.NET Security Blog

Shawn,

I've added FullTrust to a share where we launch an application and it takes a heck of a long time. Are there factors (other than the network speed / latency) that would slow down a .NET application starting from a network share?

Thanks! BTW very helpful blog entry.

Just tried

CasPol.exe -m -ag 1.2 -url file://ShawnFa-Srv/Tools/* FullTrust

and got the message

Are you sure you want to perform this operation? (yes/no)

which I had to confirm with YES, of course.

I thought I can use CasPol.exe to write a custom setup action to perform this update, but I don't want the user to be displayed this message. Any chance to do the same, WITHOUT the message?

Regarding the -url parameter (e.g.)

CasPol.exe -pp off -m -ag 1.2 -url file://ShawnFa-Srv/Tools/* FullTrust

If EXE's are placed in subfolders under the root of the share are they automatically granted FullTrust? (e.g. //ShawnFa-Srv/Tools/subFolder/someprog.exe )

If yes, then I'm doing something wrong because they're not on my system?

Very useful, thanks.

Why cant Microsoft be so clear in the doc.

BTW: It can be nice to give the code group a name: add: -name "name" to secpol.exe cmd.line.

One of the V1 decisions we made was to not allow partially trusted callers in our policy framework. ...

I am trying to add a full trust to a share,
so the VS will allow me to run a solution from a share.

the Share is located at
\\storage\Share\Departments\Development\Projects\
and the Solution knows it as
S:\Projects\

what do i do ?
Your solutions didn't work for me.

Mickey

mick@interlect.co.il

Folks,
I have tried to turn .Net security off...no dice
I have tried to submit an edited security file with security and execution checking off... no dice still says security is on
I have added a group to the intranet as indicated in the blog above...put FullTrust still no access... the error that I get indicates that the assembly is not trusted.
I don't want to have to register every single executable or is that the only way to solve the problem?:

Every once in a while someone will ask how they can do something similar to these caspol commands from...

Ok, I've got a script I made to fully trust a share using caspol.  The problem is that it will only work on machines that have the SDK installed.  I can open the security.config file and I can see the group, but the code will not run.  The command line I'm running to get the permissions is:

call %windir%\Microsoft.NET\Framework\v2.0.50727\caspol -q -m -ag 1.2 -url %1\* FullTrust -n %1 -d "FullTrust granted to:  %1"

where %1 is the server share (eg \\server01\share)



On a machine where I do have the .NET Framework 2.0 configuration utility, this works like a charm.  On similar machine without this, no dice.  Any clues that can point me in the right direction?

That link lead me to check some other things out.  Since I control the code I was able to check what kind of permissions were being requested.

Turned out that the computer with the SDK installed was running the code from the Intranet group.  While the computer without the SDK was running it from the Internet group.  Both computers are on the domain with the same login credentials and running the code from a network drive, so I'm a bit perplexed as to what's causing the difference, however this provides a fix since none of the end users for the app will have the SDK.  Problem worked around until I test it out a bit more ;)  Thanks!

-Jesse

Shawn -

I want to use an ActiveX control written in C# 2.0 in an intranet ASP.NET application.

The control downloads fine on my computer, but only after I used the 2.0 Configuration tool to adjust my LocalIntranet zone security to FullTrust. My IE zone security setting for LocalIntranet is at the default, Medium-Low.

End users have the .NET 2.0 Framework installed, but not the 2.0 Configuration applet. Even if they did, we wouldn't want them to manually change their configuration.

What I'm wondering is how best to deploy security policy? Can we run CasPol on end user PC's to grant FullTrust to our intranet application? I have tried various combinations of parameters to CasPol, with no luck.

Thanks, Mike

Hi,

I'm having trouble with the caspol command.  Our developers are build a new app based around sharepoint and need us to register some components on every workstation. For business reasons our desktop environment is locked down - no power user access etc.

I have 3x commands that i need to run that I have listed below in order:

Command 1:

"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol" -quiet -m -ag "LocalIntranet_Zone" -url "http://<my serer name>/*" Nothing -n "My App Data Folder"

Command 2:

"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol" -quiet -m -ag "My App Data Folder" -custom "C:\Program Files\Microsoft Office\OFFICE11\ADDINS\msosec.xml" FullTrust -n "My App Data Documents" -d "Grants full trust"

Command 3:

"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol" -quiet -m -ag "LocalIntranet_Zone" -url "\\My Server Name\vsto\*" FullTrust -n "My App Development Assembly" -d "Grants full trust"

Now when I run this at the command prompt it seems to be all general goodness, I can access my site and our developers are quite happy, but the problem is command 2. After executing this I get prompted with the following message:

You have added the following assembly to the policy system: msosec 7.0.5000.0

If you do not add this assembly to the full trust list, load errors and other unexpected behavior can occur.  However, adding the assembly to the full trust list gives all code in this assembly potentially dangerous abilities.  Do you want to add this assembly to the full trust list? (yes/no)

My objective is to run this command on a pile of workstations bundled up in an SMS job. I don't need this prompt becasue when my script executes silently the user can't see or respond to this message.

