Re: CasPol security
From: Chris Rolon (crolon_at_hotmail.com)
Date: 05/25/04
- In reply to: Steve: "Re: CasPol security"
Date: Tue, 25 May 2004 14:33:25 -0700
You need to figure out the minimum permissions required. This is something
that you should have somewhat of a handle on.

For example, any I/O will require access to the file system. But do you
really need access to the file system, or just Isolated Storage? These are
different. The application will normally already have access to Isolated
Storage.

Do you require access to the registry, environment variables, printing,
UI...?

These are all questions that must be answered and trust can be applied
accordingly.

If the assembly uses declarative security, use PermView to give you a list
of the required permissions. Otherwise, test the application with an account
that has no additional privileges.

Chris Rolon
"Steve" <sbianco1@yahoo.com> wrote in message
news:11fad01c44265$33e60820$a601280a@phx.gbl...
> Chris.
>
> I agree with your comments and thus is my concern.
> However, while knowing nothing about security, it seems
> running the Framework wizard "trust assembly" requires
> that application be given full trust.
>
> How can I [begin] to lower the trust level of the
> application?
>
> Steve
> >-----Original Message-----
> >The danger is that the application is being granted more rights than
> >necessary. If, somehow, the application were compromised through a stack
> >overrun or some other as yet undiscovered vulnerability, a hacker could do
> >damage to your system.
> >
> >As a matter of policy applications should not run with privileges greater
> >than absolutely necessary. That is why the security model has changed and is
> >based on where the code came from rather than on who is logged in.
> >
> >--
> >
> >Chris Rolon
> >
> >This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> ><anonymous@discussions.microsoft.com> wrote in message
> >news:11dba01c44251$77d1aa30$a301280a@phx.gbl...
> >> What's the danger in doing:
> >>
> >> C:\...\caspol -enterprise -addfulltrust L:\foo.exe
> >>
> >> foo is a local network (non-web based) application that
> >> references internal databases and general web based
> >> information sites.
> >>
> >> Steve
> >
> >
> >.
> >
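
The reply at the top of this message mentions declarative security and the difference between file system access and Isolated Storage. The following is an added example, not code from any poster in this thread, showing what assembly-level declarative permission requests look like under .NET Framework CAS; the class name, file name and probed path are hypothetical.

```csharp
// Added example (not from the thread). Assumes .NET Framework 1.x/2.0 code access security.
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security;
using System.Security.Permissions;

// Minimum grant: if policy cannot supply these, the assembly refuses to load.
[assembly: SecurityPermission(SecurityAction.RequestMinimum, Execution = true)]
[assembly: IsolatedStorageFilePermission(SecurityAction.RequestMinimum,
    UsageAllowed = IsolatedStorageContainment.AssemblyIsolationByUser,
    UserQuota = 65536)]
// Empty optional set: the runtime grants nothing beyond the minimum above,
// even if policy (for example a full-trust code group) would allow more.
[assembly: PermissionSet(SecurityAction.RequestOptional, Unrestricted = false)]

class LeastPrivilegeDemo   // hypothetical name
{
    static void Main()
    {
        // Allowed: per-user, per-assembly Isolated Storage.
        IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForAssembly();
        using (IsolatedStorageFileStream fs =
                   new IsolatedStorageFileStream("settings.txt", FileMode.Create, store))
        using (StreamWriter w = new StreamWriter(fs))
        {
            w.WriteLine("lastRun=" + DateTime.Now);
        }
        Console.WriteLine("Isolated Storage write: ok");

        // Not requested, so the FileIOPermission demand fails before the file is touched.
        Probe("file system", delegate { new FileStream(@"C:\placeholder.txt", FileMode.Open).Close(); });
        // Not requested either: EnvironmentPermission.
        Probe("environment", delegate { Environment.GetEnvironmentVariable("PATH"); });
    }

    delegate void Action0();

    static void Probe(string what, Action0 action)
    {
        try { action(); Console.WriteLine(what + ": allowed"); }
        catch (SecurityException) { Console.WriteLine(what + ": denied by CAS"); }
        catch (IOException) { Console.WriteLine(what + ": allowed (I/O error only)"); }
    }
}
```

Running PermView against the compiled assembly lists these requests, which gives the permission set to grant in place of full trust.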