Locking down CAS policy

[Jason]

I'm trying to lock down our company's CAS policy by using only Strong Name
membership conditions.

I've copied over our intranet to a development server and removed all code
groups except for one. It is all code using the nothing permission set. I
have three child code groups, the two default (ECMA_Strong_Name and
Microsoft_Strong_Name) and a group for our strong name key. All of the child
groups are set for FullTrust.

I've used the Evaluate Assembly utility to check the assemblies in the
application's bin directory and all report "unrestricted". However, when i
try to run the application i get "Server Application Unavailable". I check
the application event logs on the server and it reports "Request for the
permission of type 'System.Web.AspNetHostingPermission, System,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed."
suggesting that there is still an assembly that hasn't been granted FullTrust.

Is there maybe another assembly that is getting generated at runtime that
doesn't fit into one of the three code groups i have set up? Is there a way
to find out which assembly is failing?

 

[Luke Zhang [MSFT]]

Hello,

You may first try to turn off Code Access Security using the Caspol.exe
utility:

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322> caspol -s off

Can this temporarily fix the issue? This can help make sure is a CAS issue.
And then, you may perform following test:

1. Create a new code group based on the URL of your application, and grant
it full permission. Restart IIS, and test if this will help. This help us
make if the permission set is configured for the ASP.NET

2. Create a very simple ASP.NET, don't reference any other assembly.
StrongName it and test again. This help us determine if there is other
assembly affect the issue.

For more inforamtion about ASP.NET CAS, you may refer to:

ASP.NET Code Access Security
http://msdn2.microsoft.com/en-us/library/87x8e4d1.aspx

Sincerely,

Luke Zhang

Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Dominick Baier]

Hi,

you shouldn't mock with the existing code groups - they grant the "ASP.Net"
permission set to code running in you app dir and the temp assembly directory.

Without them your app won't be able to run...

thats the error you are seeing.

 

[Jason Stearns]

Ok, turning off CAS didn't fix the issue. Still got the "Service Unavailable"
message. And using a URL membership condition also didn't fix the issue, but
setting it to All Code and FullTrust did fix it. So one peice makes it look
like it's not a CAS issue and the other does. Correct? Also using
Zone->MyComputer with FullTrust also works.

I created a simple "Hello World" asp.net app and put it as the root site on
that server. We're running v2.0 so the application doesn't generate any
assemblies for the code behind, but i did set a SN Key File in the "MSBuild
Options" on the application properties page. This is the most basic app i can
set up. One aspx file with no code-behind and no web.config. Sent this app to
the Dev server and same issues. "Server Unavailable" again with the same
error event in the Event Logs and setting the root Code Group to All Code ->
FullTrust again fixes it.

It really looks like an unknown assembly, whose SN evidence doesn't fit into
one of the code groups, is being accessed at runtime.

 

[Jason Stearns]

But how do they do this? Isn't it done through a Zone membership condition? I
can get the app to work if I implement that, but the idea is to not use Zone
or any other "blanket" condition. They want every assembly accounted for and
granted permission based on where it came from, not where it resides.

 

[Dominick Baier]

they use the $AppDirUrl$ and $CodeGen$ url membership condition - if you
want to base everything on strong name (which i haven't tried yet) - you
have to strong name all your pages, code behinds and App_Code files....this
can be accomplished by modifying the <compilation> element to specify a keyfile
(or during pre-compilation)...

I have a whole chapter devoted a whole chapter on partial trust and policy
in my book - maybe it helps to get the bigger picture...

http://www.microsoft.com/mspress/books/9989.asp

 

[Jason Stearns]

I can't find references to these in the default policy. Since the code is
running from the server itself and not through a webservice or anything
doesn't the "My_Computer_Zone" code group become the applicable group? and
the FullTrust that it grants be the reason why the code runs? The fact that
there are two child groups in there for the Microsoft and ECMA strong names
really means nothing since they would have been granted FullTrust from the
parent. Correct?

So, with that assumption, if unknown malicious code were able to be put on
the server that the app runs from, it wouldn't be limited by the CAS policy
and would be granted unrestricted rights? I realize that all security is a
layered approach and that the server's own security policy should be in place
to prevent that from happening. So is that the answer? That, by design, all
code that is run from the server is supposed to be assumed to have FullTrust?

Thanks in advance.

Jason

 

[Dominick Baier]

have a look at the default web_mediumtrust.policy file in the framework configuration
folder.

CAS policy has 3 levels - you are right that My_Computer in machine policy
grants full trust - but there is another policy level called the appdomain
level that is applied programmatically. Policy levels are intersected.

That means the asp.net app gets the permissions specified in the policy file.
You application doesn't even have enough permissions to read files (including
assemblies) outside of the application directory (besides GACed assemblies)

 

[Jason Stearns]

Just making changes to the machine policy would have affected this?

 

[Dominick Baier]

sure.

but the recommended way is the asp.net policy file.

 

[Jason Stearns]

No, by changing only the machine policy, you think i messed up the asp.net
policy file? Everything on the system is default except for the Machine
Policy.

And the only thing i did to that was remove the code groups other than the
my_computer_zone and changed that code group to nothing instead of fulltrust.
I know i'm new to CAS policy but if it's that touchy wouldn't more people
have this problem?

 

[Dominick Baier]

well - by re-reading your original post - yes you may be missing some files
-

have a look at the \windows\microsoft .net\framework\version\temp asp.net
assemblies

there are the assemblies located that get dynamically generated by asp.net

 

[Luke Zhang [MSFT]]

Hello,

By default, MyComputer should be with FullTrust. As you discussed with
Dominick, there will some temporary files when running an ASP.NET
application in \windows\microsoft .net\framework\version\temp asp.net.

Sincerely,

Luke Zhang

Microsoft Online Community Support
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Luke Zhang [MSFT]]

Hello,

How is it going now, any progress? If you need more assistance or
information on this issue, please feel free to let us know.

Sincerely,

Luke Zhang

Microsoft Online Community Support
This posting is provided "AS IS" with no warranties, and confers no rights.