Changing Trust for a Zone Using the Adjust Security Wizard


If an increase of trust to a specific assembly or publisher is not sufficient for the policy change scenario you have in mind, the Adjust Security Wizard offers a quick and easy way to make very wide-reaching security policy changes. With this Wizard, you can change the level of trust that all assemblies from a whole zone, such as the Internet, receive.

CAUTION

Because this Wizard offers such an easy way to make sweeping policy changes, it also makes it easy to open a security vulnerability. Be careful and very certain of what you are doing before setting the Internet, Intranet, Restricted Site, or Trusted Site zones to the FullTrust setting!


The following are typical scenarios in which this Wizard is used.

  • Scenario: You or your corporation decides not to allow assemblies from the intranet zone to run.

    Wizard action:

    1. Start the Adjust Security Wizard by either right-clicking the Runtime Security Policy node or selecting the Adjust Zone Security task.

    2. Select Make Changes to This Computer (default).

    3. Select the intranet zone and reduce the slider to the Nothing position.

    4. Finish and commit the changes.

  • Scenario: There is tight control over all code that gets installed on your intranet. You are confident that it needs more access to protected resources than what the default policy grants and, furthermore, that all installed intranet code can be trusted.

    Wizard action:

    1. Start the Wizard and select Make Changes to This Computer.

    2. Select the Intranet zone and increase the slider setting to the Full Trust position.

    3. Finish and accept the policy changes.

  • Scenario: You decide to lower the level of trust given to all code running from the intranet just for your user context; you do not want to interfere with the settings other users have for their user security policy.

    Wizard action:

    1. Start the Wizard and select Make Changes for the Current User Only.

    2. Select the intranet zone and decrease the slider setting to the Nothing position.

    3. Finish and accept the policy change.

  • Scenario: You decide to change default policy and enable code running from the Internet. You want this code to run within tight security constraints.

    Wizard action:

    1. Start the Wizard and select Make Changes to This Computer.

    2. Select the Internet zone and increase the slider setting to the Internet position.

    3. Finish and accept the policy changes.

The individual Wizard options are now explained in more detail.

Choosing to Make Changes to the Machine or User Policy

The first Wizard page that you will see is identical to, and serves the same purpose as, the start page on the Trust Assembly Wizard (as shown in Figure 18.5). Here, you can choose whether the Wizard should be applied to machine-wide security policy or just the user-level security policy. For most policy changes, you will want to abide by the default (by choosing Make Changes to This Computer). That option will imply a change of zone security settings for all users on that machine. However, if you choose to make user policy level changes, the zone security changes will only be applied against user security policy.

NOTE

If the security policy has been changed to contain a level final attribute at a policy level above the one you are applying the Wizard to, the policy level to which you apply the Wizard may never be evaluated. For example, when choosing the option to make changes to your computer, the machine-wide security policy is modified. However, if the enterprise policy level contains a level final attribute, the Wizard's changes may never be effective. Thus, if applying the Wizard does not show any results, you may want to analyze the policy levels above the one you applied the Wizard to for the level final code group property. (See "Manipulating the Security Policy Tree Directly: Basic Techniques" later in this chapter for more detail.)


Choosing a Level of Trust for a Zone

After selecting the scope of policy change, you will be presented with the page shown in Figure 18.9. To adjust the level of trust for a given zone, simply click the zone name and then adjust the slider.

Figure 18.9. Changing the trust given to all assemblies from a specific zone.

[Image: graphics/18fig09.jpg]

Comparable to the slider settings for the Trust Assembly Wizard, each slider setting corresponds to the amount of trust the default policy gives to assemblies from the MyComputer zone, the LocalIntranet zone, and the Restricted Sites zone. The Internet slider setting is the odd one out here. It corresponds to the suggested permission level for assemblies from the Internet. However, you need to explicitly enable assemblies from the Internet; default security policy does not grant any permissions to assemblies from the Internet.

  • FullTrust slider setting: All code running with this level of trust will not be subject to the security checks of the .NET Framework security system. The only security settings that act on code with this level of trust are the operating system's security settings for the user under whose context the code is running. The corresponding permission set expressing this level of trust is the FullTrust permission set.

CAUTION

The FullTrust setting is the only slider setting that does not enforce a strict security context on code running from the respective zone. It opens access to all resources not protected by operating system security settings. Please be absolutely certain that you want to give that level of trust to all assemblies from the respective zone. If you want to only give full trust to a subset of assemblies from a zone, either use the Trust Assembly Wizard or manipulate the policy tree directly (as will be explained later in this chapter).


  • 2nd slider position (just under FullTrust): This slider position corresponds to the level of trust that the default policy grants to all assemblies from the intranet zone. This setting will not allow assemblies to access the file system or registry directly, among other things, but will still enable full user interface interaction, as well as the capability to connect back to the site of origin of the assembly. Assemblies executing at this level of trust are still strongly checked and prevented from doing substantial harm.

  • 3rd slider position (just above Nothing): This slider setting represents the level of trust given by the default policy to all assemblies from the Internet zone. In addition to the restrictions already active in the previous slider setting, assemblies will also not have full user interface access, nor will they have read access to select environment variables. However, they can still connect back to their site of origin. This level of trust represents a safe security context for any assembly to run in. Access to protected resources is minimized.

  • 4th slider position (Nothing setting): This slider setting represents the level of trust (or rather the lack of it) given to the Restricted Sites zone in default policy. Assemblies will not receive any permission to access protected resources (such as the file system or registry), nor will they receive the permission to even execute. This slider position should be used if you want to prevent assemblies from a certain zone from running on your machine.

TIP

Of course, the ultimate form of computer security is not to run any code. The slider Wizard allows you to do just that for all code from a specific zone. If you have no need to run assemblies from a specific zone (such as the intranet), you should strongly consider just setting the slider for that zone to Nothing.


The Wizard will match the currently set level of trust for a given zone to a slider setting. If you want to return to the default policy setting for that zone, simply click the Default button.

NOTE

If security policy has changed significantly from the default policy, the level of permissions that a specific zone receives may not exactly match one of the four slider settings anymore. In such cases, the Wizard will not be able to display the slider and simply gives you the option to return to the default policy for the zone. If you do decide to return to the default policy setting for that zone, the slider will reappear with the setting corresponding to default policy. Be aware, however, that this will delete any policy customizations that may have been done for that zone.


After you have adjusted the trust for a zone or zones, all that remains to do is to accept these changes and finish the Wizard. Security policy is changed, persisted, and effective immediately for all assemblies loaded after the change has been made.

TIP

You can change settings for multiple zones in one Wizard session. Consequently, if you need to adjust security for two or more zones, you can get this done in one pass through this Wizard.




.NET Framework Security
ISBN: 067232184X
Year: 2000
Pages: 235