work in the local machine
    > configuration then)? Have the new code group be nested under a
    > Local_Intranet code group as is in the machine configuration?
    >
    > Any enlightenment on this is well appreciated.
    >
    > Greetings,
    > Stefan Falk
    >
     
    Nicole Calinoiu, Jan 6, 2006
    #2

  3. "Stefan Falk" <> wrote in message
    news:%...
    <snip>
    > 3. I am not quite sure how to check. I thought that the organization
    > config has precedence over the machine config, which has precedence over
    > the user config, but maybe I have not correctly and fully understood
    > that.


    It looks like that is probably your problem. An assembly will receive a
    permission grant that represents the intersection of permissions granted at
    the enterprise, machine, and user policy levels. The precedence aspect of
    which you may have read mainly represents a hierarchy with respect to
    restrictions, not of additional grants. For example, nothing can be done at
    the user policy level to grant a permission that has been denied at the
    enterprise level.

    There is more than one possible approach to adding your new code group.
    However, it looks like there are already a couple of similar groups under
    the intranet group of the machine policy level ("1.2.3. Url -
    file://K:/Stefan/*: FullTrust" and "1.2.4. Url -
    file://P:/Bibliothek.NET/*: FullTrust"), so adding yours as a new group
    under the same node would probably be the simplest approach, at least from a
    consistency perspective.
     
    Nicole Calinoiu, Jan 9, 2006
    #3
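
The grant rule described in the reply above (union of matching code groups inside one policy level, intersection across the enterprise, machine and user levels), as an added example that is not part of the original thread. It is a simplified Python model, not .NET code: the permission names are constructed stand-ins, P: is assumed to be evaluated as the Intranet zone, and the Exclusive and LevelFinal attributes are left out.

```python
# Simplified model of .NET 1.1 CAS policy resolution (added example).
# Permission sets are plain sets of names; real permission sets carry parameters.
FULL_TRUST = frozenset({"Execution", "UI", "FileIO", "Reflection", "UnmanagedCode"})
LOCAL_INTRANET = frozenset({"Execution", "UI"})  # constructed stand-in for the named set
NOTHING = frozenset()

class CodeGroup:
    def __init__(self, name, matches, grant, children=()):
        self.name, self.matches, self.grant = name, matches, grant
        self.children = list(children)

    def resolve(self, evidence):
        """Union of this group's grant and the grants of matching descendants."""
        if not self.matches(evidence):
            return NOTHING  # children of a non-matching group are never evaluated
        granted = set(self.grant)
        for child in self.children:
            granted |= child.resolve(evidence)
        return frozenset(granted)

def all_code(ev): return True
def zone(z): return lambda ev: ev["zone"] == z
def url(prefix): return lambda ev: ev["url"].lower().startswith(prefix.lower())

def effective_grant(levels, evidence):
    """Intersect the per-level grants: a level can only restrict, never add."""
    result = set(FULL_TRUST)
    for root in levels.values():
        result &= root.resolve(evidence)
    return frozenset(result)

def build_policy(machine_url_group):
    # Enterprise level: default All_Code = FullTrust plus the URL group from the thread.
    enterprise = CodeGroup("All_Code", all_code, FULL_TRUST,
                           [CodeGroup("P_Apps", url("file://P:/Apps/"), FULL_TRUST)])
    # Machine level: default All_Code = Nothing, with per-zone child groups.
    intranet = CodeGroup("LocalIntranet_Zone", zone("Intranet"), LOCAL_INTRANET)
    if machine_url_group:  # the change suggested in the reply
        intranet.children.append(
            CodeGroup("P_Apps", url("file://P:/Apps/"), FULL_TRUST))
    machine = CodeGroup("All_Code", all_code, NOTHING,
                        [CodeGroup("My_Computer_Zone", zone("MyComputer"), FULL_TRUST),
                         intranet])
    user = CodeGroup("All_Code", all_code, FULL_TRUST)  # default user level
    return {"enterprise": enterprise, "machine": machine, "user": user}

# Constructed evidence: an assembly started from the mapped network drive.
APP = {"url": "file://P:/Apps/tool.exe", "zone": "Intranet"}
```

With only the enterprise-level URL group, `effective_grant(build_policy(False), APP)` stays at the intranet set because the machine level caps it; adding the URL group under the machine-level intranet node lifts the result to full trust.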
  4. Stefan Falk

    Stefan Falk Guest

    Hello Nicole,

    Thank you again. Your clarification makes perfect sense in that a user
    cannot grant more than the admins have granted for the machine.

    But then what is the preferred method of deploying CAS policies throughout
    an enterprise? What is the organization configuration used for if we still
    have to deploy the machine config? Am I right that I will have to deploy the
    machine configuration instead of or in addition to the organization config
    in order to have several client machines accept P:\SF?

    Best Regards,
    Stefan Falk
     
    Stefan Falk, Jan 9, 2006
    #4
