Using CasPol to Fully Trust a Share

re: Using CasPol to Fully Trust a Share

corbin — Wed, 11 May 2005 16:58:51 GMT

Shawn,

I've added FullTrust to a share where we launch an application and it takes a heck of a long time. Are there factors (other than the network speed / latency) that would slow down a .NET application starting from a network share?

Thanks! BTW very helpful blog entry.

re: Using CasPol to Fully Trust a Share

Uwe — Wed, 27 Jul 2005 07:27:09 GMT

Just tried

CasPol.exe -m -ag 1.2 -url file://ShawnFa-Srv/Tools/* FullTrust

and got the message

Are you sure you want to perform this operation? (yes/no)

which I had to confirm with YES, of course.

I thought I can use CasPol.exe to write a custom setup action to perform this update, but I don't want the user to be displayed this message. Any chance to do the same, WITHOUT the message?

re: Using CasPol to Fully Trust a Share

shawnfa — Wed, 27 Jul 2005 23:34:47 GMT

Hi Uwe -- check out: http://blogs.msdn.com/shawnfa/archive/2005/07/27/443975.aspx :-)

-Shawn

re: Using CasPol to Fully Trust a Share

Nick Webb — Thu, 25 Aug 2005 17:35:27 GMT

Regarding the -url parameter (e.g.)

CasPol.exe -pp off -m -ag 1.2 -url file://ShawnFa-Srv/Tools/* FullTrust

If EXE's are placed in subfolders under the root of the share are they automatically granted FullTrust? (e.g. //ShawnFa-Srv/Tools/subFolder/someprog.exe )

If yes, then I'm doing something wrong because they're not on my system?

re: Using CasPol to Fully Trust a Share

Preben — Fri, 11 Nov 2005 16:52:07 GMT

Very useful, thanks.

Why cant Microsoft be so clear in the doc.

BTW: It can be nice to give the code group a name: add: -name "name" to secpol.exe cmd.line.

we don't allow partially-trusted checkin policies in V1

James Manning's blog — Sat, 11 Feb 2006 02:13:25 GMT

One of the V1 decisions we made was to not allow partially trusted callers in our policy framework.&nbsp;...

re: Using CasPol to Fully Trust a Share for source

Mickeyt Perlstein — Tue, 25 Apr 2006 13:40:33 GMT

I am trying to add a full trust to a share,
so the VS will allow me to run a solution from a share.

the Share is located at
\\storage\Share\Departments\Development\Projects\
and the Solution knows it as
S:\Projects\

what do i do ?
Your solutions didn't work for me.

Mickey

mick@interlect.co.il

re: Using CasPol to Fully Trust a Share

shawnfa — Tue, 25 Apr 2006 19:20:46 GMT

You have to trust the share with the name that the managed code sees, so if it's accessable via S:\Projects your URL would be file://s:\projects

-Shawn

re: Using CasPol to Fully Trust a Share

xmasangel — Thu, 06 Jul 2006 21:30:16 GMT

Folks,
I have tried to turn .Net security off...no dice
I have tried to submit an edited security file with security and execution checking off... no dice still says security is on
I have added a group to the intranet as indicated in the blog above...put FullTrust still no access... the error that I get indicates that the assembly is not trusted.
I don't want to have to register every single executable or is that the only way to solve the problem?:

re: Using CasPol to Fully Trust a Share

shawnfa — Fri, 07 Jul 2006 21:08:01 GMT

Are you sure you're using a matching caspol and runtime? Settings applied to v1.1 don't affect apps running against v2.0. Similarly v2.0 32bit and v2.0 64bit are seperate.

