Re: Security problem.

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Peter Torr \(MS\) (ptorr_at_microsoft.com)
Date: 07/21/04 

Date: Wed, 21 Jul 2004 01:50:20 -0700

"Rick" <noodle@noodle.com> wrote in message
news:uH2mNOZbEHA.808@tk2msftngp13.phx.gbl...
> Hi Peter,
>
> Thanks for the links, I had seen those and read the previously, but I gave
> them another read to see if I was missing something.

You should try out the code to display all the loaded assemblies, too.

> Level = User
>
> Code Groups:
>
> 1. All code: FullTrust
> 1.1. All code: Nothing
> 1.1.1. Url - file://C:/*: Execution

Herein lies the problem - you are only granted Execution permission
(remember that permissions granted by "All Code" or "Zone" membership
conditions are ignored by VSTO). If this is your main VSTO assembly, it
needs to have FullTrust. If it is the web service assembly, it will need at
least WebPermission to the URL of the web service.

> I have read your Blog before. The interesting thing, is that where you say
> the IDE has set up all the security for me, it really hasn't, or something
> is out of line as a result of something else.

VSTO only really sets up permissions for the main assembly; any assemblies
that you reference need to be trusted manually.

> 1.6. StrongName -
> 00240000048000009400000006020000002400005253413100040000010001002DB7FDCC2B91
> B48A42A425406DC6B594D2BAEF4CE5C6B2D50A915D2F073292CC458BE778BA552F09F82AF41C
> 1CA8505FA79CDA8721A7AB92805580E6EE7B4D5BF5BBCF875EC99B5D283269B0CC69408A170F
> 2CBCF7AB8E160904F459A6E004AAE05A77FD651379FFF865DDAFDB0F4DB3206AF07C1EC9E931
> B372374F7A0886A2: FullTrust

You should not add keys to the root of policy; you should add them under 'My
Computer" or the Trusted / LocalIntranet zones. Otherwise, if a bad guy ever
gets hold of some old signed-but-buggy code, it's game over. Even more so if
you skip verification, waiting for IT to real-sign stuff for you.

Peter 

-- 
Peter Torr - http://weblogs.asp.net/ptorr/
This posting is provided "AS IS" with no warranties, and confers no rights
Samples are subject to the terms specified at 
http://www.microsoft.com/info/cpyright.htm

Relevant Pages

  • Re: Cant reference Interop Excel CommandBars collection
    ... using VSTO without any success. ... permissions, and searched the web for answers. ... SetSecurity project that comes with the VSTO install doesn't support ... permissions to multiple assemblies. ...
    (microsoft.public.office.developer.com.add_ins)
  • Re: Reason behind implicit FullTrust LinkDemand?
    ... The removal of permissions from the Internet Zone or the ... time to protect the System* assemblies from this attack. ... the security holes are patched. ... The knew the LinkDemand would be a fix. ...
    (microsoft.public.dotnet.security)
  • Reason behind implicit FullTrust LinkDemand?
    ... The .NET Framework assemblies ... One may counter argue that the implicit FullTrust ... LinkDemand just forces users to grant full trust to code that doesn't really ... permissions describing custom actions allowed or not in the system. ...
    (microsoft.public.dotnet.security)
  • Re: security/strong name/zones clarification needed
    ... Was this also true in the Intranet Zone? ... >child code-group with full permissions granted to any ... >> needs to host the CLR, it creates an AppDomain, but due ... All my assemblies are strong named. ...
    (microsoft.public.dotnet.security)
  • Re: security/strong name/zones clarification needed
    ... several but not publicly documented) about child code-group permissions ... a strong-name, or Authenticode signature evidence. ... This problem would also crop up in the AppDomain case also. ... All my assemblies are strong named. ...
    (microsoft.public.dotnet.security)