Administrative Tactics: Scenarios, Solutions, Hints, and Tricks


This section pulls together the various tool features introduced so far and combines them to show how typical administrative scenarios can be solved. You can use it as inspiration and as a starting point for tackling your own administration tasks.

NOTE

The individual steps in solving specific scenarios are not covered in detail here. For a precise explanation, please refer to the respective sections in this chapter that cover the various tool features.

Also, you may want to check http://msdn.microsoft.com/net/security for papers on the security model and its administration. You can find further administrative recipes and important background information there.


The following are a few sample scenarios with concise solutions. Feel free to use them as template solutions for your own tasks. All solutions presume the default security policy as their starting point.

Granting Enterprise-Wide Full Trust to an Assembly

Scenario: An assembly installed at a location not receiving full trust by default (such as any intranet location in default policy) must receive full trust to run properly. You want to guarantee that this assembly gets full trust access and protected resources across the whole enterprise network, irrespective of local machine or user policy settings.

Solution:

  1. Open your current enterprise policy level (or create a new one if you want to model this policy change without directly affecting your machine's policy settings).

  2. Choose the New option on the root code group.

  3. In the New Code Group Wizard, choose a name for the new code group.

  4. In the New Code Group Wizard, choose the strong name or hash membership condition (depending on whether the assembly you want to give full trust is strong name signed).

  5. In the New Code Group Wizard, browse to and select the assembly you want to trust and select the FullTrust permission set for this code group.

  6. Right-click the newly created code group, bring up its Properties page, and check the Level Final flag (Policy Levels Below This Will Not Be Evaluated).

  7. Bring up the Deployment Package Wizard (right-click the Runtime Security Policy node) and create a deployment package for the enterprise policy level.

  8. Open the Group Policy editor and drop the newly created deployment package onto the Intranet node corresponding to your deployment target scope.

TIP

If you have a multi-assembly application, you may need to repeat steps 1 through 5 for all the assemblies on which the application depends.


Granting Full Trust to All Assemblies of a Software Publisher Across an Enterprise

Scenario: All assemblies from a specific software publisher, irrespective of the location from which they are run, should receive full trust to access all protected resources.

Solution:

  1. Open your current enterprise policy level (or create a new one if you want to model this policy change without directly affecting your machine's policy settings).

  2. Choose the New option on the root code group.

  3. In the New Code Group Wizard, choose a name for the new code group.

  4. In the New Code Group Wizard, choose the strong name membership condition (you can also use the Publisher membership condition if you want to trust a publisher by its authenticode signature instead).

  5. Browse to an assembly from this publisher and uncheck the name and version check boxes of the strong name. Select the FullTrust permission set and finish the Wizard.

  6. Right-click the newly created code group, bring up its Properties page, and check the Level Final flag (Policy Levels Below This Will Not Be Evaluated).

  7. Bring up the Deployment Package Wizard (right-click the Runtime Security Policy Node) and create a deployment package for the enterprise policy level.

  8. Open the Group Policy editor and drop the newly created deployment package onto the Intranet node corresponding to your deployment target scope.

Preventing an Assembly from Running Across an Enterprise

Scenario: A specific assembly should not be run anywhere on the enterprise network's client machines.

Solution:

  1. Open your current enterprise policy level (or create a new one if you want to model this policy change without directly affecting your machine's policy settings).

  2. Choose the New option on the root code group.

  3. In the New Code Group Wizard, choose a name for the new code group.

  4. In the New Code Group Wizard, choose the strong name or hash membership condition (depending on whether the assembly in question is strong name signed).

  5. Browse to the assembly and, if you chose the strong name membership condition, uncheck the Version check box if you want to prevent every version of the assembly from running. Choose the Nothing permission set for this code group and exit the Wizard.

  6. Right-click the newly created code group, bring up its Properties page, and check the Exclusive flag (This Policy Level Will Only).

  7. Bring up the Deployment Package Wizard (right-click the Runtime Security Policy Node) and create a deployment package for the enterprise policy level.

  8. Open the Group Policy editor and drop the newly created deployment package onto the Intranet node corresponding to your deployment target scope.

NOTE

Group Policy installs the policy update on client machines only at the next logon or reboot. If a client machine is never rebooted or logged off, the policy change will not take effect on that machine.

For more information on enterprise administration and deployment, see http://msdn.microsoft.com/net/security.


Preventing All Assemblies of a Specific Software Publisher from Running Across an Enterprise

Scenario: All assemblies from a specific software publisher should not be run anywhere on the enterprise network's client machines.

Solution:

  1. Open your current enterprise policy level (or create a new one if you want to model this policy change without directly affecting your machine's policy settings).

  2. Choose the New option on the root code group.

  3. In the New Code Group Wizard, choose a name for the new code group.

  4. In the New Code Group Wizard, choose the strong name or publisher membership condition.

  5. Browse to the assembly and, if you chose the strong name membership condition, uncheck the Version and Name check boxes. Choose the Nothing permission set for this code group and exit the Wizard.

  6. Right-click the newly created code group, bring up its Properties page, and check the Exclusive flag (This Policy Level Will Only).

  7. Bring up the Deployment Package Wizard (right-click the Runtime Security Policy Node) and create a deployment package for the enterprise policy level.

  8. Open the Group Policy editor and drop the newly created deployment package onto the Intranet node corresponding to your deployment target scope.
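The four enterprise-level recipes above (full trust for one assembly, full trust for a publisher, blocking one assembly, blocking a publisher) can also be scripted with caspol.exe, the command-line counterpart of the configuration tool. The PowerShell session below is an added example and is not from the book or from Microsoft's documentation; the assembly paths, group names and the runtime version directory are constructed placeholders. It applies to the .NET Framework 1.x through 3.5 runtimes only: CLR 4 and later no longer enforce CAS policy, so these settings have no effect on code running there.

```powershell
# Added example (not from the book). caspol.exe ships with each 1.x-3.5 runtime;
# the version directory below is a placeholder for the runtime you administer.
$caspol = "$env:windir\Microsoft.NET\Framework\v1.1.4322\caspol.exe"

# Scenario 1: FullTrust for one assembly at the enterprise level, Level Final on.
# A strong-named assembly is matched by public key plus its name and version ...
& $caspol -enterprise -quiet -addgroup "1." -strong -file "C:\Deploy\Payroll.dll" Payroll 1.0.0.0 FullTrust -levelfinal on -name "Payroll FullTrust"
# ... an unsigned one is pinned by its SHA1 hash (every rebuild needs a new group).
& $caspol -enterprise -quiet -addgroup "1." -hash SHA1 -file "C:\Deploy\Helper.dll" FullTrust -levelfinal on -name "Helper FullTrust"

# The TIP above, multi-assembly application: one hash group per dependency.
Get-ChildItem "C:\Deploy\Payroll.*.dll" | ForEach-Object {
    & $caspol -enterprise -quiet -addgroup "1." -hash SHA1 -file $_.FullName FullTrust -levelfinal on -name "Payroll dependency $($_.Name)"
}

# Scenario 2: every assembly signed with the publisher's strong-name key, regardless
# of name and version (-noname -noversion is the command-line form of clearing the
# Name and Version check boxes). -pub -file does the same for an Authenticode signer.
& $caspol -enterprise -quiet -addgroup "1." -strong -file "C:\Deploy\Payroll.dll" -noname -noversion FullTrust -levelfinal on -name "Contoso strong name"
& $caspol -enterprise -quiet -addgroup "1." -pub -file "C:\Deploy\Payroll.dll" FullTrust -levelfinal on -name "Contoso Authenticode"

# Scenario 3: block one assembly. Nothing plus Exclusive means this group's (empty)
# grant is the only one taken from this level, so sibling groups cannot add anything
# back. Dropping the version keeps the block effective when the assembly is rebuilt.
& $caspol -enterprise -quiet -addgroup "1." -strong -file "C:\Quarantine\Legacy.dll" Legacy -noversion Nothing -exclusive on -name "Block Legacy"

# Scenario 4: block everything signed by that publisher.
& $caspol -enterprise -quiet -addgroup "1." -strong -file "C:\Quarantine\Legacy.dll" -noname -noversion Nothing -exclusive on -name "Block Legacy publisher"

# Check the result: list the enterprise code groups, then resolve the effective grant
# across all three levels for a file (blocked code resolves to no permissions at all).
& $caspol -enterprise -listgroups
& $caspol -resolveperm "C:\Deploy\Payroll.dll"
& $caspol -resolveperm "C:\Quarantine\Legacy.dll"
```

Steps 7 and 8 have no caspol equivalent: caspol edits the enterprise policy file (enterprisesec.config in the runtime's CONFIG directory) on the local machine, and the Deployment Package Wizard is what wraps that file into the MSI that Group Policy distributes. The two flags are different mechanisms: Level Final stops evaluation of the machine and user levels once this group matches, so nothing below can take the grant away; Exclusive makes this group's permission set the only one used from its own level, so nothing beside it can add to a Nothing grant.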

Reducing the Level of Trust for All Assemblies from the Intranet for a Specific Machine

Scenario: A machine administrator wants to reduce the level of trust given to all assemblies running from the intranet to the same level default policy grants to the Internet.

Solution:

Use the Adjust Security Wizard, select the LocalIntranet zone, and reduce the permission level to the second-to-last position.

Granting All Assemblies from a Specific Intranet Share or Mounted Drive Full Trust on a Machine

Scenario: All assemblies from a specific intranet share or mounted drive should run with full access to all protected resources. This setting should apply machine wide.

Solution:

  1. Expand the machine policy code group hierarchy and choose to add a new code group under the root machine level code group.

  2. In the New Code Group Wizard, choose a name for the new code group.

  3. In the New Code Group Wizard, select the URL membership condition and type in the URL of the share or mounted drive followed by \*. The trailing \* is required; it makes all subdirectories and files on the share or drive match the URL membership condition.

  4. Choose the FullTrust permission set and exit the Wizard.

Disallowing All Assemblies from a Specific Internet Site to Run on a Machine

Scenario: All assemblies from an Internet site should be blocked from running on a machine.

Solution:

  1. Expand the machine policy node and then expand the root node of the code group hierarchy. On the LocalIntranet_Zone code group, choose the New option.

  2. In the New Code Group Wizard, choose a name for the new code group.

  3. In the New Code Group Wizard, select the site membership condition and type in the site whose assemblies you want to block.

  4. Choose the Nothing permission set for this code group and exit the Wizard.

  5. Bring up the Properties page of the newly created code group and set the exclusive flag (This Policy Level Will Only).

"Sandboxing" a Directory on the Local Hard Drive

Scenario: For testing purposes, all assemblies from a specific subdirectory on the local hard drive should receive the same permissions that the default policy gives to assemblies from the Internet.

Solution:

  1. Expand the machine policy level node. On the root code group of the machine policy code group hierarchy, select the New option.

  2. In the New Code Group Wizard, choose a name for the new code group.

  3. In the New Code Group Wizard, select the URL membership condition and type in file://\\[path]\*, where [path] stands for the path of the directory (including all its subdirectories) for which you want to reduce the granted permissions.

  4. Select the Internet permission set for this code group and exit the code group Wizard.

  5. Bring up the Properties page for the newly created code group and set the exclusive flag (This Policy Level Will Only).
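The four machine-level recipes above (reducing intranet trust, trusting a share, blocking a site, sandboxing a directory) expressed with caspol.exe against the machine policy level, as an added example that is not from the book. The share, site and directory names are constructed; mapping the Adjust Security Wizard to a -chggroup of the built-in zone code group is my reading of what the slider does, and the exact URL spellings the URL membership condition accepts are assumed, so confirm a match with -resolvegroup after adding a group.

```powershell
# Added example (not from the book); paths and names are constructed placeholders.
$caspol = "$env:windir\Microsoft.NET\Framework\v1.1.4322\caspol.exe"

# Reducing intranet trust on this machine: the Adjust Security Wizard's slider changes
# which named permission set the built-in zone code group grants. Done explicitly
# (assumed equivalent): rebind LocalIntranet_Zone to the Internet permission set.
& $caspol -machine -quiet -chggroup LocalIntranet_Zone Internet

# Full trust for a share or mounted drive: URL condition with a trailing \* so every
# subdirectory and file under the share matches (URL form assumed, see lead-in).
& $caspol -machine -quiet -addgroup "1." -url "file://\\fileserver\tools\*" FullTrust -name "Tools share"

# Blocking an Internet site. This example attaches the group to the root rather than
# under a zone group, so it is evaluated for code from any zone; Nothing plus Exclusive
# makes the empty grant the only one taken from the machine level.
& $caspol -machine -quiet -addgroup "1." -site "downloads.example.invalid" Nothing -exclusive on -name "Block downloads.example.invalid"

# "Sandboxing" a local directory: Internet permission set with Exclusive, so code under
# C:\Sandbox gets exactly the Internet grant instead of the MyComputer zone's FullTrust.
& $caspol -machine -quiet -addgroup "1." -url "file://C:\Sandbox\*" Internet -exclusive on -name "Sandbox directory"

# Check: which machine-level groups match a given file, and what it would be granted
# once all three levels are intersected.
& $caspol -machine -resolvegroup "C:\Sandbox\Tool.exe"
& $caspol -resolveperm "C:\Sandbox\Tool.exe"
```

Without Exclusive on the sandbox group, the directory's code would still match My_Computer_Zone, and the union of that group's FullTrust with the Internet set is FullTrust again; the flag is what makes the reduction take effect.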

Giving All Assemblies of a Specific Software Publisher Running from the Internet File Read Rights to a Specific Directory

Scenario: All assemblies of a specific software publisher that run from the intranet need file read permission to a specific directory on top of permissions that the default policy already grants them.

Solution:

  1. Expand the machine policy level node, and then select New on the permission set node.

  2. On the New Permission Set Wizard, choose a new name for the permission set, add the FileIO permission, check the read flag, type in the file path, and exit the New Permission Set Wizard.

  3. Expand the machine level code group hierarchy and select New on the LocalIntranet_Zone code group.

  4. In the New Code Group Wizard, select the strong name membership condition, browse to an assembly with the respective strong name, and uncheck both the Name and Version flags.

  5. Select your newly created permission set as the permission set granted by this code group, and then exit the Wizard.

Changing One's User Level Policy to Disallow Intranet Assemblies to Do Anything But Execute

Scenario: No assemblies originating from the local intranet run in your user context should be allowed to do more than simply execute.

Solution:

  1. Expand the User policy node, and select the New option on the root code group.

  2. In the New Code Group Wizard, choose a name for the new code group.

  3. In the New Code Group Wizard, select the zone membership condition, set to Intranet.

  4. Select the Execution permission set for this code group and finish the Wizard.

  5. Bring up the Properties page for the newly created code group and set the Exclusive flag (This Policy Level Will Only).
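The two preceding recipes, a custom permission set granted to a publisher's intranet assemblies and a user-level group that limits intranet code to execution, scripted with caspol.exe as an added example that is not from the book. The directory, assembly and set names are constructed; the permission set XML follows the shape of the policy files, and the short "..., mscorlib" class name is assumed to resolve (the stored files spell out the full assembly name).

```powershell
# Added example (not from the book); paths, names and the permission set XML are constructed.
$caspol = "$env:windir\Microsoft.NET\Framework\v1.1.4322\caspol.exe"

# Steps 1-2: a named permission set holding a single FileIO read permission. caspol
# imports permission sets from XML; the short class name is an assumption (see lead-in).
$psetXml = @"
<PermissionSet class="System.Security.NamedPermissionSet" version="1" Name="ReadReports">
  <IPermission class="System.Security.Permissions.FileIOPermission, mscorlib" version="1" Read="C:\Reports"/>
</PermissionSet>
"@
$psetFile = Join-Path $env:TEMP "ReadReports.xml"
Set-Content -Path $psetFile -Value $psetXml -Encoding ASCII
& $caspol -machine -quiet -addpset $psetFile ReadReports

# Steps 3-5: a child of LocalIntranet_Zone matching the publisher's strong-name key
# only (-noname -noversion). A child group's grant is unioned with its parent's at the
# same level, so matching intranet code gets LocalIntranet plus the extra read right.
& $caspol -machine -quiet -addgroup LocalIntranet_Zone -strong -file "C:\Deploy\Reporting.dll" -noname -noversion ReadReports -name "Contoso report readers"

# User-level scenario: intranet code in this user's context may only execute.
& $caspol -user -quiet -addgroup "1." -zone Intranet Execution -exclusive on -name "Intranet execute only"

# Check with an intranet location: a local path resolves in the MyComputer zone and
# never reaches the LocalIntranet_Zone group. The final grant is the intersection of
# the enterprise, machine and user levels, so once the user-level group above exists,
# the resolved set for this user shrinks back to Execution despite the machine-level grant.
& $caspol -machine -listpset
& $caspol -resolveperm "\\fileserver\apps\Reporting.dll"
```

The last point is the practical check for any per-user restriction: because levels intersect, a user-level Execution-only group quietly cancels machine-level grants such as the ReadReports set for that user, which is easy to miss when the two changes are made by different administrators.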



.NET Framework Security
ISBN: 067232184X
Year: 2000
Pages: 235