Welcome to MSDN Blogs Sign in | Join | Help

Browse by Tags

All Tags » Policy » CAS   (RSS)
Monday, May 12, 2008 10:49 AM

FullTrust on the LocalIntranet

We released the first beta of .NET 3.5 SP 1 this morning, and it includes a change to the default grant set for applications launched from the LocalIntranet zone. The quick summary is that as of .NET 3.5 SP1, applications run from a network share will
Posted by shawnfa | 0 Comments
Filed under: , , ,
Thursday, January 24, 2008 10:00 AM

Manifested Controls Redux

Last year, I made a series of posts about a new feature available in the betas of .NET 3.5 which enabled you to specify declaratively the set of permissions that IE hosted managed controls should run with. Since the betas there have been a couple of tweaks
Posted by shawnfa | 0 Comments
Filed under: , , ,

Attachment(s): ManifestControl.zip
Tuesday, October 02, 2007 9:24 AM

Avoiding Assembly Level Declarative Security

I've written in the past about the three assembly level declarative security actions : RequestMinimum, RequestOptional, and RequestRefuse. Although the CLR has supported these since v1.0, I tend to stay away from using them as much as I possibly can,
Posted by shawnfa | 0 Comments
Filed under: , , ,
Monday, May 07, 2007 11:25 AM

Bypassing the Authenticode Signature Check on Startup

A while back I wrote about the performance penalty of loading an assembly with an Authenticode signature . The CLR will attempt to verify the signature at load time to generate Publisher evidence for the assembly. However, by default most applications
Posted by shawnfa | 0 Comments
Filed under: , ,
Wednesday, April 18, 2007 9:16 AM

Loading an Assembly as a Byte Array

One of the various ways that you can load an assembly is by supplying the raw bytes of an assembly as a byte array. The security identity of an assembly loaded this way turns out to be different than if you were to load the same assembly by name or by
Posted by shawnfa | 1 Comments
Filed under: , ,
Thursday, March 15, 2007 9:51 AM

Using the MMC Snap-In to Configure 64 Bit CAS Policy

The .NET Framework SDK ships with a MMC Snap-In which enables you to, among other things, avoid using caspol to modify your local security policy. Since each runtime installed on your machine has independent security policy , the MMC Snap-In will only
Posted by shawnfa | 1 Comments
Filed under: , , ,
Wednesday, March 07, 2007 11:25 AM

Specifying Permissions for IE Controls in Orcas

One of my most read blog posts (and one of the reasons I created this blog in the first place -- to answer what was one of the most asked questions on the old .NET Security newsgroup), is my post about granting managed controls hosted in IE extra permissions
Posted by shawnfa | 1 Comments
Filed under: , , , ,
Friday, February 23, 2007 9:15 AM

Enumerating Evidence

The Evidence class supports being enumerated in three different ways: GetAssemblyEnumerator GetHostEnumerator GetEnumerator The first two are pretty self explanatory, enumerating over the evidence that the assembly supplied itself , or over the evidence
Posted by shawnfa | 1 Comments
Filed under: , ,
Tuesday, February 20, 2007 11:14 AM

Assembly Provided Evidence

We all know that the CLR provides many types of evidence to assemblies and AppDomains by default, but one feature of the runtime that's much less known is that assemblies can actually provide evidence of their own. This seems to be one of the best kept
Posted by shawnfa | 6 Comments
Filed under: , ,
Wednesday, December 20, 2006 3:10 PM

Evidence Must Be Serializable

The Evidence object acts as a collection for any sort of object that you want to add as evidence for an assembly or AppDomain. (It can get confusing because there is both an Evidence class and objects used as evidence. I'll capitalize the first one to
Posted by shawnfa | 4 Comments
Filed under: , ,
Tuesday, November 14, 2006 11:33 AM

new NamedPermissionSet

Every once in a while I find some code doing something similar to this: new NamedPermissionSet ( "LocalIntranet" ).Assert(); // ... call some API that requires Intranet permissions here CodeAccessPermission .RevertAssert(); At best this code is confusing
Posted by shawnfa | 0 Comments
Filed under: , ,
Friday, November 03, 2006 8:53 AM

Relative URL Membership Conditions

Caspol will allow you to setup a URL membership condition with a relative URL by using a command such as: caspol -ag 1. -url Foo.dll Internet -exclusive on This command probably doesn't do exactly what you would expect though. Namely, it does not resolve
Posted by shawnfa | 0 Comments
Filed under: ,
Wednesday, July 26, 2006 11:33 AM

What Evidence does Internet Explorer Give an Assembly

One of the reasons I started this blog was to have a permanent record of a question I used to see on the old microsoft.public.dotnet.security newsgroup about providing extra trust for an Internet Explorer hosted assembly . In that post I mentioned that
Posted by shawnfa | 1 Comments
Filed under: , ,
Thursday, July 13, 2006 11:43 AM

Sandboxed Applications Can’t Elevate Their Own Permissions

Every once in a while someone will ask how they can do something similar to these caspol commands from within their application. Generally, they want their application to be deployed from the Internet or a file share and don’t want users to have to deal
Posted by shawnfa | 6 Comments
Filed under: , , ,
Tuesday, July 11, 2006 7:00 AM

Every CLR has Independent CAS Policy

It’s relatively easy to find a set of instructions for using caspol or Admin UI to provide a CAS elevation for some managed code that’s hitting security exceptions. However, using the directions correctly gets complicated when multiple runtimes are on
Posted by shawnfa | 5 Comments
Filed under: , ,
More Posts Next page »
 
Page view tracker