.NET security question

  • Thread starter Thread starter Adam J. Rosen
  • Start date Start date
A

Adam J. Rosen

A coworker is trying to run a .Net winforms application from a network share
(shared from my computer). When he tries to execute it, he gets a "Request
Failed" message - a bit of poking reveals that this is a security issue,
presumably from running on a network share (and accessing a DB on the
network share) without any permissions set on the app. Setting the trust
level to full access fixes the problem, but when I recompile an put a new
copy there, he has to go through that process again.

Is there a way that I can release new builds without him having to
're-trust'? Does signing assemblies help in here? Also, is there anything an
app can do, aside from detect and degrade/exit gracefully when network
access is denied? I assume a program can't request higher access, as that
would defeat the purpose of having to trust code manually.

Any info greatly appreciated!

Adam
 
Adam said:
A coworker is trying to run a .Net winforms application from a network share
(shared from my computer). When he tries to execute it, he gets a "Request
Failed" message - a bit of poking reveals that this is a security issue,
presumably from running on a network share (and accessing a DB on the
network share) without any permissions set on the app. Setting the trust
level to full access fixes the problem, but when I recompile an put a new
copy there, he has to go through that process again.

Is there a way that I can release new builds without him having to
're-trust'? Does signing assemblies help in here? Also, is there anything an
app can do, aside from detect and degrade/exit gracefully when network
access is denied? I assume a program can't request higher access, as that
would defeat the purpose of having to trust code manually.

Any info greatly appreciated!
Click to expand...

Signing assemblies would possibly help, as he can create a security
policy that grants increased (or full) trust to assemblies signed with
your key pair.

This can be done by having him set up a security code group based on
'Publisher'.

Note that if you sign assemblies to get increased permissions, you will
probably need to mark the assemblies with the
AllowPartiallyTrustedCallers attribute - see the articles referenced at
the end of this post for details.

You can also use the Runtime Security Policy tool to add what ever
permissions are required to the 'LocalIntranet_Zone' code group, and
code that runs from a network share will gain those permissions. If the
intranet is secure and trusted, you could probably simply assign 'Full
Trust' to that zone.

It's also possible for him to assign a security policy code group based on:

'Site', which means that it's associated with a particular DNS
machine name/port combination

'URL'


Chris Sells has written some good articles that detail running WinForms
from URLs and/or network shares:

http://msdn.microsoft.com/msdnmag/issues/02/07/NetSmartClients/


http://msdn.microsoft.com/library/en-us/dnforms/html/winforms11122002.asp

As for an application detecting and handling lowered trust gracefully,
the app can make security 'demands' that enable it to determine whether
a particular security permission is granted or not at run-time. See the
SDK for details on how that works.
 
Back
Top