.NET Framework Security
Authors: LaMacchia B. A., Lange S., Lyons M.
Published year: 2000
The Trust Assembly Wizard is a feature of the tool that allows the quick, easy, and safe change of policy to increase the level of trust for a specific assembly or even all assemblies of a specific software publisher or strong name signer.
This wizard is not designed to lower the level of trust for an assembly or set of assemblies. If you need to decrease the level of permissions that an assembly or set of assemblies receives, you will need to make that policy update directly in the policy tree.
If you want to decrease the level of permissions given to all assemblies from a particular zone, you can use the Adjust Security Wizard to do so (see the "Changing Trust for a Zone Using the Adjust Security Wizard" section later in this chapter).
The following are a few sample scenarios demonstrating the use of this wizard. These scenarios may also be used as recipes for similar policy change situations you need to solve. Each of the wizard options mentioned is explained in more detail later:
Scenario An assembly is installed on a shared intranet site or an intranet share. The assembly requires access to the local file system and registry, permissions that default security policy does not grant to managed code from the intranet zone. This shows up as a SecurityException when the assembly is run.
Wizard action A user or administrator can use the Trust Assembly Wizard to give the assembly in question full trust, that is, access to all resources on his or her machine. To do so, the following wizard steps are used:
Start the wizard by right-clicking the Runtime Security Policy node and selecting the Trust Assembly Wizard option.
Accept Make changes to this Computer.
Browse to the assembly in question and keep the This One Assembly default.
Select the Full Trust option.
Accept changes and finish the Wizard.
If many or all machines on an intranet need to get policy changes to trust a specific assembly or set of assemblies, it may be more efficient to develop enterprise policy and deploy it to all machines that need that policy update. See the "Deploying Security Policy" section later in this chapter.
Scenario There is a software publisher, say a contractor company supplying in-house software for your enterprise, whose assemblies you want to run without any security restrictions, independent of the location from which that publisher's assemblies are being run.
Wizard action The Wizard allows you to give full trust to access all protected resources based on a strong name key or an X.509v3 publisher certificate, either of which uniquely identifies a specific software publisher.
Start the Wizard by right-clicking the Runtime Security Policy node and selecting the Trust Assembly Wizard option, then accept the Make Changes to This Computer option.
Browse to an assembly signed by the software publisher you want to trust.
On the Trust This or All Assemblies from This Publisher page, check the All Assemblies with This Public Key option, and uncheck the Version option (if the strong name is unavailable for that assembly but a publisher certificate is present, choose the All Assemblies from the Same Publisher option).
Select the Full Trust option.
Accept the changes and select Finish.
Scenario Assemblies on the Internet by the same software publisher should get run with the level of trust that default policy grants assemblies from the intranet.
Wizard action The Wizard steps are identical to the previous scenario with the exception of choosing the slider position just below the Full Trust option on the Choose Minimum Level of Trust for the Trust Assembly Wizard page.
The trust slider may not appear if security policy has changed significantly from default policy.
Generally, the Trust Assembly Wizard is an excellent tool to increase the level of trust an assembly or set of assemblies receives without causing significant side effects to other assemblies. It allows you to make very pointed trust increases without opening up the security policy unduly to other assemblies.
If you use the Trust Assembly Wizard to increase trust for an application on the intranet or Internet, you will need to give trust to all dependent assemblies of that assembly as well. So if giving trust to a specific assembly does not seem to work, it is often the case that there are other assemblies at that location that need to be loaded and run as part of the application. You will need to run the Wizard over those assemblies as well.
Following is an explanation of all the options this Wizard has to offer on its various pages. This is the place where you should first turn if the Wizard does not seem to be operating the way you intended.
After starting the Wizard, either by right-clicking the Runtime Security Policy node or by choosing the Increase Assembly Trust task on the task pad, the Wizard start page shown in Figure 18.5 appears.
This page allows you to choose whether the policy change you are about to make should affect user policy only or whether it should apply to all code running on the computer, by modifying machine policy. Let us now delve deeper into what these two options mean.
Make Changes to This Computer is the default option if it is available. If it is chosen, the policy change affects all users on the machine. For most scenarios, this is exactly what you should choose: increasing trust for a specific application is more commonly a setting that is independent of the user context executing the managed code.
Security policy is stored in one configuration file per administrable policy level. Both the machine and enterprise security policy files are stored under the Windows directory tree, which by default is not writable unless the current user has machine administrator or power user rights. If the operating system does not grant write access to the machine-level policy file because the administrative tool is run under a user context without those rights, the option to change machine policy will not be offered by the tool.
The option to change policy for the current user only is the only one available if the tool is not run under a user context that has write access to the machine security policy file (see the preceding note). If this option is chosen, the Wizard modifies user security policy to increase the trust for an assembly in accordance with the trust level chosen in the Wizard.
However, because user policy is already set to an unrestricted state by default, running this Wizard over user policy will not change the trust level any assembly receives unless user policy has been modified from its default state to something more restrictive. Always remember that this Wizard is designed to increase the level of trust a certain assembly receives, so running it over a policy level that already grants unrestricted permissions to assemblies will yield no tangible results.
After you have chosen whether the change applies to user or machine-wide security policy, the Wizard prompts you to select an assembly on which it will base the policy change (see Figure 18.6).
You can either type a valid URL to an assembly or use the Browse button to find one. The tool verifies that the selected file is a valid assembly before making any policy change, so accidentally pointing at a native executable will not cause an invalid security policy modification. An assembly on the local machine, the intranet, or even the Internet can be selected this way.
The Wizard does not use any location information about the assembly in its policy changes; it uses only cryptographically strong evidence: a strong name (if present), a publisher certificate (if present), or the assembly's hash. Consequently, it does not matter where you locate the assembly for which (or for whose publisher) you want to increase trust. For example, even though you know that most assemblies of a certain software publisher will run off the Internet and need an elevated level of trust because of that fact (see the default policy restrictions on the Internet zone), you can point the Wizard at an assembly of that publisher located on your local hard disk.
In V1.0 of the .NET Framework, there is no easy programmatic way of determining all the assemblies belonging to a managed application consisting of and being dependent on numerous assemblies. The Trust Assembly Wizard always only works on one assembly at a time (or one publisher at a time), and you may need to run it multiple times to increase trust to all assemblies of an application that needs to run with elevated trust.
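The closest programmatic approximation to "all the assemblies belonging to an application" is the graph of static references, which the dependency problem in the previous paragraph and the note about dependent assemblies earlier in this section both turn on. The following is an added example, not code from the book or from the .NET Framework Configuration tool. It walks the static references found beside a local copy of the application, then asks the pre-4.0 CAS policy API what each assembly would be granted if it were loaded from the intranet URL it is actually deployed to, and reports those that fall below a chosen named permission set. The URL, the Intranet zone, and the file layout (dependencies as .dll files next to the .exe) are assumptions of the example; assemblies loaded by name at run time, such as plug-ins, are invisible to it.

```csharp
using System;
using System.Collections;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Policy;

// Added example (not from the book or the Configuration tool): after a Wizard
// change has been saved, report which statically referenced assemblies of an
// application would still resolve to less than the chosen permission set when
// run from the intranet location they are deployed to.
class CheckTrustAfterWizard
{
    // The evidence the runtime would build for `asm` if it were loaded from
    // `url`: the location evidence of that URL plus the identity evidence
    // (strong name, publisher certificate, hash) the Wizard keys its code group on.
    static Evidence EvidenceAsIfFrom(Assembly asm, string url, SecurityZone zone)
    {
        Evidence ev = new Evidence();
        IEnumerator e = asm.Evidence.GetHostEnumerator();
        while (e.MoveNext())
            if (e.Current is StrongName || e.Current is Publisher || e.Current is Hash)
                ev.AddHost(e.Current);
        Uri u = new Uri(url);
        ev.AddHost(new Zone(zone));
        ev.AddHost(new Url(url));
        if (u.Scheme != "file") ev.AddHost(new Site(u.Host)); // no Site evidence for file: URLs
        return ev;
    }

    // The Wizard sets a floor: resolved policy must contain the chosen set.
    // Anything more that the zone group or other groups add is allowed.
    static bool MeetsMinimum(Evidence ev, PermissionSet minimum)
    {
        PermissionSet granted = SecurityManager.ResolvePolicy(ev);
        return minimum.IsSubsetOf(granted);
    }

    // Static references that resolve to files beside the application (assumed
    // layout: <name>.dll next to the .exe). Framework/GAC assemblies are skipped;
    // assemblies loaded by name at run time cannot be discovered this way.
    static ArrayList LocalDependencies(Assembly root)
    {
        ArrayList found = new ArrayList();
        Hashtable seen = new Hashtable();
        ArrayList todo = new ArrayList();
        todo.Add(root);
        string dir = Path.GetDirectoryName(root.Location);
        while (todo.Count > 0)
        {
            Assembly a = (Assembly)todo[0];
            todo.RemoveAt(0);
            foreach (AssemblyName n in a.GetReferencedAssemblies())
            {
                string path = Path.Combine(dir, n.Name + ".dll");
                if (seen.ContainsKey(path) || !File.Exists(path)) continue;
                seen[path] = true;
                Assembly dep = Assembly.LoadFrom(path);
                found.Add(dep);
                todo.Add(dep);
            }
        }
        return found;
    }

    // usage: CheckTrust <local copy of app.exe> <URL of the share it runs from> <FullTrust|LocalIntranet|Internet>
    static void Main(string[] args)
    {
        Assembly app = Assembly.LoadFrom(args[0]);
        string baseUrl = args[1].TrimEnd('/');
        PermissionSet minimum = null;
        IEnumerator levels = SecurityManager.PolicyHierarchy(); // Enterprise, Machine, User
        while (minimum == null && levels.MoveNext())
            minimum = ((PolicyLevel)levels.Current).GetNamedPermissionSet(args[2]);
        if (minimum == null) throw new ArgumentException("no permission set named " + args[2]);

        ArrayList all = LocalDependencies(app);
        all.Insert(0, app);
        foreach (Assembly a in all)
        {
            string url = baseUrl + "/" + Path.GetFileName(a.Location);
            bool ok = MeetsMinimum(EvidenceAsIfFrom(a, url, SecurityZone.Intranet), minimum);
            // Anything reported BELOW needs its own run of the Wizard before the
            // application will load without a SecurityException.
            Console.WriteLine((ok ? "ok    " : "BELOW ") + a.GetName().Name);
        }
    }
}
```

Run it in a fresh process after the Wizard's change has been saved, so that the policy files on disk are what gets loaded. Constructing the evidence by hand is what makes the check meaningful: loading the local copy and resolving its own evidence would report My Computer zone permissions, which say nothing about what the same bits receive from an intranet share.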
After you have selected an assembly, you are then prompted to decide whether you want to increase trust just for that assembly or the publisher of that assembly (see Figure 18.7).
The Trust Assembly Wizard uses one of three types of assembly evidence to make policy changes:
An assembly's strong name (default)
An assembly's X.509 publisher certificate
An assembly's hash value
When an assembly has neither a strong name nor a publisher certificate, the page asking whether to trust just the selected assembly or its publisher does not appear, because a hash value identifies exactly one assembly. Therefore, if you have selected an assembly and the Wizard page in Figure 18.7 is skipped, you know that the tool could only use the hash to update policy and that the assembly had neither a strong name nor a publisher certificate.
If an assembly is signed with a strong name, the tool will use that strong name to update policy by default. If no strong name is present but the assembly has been signed with a publisher certificate, the tool will use that information to change policy. Only when assemblies are signed neither with a strong name nor a publisher certificate will the tool use an assembly's hash code to update security policy.
Hash values result from mathematical one-way functions that map input of arbitrary length to a fixed-length, far shorter value, such that even similar inputs produce vastly different outputs and finding two inputs with the same output is computationally infeasible. Typical hash functions are MD5 and SHA1, which are included in the System.Security.Cryptography namespace; both have since been shown to be vulnerable to collision attacks and should not be chosen for new designs. For more detail, you may want to read the relevant sections in Chapter 30, "Using Cryptography with the .NET Framework: The Basics," and Chapter 31, "Using Cryptography with the .NET Framework: Advanced Topics."
If the selected assembly is signed with a strong name and/or a publisher certificate, you have the option to trust not just the selected assembly but all assemblies of the signer. If you want to increase trust for a particular strong name, you have a further level of partitioning: you either trust all assemblies signed with the respective strong name (you must uncheck the Version check box to do so) or only assemblies signed with the same strong name that carry identical version numbers. Depending on the versioning process of an application, the latter option may help you elevate trust just for a specific application version or specific application.
Generally, you should attempt to keep the breadth of your policy changes as small as is commensurate with the administrative goals you have in mind. Thus, you should first consider whether just trusting the selected assembly is sufficient and whether just a specific version needs to be trusted, and only then open an increase of trust to all assemblies of a given publisher. If you undertake the latter, be sure you are confident that truly all assemblies from that publisher are likely to deserve the heightened trust you are about to give them.
After you have chosen whether to increase trust for just one assembly or the publisher of the assembly, you can finally select a level of trust you want the assembly or set of assemblies to be minimally receiving.
In most cases, you will be presented with the Wizard page shown in Figure 18.8.
Each slider setting corresponds to one particular named permission set that ships with the .NET Framework. The highest slider setting corresponds to the FullTrust permission set. In that setting, the assembly has no resource access restrictions placed on it by the .NET Framework security system at all. The slider setting just below corresponds to the LocalIntranet permission set, which default policy gives to all code executing from the intranet. Assemblies receiving that level of permission execute in a constrained security context and are, among other things, prevented from accessing the file system and registry on your machine. The slider setting above the bottommost notch corresponds to the Internet permission set, the level generally adequate for assemblies running from the Internet. Code running with this permission level has even fewer rights to access protected resources than code receiving intranet-level permissions; for example, in addition to the restrictions that exist for intranet code, it can only do some basic user interface interaction and has no read or write access to any environment variables. Finally, the lowest slider setting (the Nothing permission set) grants no permissions at all.
The evidence about the assembly used by the Wizard (either the assembly's strong name, publisher certificate, or hash) is tested against current security policy. If the Wizard cannot map the result to one of the previously mentioned permission sets, it tests whether it can still change policy to give full trust based on the chosen evidence. If that is possible, you will at least be presented with the option to grant full trust to the chosen assembly or set of assemblies. If policy has drifted so far from its default state that the Wizard also cannot easily add a code group granting full trust for the chosen evidence, the Wizard will refuse to make any policy change. If that occurs, you can either manipulate the policy tree directly, as will be explained later in this chapter, or consider resetting the security policy to the default settings.
This Wizard is designed to let you state the minimum level of permissions that an assembly or publisher receives. Other parts of security policy may grant this assembly even more permissions. Consequently, choosing a specific permission level with the Wizard will not prevent an assembly from receiving more permissions than you selected; rather, the Wizard guarantees that it will not receive less than what you have chosen for it.
When selecting the Full Trust notch setting for an assembly or all assemblies of a given publisher, no security checks of the .NET Framework security system will be enforced on it. Please be sure that you want to grant that assembly or publisher that level of confidence. Always keep the minimum level of trust as low as is possible.
Finally, you must commit the policy change the Wizard is about to make. After you press the Finish button, the policy change has been persisted into policy and will be active for assemblies loaded after the policy change was made.
To see the exact nature of the change to the policy tree done by the Wizard, under the Runtime Security Policy node, open the machine policy level (or user policy level, if you chose to make a change for the user at the beginning of the Wizard), open the code group tree, and look for the most highly numbered code group starting with a Wizard prefix in its name.
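The pages walked through above (policy level, assembly and evidence selection, publisher versus single assembly, minimum trust level, commit) correspond to a small sequence of calls against the System.Security.Policy API that the Configuration tool itself drives. The following is an added example, not the tool's or the book's own code, that performs the same change from the command line: it picks evidence in the Wizard's order of preference (strong name, then publisher certificate, then hash), builds the matching membership condition, adds a union code group under the root of the chosen policy level and saves policy. The Wizard_<n> naming, the use of name plus version for the single-assembly strong name case, and the command-line switches are assumptions of the example; the permission set names are the named sets that ship with the Framework.

```csharp
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Cryptography;
using System.Security.Policy;

// Programmatic equivalent of the Trust Assembly Wizard (added example; not the
// tool's own code). Uses the pre-4.0 CAS policy API and needs the same rights
// the tool needs: write access to the chosen level's policy file.
class TrustAssemblyWizardEquivalent
{
    // Evidence selection in the Wizard's order of preference: strong name,
    // then publisher certificate, then the assembly's own SHA1 hash.
    // trustPublisher = "All Assemblies with This Public Key" / "from the Same Publisher";
    // includeVersion = the Version check box (only meaningful for strong names).
    static IMembershipCondition ChooseCondition(Assembly asm, bool trustPublisher, bool includeVersion)
    {
        StrongName sn = null; Publisher pub = null; Hash hash = null;
        IEnumerator e = asm.Evidence.GetHostEnumerator();
        while (e.MoveNext())
        {
            if (e.Current is StrongName) sn = (StrongName)e.Current;
            else if (e.Current is Publisher) pub = (Publisher)e.Current;
            else if (e.Current is Hash) hash = (Hash)e.Current;
        }
        if (sn != null)
        {
            // null name = any assembly signed with this key; null version = any version.
            // Name and version together match only this assembly at this version
            // (assumed here to be what "This One Assembly" produces).
            string name = trustPublisher ? null : sn.Name;
            Version ver = (trustPublisher && !includeVersion) ? null : sn.Version;
            return new StrongNameMembershipCondition(sn.PublicKey, name, ver);
        }
        if (pub != null)
            return new PublisherMembershipCondition(pub.Certificate);
        // Hash evidence is per assembly; there is no publisher-wide form of it.
        if (hash == null) hash = new Hash(asm);
        return new HashMembershipCondition(SHA1.Create(), hash.SHA1);
    }

    static PolicyLevel FindLevel(string label) // "Machine" or "User"
    {
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel pl = (PolicyLevel)levels.Current;
            if (pl.Label == label) return pl;
        }
        throw new ArgumentException("no policy level named " + label);
    }

    // Naming assumed to follow the tool's convention: Wizard_<n>, n above any existing.
    static string NextWizardName(CodeGroup root)
    {
        int max = 0;
        foreach (CodeGroup g in root.Children)
        {
            if (g.Name == null || !g.Name.StartsWith("Wizard_")) continue;
            try { max = Math.Max(max, Int32.Parse(g.Name.Substring(7))); }
            catch (FormatException) { }
        }
        return "Wizard_" + (max + 1);
    }

    // usage: TrustAssembly <assembly> <Machine|User> <FullTrust|LocalIntranet|Internet|Nothing> [publisher] [noversion]
    static void Main(string[] args)
    {
        // Like the Wizard, reject anything that is not a managed assembly
        // (LoadFrom throws BadImageFormatException for a native executable).
        Assembly asm = Assembly.LoadFrom(args[0]);
        PolicyLevel level = FindLevel(args[1]);
        NamedPermissionSet ps = level.GetNamedPermissionSet(args[2]);
        if (ps == null) throw new ArgumentException("no permission set named " + args[2]);
        bool publisher = Array.IndexOf(args, "publisher") >= 0;
        bool noVersion = Array.IndexOf(args, "noversion") >= 0;

        IMembershipCondition cond = ChooseCondition(asm, publisher, !noVersion);
        UnionCodeGroup group = new UnionCodeGroup(cond, new PolicyStatement(ps));
        group.Name = NextWizardName(level.RootCodeGroup);
        group.Description = "Trust increase for " + asm.GetName().Name;

        // A union child of the root only adds to what other groups grant: the
        // chosen set becomes a floor for matching assemblies, never a ceiling.
        CodeGroup root = level.RootCodeGroup;
        root.AddChild(group);
        level.RootCodeGroup = root;
        SecurityManager.SavePolicy(); // the Finish button: persisted, effective for later loads
        Console.WriteLine(group.Name + ": " + cond.ToString() + " -> " + ps.Name);
    }
}
```

The default invocation (no switches) is the narrowest change, matching the advice above to widen to a publisher only after a single assembly or version has proved insufficient. Because the new group is a union child of the root, it can only raise what policy grants; lowering trust still requires editing the policy tree directly, exactly as for the Wizard.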