-Shawn

Sandboxed Applications Can’t Elevate Their Own Permissions

.Net Security Blog — Thu, 13 Jul 2006 21:43:40 GMT

Every once in a while someone will ask how they can do something similar to these caspol commands from...

re: Using CasPol to Fully Trust a Share

Jesse Albert — Fri, 14 Jul 2006 23:10:39 GMT

Ok, I've got a script I made to fully trust a share using caspol. The problem is that it will only work on machines that have the SDK installed. I can open the security.config file and I can see the group, but the code will not run. The command line I'm running to get the permissions is:

call %windir%\Microsoft.NET\Framework\v2.0.50727\caspol -q -m -ag 1.2 -url %1\* FullTrust -n %1 -d "FullTrust granted to: %1"

where %1 is the server share (eg \\server01\share)

On a machine where I do have the .NET Framework 2.0 configuration utility, this works like a charm. On similar machine without this, no dice. Any clues that can point me in the right direction?

re: Using CasPol to Fully Trust a Share

Jesse Albert — Tue, 18 Jul 2006 16:58:07 GMT

That link lead me to check some other things out. Since I control the code I was able to check what kind of permissions were being requested.

Turned out that the computer with the SDK installed was running the code from the Intranet group. While the computer without the SDK was running it from the Internet group. Both computers are on the domain with the same login credentials and running the code from a network drive, so I'm a bit perplexed as to what's causing the difference, however this provides a fix since none of the end users for the app will have the SDK. Problem worked around until I test it out a bit more ;) Thanks!

-Jesse

re: Using CasPol to Fully Trust a Share

Mike Taverne — Fri, 21 Jul 2006 23:50:53 GMT

Shawn -

I want to use an ActiveX control written in C# 2.0 in an intranet ASP.NET application.

The control downloads fine on my computer, but only after I used the 2.0 Configuration tool to adjust my LocalIntranet zone security to FullTrust. My IE zone security setting for LocalIntranet is at the default, Medium-Low.

End users have the .NET 2.0 Framework installed, but not the 2.0 Configuration applet. Even if they did, we wouldn't want them to manually change their configuration.

What I'm wondering is how best to deploy security policy? Can we run CasPol on end user PC's to grant FullTrust to our intranet application? I have tried various combinations of parameters to CasPol, with no luck.

Thanks, Mike

re: Using CasPol to Fully Trust a Share

shawnfa — Wed, 26 Jul 2006 22:03:39 GMT

Caspol can be run on the users machine, or you can install the configuration wizard and push an MSI out to each of them. Since you're using ActiveX, ClickOnce won't help you out, but that's generally where I'll point people to shipping v2.0 apps off of a share.

-Shawn

re: Using CasPol to Fully Trust a Share

DaveB — Mon, 06 Nov 2006 05:04:31 GMT

Hi,

I'm having trouble with the caspol command. Our developers are build a new app based around sharepoint and need us to register some components on every workstation. For business reasons our desktop environment is locked down - no power user access etc.

I have 3x commands that i need to run that I have listed below in order:

Command 1:

"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol" -quiet -m -ag "LocalIntranet_Zone" -url "http://<my serer name>/*" Nothing -n "My App Data Folder"

Command 2:

"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol" -quiet -m -ag "My App Data Folder" -custom "C:\Program Files\Microsoft Office\OFFICE11\ADDINS\msosec.xml" FullTrust -n "My App Data Documents" -d "Grants full trust"

Command 3:

"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol" -quiet -m -ag "LocalIntranet_Zone" -url "\\My Server Name\vsto\*" FullTrust -n "My App Development Assembly" -d "Grants full trust"

Now when I run this at the command prompt it seems to be all general goodness, I can access my site and our developers are quite happy, but the problem is command 2. After executing this I get prompted with the following message:

You have added the following assembly to the policy system: msosec 7.0.5000.0

If you do not add this assembly to the full trust list, load errors and other unexpected behavior can occur. However, adding the assembly to the full trust list gives all code in this assembly potentially dangerous abilities. Do you want to add this assembly to the full trust list? (yes/no)

My objective is to run this command on a pile of workstations bundled up in an SMS job. I don't need this prompt becasue when my script executes silently the user can't see or respond to this message.

