Chapter 19. Administering .NET Framework Security Policy Using Scripts and Security APIs


By Sebastian Lange

IN THIS CHAPTER

  • Using Batch Scripts for Security Policy Administration

  • Changing Security Policy by Programming Directly to the Security APIs

The .NET Framework Configuration tool introduced in Chapter 18, "Administering Security Policy Using the .NET Framework Configuration Tool," allows for easy administrative changes through the onscreen manipulation of a graphical representation of the security model. However, the .NET Framework Configuration tool does not support changing security policy programmatically. Changing security policy state on a machine programmatically may be required in the following scenarios:

  • You want to test an application in a variety of security contexts.

  • Security policy changes are time dependent, and writing a scheduled security policy batch script may be easier than writing a custom code group.

  • You want to deploy an application across the network and want to run a batch script doing security policy changes as part of the application's installation process.

  • You want to develop your own security policy administration or analysis tools.

The .NET Framework provides two methods for changing security policy programmatically. You can either use the Caspol command-line tool to create batch scripts for security policy changes, or develop directly against the security policy APIs.

Some of the key points covered in this chapter are

  • How to find and start the Caspol tool

  • Examples of the various options of the Caspol tool

  • A set of sample Caspol batch scripts showing the batch script solutions to various administrative problems

  • An overview of the security policy object model and APIs

  • Examples of how to use the APIs for common security policy administration tasks

  • Hints and tricks on how to use the security APIs to write security policy administration or analysis tools

NOTE

This chapter presumes that you have a good understanding of the security policy model. You may want to review Chapter 6, "Permissions: The Workhorse of Code Access Security," Chapter 7, "Walking the Stack," or Chapter 8, "Membership Conditions, Code Groups, and Policy Levels: The Brick and Mortar of Security Policy," in case some of the security model concepts in this chapter seem unfamiliar.

Also, most of the security policy change options and techniques introduced in the following sections map directly to the graphical security policy tree manipulation techniques that the .NET Framework Configuration tool offers. Please refer to Chapter 18's section "Manipulating the Policy Tree Directly - Basic Techniques" for more information on the risks and side effects of various security policy change options. Unless they are particular to the use of the Caspol tool or the security APIs, they will not be repeated here.


If you have a good understanding of the security policy model, you will find the use of Caspol and the security APIs quite intuitive. Both are just another way of providing easy access to modifying the three administrable policy levels. Because both methods of accessing a machine's policy state lack some of the safeguards and intuitive interface of the GUI tool, you should be doubly careful in considering all the effects of your policy manipulations.



.NET Framework Security
ISBN: 067232184X
EAN: 2147483647
Year: 2000
Pages: 235
