The usual tool for viewing security policy is the .NET configuration tool, mscorcfg.msc. This tool is a Microsoft Management Console (MMC) snap-in that you can normally find in the Control Panel, under Administrative Tools. When you launch the configuration tool, you see a series of nodes in the MMC treeview. Click the Runtime Security Policy node, and you have the choice of viewing security policy at the enterprise, machine, or user level, as shown in Figure 21.1.
Figure 21.1. The .NET configuration tool.
The .NET Framework lets you set security policy for a Windows domain (Enterprise), for an individual computer (Machine), or for an individual user, with the principle that an action will not be permitted if any one of the security policies does not permit the action. However, when .NET ships out of the box, only the machine level has a substantial security policy set up by default. The other levels are available if you want to use them to add or customize security policy.
Viewing security policy is simply a question of navigating through the treeview in mscorcfg to identify the particular aspects of policy you want to examine. For example, Figure 21.2 shows the configuration tool displaying the permissions in the LocalIntranet permission set.
Figure 21.2. Viewing the permissions of a permission set.
Continuing this example, you can double-click one of the permissions in the listview to examine the details of which actions covered by that permission have been granted or denied. Figure 21.3 shows the dialog box that opens when you examine the security permission of the LocalIntranet permission set.
Figure 21.3. The security permission for the LocalIntranet permission set.
The .NET configuration tool is designed to allow you to manage security policy, which means that you can use it to edit the settings as well as to view them. If your intention is merely to view the current policy, then you should take care not to change anything. In Figure 21.3, the security permission is listed as read only because the LocalIntranet permission set is a system-defined set, which you cannot modify. However, in general you can edit permissions.
You can use the .NET configuration tool to view most aspects of security policy through a friendly dialog-based user interface. However, its user interface very much focuses on drilling down into the details of security policy, which means it is not so good at presenting a broad overview of policy. Two other options give you this overview: you can use a command-line security tool called caspol, or you can view the Extensible Markup Language (XML) files that define the security policy directly. Both of these options mean you see the policy written out in plain-text format, which might make it harder to understand.
To use caspol, simply type caspol at the VS.NET command-line prompt. Typing caspol without supplying any options lists all the possible options. As far as viewing policy is concerned, the most useful flags are -lg (which lists code groups) and -lp (which lists permission sets and generates a lot of output). Listing 21.2 shows typical caspol output for listing code groups.
Listing 21.2 caspol Output
C:\>caspol -lg
Microsoft (R) .NET Framework CasPol 1.1.4322.573
Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.

Security is ON
Execution checking is ON
Policy change prompt is ON

Level = Machine

Code Groups:

1. All code: Nothing
   1.1. Zone - MyComputer: FullTrust
      1.1.1. StrongName - 00240000048000009400000006020000002400005253413100040
0000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE
79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E82
1C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8
A12436518206DC093344D5AD293: FullTrust
      1.1.2. StrongName - 00000000000000000400000000000000: FullTrust
   1.2. Zone - Intranet: LocalIntranet
      1.2.1. All code: Same site Web.
      1.2.2. All code: Same directory FileIO - Read, PathDiscovery
   1.3. Zone - Internet: Internet
      1.3.1. All code: Same site Web.
   1.4. Zone - Untrusted: Nothing
   1.5. Zone - Trusted: Internet
      1.5.1. All code: Same site Web.
Success
Each line of output in Listing 21.2 gives the membership condition of a code group and names the permission set assigned to that group. For example, the Intranet zone code group is assigned the LocalIntranet permission set. You can also use caspol to modify policy if you supply the appropriate flags.
The final option, that of directly viewing the configuration files, is the most advanced. It is the only way of viewing the security policy in its entirety, but it isn't for the faint-hearted. The policy files are XML files. The user-level file is located in a user-specific folder, and the machine- and enterprise-level files are named security.config and enterprisesec.config and are located in the folder %WINDIR%\Microsoft.NET\Framework\v1.1.4322\CONFIG.
Note that you must take special care not to modify these files unless you know what you are doing, because if you introduce a syntax error, for example, you could break the CLR's security policy altogether.
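As an added example (not from the book), the following Python script reads a constructed fragment laid out like the machine-level security.config and prints its CodeGroup tree in the numbered form that caspol -lg uses, so you can see how the XML maps onto Listing 21.2. The element and attribute names it relies on (CodeGroup, IMembershipCondition, PermissionSetName, Zone, PublicKeyBlob, Access) are assumed from the .NET 1.1 policy file format, and the sample omits most of the default groups.

```python
import xml.etree.ElementTree as ET

# Constructed fragment laid out like a .NET 1.1 security.config (names assumed from that format)
SAMPLE_CONFIG = """<configuration><mscorlib><security><policy><PolicyLevel version="1">
<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="Nothing" Name="All_Code">
 <IMembershipCondition class="AllMembershipCondition" version="1"/>
 <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="My_Computer_Zone">
  <IMembershipCondition class="ZoneMembershipCondition" version="1" Zone="MyComputer"/>
  <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="ECMA_Strong_Name">
   <IMembershipCondition class="StrongNameMembershipCondition" version="1" PublicKeyBlob="00000000000000000400000000000000"/>
  </CodeGroup>
 </CodeGroup>
 <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="LocalIntranet" Name="LocalIntranet_Zone">
  <IMembershipCondition class="ZoneMembershipCondition" version="1" Zone="Intranet"/>
  <CodeGroup class="NetCodeGroup" version="1" PermissionSetName="SameSite" Name="Intranet_Same_Site_Access">
   <IMembershipCondition class="AllMembershipCondition" version="1"/>
  </CodeGroup>
  <CodeGroup class="FileCodeGroup" version="1" Access="Read, PathDiscovery" Name="Intranet_Same_Directory_Access">
   <IMembershipCondition class="AllMembershipCondition" version="1"/>
  </CodeGroup>
 </CodeGroup>
</CodeGroup>
</PolicyLevel></policy></security></mscorlib></configuration>"""

def describe_condition(cond):
    """Render an IMembershipCondition the way caspol -lg prints it."""
    kind = cond.get("class")
    if kind == "AllMembershipCondition":
        return "All code"
    if kind == "ZoneMembershipCondition":
        return "Zone - " + cond.get("Zone")
    if kind == "StrongNameMembershipCondition":
        return "StrongName - " + cond.get("PublicKeyBlob")
    return kind  # Url, Site, Hash, Publisher conditions: fall back to the class name

def describe_grant(group):
    """A named permission set, or one computed from the code's origin (Net/File groups)."""
    kind = group.get("class")
    if kind == "NetCodeGroup":
        return "Same site Web."
    if kind == "FileCodeGroup":
        return "Same directory FileIO - " + group.get("Access")
    return group.get("PermissionSetName")

def list_code_groups(config_xml):
    """Walk the CodeGroup tree depth-first, numbering nodes 1, 1.1, 1.1.1 like caspol."""
    root = ET.fromstring(config_xml).find("mscorlib/security/policy/PolicyLevel/CodeGroup")
    lines = []
    def walk(group, label, depth):
        cond = group.find("IMembershipCondition")
        lines.append("   " * depth + label + ". " + describe_condition(cond) + ": " + describe_grant(group))
        for i, child in enumerate(group.findall("CodeGroup"), 1):
            walk(child, label + "." + str(i), depth + 1)
    walk(root, "1", 0)
    return lines
```

Running list_code_groups on the real security.config of each installed Framework version gives you a quick side-by-side view of which zone is mapped to which permission set without opening the MMC snap-in.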
If you have more than one version of the .NET Framework installed, each version independently maintains its own security policy, so you need to take care that you are viewing the correct policy. The Control Panel, Administrative Tools dialog shows a separate .NET configuration tool for each version of the CLR. If you are using caspol, you need to run it from the version of the VS.NET command prompt corresponding to the CLR version whose policy you want to view. These same considerations apply when using these tools to modify security policy, as described in the next two recipes.