473,695 Members | 2,178 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Article : Code Access Security Part - 1 (.Net FrameWork Tools Series)

Hey Guys,

Today we are going to look at Code Access Security.

Code access security is a feature of .NET that manages code depending on its
trust level. If the CLS trusts the code enough to allow it ro run then it
will execute, the code execution depends on the permission provided to the
assembly. If the code is not trusted wnough to run or it attempts to perform
an action which doe not have the required permissions then its execution is
stop and the application exits.

Code access security is primarily about protecting resources like your
local disk,netwoek, user interface from malicious code and not a tool for
protecting software from users which is a general misbelief.

Code access security is based upon Code Groups and Permissions.

Code Groups :- In windows we have user groups and every user belongs to a
group. We do not give permissions to users on indiviual basis but rather it
is more convient to create a group and give permissions to this group. In
the same way we have code groups bring code that has similar characteristics
and execution permissions togather.

E.g. One of the predefined code groups is Internet. If we say that this code
belongs to Internet code group this code has only those permissions which
are defined by this group. Like the Internet code group does not have access
to your local access hence all the applications executing under this code
group will not have permissions to access the local hard disk.
Permissions :- They are actions that each code group is allowed to perform
e.g. Permissions to access the user interface. This permission management
can be done at 3 levels Enterprise,Mach ine and User level.

"All Code" code group is the root group. All the code groups is under this
code group. If an assembly does not match a code group in the hierarchy code
groups below it are not searched.

For an assembly to be a member of any code group it need to fulfill its
membership condition.Each code group has one and only one membership
condition. This is the list of membership conditions in which "All code"
membership condition is at the root.

Let us view all the available code group membership conditions :

1) Go to Visual Studio Command promt and type caspol /help
2) Scroll at the bottom and you will see the following membership or "mship"

where "<mship>" can be:

-allcode All code
-appdir Application directory
-custom <xml_file> Custom membership condition
-hash <hashAlg> {-hex <hashValue>|-file <assembly_name> } Assembly hash
-pub {-cert <cert_file_name > | -file <signed_file_na me> | -hex
<hex_string>} Software publisher
-site <website> Site
-strong -file <assemblyfile_n ame> {<name> | -noname}{<versio n>
| -noversion} Strong name
-url <url> URL
-zone <zone_name> Zone, where zone can be: (MyComputer,
Intranet,Truste d,Internet,Untr usted)

Zone is the most commonly used membersip condition.These zones are managed
from IE using the security options

3) Go to IE. ... Tools ... Options ... Security Tab ... And you will see all
these options.

Note :- These options are set from IE they apply to the whole machine.

4) Type caspol.exe - lg. This command will list all the code groups without
the descriptions. If you want to see the desriptions
Type caspol.exe -ld.

5) To view the code groups of an assembly e.g. Type caspol -resolvegroups
<DLLName>.dll . It will show a similar output

Level = Enterprise
Code Groups:
1. All code: FullTrust

Level = Machine
Code Groups:
1. All code: Nothing
1.1. Zone - MyComputer: FullTrust

Level = User
Code Groups:
1. All code: FullTrust


6) In order to understand code access security completely we need to
understand Permission sets very well.

Type caspol -lp | more.

You will see an entire list of permissions in the form of xml tags.

We will look a few most frequently used permission sets :

SQLCLientPermis sion :-- Permission to access SQL Database.
UIPermission :- Permission to access user interface.
FileIOPermissio n : - Permission to read,writing or append to file as well as
creating folders.
Printing Permission :- Permission to print
WebPermission :- Prmission to make or accept connetions to/from the web.

..Net has provided us with predefined permission sets a.k.a. named permssion
sets. They are :-


Note : Only the last 3 can be modified the first three cannot altered.

You can also view assembly premissions with caspol :-

caspil.exe -rp <Your Assembly>.dll

Note :- In one of my previous articles we had seen hoow to view assembly
permissions with permview.exe.

Now lets view the current permission sets for each code groups at various
policy levels.
CAS policy levels exists either at enterprise, user or machine level.