I have tried nearly every option on the caspol -help screen for turning stuff off but have hit a blank - any ideas gratefully accepted

Cheers

DaveB

re: Using CasPol to Fully Trust a Share

shawnfa — Mon, 06 Nov 2006 19:37:16 GMT

Hi Dave,

Normally you would use caspol -pp off to cause caspol to no longer prompt for confirmation. However, it appears that there is a bug where caspol does not respect that setting when adding an assembly to the full trust list.

One workaround is that you could pre-populate the workstation's full trust lists with the msosec.dll assembly, since caspol will not prompt if the assembly is already on the list.

-Shawn

re: Using CasPol to Fully Trust a Share

Jayshree Gohil — Fri, 29 Dec 2006 19:19:12 GMT

Awesome, very straight forward n clear explanation. Kudos to Shawn

re: Using CasPol to Fully Trust a Share

Jeff Hayward — Thu, 04 Jan 2007 23:37:53 GMT

We used caspol.exe on a server functioning as Windows Terminal Services. caspol.exe was run on that server to grant full trust to an application on a second server. This worked fine for a while (and still does for most users). However, when we add new users to the domain and give them access to this machine, they cannot run the application (they get the

"...has encountered a problem and needs..." message indicating that the trust does not exist. We have been unsuccessful getting any new users to be able to run the application. If we remove .Net 2.0, reinstall, no users can run the application. If we then run caspol.exe , the original set of users that could run the application can now run it again, but none of the new users can run it.

Any ideas?

-jeff

re: Using CasPol to Fully Trust a Share

shawnfa — Wed, 10 Jan 2007 21:38:44 GMT

Hi Jeff,

One thought is that some users have modified their user-level security policy, and it is not granting the share full trust. If you check the user level policy in caspol:

caspol -u -lg

It should show that AllCode gets FullTrust and nothing else.

You can also try caspol -all -rsg <path to assembly on server>, which will dump out the groups that the CLR is matching when resolving policy for your server.

-Shawn

re: Using CasPol to Fully Trust a Share

Diederik — Thu, 18 Jan 2007 14:15:56 GMT

How would one create a functioning grouppolicy for active directory use?

We want to run a program from a share on 20 terminalservers, and i like to make just one setting :-)

re: Using CasPol to Fully Trust a Share

shawnfa — Thu, 18 Jan 2007 23:09:06 GMT

Hi Diederik,

You'll need to use the MMC snap-in to export your security policy to an MSI file. (Right click on the security policy and export to MSI should be an option). Then you can deploy this MSI file to your domain. The MSI does not conatin any merge logic however, it will literally overwrite the existing security policy with a copy of the policy from your local machine.

-Shawn

re: Using CasPol to Fully Trust a Share

Idriss — Wed, 28 Feb 2007 00:09:14 GMT

Shawn

just to be sure, so If I want to run a windows app over the network, I need to create a machine policy on that computer and then copy it to everyone pc that needs to access that program.

Thanks

Idriss

re: Using CasPol to Fully Trust a Share

shawnfa — Fri, 09 Mar 2007 21:15:13 GMT

Yep Idriss -- that's correct, you need to deploy that policy to every client machine that will run your application. Alternatively you could look at ClickOnce deployment, which does not rely on machine security policy.

-Shawn

re: Using CasPol to Fully Trust a Share

Sai — Thu, 15 Mar 2007 21:53:30 GMT

Hi Shawn

I am trying to use CasPol to fully trust a share. I have .Net installed on my PC. When I issue the folowing command

C:\>caspol.exe -m -ag 1.2 -url file:\\uhscorp\sustain/Tools/* FullTrust

The output I get is

Microsoft (R) .NET Framework CasPol 1.0.3705.6018

ERROR: Invalid option: -m

Usage: caspol <option> <args> ...

caspol -m[achine]

Modifier that makes additional commands act on the machine level

caspol -u[ser]

Modifier that makes additional commands act on the user level

caspol -en[terprise]

Modifier that makes additional commands act on the enterprise level

Why am I getting this error and how can make the command to work? Any help is greatly appreciated.

