ASP.NET Policy Files | Improving Web Application Security: Threats and Countermeasures

Each trust level is mapped to an individual XML policy file and the policy file lists the set of permissions granted by each trust level. Policy files are located in the following directory:

 %windir%\Microsoft.NET\Framework\{version}\CONFIG

Trust levels are mapped to policy files by the <trustLevel> elements in Machine.config, which are located just above the <trust> element, as shown in the following example.

 <location allowOverride="true">   <system.web>     <securityPolicy>       <trustLevel name="Full" policyFile="internal"/>       <trustLevel name="High" policyFile="web_hightrust.config"/>       <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>       <trustLevel name="Low" policyFile="web_lowtrust.config"/>       <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>     </securityPolicy>     <!--  level="[FullHighMediumLowMinimal]" -->     <trust level="Full" originUrl=""/>   </system.web> </location>

Note	No policy file exists for the full-trust level. This is a special case that simply indicates the unrestricted set of all permissions.

ASP.NET policy is fully configurable. In addition to the default policy levels, administrators can create custom permission files and configure them using the < trust > element, which is described later in this chapter. The policy file associated with the custom level must also be defined by a < trustLevel > element in Machine.config.