In this section, you learn how to set different security policies for your ASP.NET applications. If you look in the same directory as your Machine.Config file (\WINNT\Microsoft.NET\Framework\[ version ]\CONFIG ), you see a number of other files that end with the extension .config . These configuration files define different security policies. For example, the web_lowtrust.config file defines the security policy for an ASP.NET application that is provided with a low-trust security policy. You can open any of these human-readable XML files in Notepad.
A security policy file contains three main sections: a list of security classes, a list of named permission sets, and a list of code groups.
A security policy is built from one or more code groups. Code groups specify membership conditions for code. If the code contained in an assembly matches the membership conditions of a code group, the security policy of the code group applies to the code contained in the assembly. You can find the classes that define code groups in the System.Security.Policy namespace.
Each code group is associated with a named permission set , which contains a set of permissions and a name and description of the permission set. You can create custom permission sets or use the built-in permission sets.
The permissions that you can use with permission sets are located in the System.Security.Permissions namespace. An example of a permission is the FileIOPermission class, which controls how you access files and directories on the hard drive. For example, you can use this permission to grant Read and Write permissions on files. There are also permissions for controlling access to environmental and registry variables .
You can apply a security policy to an ASP.NET application by modifying the trust level of the application in either the Machine.Config file or the root Web.Config file for the application. For example, if you want to apply a low-trust security policy, you can configure the trust section like this:
<trust level="Low" originUrl="" /> <securityPolicy> <trustLevel name="Full" policyFile="internal" /> <trustLevel name="High" policyFile="webhightrust.config" /> <trustLevel name="Low" policyFile="weblowtrust.config" /> <trustLevel name="None" policyFile="webnotrust.config" /> </securityPolicy>