How Do I...Script Security Policy Changes?

The common language runtime ships with an advanced security policy system. An assembly receives permissions to access protected resources based on evidence about the code (such as its URL of origin or its publisher certificate). The set of granted permissions is a function of what various policy levels grant to the assembly based on its evidence. There are three policy levels that can be administered: the enterprise policy, machine policy, and user policy level. Each policy level consists of a tree of code groups. Each code group consists of a membership condition and an associated permission set. Code is granted the permission set associated with a code group if it meets the respective membership condition. Changing code groups in the user, machine, or enterprise policy allows administrators to determine what permissions are granted to assemblies. It might become necessary to script policy changes. In these cases, the Code Access Security Policy (Caspol.exe) command line tool can be used to create batch files containing policy change commands.

Note: For all standard administrative tasks, it is highly recommended you use the common language runtime configuration (Mscorcfg.msc) tool.

Note: For more information regarding the policy system, please see the security documentation in the Framework SDK.

The Code Access Security Policy (Caspol.exe) command line tool

The SDK ships the caspol command line policy administration tool. This tool can be used to create batch files for scripting security policy changes. Typing caspol -? at the command line will show you the available options of the tool.

Scripting Against Named Code Groups

In the default policy shipping with the common language runtime, all code groups have a unique name. If code groups have not been deleted or renamed, it is possible to uniquely script changes against these code groups. The most common code group names that will be used for scripting are:

Code Group Name      Description
All_Code             The root code group in every policy level.
My_Computer_Zone     Code group that applies to code on the local computer.
Internet_Zone        Code group that applies to code from the Internet.
LocalIntranet_Zone   Code group that applies to code from the intranet.

To see a complete list of code groups and their names in all policy levels, you can use the following caspol command: caspol -all -listgroups. In order to change a code group's permission set, include a command of the following form in your batch script:

caspol <PolicyLevel> -chggroup <Name of code group> <PermissionSetName>

In order to add a new code group include a command of the following form in your batch script:

caspol <PolicyLevel> -addgroup <Name of parent code group> <MembershipCondition> <PermissionSetName> <CodeGroupFlags>

In order to reset policy to the default state at a policy level include a command of the following form in your batch script:

caspol <PolicyLevel> -reset

Sample Scripts

The following caspol batch script resets policy to the default on all policy levels and grants full trust to intranet applications. Note: since the permissions granted to code are calculated as the intersection of what the policy levels grant, and since in default policy both the enterprise and user policy levels grant full trust, you only need to change the machine policy level to guarantee that intranet applications receive full trust. In other words, the script below guarantees that intranet applications will run with full trust, while code from other places of origin will run with the permissions given to it in default policy.

caspol -all -reset
caspol -machine -chggroup LocalIntranet_Zone FullTrust

The following script of caspol commands shows how to set policy so that code from the Internet will not receive any permissions from machine policy (first line). The second command shows how to add a code group granting full trust to code signed by the publisher that signed Myexe.exe. Note that the new code group is hung off the root of the machine policy.

caspol -machine -chggroup Internet_Zone Nothing
caspol -machine -addgroup All_Code -pub -file Myexe.exe FullTrust
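The two sample scripts above combined into one batch file, as an added example that is not part of the original page: it stops at the first failing command so a half-applied policy is reported rather than silently left behind, and it ends with a listing so the result can be checked. It assumes caspol returns a non-zero exit code on failure and accepts the -q (-quiet) switch that suppresses the policy-change confirmation prompt in later Framework versions; drop -q if your caspol rejects it.

```batch
@echo off
rem Added example (not from the original page): apply the page's policy changes
rem from a batch file, abort at the first failure, then show the resulting policy.
rem Assumption: caspol exits non-zero on failure and accepts -q (quiet, no prompt).
setlocal

rem 1. Reset every policy level (enterprise, machine, user) to the defaults.
caspol -q -all -reset
if errorlevel 1 goto failed

rem 2. Machine policy: code from the Internet gets no permissions from this level.
caspol -q -machine -chggroup Internet_Zone Nothing
if errorlevel 1 goto failed

rem 3. Machine policy: intranet code keeps its membership condition but gets FullTrust
rem    (enterprise and user levels already grant FullTrust in default policy).
caspol -q -machine -chggroup LocalIntranet_Zone FullTrust
if errorlevel 1 goto failed

rem 4. Machine policy: new child of All_Code granting FullTrust to code signed by the
rem    publisher certificate on Myexe.exe (the file must sit next to this script).
if not exist Myexe.exe (
    echo Myexe.exe not found; cannot read its publisher certificate.
    goto failed
)
caspol -q -machine -addgroup All_Code -pub -file Myexe.exe FullTrust
if errorlevel 1 goto failed

rem 5. Verify: list all code groups and the permissions Myexe.exe now resolves to.
caspol -all -listgroups
caspol -all -resolveperm Myexe.exe
echo Policy update completed.
endlocal
exit /b 0

:failed
echo Policy update failed; policy may be partially changed.
echo Run "caspol -all -reset" to return every level to the default policy.
endlocal
exit /b 1
```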

Copyright 2001 Microsoft Corporation. All rights reserved.