7. Code Access Security

7.1 What is Code Access Security (CAS)?
CAS is the part of the .NET security model that determines whether a piece of code is allowed to run, and what resources it can use while it runs. For example, CAS can prevent a .NET web applet from formatting your hard disk.

7.2 How does CAS work?
The CAS security policy is built around two key concepts: code groups and permissions. Each .NET component is a member of a particular code group, and each code group is granted the permissions specified in a named permission set. For example, under the default security policy, a control downloaded from a web site belongs to the "Zone - Internet" code group, which is granted the permissions defined by the "Internet" named permission set. (Naturally, the "Internet" named permission set represents a strictly limited set of permissions.)

7.3 Who defines the CAS code groups?
Microsoft defines some default code groups, but you can change these and even create your own. To see the code groups defined on your system, run the "caspol -l" command from the command line. On my system it looks like this:

level = Machine
Code Groups:

1. All code: Nothing
   1.1 Zone - MyComputer: FullTrust
      1.1.1 Honor SkipVerification requests: SkipVerification
   1.2 Zone - Intranet: LocalIntranet
   1.3 Zone - Internet: Internet
   1.4 Zone - Untrusted: Nothing
   1.5 Zone - Trusted: Internet
   1.6 StrongName - 0024000004800000940000000602000000240000525341310004000003000000CFCB3291AA715FE99D40D49040336F9056D7886FED46775BC7BB5430BA4444FEF8348EBD06F962F39776AE4DC3B7B04A7FE6F49F25F740423EBF2C0B89698D8D08AC48D69CED0FC8F83B465E0807AC11EC1DCC7D054E807A43336DDE408A5393A48556123272CEEEE72F1660B71927D38561AABF5CAC1DF1734633C602F8F2D5: Everything

Note the hierarchy of code groups: the top of the hierarchy ('All code') is the most general, and it is then divided into several groups, each of which can in turn be divided. Note also that a subgroup can be given a broader permission set than its parent.

7.4 How do I define my own code group?
Use caspol. For example, suppose you trust code from www.mydomain.com and want it to have full access to your system, while keeping the default restrictions for all other Internet sites. To achieve this, add a new subgroup to the Zone - Internet group, like this:

caspol -ag 1.3 -site www.mydomain.com FullTrust

Now if you run caspol -lg you can see that the new code group has been added as group 1.3.1:

...
1.3. Zone - Internet: Internet
   1.3.1. Site - www.mydomain.com: FullTrust
...

Note that the numeric label (1.3.1) is just a caspol invention that makes it easy to manipulate code groups from the command line. The underlying runtime never sees it.

7.5 How do I change the permission set of a code group?
Use caspol. If you are the administrator of the machine, you can operate at the 'Machine' level. This means not only that the changes you make become the default for the machine, but also that users cannot change the permissions to be more permissive. If you are an ordinary user (not an administrator), you can still modify the permissions, but only to make them more restrictive. For example, to let intranet code do whatever it wants, you might run:

caspol -cg 1.2 FullTrust

Note that because this is more permissive than the default security policy (on a standard system), you should do this at the Machine level; doing it at the User level will have no effect.
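
The resolution rules behind 7.3 to 7.5, as an added example that is not part of the original FAQ and is not .NET runtime code: a simplified Python model in which a component's grant within one policy level is the union of the permission sets of every code group it matches, and the final grant is the intersection across levels. The permission names, helper names and evidence dictionaries are constructed for illustration.

```python
# Simplified model of CAS policy resolution; illustration only, not CLR code.
# Permission names below are constructed stand-ins for the real permission sets.
PERMISSION_SETS = {
    "Nothing": frozenset(),
    "Internet": frozenset({"Execute", "SafeUI"}),
    "LocalIntranet": frozenset({"Execute", "SafeUI", "ReadUserEnv"}),
    "FullTrust": frozenset({"Execute", "SafeUI", "ReadUserEnv", "FileIO", "Registry"}),
}

def group(name, match, pset, *children):
    return {"name": name, "match": match, "pset": pset, "children": children}

def zone(z):
    return lambda ev: ev["zone"] == z

def machine_policy(*internet_children):
    """Machine-level tree from the listing in 7.3 (1.1.1 and 1.6 left out)."""
    return group("All code", lambda ev: True, "Nothing",
                 group("Zone - MyComputer", zone("MyComputer"), "FullTrust"),
                 group("Zone - Intranet", zone("Intranet"), "LocalIntranet"),
                 group("Zone - Internet", zone("Internet"), "Internet", *internet_children),
                 group("Zone - Untrusted", zone("Untrusted"), "Nothing"),
                 group("Zone - Trusted", zone("Trusted"), "Internet"))

# The subgroup created by: caspol -ag 1.3 -site www.mydomain.com FullTrust
SITE_GROUP = group("Site - www.mydomain.com",
                   lambda ev: ev["site"] == "www.mydomain.com", "FullTrust")
# Default user-level policy: a single "All code" group with FullTrust.
USER_DEFAULT = group("All code", lambda ev: True, "FullTrust")

def resolve_groups(node, evidence, label="1"):
    """Like 'caspol -rsg': every code group the evidence matches, with its label."""
    if not node["match"](evidence):
        return []  # children are consulted only when the parent matches
    hits = [(label, node["name"], node["pset"])]
    for i, child in enumerate(node["children"], start=1):
        hits += resolve_groups(child, evidence, f"{label}.{i}")
    return hits

def resolve_permissions(levels, evidence):
    """Like 'caspol -rsp': union within a level, intersection across levels."""
    granted = None
    for root in levels:
        level = frozenset().union(
            *(PERMISSION_SETS[p] for _, _, p in resolve_groups(root, evidence)))
        granted = level if granted is None else granted & level
    return granted
```

Because the levels are intersected, a user-level policy can only narrow what the machine level grants, which is why the FullTrust change in 7.5 has to be made at the Machine level.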

7.6 Can I create my own permission set?
Yes. Use caspol -ap, specifying an XML file that contains the permissions in the permission set. Here is a sample file specifying the 'Everything' permission set - modify it to suit your needs, which will save you some time. When you have finished editing it, add it to the available permission sets like this:

caspol -ap SamplepermSet.xml

Then apply the permission set to a code group like this:

caspol -cg 1.3 SamplepermSet

(By default, 1.3 is the 'Internet' code group.)

7.7 How do I diagnose my program when there is a CAS problem?
caspol has a couple of options that may help. First, use caspol -rsg to have caspol tell you which code groups a component belongs to. Similarly, use caspol -rsp to ask what permissions apply to a specific component.

7.8 I can't stand CAS. Can I turn it off?
Yes, as long as you are a system administrator. Just run:

caspol -s off