By deffault when you listgroups using caspol machine level policy details
are displayed to you. If you want to see user and enterprise policy details
type -u or -en as follows :-

caspol -u -lg // for user

caspol -en -lg // for enterprise

By Default .Net gives FullTrust permissions to "ALL Code " Code group at
enterprise and user level.

The question now is ow we determine which policy level will be used. Well
CAS takes an intersection of all the 3 policy levels i.e. user enterprise
and machine. Hence if you have made any changes on your machine's policy you
administrator can easily override it by changing the user or enterprise

Today we have seen the code access groups, permission sets and the
different policy levels. In my tommorrow's article we will create a sample
app and see how we can manage security policy.

-- Please post your queries and comments for my articles in the usergroup
for the benefit of all. I hope this step from my end is helpful to all of


Namratha (Nasha)

Nov 17 '05 #1
0 2089

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

by: John Smith | last post by:
I don't think I have understood the concept of Code Access Security in Dotnet fully. 1) I simply can't appreciate the method - *Permission.Assert that asserts the 'right' and bypasses the security policy !! Wouldn't this make the security policy redundant? (as any untrusted code can simply assert the right and continue!!) 2) I have tried to change the Permission Set for All_Code code group to use
by: Brian Loesgen | last post by:
The next San Diego .Net User Group meeting is Tuesday, November 25, 2003 at the Scripps Ranch Library. Scripps Ranch Library 10301 Scripps Lake Drive San Diego, CA 92131-1026 Please join us at 6:00 pm for pizza and networking. The meeting starts at 6:30 pm.
by: Namratha Shah \(Nasha\) | last post by:
Hey Guys, Before we start with our sample app we need to view the security configuration files on the machine. You will find them under <drive>\WInNT\Microsoft.NET\FrameWork\<version>\Config Enterprise Level Security configuration file is :- enterprise.config Machine Level Security configuration file is :- security.config
by: Ramzey | last post by:
I've looked through the MSDN documentation on code access security and can not seem to find an answer to my question. I have a class XYZCorpWebPage that uses System.Web.UI.Page as it's base class. I want to make it so that the web server will throw an exception/deny runtime rights to any WebForm derived from System.Web.UI.Page, but I want to allow runtime rights on XYZCorpWebPage (I want to force our developers to use XYZCorpWebPage as...
by: JDeats | last post by:
Does anyone know if it's possible to programmatically modify .NET 1.1 Configuration Code Access security? Our ideal is to have a MSI installer package that the user can run that will adjust the Local Intranet security zone to be Full Trust so .NET WinForm applications can be launched though http (SmartClients) without each computer on the network having to be manually configured to permit this.
by: Namratha Shah \(Nasha\) | last post by:
Hey Guys, Today we are going to look at Code Access Security. Code access security is a feature of .NET that manages code depending on its trust level. If the CLS trusts the code enough to allow it ro run then it will execute, the code execution depends on the permission provided to the assembly. If the code is not trusted wnough to run or it attempts to perform an action which doe not have the required permissions then its execution...
by: Jeremy S. | last post by:
..NET's code Access Security enables administrators to restrict the types of things that a .NET application can do on a local computer. For example, a ..NET Windows Forms application can be prevented from writing to the Registry or writing a file to the local disk. My question: Is this feature unique to .NET? Or is it just as easy for enterprise network administrators to prevent COM applications from writing to the Registry and doing...
by: Vedo | last post by:
Hi, Is there a way to assign permissions to native applications in Windows? Like app x can only access this and this directories, app y cannot impersonate the remote users, etc. Something similar to the .NET Framework code access security mechanism. Regards...
by: =?Utf-8?B?TWlrZSBNY0FsbGlzdGVy?= | last post by:
First, I'm not an AD Administrator. However, I have an important business need to be able to learn and pass along information about configuring .NET Code Access Security from Active Directory. We want to be able to run a .NET application from a share (Intranet Zone) and most importantly to administer the CAS security for this from the central location of Active Directory instead of running caspol.exe on each individual machine. How...
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.