Thanks

Sai

re: Using CasPol to Fully Trust a Share

shawnfa — Fri, 16 Mar 2007 01:36:04 GMT

Hi Sai,

I see this most often if the caspol command line has been copied and pasted from a program such as Word or Outlook which replaces a - with a fancier character that looks similar to -, but is not the same. I recommend typing the command line by hand to see if that solves your problem.

-Shawn

re: Using CasPol to Fully Trust a Share

Sai — Fri, 16 Mar 2007 16:35:53 GMT

Hi Shawn

You solved my problem. Now I understand that copy and paste does not work sometimes in cmd. Learnt a lesson here. You are the man.

Thanks

Sai

re: Using CasPol to Fully Trust a Share

james — Tue, 27 Mar 2007 18:15:43 GMT

Several people have commented about getting the (yes/no) prompt when using caspol. Have we all forgotten the command line? Simply echo y|caspol and the problem is solved

re: Using CasPol to Fully Trust a Share

shawnfa — Thu, 29 Mar 2007 20:24:01 GMT

Hi James,

That will work, however caspol also has built-in functionality for that. If you do:

caspol -pp off

It will suppress the prompt as well.

-Shawn

re: Using CasPol to Fully Trust a Share

johnf — Mon, 02 Apr 2007 17:21:51 GMT

Hello

I need to run a VB.NET 2005 app as a logon script.

Would it still be appropriate to grant "FullTrust" to the "\\server\netlogon" share? OR is there a better way?

Regards

John

re: Using CasPol to Fully Trust a Share

shawnfa — Mon, 09 Apr 2007 19:34:10 GMT

Hi John,

You could certainly do that if you trust your internal network. Another option would be to sign your scripts and trust the signature.

-Shawn

re: Using CasPol to Fully Trust a Share

David — Mon, 16 Apr 2007 16:53:50 GMT

I am trying to do my first .net install. The program is to be used via a citrix environment. I have run the caspol settings on the .exe's computer however I get the security message still. How can I check to see where the security is being pulled from and can I check/run caspol when my program starts to set the appropriate security?

Thanks!

re: Using CasPol to Fully Trust a Share

shawnfa — Wed, 18 Apr 2007 19:20:31 GMT

Hi David,

Security policy must be updated on the machines that run the application, not the machine that hosts the application. Otherwise malware would just say "trust me, Evil.exe is trusted!".

For the same reason, partial trust code cannot say "Hey, I'm trusted -- let me just elevate my permissions." Your best bet is to use ClickOnce to deploy your application.

-Shawn

re: Using CasPol to Fully Trust a Share

Ingo — Fri, 20 Apr 2007 21:39:39 GMT

Hi,

we use Windows Vista 32bit EE or BE and tried caspool for our (web-)development shares. Even though the command itself works fine and the share is correctly in the list of trusted locations, whysoever VS2005 is still believing that the share isn't trusted?!

Do you have an idea what else we can try?

Thanks in advance,

Ingo

PS:

We thought that somehow the domain policies might interfere and tried the same thing with a machine outside the domain but with proper access rights to the share - the result is the same.

Sandboxed Applications Can’t Elevate Their Own Permissions

Guy kolbis — Sun, 22 Apr 2007 14:06:07 GMT

Recently I visited Toronto for Beta release of software I designed. As always with Beta versions, we

re: Using CasPol to Fully Trust a Share

Hugo Dias — Mon, 30 Apr 2007 19:08:49 GMT

Shawn, plz help me out

im driving crazy..!!

i've made a Console Application and copied the EXE to a shared folder in the network.

