
dotnet security : How Should Clients trust Strong Named Assemblies?


molloyr NO[at]SPAM nortel.com
7/6/2005 8:39:48 AM
Hi
I've been banging my head against a wall on this one for the last few
weeks.....

Basically we have an exe and about 12 dlls on the web server.
We want to run them using ClickOnce smart client technology.

I created a code group, (whose parent is 'Internet') at the machine
policy level which gives full trust to assemblies which are signed with
our private key.

I then created a deployment package and rolled it out to all our
clients.

Once I deploy the msi to client machines the Internet zone now has full
trust, as does Local Intranet and Trusted Sites zones.

Couple of questions:

1) Should this newly rolled-out security policy now allow any user of
that machine to run those strong named assemblies? We have found that
the user needs to have local admin OR Domain Admin rights before the
assembly will download and run.
Does it totally depend on what the assembly is doing - e.g. if we are
writing to the event log, does granting the assembly full trust
facilitate this, or does the user ALSO need admin rights to write to the
event log?


2) We have a 3rd party dll signed with a different strong name and yet
it still runs (once the user is an admin).
I'm not convinced that our new code group is getting evaluated at all -
I think that the Internet zone (parent), which now has full trust, is
allowing anything from the Internet zone to run.
What I want to happen is for CAS to evaluate my assembly and allow it
to run IF a) it's coming from the Internet zone AND b) it has been
signed with our private key.
At the moment I think only a) is being evaluated.


Any help greatly appreciated.....
Dominick Baier [DevelopMentor]
7/6/2005 4:41:47 PM
Hello molloyr@nortel.com,

ClickOnce does not use CAS policy. CO Applications get the permissions you
specify in the manifest.

The local CAS policy only comes into play to determine if the user should
be presented a permission elevation dialog.

You can configure CO to only elevate privileges for applications coming from
a trusted source... this has nothing to do with admin/user privileges.

I have an upcoming article on CO security for MSDN - some more info:

http://www.leastprivilege.com/PermaLink.aspx?guid=f5c4e107-585b-4294-9545-663ef8afb0ff
http://www.leastprivilege.com/PermaLink.aspx?guid=11287db7-51f9-4b8f-a061-1e2ecba75867
http://www.leastprivilege.com/PermaLink.aspx?guid=ab436584-e133-4433-940d-e43639c1859c

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com



molloyr NO[at]SPAM nortel.com
7/7/2005 1:31:47 AM
Hi Dominick
Sorry, when I say ClickOnce I mean no-touch deployment in .Net 1.1
(overuse of buzz words..)

I created a new child code group under Internet_Zone with membership
condition 'Strong name'.
I then created a deployment package using the .NET configuration tool and
rolled that out to clients using Group Policy.

Do my 2 questions make sense in that context?

thanks
Ronan
(former guerilla asp.net attendee)
Nicole Calinoiu
7/7/2005 8:03:17 AM
> Once I deploy the msi to client machines the Internet zone now has full
> trust, as does Local Intranet and Trusted Sites zones.

Umm... That's not so good. You might want to consider distributing a new
MSI that reverts these zone groups to their default permission sets (or
whatever permission sets your company uses).


> 1) Should this newly rolled-out security policy now allow any user of
> that machine to run those strong named assemblies? We have found that
> the user needs to have local admin OR Domain Admin rights before the
> assembly will download and run.

In general, admin rights should not be necessary. How does this failure to
download and run for non-admins manifest? If you're seeing an exception,
could you please provide the full exception details? If you're not seeing
an exception, might non-admins have different IE security settings than
admins? (Check the run options for ".NET Framework-reliant components"
under the security settings for the appropriate zone in the IE options.)


> Does it totally depend on what the assembly is doing - e.g. if we are
> writing to the event log, does granting the assembly full trust
> facilitate this, or does the user ALSO need admin rights to write to the
> event log?

In order to execute an action that is protected by both CAS and the
operating system, the code must have the appropriate CAS permissions, and
the user must have the appropriate OS permissions. However, writing to the
event log usually doesn't require admin rights (although it can for heavily
protected logs).


> 2) We have a 3rd party dll signed with a different strong name and yet
> it still runs (once the user is an admin).
> I'm not convinced that our new code group is getting evaluated at all -
> I think that the Internet zone (parent), which now has full trust, is
> allowing anything from the Internet zone to run.

Your new code group is getting evaluated. It is, however, redundant as long
as the assembly is getting a full trust grant based on the internet zone
group. If the full trust grant for the internet zone were removed (which it
really ought to be), your new group would presumably start having an effect.


> What I want to happen is for CAS to evaluate my assembly and allow it
> to run IF a) it's coming from the Internet zone AND b) it has been
> signed with our private key.

Then you should create a new group with the appropriate strong name
membership condition under the All_Code\Internet_Zone code group.


> At the moment I think only a) is being evaluated.

They're both being evaluated but, since a full trust grant is attained via
one of the two, the second one is redundant.



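The policy shape Nicole describes (a strong-name group nested under All_Code\Internet_Zone, and why it stays redundant while Internet_Zone itself grants FullTrust) can be checked without touching machine policy. The following C# is an added example, not code from this thread, from DevelopMentor or from Microsoft: it rebuilds that code-group tree in an in-memory PolicyLevel with the .NET Framework 1.1/2.0 System.Security.Policy types and resolves constructed evidence against it. The public-key bytes, the assembly name and the group names are placeholders, and the execution-only permission set is a stand-in for the default "Internet" named set; the model contains only the Internet_Zone branch, not the other zone groups of real machine policy.

```csharp
// Added example: an in-memory model of the code-group tree discussed in this
// thread. It does NOT read or modify machine policy. Targets the .NET Framework
// 1.1/2.0 System.Security.Policy types (obsolete from .NET 4.0 onward).
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class CasPolicyModel
{
    // Constructed placeholder public-key blobs; not real keys.
    static readonly byte[] OurKey =
        { 0x00, 0x24, 0x00, 0x00, 0x04, 0x80, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00, 0x06, 0x02, 0x00, 0x01 };
    static readonly byte[] ThirdPartyKey =
        { 0x00, 0x24, 0x00, 0x00, 0x04, 0x80, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00, 0x06, 0x02, 0x00, 0x02 };

    static PermissionSet FullTrust()
    {
        return new PermissionSet(PermissionState.Unrestricted);
    }

    // Stand-in for the default restricted "Internet" named set: execution only.
    static PermissionSet ExecutionOnly()
    {
        PermissionSet ps = new PermissionSet(PermissionState.None);
        ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        return ps;
    }

    // All_Code -> Internet_Zone -> Our_StrongName. A union code group grants the
    // union of every matching group, and a child is only considered when its
    // parent's membership condition matched, so the nesting expresses
    // "from the Internet zone AND signed with our key".
    static PolicyLevel BuildLevel(PermissionSet internetZoneGrant)
    {
        PolicyLevel level = PolicyLevel.CreateAppDomainLevel();

        UnionCodeGroup root = new UnionCodeGroup(
            new AllMembershipCondition(),
            new PolicyStatement(new PermissionSet(PermissionState.None)));
        root.Name = "All_Code";

        UnionCodeGroup internetZone = new UnionCodeGroup(
            new ZoneMembershipCondition(SecurityZone.Internet),
            new PolicyStatement(internetZoneGrant));
        internetZone.Name = "Internet_Zone";

        // null name/version: match any assembly signed with this key.
        UnionCodeGroup ourCode = new UnionCodeGroup(
            new StrongNameMembershipCondition(new StrongNamePublicKeyBlob(OurKey), null, null),
            new PolicyStatement(FullTrust()));
        ourCode.Name = "Our_StrongName";

        internetZone.AddChild(ourCode);
        root.AddChild(internetZone);
        level.RootCodeGroup = root;
        return level;
    }

    // Host evidence as the runtime would supply it for a downloaded assembly:
    // the zone it came from plus the strong name it is signed with.
    static Evidence MakeEvidence(SecurityZone zone, byte[] publicKey)
    {
        Evidence ev = new Evidence();
        ev.AddHost(new Zone(zone));
        ev.AddHost(new StrongName(new StrongNamePublicKeyBlob(publicKey),
                                  "PlaceholderAssembly", new Version(1, 0, 0, 0)));
        return ev;
    }

    static string Grant(PolicyLevel level, Evidence ev)
    {
        PermissionSet granted = level.Resolve(ev).PermissionSet;
        if (granted.IsUnrestricted()) return "FullTrust";
        if (granted.IsEmpty()) return "Nothing";
        return "restricted";
    }

    static void Main()
    {
        Evidence oursFromInternet  = MakeEvidence(SecurityZone.Internet, OurKey);
        Evidence thirdFromInternet = MakeEvidence(SecurityZone.Internet, ThirdPartyKey);
        Evidence oursFromIntranet  = MakeEvidence(SecurityZone.Intranet, OurKey);

        // As rolled out: Internet_Zone itself grants FullTrust, so the
        // strong-name child never changes the outcome and the third-party
        // dll is fully trusted too.
        PolicyLevel asDeployed = BuildLevel(FullTrust());
        Console.WriteLine("as deployed, ours from Internet:      " + Grant(asDeployed, oursFromInternet));
        Console.WriteLine("as deployed, 3rd party from Internet: " + Grant(asDeployed, thirdFromInternet));

        // Internet_Zone reverted to a restricted grant: only code that is both
        // from the Internet zone and signed with our key reaches FullTrust.
        PolicyLevel reverted = BuildLevel(ExecutionOnly());
        Console.WriteLine("reverted, ours from Internet:         " + Grant(reverted, oursFromInternet));
        Console.WriteLine("reverted, 3rd party from Internet:    " + Grant(reverted, thirdFromInternet));
        Console.WriteLine("reverted, ours from Intranet:         " + Grant(reverted, oursFromIntranet));
    }
}
```

Compile it with csc against .NET Framework 1.1, 2.0 or 3.5 (from 4.0 on these types are marked obsolete and policy resolution only works with the legacy CAS policy switch). In the "as deployed" level both Internet-zone assemblies resolve to an unrestricted set, which is the redundancy Nicole points out; in the reverted level only the assembly carrying the placeholder "our" key gets FullTrust, the third-party one gets the execution-only grant, and our own key from the Intranet zone gets nothing because this model has no LocalIntranet_Zone branch. On a real machine the equivalent of the reverted case is resetting the zone group to its default named set, for example `caspol -m -chggroup Internet_Zone Internet`, and `caspol -m -resolvegroup <assembly>` then lists which groups an assembly actually matches.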