Thursday, April 19, 2007

Deploying .NET 2.0 security settings without SDK or caspol

This article applies to Microsoft .NET Framework 2.0 security (Code Access Security).
keywords: CAS, full trust, assembly, security, policy, mscorcfg.msc, caspol.exe

When you want to adjust the Code Access Security (CAS) settings of .NET 2.0 on a single machine, you use the mscorcfg.msc tool (Control Panel / Administrative Tools / Microsoft .NET Framework 2.0 Configuration).

In a production environment, however, you often need to apply the same settings to a whole batch of machines, and mscorcfg.msc is only included in the .NET Framework 2.0 SDK, a download of over 300 MB that you don't want on every server. The other option is the caspol.exe command line (which, unlike the configuration tool, ships with the runtime itself), but its syntax scares most people away. A lot of people run into this, so here is an easier way.

The title is a small lie: you do need the SDK, but only on one machine. Since you are a developer (right?) I assume you have Visual Studio, which installs the SDK. If you don't have the SDK on any machine, download it and install it on at least one.

Once you have that, use the mscorcfg tool to set up that machine with the permissions you want (trust assemblies, adjust zone security settings, and so on). When you are done, use this option:

Configure Code Access Security Policy

Create Deployment Package

You will see a new dialog, which doesn't have many options.

The dialog is a bit weird and buggy, but all you have to specify is a file name in some valid folder, for example c:\SecuritySettings; that is where the package will be written.

The other thing you might want to change is the security policy level to deploy: Enterprise, Machine or User. If you are deploying to production machines you will usually want Machine, which applies to every account on the box; User affects only a single user's policy.
Click Next, then Finish.

What this little wizard does is take the policy of the selected level on that machine and wrap it in a Windows Installer package (an .msi file) that you can run on any other machine to make that machine's policy match.

Now all you need to do is copy that file to the machines where you want the new security settings, run it, and you're done.

When you run the file you will naturally expect a dialog asking you to click Next, Next, Next, Finish, but no dialog pops up; you will see something flash for a second and then disappear, and that's all it does. You need administrator rights on the target, because for the Machine level the package writes the policy file under %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG. If the file ran without error, the security settings have been changed. Bear in mind that the package replaces the whole policy level: anything that was configured locally on the target at that level (an extra trusted assembly, a changed zone) is overwritten, so keep a copy of the target's existing policy before you run it.
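Because the package runs silently and replaces the policy level wholesale, the thing you actually want on each target is a small wrapper that saves the current policy, installs the package without UI, and then proves the policy changed. The script below is an added example, not code from the original post or from the wizard's output. It assumes the wizard wrote a Machine-level package to the path in $Package (the file name is hypothetical), and that it runs in an elevated PowerShell (2.0 or later, for Start-Process) on each target. It uses only caspol.exe, which ships with the runtime, so the targets still need no SDK.

```powershell
# deploy-cas.ps1 -- added example, not the original post's code or the wizard's output.
# Assumes: a Machine-level package at $Package (hypothetical file name) and an
# elevated PowerShell 2.0+ session on the target machine.
param(
    [string]$Package   = "C:\SecuritySettings\SecuritySettings.msi",
    [string]$BackupDir = "C:\SecuritySettings\backup"
)

$fx            = Join-Path $env:windir "Microsoft.NET\Framework\v2.0.50727"
$machinePolicy = Join-Path $fx "CONFIG\security.config"   # Machine-level CAS policy (32-bit runtime)
$caspol        = Join-Path $fx "caspol.exe"                # ships with the runtime, no SDK needed
# Note: on x64 Windows the 64-bit runtime keeps its own copy under Framework64\v2.0.50727\CONFIG.

if (-not (Test-Path $Package)) { throw "Package not found: $Package" }
if (-not (Test-Path $caspol))  { throw ".NET 2.0 runtime not found at $fx" }

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"

# 1. Snapshot what is on the box now: the package replaces this whole level.
Copy-Item $machinePolicy (Join-Path $BackupDir "security.config.$stamp")
$before = Join-Path $BackupDir "groups-before.$stamp.txt"
& $caspol -m -lg | Out-File $before          # -m = Machine level, -lg = list code groups

# 2. Install silently. /qn = no UI, /l*v = verbose log for when it "flashes and disappears".
$log     = Join-Path $BackupDir "install.$stamp.log"
$msiArgs = "/i `"$Package`" /qn /l*v `"$log`""
$proc    = Start-Process -FilePath "msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exited with $($proc.ExitCode); see $log" }

# 3. Verify: list the code groups again and show what changed against the snapshot.
$after = Join-Path $BackupDir "groups-after.$stamp.txt"
& $caspol -m -lg | Out-File $after
$diff = Compare-Object (Get-Content $before) (Get-Content $after)
if ($diff) { $diff | Format-Table -AutoSize } else { "No change in Machine-level code groups." }
```

To roll back, copy the saved security.config back over the one in CONFIG; the runtime reads policy when a process starts, so restart the application afterwards. To confirm a particular assembly ended up with the permission set you expected, run caspol -m -resolveperm on its path on the target.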

Now, if "it works on my machine!", you can make it work on the other machines too =o)

1 comment:

«/\/\Ø|ö±ò\/»®© said...

That will work in many cases, but it can be destructive. What if there have been modifications to the Code Access Security policy configured on the target system? Running the generated MSI package will overwrite the modifications unless they have been taken into consideration and incorporated into the policy on the system where the MSI was generated. This may or may not be an issue, depending on the target environment.

I've seen the following approaches to manipulating the Code Access Security policy on a machine:
1) The method you describe, which has the issue that I previously mentioned
2) Direct manipulation of the .config file in %windir%\Microsoft.NET\Framework\vx.y.z\CONFIG (!!!)
5) Code that is marked with the RunInstaller attribute set to true and derives from System.Configuration.Install.Installer, and is invoked by InstallUtil to programmatically manipulate CAS

Considering that MSCORCFG.MSC shipped with the .NET Framework 1.1, and the other issues that might arise, I've done a bit of work to determine what precisely is necessary to get MSCORCFG.MSC to run on a system that doesn't have the .NET Framework 2.0 SDK installed. Like your method, access to a system with the .NET Framework 2.0 SDK is required.

If you're interested, details are at:
.NET Framework 2.0 Configuration Tool (Part 1) @

.NET Framework 2.0 Configuration Tool, Part 2 @

.NET Framework 2.0 Configuration Tool, Part 3 @
(this is where the information about what is necessary to get MSCORCFG.MSC to run without installing the SDK is presented)