
dotnet security : HOWTO Use CASPOL for Full-Trust


ATS
11/29/2005 10:39:12 AM
HOWTO Use CASPOL for Full-Trust

Please help,

I want to do the following things with CASPOL, and the documentation for
CASPOL does not clearly state how to do this:

1) Make the following security code group have full trust:

- Runtime Security Policy
  - Machine
    - Code Groups
      - All_Code
        - Trusted_Zone

2) Add a new code group that grants full trust to all trusted web sites for
a machine, user, and an enterprise.

3) Change a code group to have full trust for a given code group that is on
a machine, user, and/or enterprise.
ATS
11/30/2005 8:18:25 AM
ATS
11/30/2005 8:43:15 AM
Thanks for the reply,

I tried to use this command with a name

YOURS: caspol -machine -chggroup 1.5. FullTrust
MINE: caspol -machine -chggroup All_Code.Trusted_Zone. FullTrust

Yours worked of course.
Mine returned an error: "ERROR: Invalid label or name".

What is wrong with my command?

Also, in my Question #2, I forgot to mention that the goal was to let
administrators set up the security for all machines in a domain, so that they
would not have to do it manually for each machine. Put another way, I'd want
the ability for one person at the enterprise level to be able to issue one
command that adds security for all users on all machines to let them run apps
from Trusted web sites, without having to go to each machine to do so.

I would envision something like this:

ADD: caspol -enterprise -addgroup 1. -zone Trusted FullTrust -name
"YourGroupName"
CHANGE: caspol -enterprise -chggroup "YourGroupName" FullTrust

Please correct the syntax, if I was close. Otherwise, please give me insight
as to what to do.
Nicole Calinoiu
11/30/2005 11:13:27 AM

Assuming the machine policy level is still at its original default, the
following should work:

caspol -machine -chggroup 1.5. FullTrust

However, if the policy has been modified, the trusted zone group may no
longer be 1.5. To be safe, you should run caspol -m -lg to list the groups
and determine the correct group label before modifying the group. You could
also use the group name rather than the label, but this is also subject to
change if the policy is modified, so using the name doesn't really avoid the
requirement to verify the current policy before applying the change.

Also, granting full trust to any non-local zone is really quite risky. If
you are doing this in order to facilitate deployment of a fixed set of
applications, I would strongly recommend using far more restrictive group
membership criteria.

Under default CAS policy, you shouldn't need to touch either the enterprise
or user policy since they already grant unrestricted permissions to
everything. To add a group like this under the All_Code group of a default
machine policy, use the following (preferably after verifying the code group
index):

caspol -machine -addgroup 1. -zone Trusted FullTrust -name "YourGroupName"

Same as for your first question above, but use the appropriate target group
label or name. If you want to target the enterprise or user policy rather
than the machine policy, specify -enterprise or -user instead of -machine as
the first argument on the command line.
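The "list the groups first" check Nicole recommends can be scripted so the label is never guessed. The following Python is added here and is not part of the thread; it parses a constructed sample of `caspol -machine -listgroups` output (the layout is an assumption modelled on a default .NET 2.0 machine policy), finds the label of the group whose membership condition is the Trusted zone, and only emits the `-chggroup` command when exactly one group matches, refusing on a modified policy.

```python
import re

# Constructed sample of `caspol -machine -listgroups` output for an unmodified
# .NET 2.0 machine policy. The layout is an assumption for this example; real
# output should be captured from the target machine and fed to the same parser.
SAMPLE_LG_OUTPUT = """\
Microsoft (R) .NET Framework CasPol 2.0.50727.42

Level = Machine

Code Groups:

1.  All code: Nothing
   1.1.  Zone - MyComputer: FullTrust
      1.1.1.  StrongName - <publickey>: FullTrust
   1.2.  Zone - Intranet: LocalIntranet
      1.2.1.  All code: Same site Web
      1.2.2.  All code: Same directory FileIO - 'Read, PathDiscovery'
   1.3.  Zone - Internet: Internet
      1.3.1.  All code: Same site Web
   1.4.  Zone - Untrusted: Nothing
   1.5.  Zone - Trusted: Internet
      1.5.1.  All code: Same site Web
Success
"""

# A code-group line is "<label>  <membership condition>: <permission set>",
# where the label is one or more "digit." components, e.g. "1.5.".
GROUP_LINE = re.compile(r"^\s*((?:\d+\.)+)\s+(.+?):\s+(.+)$")

def parse_code_groups(lg_output):
    """Return (label, membership_condition, permission_set) for each group."""
    groups = []
    for line in lg_output.splitlines():
        m = GROUP_LINE.match(line)
        if m:
            groups.append((m.group(1), m.group(2).strip(), m.group(3).strip()))
    return groups

def labels_for_zone(groups, zone):
    """Labels of every group whose membership condition is 'Zone - <zone>'."""
    return [label for label, cond, _ in groups if cond == "Zone - " + zone]

def chggroup_command(lg_output, zone, permission_set, level="-machine"):
    """Build the -chggroup command only when exactly one group matches; zero or
    several matches means the policy was modified and needs a manual look."""
    hits = labels_for_zone(parse_code_groups(lg_output), zone)
    if len(hits) != 1:
        raise ValueError("expected one 'Zone - %s' group, found %r" % (zone, hits))
    return "caspol %s -chggroup %s %s" % (level, hits[0], permission_set)
```

Pass `-user` or `-enterprise` as `level` to target the other policy levels; the same refusal applies there, since each level keeps its own labels.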

ATS
12/1/2005 6:18:02 AM
Thanks Nicole for the reply,

The more I get into CASPOL, the more I realize its rules are confounding and
confusing. And the MSDN articles stink to help resolve this. I asked simple
questions on this issue, to try and get to the "technical" point of where I
thought I could solve my business needs. But in light of what you said that
the security works as the "intersection" of user vs machine vs enterprise,
now I have a big problem. This information completely changes the question.
As such, I'll end this post, and start another.

Nicole Calinoiu
12/1/2005 8:09:48 AM

You should only use the simple name of the target code group, not a name
hierarchy, e.g.:

caspol -machine -chggroup Trusted_Zone FullTrust

Code group names must be unique within a policy level, which is why referring
by simple name works (and probably why the designers didn't bother with
deciphering the compound name format).

As far as syntax goes, they're fine. (Are you having some problem executing
them? If so, what error are you seeing?) On the other hand, there are two
potential problems here:

1. Granting full trust to all code run from the trusted zone is still a
terrible idea.
2. Altering only the enterprise-level policy will not work if either the
machine- or user-level policy grants fewer permissions to the same code.
This is because an assembly is granted the intersection of permissions
granted at each of the three levels, not the union of the level grants.
