http://blogs.msdn.com/shawnfa/archive/2009/05/21/security-policy-in-the-v4-clr.aspxOne of the first changes that you might see to security in the v4 CLR is that we’ve overhauled the security policy system.&#160; In previous releases of the .NET Framework, CAS policy applied to all assemblies loaded into an application (except for inen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/shawnfa/archive/2009/05/21/security-policy-in-the-v4-clr.aspx#9634200Thu, 21 May 2009 22:26:15 GMT91d46819-8472-40ad-a661-2c78acb4018c:9634200Security Policy in the v4 CLR | Microsoft Share Point<p>PingBack from <a rel="nofollow" target="_new" href="http://microsoft-sharepoint.simplynetdev.com/security-policy-in-the-v4-clr/">http://microsoft-sharepoint.simplynetdev.com/security-policy-in-the-v4-clr/</a></p> http://blogs.msdn.com/shawnfa/archive/2009/05/21/security-policy-in-the-v4-clr.aspx#9634232Thu, 21 May 2009 22:53:46 GMT91d46819-8472-40ad-a661-2c78acb4018c:9634232Timothy Fries<p>How far does this extend?</p> <p>Can an application still create a sandboxed AppDomain (without needing to opt back in to the full managed policy on the primary AppDomain)?</p> <p>Is the Strong Name signature of a referenced assembly that's not located in the GAC still verified by the loader when loaded into a context where the managed security policy is disabled?</p> <p>And finally, is there an MSDN article that describes the change in more detail?</p>http://blogs.msdn.com/shawnfa/archive/2009/05/21/security-policy-in-the-v4-clr.aspx#9634318Fri, 22 May 2009 00:08:19 GMT91d46819-8472-40ad-a661-2c78acb4018c:9634318shawnfa<p>Hi Timothy,</p> <p>You can absolutely still create a sandboxed domain - in that aspect you're acting as a bit of a host yourself ... you're creating a sandbox to host untrusted code within. &nbsp; Instead of using policy to setup that domain however, you should instead use the simple sandbox APIs to do so.</p> <p>Non-GACed assemblies will not have their strong name signautres verified in the default domain of an unhosted application since they will be fully trusted without the use of their signature (<a rel="nofollow" target="_new" href="http://blogs.msdn.com/shawnfa/archive/2008/05/14/strong-name-bypass.aspx">http://blogs.msdn.com/shawnfa/archive/2008/05/14/strong-name-bypass.aspx</a>)</p> <p><a rel="nofollow" target="_new" href="http://msdn.microsoft.com/en-us/library/dd233103">http://msdn.microsoft.com/en-us/library/dd233103</a>(VS.100).aspx is the best starting point in MSDN for the v4 changes.</p> <p>-Shawn</p> http://blogs.msdn.com/shawnfa/archive/2009/05/21/security-policy-in-the-v4-clr.aspx#9634519Fri, 22 May 2009 03:12:36 GMT91d46819-8472-40ad-a661-2c78acb4018c:9634519Stephen Cleary<p>Thank you!</p> <p>I'm glad to hear that this long-standing pain point has finally been resolved.</p>http://blogs.msdn.com/shawnfa/archive/2009/05/21/security-policy-in-the-v4-clr.aspx#9634796Fri, 22 May 2009 10:00:07 GMT91d46819-8472-40ad-a661-2c78acb4018c:9634796Tom<p>Hi Shawn,</p> <p>picking up Dominick's idea I totally agree with him that it'd be a great idea to convince you to write a book on .NET 4.0 Security. Please think about starting that book project.</p> <p>In the meantime: Thanks for starting this very useful series of articles!</p> <p>-- Tom</p>http://blogs.msdn.com/shawnfa/archive/2009/05/21/security-policy-in-the-v4-clr.aspx#9635062Fri, 22 May 2009 14:33:40 GMT91d46819-8472-40ad-a661-2c78acb4018c:9635062Smith Daves<p>What means &quot;unhosted applications&quot;?</p>http://blogs.msdn.com/shawnfa/archive/2009/05/21/security-policy-in-the-v4-clr.aspx#9635065Fri, 22 May 2009 14:40:23 GMT91d46819-8472-40ad-a661-2c78acb4018c:9635065Andy Mackie<p>Are there any changes in how CAS applies to XBAP and ClickOnce apps ? I'm thinking specifically of clickonce &amp; xbap apps with Intranet permissions, rather than Internet.</p> <p>When things work ClickOnce deployment is great, but when the dreaded &quot;Trust not granted&quot; pops up, it's a right pain to sort! Admittedly, some of it is a developer education issue re. CAS/caspol.</p>http://blogs.msdn.com/shawnfa/archive/2009/05/21/security-policy-in-the-v4-clr.aspx#9635374Fri, 22 May 2009 19:17:17 GMT91d46819-8472-40ad-a661-2c78acb4018c:9635374shawnfa<p>Hi Smith,</p> <p>An unhosted application is basically just a managed .exe that you run directly. &nbsp;That is, it's not run within a larger host (think ASP.NET, SQL Server, or as an addin in another application for instance).</p> <p>-Shawn</p> http://blogs.msdn.com/shawnfa/archive/2009/05/21/security-policy-in-the-v4-clr.aspx#9635378Fri, 22 May 2009 19:18:25 GMT91d46819-8472-40ad-a661-2c78acb4018c:9635378shawnfa<p>Hi Andy,</p> <p>ClickOnce will still evaluate what permissions it thinks is safe for an application to request based upon where the application is coming from. &nbsp;If the app is requesting more than that safe set, it will continue with its v3.5 behavior of prompting the user to allow the elevation.</p> <p>-Shawn</p> http://blogs.msdn.com/shawnfa/archive/2009/05/21/security-policy-in-the-v4-clr.aspx#9635606Fri, 22 May 2009 20:54:24 GMT91d46819-8472-40ad-a661-2c78acb4018c:9635606.NET Security Blog<p>Yesterday I talked about the changes in security policy for managed applications , namely that managed</p> http://blogs.msdn.com/shawnfa/archive/2009/05/21/security-policy-in-the-v4-clr.aspx#9717569Tue, 09 Jun 2009 22:15:02 GMT91d46819-8472-40ad-a661-2c78acb4018c:9717569.NET Security Blog<p>Over the last few posts, I’ve been looking at how the update to the CLR v4 security policy interacts</p> http://blogs.msdn.com/shawnfa/archive/2009/05/21/security-policy-in-the-v4-clr.aspx#9737039Fri, 12 Jun 2009 21:27:13 GMT91d46819-8472-40ad-a661-2c78acb4018c:9737039.NET Security Blog<p>Over the last few weeks we’ve been looking at the changes to security policy in .NET 4, namely that security</p> http://blogs.msdn.com/shawnfa/archive/2009/05/21/security-policy-in-the-v4-clr.aspx#9737129Fri, 12 Jun 2009 21:33:40 GMT91d46819-8472-40ad-a661-2c78acb4018c:9737129.NET Security Blog<p>Over the last few weeks we’ve been taking a look at the updates to the CLR security policy system in</p>