Re: FxCop App Security



Thanks for your response, Velvet.

Yes, FxCop surely applies to all .NET code, not specifically to ASP.NET,
so it will apparently display all the warnings or errors if you include those
certain rules.

And if you're focusing on ASP.NET-specific .NET Code Access Security, you may
have a look at the ASP.NET trust level setting, which controls the ASP.NET
application's .NET code access security:

#trustLevel Element for securityPolicy (ASP.NET Settings Schema)
http://msdn2.microsoft.com/en-us/library/as399f0x.aspx

Here are some further references on ASP.NET CAS:

#Chapter 9 – Using Code Access Security with ASP.NET
http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh09.asp?frame=true

#How To: Use Code Access Security in ASP.NET 2.0
http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000017.asp?frame=true

Hope this helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)



--------------------
| From: "Velvet" <velvet@xxxxxxxxxxxxxxxxx>
| References: <evfIYZiEGHA.716@xxxxxxxxxxxxxxxxxxxx> <s#wz3QnEGHA.1240@xxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: FxCop App Security
| Date: Wed, 18 Jan 2006 13:57:36 -0800
|
| The problem is, this applies to normal .NET apps and not ASP.NET apps. I
| need ASP specific information as this needs to be executed on the web
| server.
|
| I have run some searches on the subject but haven't found any useful
| information on what security settings should be used when running the app
| on the web server.
|
| Velvet
|
| "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:s%23wz3QnEGHA.1240@xxxxxxxxxxxxxxxxxxxxxxxx
| > Hi velvet,
| >
| > Welcome to MSDN newsgroup.
| > As for the security-related warnings you get when using FxCop to validate
| > your assembly, they're just some best practices for developing .NET
| > applications. .NET uses Code Access Security to restrict and validate our
| > code's permissions. For the two attributes you mentioned:
| >
| > [assembly: SecurityPermission(SecurityAction.RequestMinimum, Execution = true)]
| > =====================
| > This is used to indicate the minimum permissions your assembly requires...
| > This can help the end user or administrator to get how much permission
| > they need to grant to your assembly.... through .NET CAS policy
| >
| >
| > [assembly: PermissionSet(SecurityAction.RequestOptional, Name = "Nothing")]
| > ========================
| > The SecurityAction.RequestOptional flag allows you to request a set of
| > permissions while refusing all other permissions the runtime otherwise
| > might have been willing to give. By contrast, the RequestRefuse flag
| > allows you to refuse permissions by explicitly specifying which ones your
| > code should not be granted.
| >
| > And here are some other MSDN references discussing .NET CAS:
| >
| > #An Overview of Security in the .NET Framework
| > http://msdn.microsoft.com/library/en-us/dnnetsec/html/netframesecover.asp?frame=true
| >
| > #Programming .NET Code Access Security
| > http://msdn.microsoft.com/library/en-us/dnhcvs03/html/hcvs03a11.asp?frame=true
| >
| > http://msdn.microsoft.com/msdnmag/issues/05/11/CodeAccessSecurity/default.aspx?side=true#a
| >
| > Hope this helps. Thanks,
| >
| > Steven Cheng
| > Microsoft Online Support
| >
| > Get Secure! www.microsoft.com/security
| > (This posting is provided "AS IS", with no warranties, and confers no
| > rights.)
| >
| > --------------------
| > | From: "Velvet" <velvet@xxxxxxxxxxxxxxxxx>
| > | Subject: FxCop App Security
| > | Date: Thu, 5 Jan 2006 10:31:57 -0800
| > |
| > | I ran FxCop on one of the components for my web site and the security
| > | rules want me to add "[assembly: SecurityPermission()]" tags like the ones
| > | listed below:
| > |
| > | [assembly: SecurityPermission(SecurityAction.RequestMinimum, Execution = true)]
| > |
| > | [assembly: PermissionSet(SecurityAction.RequestOptional, Name = "Nothing")]
| > |
| > |
| > | This breaks my ASP.NET application. So my question is, what should
| > | these tags be when used in a .NET application? I haven't found much
| > | information on this so if I could get more info on it in relation to
| > | ASP.NET that would be great.
| > |
| > | thanks,
| > | Velvet
| > |
| > |
| > |
| >
|
|
|
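The trust level setting mentioned in the reply at the top of this thread, shown as an added configuration example that is not part of the original posts. It assumes a machine-level web.config on an ASP.NET 2.0 server; the "Custom" level and the web_CustomTrust.config file name are hypothetical, while the other policy file names are the defaults shipped with the framework.

```xml
<!-- Added example: server-wide ASP.NET code access security policy.
     allowOverride="false" stops an individual application's web.config
     from raising its own trust level. -->
<location allowOverride="false">
  <system.web>
    <securityPolicy>
      <!-- Each named level maps to a CAS policy file. "Full" uses no
           policy file, so code running at Full trust is unrestricted. -->
      <trustLevel name="Full"    policyFile="internal" />
      <trustLevel name="High"    policyFile="web_hightrust.config" />
      <trustLevel name="Medium"  policyFile="web_mediumtrust.config" />
      <trustLevel name="Low"     policyFile="web_lowtrust.config" />
      <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
      <!-- Hypothetical custom level: start from a copy of the Medium
           policy file and add only the permissions the site needs. -->
      <trustLevel name="Custom"  policyFile="web_CustomTrust.config" />
    </securityPolicy>

    <!-- Weak setting (the framework default): every page and component
         runs with Full trust.
         <trust level="Full" originUrl="" />
    -->

    <!-- Restricted setting: applications receive only the permissions
         granted by the Medium trust policy file. -->
    <trust level="Medium" originUrl="" />
  </system.web>
</location>
```

The permissions granted by the selected policy file are the upper bound for every assembly the web application loads, which is the context in which assembly-level requests such as the ones quoted above are evaluated.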
