Best practice for creating new Code Groups for CAS

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Roy Chastain (roy_at_roychastain.orgnospam)
Date: 03/11/04 

Date: Thu, 11 Mar 2004 13:56:53 -0500

My company is an ISV and we will be distributing assemblies that will
need full trust or close to full trust even when they are loaded from
a remote location.

I have started down the path that a new code group based on Strong
Names would be the correct way to protect and provide the extra
privileges.

Questions are two fold
1) - Is this a reasonable plan. I ask this from a user/administrator
point view. (I am trying to put myself in the position of the network
security administrator at the customer site.) Any comments and
discussion would be welcome.

2) - Assuming that it is a good (or at least reasonable) plan, then my
second question has to do with the code groups themselves. My
thoughts are that my company would use more than one key pair. We
have common code that is shared among products. I thought that it
could have on key pair and each product would have its own key pair.
(Of course, the install process will handle getting all this created
for the user.)

My thoughts were that by using separate keys, different systems within
a customer site could 'trust' our different applications without
having to trust them all.

Now, again assuming that this is all reasonable, the organization of
the code groups comes into question. Given that these assemblies are
part of administration utilities for our applications, I am thinking
to put them under the machine policy so that anyone that can sign on
to the system will have access (at least at this level). The next
question is where in the hierarchy should my new groups go.
Directly under Code Groups or as a member of All_Code. Exactly what
if any difference does it make.

Thanks for comments and insights.

-------------------------------------------
Roy Chastain

Relevant Pages

  • Best practice for managing CAS permissions?
    ... I work for an ISV and that will be distributing assemblies that will ... need full trust or close to full trust even when they are loaded from ... second question has to do with the code groups themselves. ... could have one key pair and each product would have its own key pair. ...
    (microsoft.public.dotnet.security)
  • Best practices for managing CAS permissions?
    ... I work for an ISV and that will be distributing assemblies that will ... need full trust or close to full trust even when they are loaded from ... second question has to do with the code groups themselves. ... could have on key pair and each product would have its own key pair. ...
    (microsoft.public.dotnet.framework.setup)
  • Re: Code Acceess Security question
    ... Some of the Microsoft code must have full trust to execute, ... With the default settings for My_Computer_Zone the child code groups ... and both have the FullTrust permission ...
    (microsoft.public.dotnet.security)
  • Re: run app from network drive
    ... Probably the best answer is to sign your assembly with a key pair, ... assign full trust to all apps with that key pair in the wizard. ... On each client we used the .net framework wizard to trust ...
    (microsoft.public.dotnet.security)
  • Re: Code Acceess Security question
    ... >Some of the Microsoft code must have full trust to ... >than full trust, the child code groups will still give ...
    (microsoft.public.dotnet.security)