The Console Application will be called from a JOB in SQL SERVER... and everytime the JOB calls the APP i getting an error:

Request for the permission of type 'System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

also

Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

The SQL SERVER and the shared folder are in the same machine...

Now:

the path to shared folder is:

\\beta\Sql_temp

the path to the program is

\\beta\Sql_temp\AppCIDSca.exe

i have done the command:

caspol -addfulltrust \\beta\Sql_temp\AppCIDSca.exe

and also tried the caspol -addgroup -url file:\\beta\Sql_temp/* FullTrust

but i always get that error....

what can i do...?

re: Using CasPol to Fully Trust a Share

Matt — Wed, 02 May 2007 08:33:29 GMT

Hi there,

We have recently installed .NET 2.0 to our web servers (3 in a cluster talking to a Network Share). We previously had to set each web server to have full trust permissions to the share for .NET 1.1 to work. However, it seems this has not helped for .NET 2.0

If i run: CasPol.exe -m -ag 1.2 -url file://ShawnFa-Srv/Tools/* FullTrust

will this resolve the problem for .NET 2.0 or do I need to add more parameters to the CasPol.exe?

What is interesting is that .NET 2.0 applications work if they are created as Web Sites in VS 2005 and not Web Projects (compiling to a BIN).

re: Using CasPol to Fully Trust a Share

srini — Mon, 07 May 2007 17:07:44 GMT

Hi Shawn,

I have a c# 2.0 exe which has some file IO commands where it checks whether a file is there (File.Exists).

When I copy this exe on a network share and run it, I get this error

Request for the permission of type 'System.Security.Permissions.FileIOPermission

, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' f

ailed.

I have given Full Trust like what you have specified and the command works great, why do I get this error message

re: Using CasPol to Fully Trust a Share

shawnfa — Mon, 07 May 2007 21:31:49 GMT

Hi Srini,

You get the error because by default Intranet applications do not have rights to check for files on the local machine. Once you elevate the permissions using caspol, it has permission and the code succeeds.

-Shawn

re: Using CasPol to Fully Trust a Share

shawnfa — Mon, 07 May 2007 21:34:43 GMT

Hi Matt,

You'll of course need to substitute \\shawnfa-srv\tools\* with your own server and share :-) Since each CLR version has its own policy you'll need to make the changes to every version of the CLR (1.1, 2.0 32 bit, 2.0 64 bit) that you intend to run ASP.NET applications against.

-Shawn

re: Using CasPol to Fully Trust a Share

shawnfa — Mon, 07 May 2007 21:55:59 GMT

Hi Hugo,

You don't want the -addfulltrust command, this is for setting up policy assemblies and is obsolete in v2.0 of the framework. One thing to check with your other command line is to make sure that you're matching the caspol version to hte runtime version that your assemblies will be running against. You can also use caspol -rsg <assembly> to see what code groups your asembly is matching.

-Shawn

re: Using CasPol to Fully Trust a Share

shawnfa — Mon, 07 May 2007 22:07:06 GMT

Hi Ingo,

I've noticed that behavior too :-) Unfortunately VS isn't smart enough to do a policy resolution against your assembly (and it really can't since it doesn't know the full set of evidnece for the assembly until it is loaded). Because of that it will give you the warning whenever you load any code from a network share. If you've setup policy properly, it should be safe to ignore.

-Shawn

re: Using CasPol to Fully Trust a Share

A K S — Wed, 09 May 2007 17:38:17 GMT

Hi,

i'm getting error System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

can anybody help help me out by setting up security trust using caspol, i'm using asp.net 2.0 files resides on UNC network.

Thanks in advance,

A K S

re: Using CasPol to Fully Trust a Share

shawnfa — Wed, 09 May 2007 22:29:01 GMT

ASP.NET grants AspNetHostingPermission within AppDomains that it controls. That error indicates that you're attempting to access an API that is only meant to be accessed from within an ASP.NET application from outside ASP.NET.

