Computer Magic
Software Design Just For You
 
 



CASPOL is your friend – do you trust me?

Here is a nice tid bit of information. A feature added to the .NET framework called CAS (Code Access Security) was designed to allow you to run .NET code in a sandboxed environment (much like running Java applications in the Virtual Machine). Java applets (Java programs embedded into a web page) by default can not do things like read files on your hard drive. The .NET framework has similar security features.

By default, applications run from your own computer (off your own hard drive) have Full Trust. This means that it can pretty much do anything to your computer that you as a user have access to do. The CAS system uses the same zones that internet explorer uses (IE -> Tools -> Internet Options -> Security Tab). When you try to run a .NET application from a network share or mapped drive, that application falls under the Local Intranet Zone. This zone is more restrictive and keeps applications from behaving badly and deleting all your files (unless you copy it to your local drive).

There are a few solutions to this problem. One is to trust the application. This requires that you sign the application with a strong name. I am not going to go into much detail on this except to say that you would have to do this for each application (and possibly it’s DLL files).

This particular article is not about deployment (there are many good articles on that topic). This article is more specifically for development. The presence of the CAS system makes it difficult to keep your project files on a file server. You get a message similar to this:



The project location is not trusted.

Running the application may result in security exceptions when it attempts to perform actions which require full trust.

The problem isn’t generally that the code won’t open, it is that when you hit that play button to run your program, it may not be able to run then. When you are writing the software, you want the program to run as if it is on your box.

Signing each component could become quite a burden if the resulting application does not require signing when you release it. If you are like me, you have many projects on your file server and signing each one would just take more time out of your busy day. Since you have control over your file server, you can generally trust the information on it. Here I will show you a technique that will allow you to give Full Trust to a mapped network drive. This could be a security hole, so make sure you really do trust the server that is storing your project.

The nice thing about trusting a mapped drive is that you can trust all projects on that drive. Just run the command once and forget about it.

First, change to the directory where the caspol.exe file is located. You can change the version directory (the last one) to suit your installation, but any of the three should work (.NET 1.0, 1.1, or 2.0). We are using the directory for version 1.1. Open a command prompt (Start -> Run -> cmd -> Enter) and type the following.



CD C:\Windows\Microsoft.NET\Framework\v1.1.4322

Before we show you the actual command, lets demonstrate something. You can see a list of items already in place. The following is the command to show the list (in bold) followed by its output.



caspol -ld
Microsoft (R) .NET Framework CasPol 2.0.50727.42 Copyright (c) Microsoft Corporation. All rights reserved.

Security is ON
Execution checking is ON
Policy change prompt is ON

Level = Machine

Code Groups:

1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
1.1.1. StrongName - 00240000048000009400000006020000002400005253413100040 0000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE
79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E82
1C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8
A12436518206DC093344D5AD293: FullTrust
1.1.2. StrongName - 00000000000000000400000000000000: FullTrust
1.2. Zone - Intranet: LocalIntranet
1.2.1. All code: Same site Web
1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery'
1.3. Zone - Internet: Internet
1.3.1. All code: Same site Web
1.4. Zone - Untrusted: Nothing
1.5. Zone - Trusted: Internet
1.5.1. All code: Same site Web
Success

Notice the numbers (1.2, 1.2.1). This will be needed when we show you the command. Notice that it is a hierachal layout. We will put our item under the Local Intranet section as a mapped drive exists on the local intranet.

The next thing you will need is a mapped drive. I mapped a Z drive to my network share. If you don’t use the drive letter Z, replace that with your own. Ready for the command? Here it is.



caspol -q -machine -addgroup 1.2 -url file://z:/* FullTrust -name "Z Drive" -d "Trusted network drive"

Lets break it down now. The -q option just means quite. The -machine option causes the change to happen at the machine level, meaning it will modify your machines configuration. The -addgroup option says put the new item under the 1.2 group (see the previous list, it puts it in the Local Intranet section).

The -url option is the one that says what path to trust. You could probly use a UNC (Universal Naming Convention) path instead of a mapped drive. You could also use an HTTP address here (it is expecting a URL after all). The key thing to remember is that it expects a URL, so any file paths (UNC or mapped drive) will require the file:// item at the beginning.

By having the * symbol after the drive letter, we are saying trust ALL folders in this path. If we left it off, we would only be trusting that directory and not all subdirectories.

Next, we fill in the trust we want to grant (Full Trust). We could deny running code here if we put in Nothing, but instead we want code to run from this mapped drive as if it were on this computer. Here is a list of possible options we could put in there.



Nothing - No access at all
Full Trust - Runs as if it resides on the current box
Local Intranet - Gets the same rights as any other Local Intranet application (limited)
Internet - Gets very few rights, treats it as if it has cooties
Skip Verification -
Execution - Can execute, but not a lot else
Everything - Um, don't use this one, its like full trust except it gives away the farm.

The last two options allow you to specify a name and a description. You need this to be able to identify your group later if you need to remove or modify it.

Once you have granted trust rights to your application path, you can see it in the list. Run the same command again and look at your new item.



caspol -ld
Microsoft (R) .NET Framework CasPol 2.0.50727.42 Copyright (c) Microsoft Corporation. All rights reserved.

Security is ON
Execution checking is ON
Policy change prompt is ON

Level = Machine

Code Groups:

1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
1.1.1. StrongName - 00240000048000009400000006020000002400005253413100040 0000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE
79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E82
1C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8
A12436518206DC093344D5AD293: FullTrust
1.1.2. StrongName - 00000000000000000400000000000000: FullTrust
1.2. Zone - Intranet: LocalIntranet
1.2.1. All code: Same site Web
1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery'
1.2.3. Url - file://z:/*: FullTrust
1.3. Zone - Internet: Internet
1.3.1. All code: Same site Web
1.4. Zone - Untrusted: Nothing
1.5. Zone - Trusted: Internet
1.5.1. All code: Same site Web
Success

Notice your new item. From here on, you should be able to open up your Visual Studio projects and run .NET applications from a shared drive without the trust warnings or errors (you might need to close Visual Studio completely before it will work).

Before we go, I want to leave you with the command to remove a group once you have added it.



caspol -rg 1.2.3

Notice that the label is the numeric value in front of your item when you use the -lg option to list the groups. Be careful not to remove one of the system groups or you will give yourselfe a very big headache. Use the FULL label for your item (not 1.2, but 1.2.3!).

Hope this helps!

Ray Pulsipher

Owner

Computer Magic And Software Design

Comments are closed.


Home | My Blog | Products | Edumed | About Us | Portfolio | Services | Location | Contact Us | Embedded Python | College Courses | Quick Scan | Web Spy | EZ Auction | Web Hosting
This page has been viewed 860182 times.

Copyright © 2005 Computer Magic And Software Design
(360) 417-6844
computermagic@hotmail.com
computer magic