One more detail that you may find interesting has nothing to do with code, but with the .NET security settings for NTD applications and WinForms controls downloaded over the Web. In .NET v1.0, assemblies from both the Intranet and the Internet zones were allowed to run, but the Internet permissions were considerably reduced from the Intranet permissions. As of version 1.0 SP1, Microsoft decided that .NET wasn't quite cooked enough to support the rough-and-tumble of the Internet, so it changed the settings to disable code from the Internet altogether (although you could always turn it back on). Now, in version 1.1, Microsoft is confident that it's got a secure platform, and it has turned execution of code from the Internet back on by default, and the Internet permissions themselves have not been reduced.
But that's not all. .NET v1.1 also brings the Authenticode model back from COM. The COM Authenticode model was "punitive." If users OK'd a hunk of code to run, it could do absolutely anything it wanted, subject to the permissions of the users (most of whom, let's face it, run as Administrator). If the code did something bad, a team of experts could track it down, find the certificate, and bring the bad people who wrote the code to hard justice (my understanding is that the A-Team was brought out of retirement at least once to help with this effort). The .NET CAS model, on the other hand, is "preventive," in that the user is never asked, but the code has only a limited set of permissions if it's from a source other than the local hard drive.
In practice, it turns out that both models have their uses. CAS is great, of course, for keeping bad things from happening. Authenticode, on the other hand, is good at letting users know that code from outside their machine is about to execute and asking them if that's OK. Whether or not to ask is determined by the same Internet security settings that determine whether or not to ask for a COM control.
Figure 15.13 shows the default settings for code from the Internet zone in .NET 1.1.
Figure 15.13. .NET 1.1 NTD Security Settings
You'll notice that when code from the Internet zone is executed, by default there are no user prompts. The same is true of the Intranet zone. This is more permissive than the default settings for ActiveX/COM controls, which default to Prompt (for signed controls) and Disable (for unsigned controls). Of course, for COM controls, Authenticode is all the security there is, whereas in .NET, there's all of CAS to continue to protect the user.
Authenticode doesn't affect which permissions an NTD application has. Instead, Authenticode is a gate that affects execution permissions based on user settings before anything else happens, as well as providing an optional prompt. However, the permission set is still awarded based on other evidence. Authenticode behavior is as follows:
So, under .NET 1.1, if an NTD application is allowed to run at all (either it's silently enabled or the user says yes to the prompt), it gets whatever permissions it would get in .NET 1.0, where everything was configured like the ".NET Code Enabled" setting.