I have tried nearly every option on the caspol -help screen for turning stuff off but have hit a blank - any ideas gratefully accepted

Cheers

DaveB

Awesome, very straight forward n clear explanation. Kudos to Shawn

We used caspol.exe on a server functioning as Windows Terminal Services.  caspol.exe was run on that server to grant full trust to an application on a second server. This worked fine for a while (and still does for most users). However, when we add new users to the domain and give them access to this machine, they cannot run the application (they get the

"...has encountered a problem and needs..." message indicating that the trust does not exist.  We have been unsuccessful getting any new users to be able to run the application.  If we remove .Net 2.0, reinstall, no users can run the application.  If we then run caspol.exe , the original set of users that could run the application can now run it again, but none of the new users can run it.

Any ideas?

-jeff

How would one create a functioning grouppolicy for active directory use?

We want to run a program from a share on 20 terminalservers, and i like to make just one setting :-)

Shawn

just to be sure, so If I want to run a windows app over the network, I need to create a machine policy on that computer and then copy it to everyone pc that needs to access that program.

Thanks

Idriss

Hi Shawn

I am trying to use CasPol to fully trust a share. I have .Net installed on my PC. When I issue the folowing command

C:\>caspol.exe -m -ag 1.2 -url file:\\uhscorp\sustain/Tools/* FullTrust

The output I get is

Microsoft (R) .NET Framework CasPol 1.0.3705.6018

Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.

ERROR: Invalid option: -m

Usage: caspol <option> <args> ...

caspol -m[achine]

   Modifier that makes additional commands act on the machine level

caspol -u[ser]

   Modifier that makes additional commands act on the user level

caspol -en[terprise]

   Modifier that makes additional commands act on the enterprise level

.

.

.

Why am I getting this error and how can make the command to work? Any help is greatly appreciated.

Thanks

Sai

Hi Shawn

You solved my problem. Now I understand that copy and paste does not work sometimes in cmd. Learnt a lesson here. You are the man.

Thanks

Sai

Several people have commented about getting the (yes/no) prompt when using caspol.  Have we all forgotten the command line?  Simply echo y|caspol and the problem is solved

Hello

I need to run a VB.NET 2005 app as a logon script.

Would it still be appropriate to grant "FullTrust" to the "\\server\netlogon" share? OR is there a better way?

Regards

John

I am trying to do my first .net install.  The program is to be used via a citrix environment.  I have run the caspol settings on the .exe's computer however I get the security message still.  How can I check to see where the security is being pulled from and can I check/run caspol when my program starts to set the appropriate security?

Thanks!

Hi,

we use Windows Vista 32bit EE or BE and tried caspool for our (web-)development shares. Even though the command itself works fine and the share is correctly in the list of trusted locations, whysoever VS2005 is still believing that the share isn't trusted?!

Do you have an idea what else we can try?

Thanks in advance,

Ingo

PS:

We thought that somehow the domain policies might interfere and tried the same thing with a machine outside the domain but with proper access rights to the share - the result is the same.

Recently I visited Toronto for Beta release of software I designed. As always with Beta versions, we

Shawn, plz help me out

im driving crazy..!!

i've made a Console Application and copied the EXE to a shared folder in the network.

The Console Application will be called from a JOB in SQL SERVER... and everytime the JOB calls the APP i getting an error:

Request for the permission of type 'System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

also

Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

The SQL SERVER and the shared folder are in the same machine...

Now:

the path to shared folder is:

\\beta\Sql_temp

the path to the program is

\\beta\Sql_temp\AppCIDSca.exe

i have done the command:

caspol -addfulltrust \\beta\Sql_temp\AppCIDSca.exe

and also tried the caspol -addgroup -url file:\\beta\Sql_temp/* FullTrust

but i always get that error....

what can i do...?

Hi there,

We have recently installed .NET 2.0 to our web servers (3 in a cluster talking to a Network Share). We previously had to set each web server to have full trust permissions to the share for .NET 1.1 to work. However, it seems this has not helped for .NET 2.0

If i run: CasPol.exe -m -ag 1.2 -url file://ShawnFa-Srv/Tools/* FullTrust

will this resolve the problem for .NET 2.0 or do I need to add more parameters to the CasPol.exe?

What is interesting is that .NET 2.0 applications work if they are created as Web Sites in VS 2005 and not Web Projects (compiling to a BIN).

Hi Shawn,

I have a c# 2.0 exe which has some file IO commands where it checks whether a file is there (File.Exists).

When I copy this exe on a network share and run it, I get this error

Request for the permission of type 'System.Security.Permissions.FileIOPermission

, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' f

ailed.

I have given Full Trust like what you have specified and the command works great, why do I get this error message

Hi,

i'm getting error System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

can anybody help help me out by setting up security trust using caspol, i'm using asp.net 2.0 files resides on UNC network.

Thanks in advance,

A K S

PingBack from http://sam.mcgeown.co.uk/?p=7