> I'm not quite getting the security of .NET. Maybe someone can give the
> basic issue here so I can see the patten and better understand it with
>  the written docs.
>
> For now, until I understand what is going on I would like to remove it
> to get full control of my RPC client/server framework which is already
> secured in its own rights and installed by corporate operators in
> secured computer rooms environments.  I need to get the package running
> as always.
>
> In short, the clients, are .NET applications using our new .NET SDK
> class library DLL.   The package can be installed on local machines,
> computer rooms on networks so I really need to get control of this.
>
> What I have is an exe and dll
>
>     Wildcat.net.server.dll  <-- our .NET SDK API DLL
>     BSMiniRPT.exe           <-- SDK example
>
> I copied these from  my local D: drive to my network shared G: drive and
> tried to run it. I get the report below.  I also tried to do what I
> though would remove the security from the compiled EXE and I still get
> the report below.
>
> What is it exactly do I need to look for to begin testing the .net work
> with field testers who have no restrictions where they install our
> server and/or run the client applications?
>
> ************** Exception Text **************
> System.Security.SecurityException: Request for the permission of type
> 'System.Security.Permissions.EnvironmentPermission, mscorlib,
> Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
>    at System.Security.CodeAccessSecurityEngine.Check(Object demand,
> StackCrawlMark& stackMark, Boolean isPermSet)
>    at System.Security.CodeAccessPermission.Demand()
>    at System.Environment.GetCommandLineArgs()
>    at BSMiniRPT.frmMain.frmMain_Load(Object eventSender, EventArgs
> eventArgs)
>    at System.EventHandler.Invoke(Object sender, EventArgs e)
>    at System.Windows.Forms.Form.OnLoad(EventArgs e)
>    at System.Windows.Forms.Form.OnCreateControl()
>    at System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible)
>    at System.Windows.Forms.Control.CreateControl()
>    at System.Windows.Forms.Control.WmShowWindow(Message& m)
>    at System.Windows.Forms.Control.WndProc(Message& m)
>    at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
>    at System.Windows.Forms.ContainerControl.WndProc(Message& m)
>    at System.Windows.Forms.Form.WmShowWindow(Message& m)
>    at System.Windows.Forms.Form.WndProc(Message& m)
>    at
> System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
>    at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
>    at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg,
> IntPtr wparam, IntPtr lparam)
> The action that failed was:
> Demand
> The type of the first permission that failed was:
> System.Security.Permissions.EnvironmentPermission
> The Zone of the assembly that failed was:
> Intranet
>
>
> ************** Loaded Assemblies **************
> mscorlib
>     Assembly Version: 2.0.0.0
>     Win32 Version: 2.0.50727.832 (QFE.050727-8300)
>     CodeBase:
> file:///F:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
> ----------------------------------------
> BSMiniRPT
>     Assembly Version: 1.0.1.0
>     Win32 Version: 1.0.1.0
>     CodeBase: file:///G:/wc7beta/BSMiniRPT.exe
> ----------------------------------------
> Microsoft.VisualBasic
>     Assembly Version: 8.0.0.0
>     Win32 Version: 8.0.50727.42 (RTM.050727-4200)
>     CodeBase:
> file:///F:/WINDOWS/assembly/GAC_MSIL/Microsoft.VisualBasic/8.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualBasic.dll
>
> ----------------------------------------
> System
>     Assembly Version: 2.0.0.0
>     Win32 Version: 2.0.50727.832 (QFE.050727-8300)
>     CodeBase:
> file:///F:/WINDOWS/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
>
> ----------------------------------------
> System.Windows.Forms
>     Assembly Version: 2.0.0.0
>     Win32 Version: 2.0.50727.832 (QFE.050727-8300)
>     CodeBase:
> file:///F:/WINDOWS/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
>
> ----------------------------------------
> System.Drawing
>     Assembly Version: 2.0.0.0
>     Win32 Version: 2.0.50727.832 (QFE.050727-8300)
>     CodeBase:
> file:///F:/WINDOWS/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
>
> ----------------------------------------
> System.Configuration
>     Assembly Version: 2.0.0.0
>     Win32 Version: 2.0.50727.832 (QFE.050727-8300)
>     CodeBase:
> file:///F:/WINDOWS/assembly/GAC_MSIL/System.Configuration/2.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
>
> ----------------------------------------
> System.Xml
>     Assembly Version: 2.0.0.0
>     Win32 Version: 2.0.50727.832 (QFE.050727-8300)
>     CodeBase:
> file:///F:/WINDOWS/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
>
> ----------------------------------------
> System.Runtime.Remoting
>     Assembly Version: 2.0.0.0
>     Win32 Version: 2.0.50727.832 (QFE.050727-8300)
>     CodeBase:
> file:///F:/WINDOWS/assembly/GAC_MSIL/System.Runtime.Remoting/2.0.0.0__b77a5c561934e089/System.Runtime.Remoting.dll
>
> ----------------------------------------
>
> ---

