.NET Forum / ASP.NET / Security / November 2006

Locking down CAS policy

Jason - 16 Nov 2006 17:10 GMT
I'm trying to lock down our company's CAS policy by using only Strong Name
membership conditions.

I've copied over our intranet to a development server and removed all code
groups except for one. It is all code using the nothing permission set. I
have three child code groups, the two default (ECMA_Strong_Name and
Microsoft_Strong_Name) and a group for our strong name key. All of the child
groups are set for FullTrust.

I've used the Evaluate Assembly utility to check the assemblies in the
application's bin directory and all report "unrestricted". However, when I
try to run the application I get "Server Application Unavailable". I check
the application event logs on the server and it reports "Request for the
permission of type 'System.Web.AspNetHostingPermission, System,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed."
suggesting that there is still an assembly that hasn't been granted FullTrust.

Is there maybe another assembly that is getting generated at runtime that
doesn't fit into one of the three code groups I have set up? Is there a way
to find out which assembly is failing?
Luke Zhang [MSFT] - 17 Nov 2006 02:09 GMT
Hello,

You may first try to turn off Code Access Security using the Caspol.exe
utility:

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322> caspol -s off

Can this temporarily fix the issue? This can help make sure it is a CAS issue.
And then, you may perform the following test:

1. Create a new code group based on the URL of your application, and grant
it full permission. Restart IIS, and test if this will help. This helps us
make sure the permission set is configured for ASP.NET.

2. Create a very simple ASP.NET application that doesn't reference any other
assembly. Strong-name it and test again. This helps us determine if there is
another assembly affecting the issue.

For more information about ASP.NET CAS, you may refer to:

ASP.NET Code Access Security  
http://msdn2.microsoft.com/en-us/library/87x8e4d1.aspx

Sincerely,

Luke Zhang

Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
Jason Stearns - 17 Nov 2006 15:36 GMT
Ok, turning off CAS didn't fix the issue. Still got the "Service Unavailable"
message. And using a URL membership condition also didn't fix the issue, but
setting it to All Code and FullTrust did fix it. So one piece makes it look
like it's not a CAS issue and the other does. Correct? Also using
Zone->MyComputer with FullTrust also works.

I created a simple "Hello World" asp.net app and put it as the root site on
that server. We're running v2.0 so the application doesn't generate any
assemblies for the code behind, but I did set a SN Key File in the "MSBuild
Options" on the application properties page. This is the most basic app I can
set up. One aspx file with no code-behind and no web.config. Sent this app to
the Dev server and same issues. "Server Unavailable" again with the same
error event in the Event Logs and setting the root Code Group to All Code ->
FullTrust again fixes it.

It really looks like an unknown assembly, whose SN evidence doesn't fit into
one of the code groups, is being accessed at runtime.

> Hello,
>
[quoted text clipped - 45 lines]
>
>  
Luke Zhang [MSFT] - 20 Nov 2006 02:25 GMT
Hello,

By default, MyComputer should be with FullTrust. As you discussed with
Dominick, there will be some temporary files when running an ASP.NET
application in \windows\microsoft .net\framework\version\temp asp.net.

Sincerely,

Luke Zhang

Microsoft Online Community Support
This posting is provided "AS IS" with no warranties, and confers no rights.
Luke Zhang [MSFT] - 22 Nov 2006 08:30 GMT
Hello,

How is it going now, any progress? If you need more assistance or
information on this issue, please feel free to let us know.

Sincerely,

Luke Zhang

Microsoft Online Community Support
This posting is provided "AS IS" with no warranties, and confers no rights.
Dominick Baier - 17 Nov 2006 08:44 GMT
Hi,

you shouldn't mock with the existing code groups - they grant the "ASP.Net"
permission set to code running in your app dir and the temp assembly directory.

Without them your app won't be able to run...

that's the error you are seeing.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> I'm trying to lock down our company's CAS policy by using only Strong
> Name membership conditions.
[quoted text clipped - 17 lines]
> that doesn't fit into one of the three code groups i have set up? Is
> there a way to find out which assembly is failing?
Jason Stearns - 17 Nov 2006 15:42 GMT
But how do they do this? Isn't it done through a Zone membership condition? I
can get the app to work if I implement that, but the idea is to not use Zone
or any other "blanket" condition. They want every assembly accounted for and
granted permission based on where it came from, not where it resides.

> Hi,
>
[quoted text clipped - 30 lines]
> > that doesn't fit into one of the three code groups i have set up? Is
> > there a way to find out which assembly is failing?
Dominick Baier - 17 Nov 2006 16:09 GMT
they use the $AppDirUrl$ and $CodeGen$ url membership condition - if you
want to base everything on strong name (which i haven't tried yet) - you
have to strong name all your pages, code behinds and App_Code files....this
can be accomplished by modifying the <compilation> element to specify a keyfile
(or during pre-compilation)...

I have a whole chapter devoted to partial trust and policy in my book -
maybe it helps to get the bigger picture...

http://www.microsoft.com/mspress/books/9989.asp

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> But how do they do this? Isn't it done through a Zone membership
> condition? I can get the app to work if I implement that, but the idea
[quoted text clipped - 37 lines]
>>> that doesn't fit into one of the three code groups i have set up? Is
>>> there a way to find out which assembly is failing?
Jason Stearns - 17 Nov 2006 19:50 GMT
I can't find references to these in the default policy. Since the code is
running from the server itself and not through a webservice or anything
doesn't the "My_Computer_Zone" code group become the applicable group? and
the FullTrust that it grants be the reason why the code runs? The fact that
there are two child groups in there for the Microsoft and ECMA strong names
really means nothing since they would have been granted FullTrust from the
parent. Correct?

So, with that assumption, if unknown malicious code were able to be put on
the server that the app runs from, it wouldn't be limited by the CAS policy
and would be granted unrestricted rights? I realize that all security is a
layered approach and that the server's own security policy should be in place
to prevent that from happening. So is that the answer? That, by design, all
code that is run from the server is supposed to be assumed to have FullTrust?

Thanks in advance.

Jason

> they use the $AppDirUrl$ and $CodeGen$ url membership condition - if you
> want to base everything on strong name (which i haven't tried yet) - you
[quoted text clipped - 52 lines]
> >>> that doesn't fit into one of the three code groups i have set up? Is
> >>> there a way to find out which assembly is failing?
Dominick Baier - 17 Nov 2006 20:10 GMT
have a look at the default web_mediumtrust.policy file in the framework configuration
folder.

CAS policy has 3 levels - you are right that My_Computer in machine policy
grants full trust - but there is another policy level called the appdomain
level that is applied programmatically. Policy levels are intersected.

That means the asp.net app gets the permissions specified in the policy file.
Your application doesn't even have enough permissions to read files (including
assemblies) outside of the application directory (besides GACed assemblies).

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> I can't find references to these in the default policy. Since the code
> is running from the server itself and not through a webservice or
[quoted text clipped - 72 lines]
>>>>> runtime that doesn't fit into one of the three code groups i have
>>>>> set up? Is there a way to find out which assembly is failing?
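The layout Dominick is pointing at, sketched here as an added example rather than text from the thread or a copy of Microsoft's shipped policy file (the real web_mediumtrust file declares many more security classes, permissions and code groups): a cut-down ASP.NET policy level whose root grants Nothing, with child groups keyed on the $AppDirUrl$ and $CodeGen$ URL membership conditions, plus the strong-name group the original poster wants for the company's own key. The PublicKeyBlob value is a placeholder, and the comments about ordering describe FirstMatchCodeGroup semantics, not anything the thread states.

```xml
<!-- Added example: a minimal ASP.NET policy level in the layout of the
     framework's web_*trust config files. Not Microsoft's file; it is
     trimmed to the pieces discussed in the thread. -->
<configuration>
  <mscorlib>
    <security>
      <policy>
        <PolicyLevel version="1">
          <!-- Every class used by short name below must be declared here. -->
          <SecurityClasses>
            <SecurityClass Name="AllMembershipCondition"
                Description="System.Security.Policy.AllMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="UrlMembershipCondition"
                Description="System.Security.Policy.UrlMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="StrongNameMembershipCondition"
                Description="System.Security.Policy.StrongNameMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="FirstMatchCodeGroup"
                Description="System.Security.Policy.FirstMatchCodeGroup, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="UnionCodeGroup"
                Description="System.Security.Policy.UnionCodeGroup, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="NamedPermissionSet"
                Description="System.Security.NamedPermissionSet"/>
            <SecurityClass Name="AspNetHostingPermission"
                Description="System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="FileIOPermission"
                Description="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="SecurityPermission"
                Description="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
          </SecurityClasses>

          <NamedPermissionSets>
            <PermissionSet class="NamedPermissionSet" version="1" Unrestricted="true" Name="FullTrust"/>
            <PermissionSet class="NamedPermissionSet" version="1" Name="Nothing"/>
            <!-- "ASP.Net" is what dynamically compiled pages run under.
                 AspNetHostingPermission is the demand that failed in the
                 event-log entry quoted in the thread; without it the host
                 refuses to run the application at all. -->
            <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
              <IPermission class="AspNetHostingPermission" version="1" Level="Medium"/>
              <IPermission class="FileIOPermission" version="1"
                  Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$"/>
              <IPermission class="SecurityPermission" version="1"
                  Flags="Assertion, Execution, ControlThread, ControlPrincipal"/>
            </PermissionSet>
          </NamedPermissionSets>

          <!-- Root grants Nothing; with FirstMatchCodeGroup the first child
               whose condition matches wins, so order matters. Policy levels
               are intersected, which is why deleting the URL groups here
               drops the app to Nothing regardless of machine policy. -->
          <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
            <IMembershipCondition class="AllMembershipCondition" version="1"/>

            <!-- Company-signed assemblies, listed first so they are matched
                 before the broader URL groups. PublicKeyBlob is a placeholder;
                 use the blob of the key already configured in machine policy. -->
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
              <IMembershipCondition class="StrongNameMembershipCondition" version="1"
                  PublicKeyBlob="PLACEHOLDER_PUBLIC_KEY_BLOB_HEX"/>
            </CodeGroup>

            <!-- $AppDirUrl$ = the application's own directory.
                 $CodeGen$   = the Temporary ASP.NET Files directory where pages,
                 code-behind and App_Code are compiled at runtime. Assemblies
                 born there carry URL evidence for that path, not the app's
                 strong name, which is why a strong-name-only policy misses them. -->
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="ASP.Net">
              <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/*"/>
            </CodeGroup>
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="ASP.Net">
              <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$CodeGen$/*"/>
            </CodeGroup>
          </CodeGroup>
        </PolicyLevel>
      </policy>
    </security>
  </mscorlib>
</configuration>
```

A file like this is registered in the machine-level web.config under `<system.web><securityPolicy><trustLevel name="..." policyFile="..."/></securityPolicy>` and selected per application with `<trust level="..."/>`; the `$AppDirUrl$`, `$CodeGen$` and `$AppDir$` tokens are substituted by ASP.NET when the application domain is created, so the same file serves every application on the box.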
Jason Stearns - 17 Nov 2006 20:53 GMT
Just making changes to the machine policy would have affected this?

> have a look at the default web_mediumtrust.policy file in the framework configuration
> folder.
[quoted text clipped - 87 lines]
> >>>>> runtime that doesn't fit into one of the three code groups i have
> >>>>> set up? Is there a way to find out which assembly is failing?
Dominick Baier - 17 Nov 2006 21:08 GMT
sure.

but the recommended way is the asp.net policy file.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> Just making changes to the machine policy would have affected this?
>
[quoted text clipped - 92 lines]
>>>>>>> have set up? Is there a way to find out which assembly is
>>>>>>> failing?
Jason Stearns - 17 Nov 2006 21:47 GMT
No, by changing only the machine policy, you think I messed up the asp.net
policy file? Everything on the system is default except for the Machine
Policy.

And the only thing I did to that was remove the code groups other than the
my_computer_zone and changed that code group to nothing instead of fulltrust.
I know I'm new to CAS policy but if it's that touchy wouldn't more people
have this problem?

> sure.
>
[quoted text clipped - 100 lines]
> >>>>>>> have set up? Is there a way to find out which assembly is
> >>>>>>> failing?
Dominick Baier - 17 Nov 2006 22:10 GMT
well - by re-reading your original post - yes you may be missing some files
-

have a look at the \windows\microsoft .net\framework\version\temp asp.net
assemblies

there are the assemblies located that get dynamically generated by asp.net

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> No, by changing only the machine policy, you think i messed up the
> asp.net policy file? Everything on the system is default except for
[quoted text clipped - 111 lines]
>>>>>>>>> have set up? Is there a way to find out which assembly is
>>>>>>>>> failing?