If you are in an ASP.NET application, another possibility is that the ASP.NET trust levels got corrupted and the hosting permission is no longer being granted there -- in that case you'll have to check the ASP.NET forums to find an ASP.NET expert that can help you reset your settings.

-Shawn

sam.mcgeown.co.uk » Blog Archive » Visual Studio Project Location Not Trusted

sam.mcgeown.co.uk » Blog Archive » Visual Studio Project Location Not Trusted — Wed, 06 Jun 2007 13:18:35 GMT

PingBack from http://sam.mcgeown.co.uk/?p=7

Full trust

Chris V V — Thu, 26 Feb 2009 00:28:05 GMT

I had alot of trouble getting this working, but it finally did when I used this command:

caspol -q -machine -addgroup 1 -url file://z:/* FullTrust -name "Z Drive"

caspol.exe is located at C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 also you need to restart devenv.exe after doing this.

re: Using CasPol to Fully Trust a Share

Aron — Sat, 21 Mar 2009 23:45:34 GMT

Thank you "Full trust"! I've spent several hours on this, being in need of running .net assemblies from my development-server share.

caspol -q -machine -addgroup 1 -url file://z:/* FullTrust -name "Z Drive"

worked like a charm. Thank you again!

re: Using CasPol to Fully Trust a Share

sth_Weird — Tue, 28 Apr 2009 14:21:00 GMT

hmm, what I miss and haven't been able to find anywhere on the net yet is a list of all possible trust levels.

as for me, I'm trying to develop a script that automatically sets the trust level, problem is that I've managed to set it to full trust once and now my program on the net always works. I have not managed to set a smaller level that makes my program crash any more. But I need this to test my script. Can anybody help?

re: Using CasPol to Fully Trust a Share

Srinath — Mon, 11 May 2009 11:59:28 GMT

Thank you very much it really worked i struggled around a day to fix this

re: Using CasPol to Fully Trust a Share

Michael — Thu, 14 May 2009 16:48:52 GMT

Shawn, after using sn.exe I can add my assembly on my local box. But I still get the "...must have a strong name..." error on the server. Tried caspol. It claimed success, but the assembly is not there in the Config manager. Here's the command-line from caspol:

D:\MyDir>C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol.exe /af MyNewDLL.dll

Microsoft (R) .NET Framework CasPol 2.0.50727.3053

Because all GAC assemblies always get full trust, the full trust list is no longer meaningful. You should install any assemblies that are used in security policy in the GAC to ensure they are trusted.

The operation you are performing will alter security policy.

Are you sure you want to perform this operation? (yes/no)

yes

Success

Did I miss a step somewhere?

re: Using CasPol to Fully Trust a Share

shawnfa — Fri, 22 May 2009 00:12:23 GMT

You shouldn't be using the full trust list to do this - as caspol is warning you, that list is no longer used as of v2.0 of the .NET Framework. Instead, you'll want to use one of the other options such as the URL membership condition that I show in the example.

-Shawn

re: Using CasPol to Fully Trust a Share

shawnfa — Fri, 22 May 2009 00:19:11 GMT

There's no such thing as "all the possible trust levels". .NET 3.5 SP1 ships with 6 predefined permission sets - (in decreasing order) FullTrust, Everything, LocalIntranet, Internet, ExecuteOnly, and Nothing.

However, anyone can make their own permission sets with different trust levels. For instance, ASP.NET addded Low, Medium, and High trust. SQL Server has their three trust buckets as well.

Additionally, anyone can define their own custom permissions to further expand the possbible list of permission sets. So, what you end up with, is an infinite theoretical combiation of permsision sets.

-Shawn

re: Using CasPol to Fully Trust a Share

Steve-o — Mon, 01 Jun 2009 07:52:39 GMT

I'm running the Visual Studio 2008 in a VMWARE instance of Vista Ultimate and I have a mapped drive Projects (B:\) that I'm trying to use caspol on to allow fulltrust for all projects I create.

