I think that I start to understand this .NET security.
Basically it comes to this:
* You use strong names in the dll and exe, so the application user must
configure this application with key one time that it can be trusted.
Similar like ActiveX but no dialog box is shown.
* The program tells the JIT compiler what rights it need.
For example, a clock would not need file access, so it could tell the JIT
that it does not use the FileIOPermission for file access.
This way, a hacker cannot misuse this clock program to write a file to
the windows folder.
And I must add these hints too
* You need a .config file at the same location of the exe file and the used
dll's to
make .NET be able to find the newly provided dll's.
I have been fighting some problems with the JIT compiler incorrectly
claming that
he did not find the correct dll, while they were just right there.
* If one of these dll's uses the dynamic MFC dll's then add these to the
folder too.
(mfc70.dll, msvcp70.dll and msvcr70.dll for VC++ 2002)
Do not expect that MFC is installed on that machine.
(The odd thing is that .NET 1.0 have these dll's in it's folder, but
apparently does
not put this in a search path.
* Put something like this to your main() in order to see why the pogram
crashes.
try {
Application.Run(new Form1());
} catch (SecurityException e) {
MessageBox.Show("Not enough security rights to run this
program!\r\r"+e.ToString()+"\r\rThis program will now terminate!",
"ctRepair: Security
error",MessageBoxButtons.OK,MessageBoxIcon.Error);
} catch (Exception e) {
MessageBox.Show("This program caused an unknown
exception!\r\r"+e.ToString()+"\r\rThis program will now terminate!",
"ctRepair: Unknown
exception",MessageBoxButtons.OK,MessageBoxIcon.Error);
}
* Use Microsoft FxCop to inspect your .NET created DLL's if they are
reusable for other languages.
This program helped me a lot to help port my code.
* Add this to your assembly file (C# example) if you are porting existing
unmanaged C++ code to managed code.
It gives too much security rights but at least the code runs like an
older .exe program, and can be started from a
network driver, open network folder, read/write the registery and access
any folder on your local machine....
In a next stage you can start revoking these righst step by step.
using System;
using System.Security;
using System.Security.Permissions;
[assembly:SecurityPermission(SecurityAction.RequestMinimum,
UnmanagedCode=true)]
[assembly:FileIOPermission(SecurityAction.RequestMinimum,
Unrestricted=true)]
[assembly:RegistryPermission(SecurityAction.RequestMinimum, All="*")]
[assembly:ZoneIdentityPermission(SecurityAction.RequestMinimum,Zone=Security
Zone.NoZone)]
[assembly:ComVisible(true)]
[assembly:CLSCompliant(true)]
Well, I hope that this overview avoids other people becoming depressed when
all seems to fail when they start using .NET for the first time. ;-)