I've used:

caspol -m -ag 1.2 -url file://B:\* FullTrust

I get the success and prompted for yes or no. Like normal not in that order. But when I fire up VS2008 again I still get the same issue when I create a new project. I've proceeded to restart the VMWARE instance same issue. I've also tried individually allow applications.

caspol -m -ag 1.2 -url file://B:\WebApplication99\* FullTrust

still same results.....

Could you please advise? Thanks for any help you have.

re: Using CasPol to Fully Trust a Share

shawnfa — Mon, 08 Jun 2009 22:06:39 GMT

I don't believe VS applies CAS policy when showing that dialog box, instead it only looks at the zone.

You should be fine ignoring the box and letting CAS policy take over at runtime for you.

-Shawn

re: Using CasPol to Fully Trust a Share

Les.Kinney — Tue, 16 Jun 2009 19:47:30 GMT

I was wondering if it is possible to use Caspol to enable full trust for a folder for running a Access 2007 runtime app from. What I have done is created a click-once console app to extract an updated version of the access app to a local folder (c:\hcp\rect\) if IsFirstRun is true, otherwise it just uses System.Diagnostics.Process.Start to run the app using the runtime. However, on client machines that don't have full version of Access 2003/2007, i want to be able to set Full Trust via batch file maybe so they don't have to answer the dialog and click Open button. Is this possible? If I am in the wrong place let me know too! Thanks,

re: Using CasPol to Fully Trust a Share

Sebastian — Mon, 29 Jun 2009 11:28:58 GMT

Great blog entry ;)

I miss the information how to remove this Full Trust entries. Is there a way doing that with CasPol? Please both ways (Full Trust to share and file).

Thank you :)

re: Using CasPol to Fully Trust a Share

Cip D — Wed, 08 Jul 2009 00:00:22 GMT

Hi Shawn-

I'm running into an issue with CASPOL where if I run it as a user without administrator permissions it fails. My command is such:

%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\caspol -q -machine -addgroup 1. -url http://SERVERNAME/* FullTrust -name "APPName"

What do I need to do to allow any user to run this command?

Thanks

-Cip

re: Using CasPol to Fully Trust a Share

Ian Ambrosen — Fri, 10 Jul 2009 12:57:57 GMT

Shawn, have an exe running from a network drive v, tried the command

C:\WINDOWS\Microsoft.NET\Framework\v2.0.507

27\CasPol.exe -pp off -m -ag 1.2 -url file://v:\* FullTrust

appeared to go ok but still get the same P9 error security.security

for caspol -m - lg got the following:

1.1.2. StrongName - 00000000000000000400000000000000: FullTrust

1.2. Zone - Intranet: FullTrust

1.2.1. All code: Same site Web

1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery'

1.2.3. Url - W:\*: FullTrust

1.2.4. Url - \\192.168.245.4\*: FullTrust

1.2.5. Url - V:\*: FullTrust

1.2.6. Url - file://v:\*: FullTrust

1.2.7. Url - file://v:\: FullTrust

1.2.8. Url - file://v:\*: FullTrust

1.3. Zone - Internet: Internet

1.3.1. All code: Same site Web

1.4. Zone - Untrusted: Nothing

1.5. Zone - Trusted: Internet

1.5.1. All code: Same site Web

Any ideas what I am doing wrong?

Thanks Ian

re: Using CasPol to Fully Trust a Share

Suyambu — Thu, 16 Jul 2009 13:19:23 GMT

Is there a way to give FullTrust programatically without using CASPOL tool.

So that I don't have to execute the CASPOL command in each client machine.

Can we achieve the same programatically what CASPOL does. Something similar to...

[assembly: FileIOPermissionAttribute(SecurityAction.RequestMinimum, Unrestricted = true)]

[assembly: PermissionSet(SecurityAction.RequestOptional, Unrestricted = false)]

Just wanted to know whether this is possible or not.

Thanks in Advance.

Suyambu

re: Using CasPol to Fully Trust a Share

Steve — Fri, 14 Aug 2009 06:02:37 GMT

I have a .Net 2.0 app that a vendor has given me to deploy in our organization. They created an app that goes along with it that takes care of the caspol part, however, it needs to be run with admin permissions against a network drive. I've created an installer myself that will map a drive as a local admin, then apply the permissions but it's buggy and doesn't always work. I'd rather just run their application but all of our users have "power user" rights so they can't do it themselves. The command is:

caspol -pp off -m -ag All_Code -url "file:// R:\Programs\imswin\cleardecisions\* " FullTrust -n Network_Apps

We're a novell shop that uses zenworks for deployments. Any help, like possibly using group policy instead, would be greatly appreciated. I'm not a .net programmer so my knowledge is limited.

re: Using CasPol to Fully Trust a Share

Steve — Fri, 14 Aug 2009 06:57:05 GMT

I did find this: http://www.codeproject.com/KB/dotnet/Using_MSI_or_a_strong_nam.aspx

Seems to be what I need, but not sure. If it'll work I can just distribute that as an msi, but not sure since the "admin" account that will run it won't have an R drive mapped.

re: Using CasPol to Fully Trust a Share

dylan — Sat, 05 Sep 2009 00:02:35 GMT

I am trying to solve the trusted location issue when opening visual studio 2008 projects. When using CasPol.exe -m -ag 1.2 -url file://O:/* FullTrust I get the following:

ERROR: Runtime error: Access denied. You might now have administrative credentials to perform this tast. Contact your system administrator for assistance.

This is on a new Windows 7 installation, not sure if that has anything to do with it or not.

re: Using CasPol to Fully Trust a Share

Paul — Fri, 09 Oct 2009 19:29:26 GMT

Hi,

This is doing my head in.

I have a screensaver app that runs 100% when i'm logged in, but it fails when it is invoked as the pre-login screensaver. Fails with a security exception. The winform app has a winforms webbrowser control embedded, when this control is removed no exception occurs and it works. According to MSDN the webbrowser control needs FullTrust. I've signed the app and used CASPOL to grant fulltrust, but still no go.

What am I doing wrong?

Regards!

Paul

re: Using CasPol to Fully Trust a Share

shawnfa — Thu, 05 Nov 2009 18:16:55 GMT

In order to diagnose a security exception, having the full exception text and call stack is useful - this way we can figure out who was demanding what.

-Shawn

re: Using CasPol to Fully Trust a Share

shawnfa — Thu, 05 Nov 2009 18:29:13 GMT

Dylan - CAS sits on top of NT security, so if you are getting an access denied trying to perform an operation, that cannot be fixed with Caspol. Instead, you'll need to ensure that your user account has permission to write to the machine wide CAS settings file.

Make sure you're attempting this operaiton from an elevated command prompt, otherwise it won't succeed.

-Shawn

re: Using CasPol to Fully Trust a Share

shawnfa — Thu, 05 Nov 2009 19:15:19 GMT

Suyambu - Check out ClickOnce deployment for applications. In a ClickOnce application, the application declares what permissions it needs (for instance FullTrust), and will be guaranteed to either run with those permissions or not run at all.

-Shawn

re: Using CasPol to Fully Trust a Share

shawnfa — Thu, 05 Nov 2009 19:18:23 GMT

What error are you getting? P9 security.security doesn't sound like a SecurityException so it may not be caspol related at all.

-Shawn

re: Using CasPol to Fully Trust a Share

shawnfa — Thu, 05 Nov 2009 19:19:28 GMT

Cip - that requires admin privilege because that command modifies the security settings for the entire machine. Modification to machine wide security state is not allowed by unprivileged users.

-Shawn