>I could really use some .NET real world insight here from experienced
>VB.NET people here.
>
>I found the utility CASPOL.EXE and noticed if I do:
>
>     start caspol -s off
>
>then I can run the EXE/DLL without the security from a remove drive.
>
>Off hand, I would ask:
>
>     How do I do this programmatically?
>
>but even if possible (allowed), that is probably not a good idea
>without fully understanding the logic.
>
>Is this where I need to "create a manifest" or something that bundles
>my security exclusions with the DLL or EXE?
>
>Do I need to sign the DLL and will that cover the sub-assemblies it
>references? e.g.; mscorlib.dll?

> Jack Jackson wrote:
>
>> As far as I know your two choices are:
>> 1. Run caspol on each workstation, which changes the security for
>> everything on the share, not just your program.  I do not know other
>> implications of this.
>  >
>> 2. Install .NET 3.5 SP1.  Your app does not have to target 3.5, this
>> service pack changes the security rules for all 2.0 and higher apps to
>> allow them to run from network shares.
>
> Does it relax it?  I might have heard wrong, but for VS 2010, Microsoft
> has reverted or done something so that this isn't so unpredictable or
> the developer has more precise control. Not sure since I am catching up
> to all this.  I'll read up more on the security rules patch.  This
> comment in MSDN was very puzzling and concerning:
>
>   Partial Trust
>
>   ...
>
>   What is not allowed in partial trust? That is not easy to
>   determine. Each class and each method of each class in the .NET
>   Framework has a security attribute that defines the level of
>   trust needed to run that method, and that attribute may not be
>   accessible at run time because of just these security features.
>
> I hope MS makes this a non-issue to help minimize any exploitation
> caused by the frustrations of developers and users lowering their guards
> because they can't get anything done or isn't straight forward - my
> security hat opinion.
>
> What I did just now was to use MSCORCFG.MSC to alter the local intranet
> setting.    This change will be great for internal development and
> testing but of course, I can't tell customers to do this. So I would
> like to be able to sandbox our own customer trusted apps.
>
> The problem seems to be that while I can change the permission for the
> EXE and our DLL, I haven't figure out how to change all the dependencies
> (the partial trust issue above).
>
> I did see I can create my own Code Group but have not seen yet how to
> apply it to the applications and dll, i.e, how do you assign it  to the
> application or assembly?  This appears as the sandbox solution I need to
> figure out.
>
> This MSDN C# example on how to System.Security.Permissions
> programmatically did not work for me:
>
> http://msdn.microsoft.com/en-us/library/aa288469(VS.71).aspx#vcwlksecuritytutorialsuppressingsecurity
>
>
> until I added full trust to the Local Intranet setting via MSCORCFG.MSC
> which of course, made those commands useless.
>
> It seems to be a chicken and egg thing.  You need to start an
> application on a local drive, then change the permission and change
> directory to a shared drive and continue the process.  :-)
>
> Thanks for your input.
>
> --

> Jack, these links are proving to be useful:
>
> The Simple Sandboxing API
> http://blogs.msdn.com/shawnfa/archive/2005/08/08/449050.aspx
>
> And I haven't read it all yet, but 4.0 supposedly makes all is work
> like  native code one again with the EXE controlling what security is used.
>
> So it seems like we are coming to a full circle. :-)
>
> --
>
> Mike wrote:
>> Jack Jackson wrote:
>>
>>> As far as I know your two choices are:
>>> 1. Run caspol on each workstation, which changes the security for
>>> everything on the share, not just your program.  I do not know other
>>> implications of this.
>>  >
>>> 2. Install .NET 3.5 SP1.  Your app does not have to target 3.5, this
>>> service pack changes the security rules for all 2.0 and higher apps to
>>> allow them to run from network shares.
>>
>> Does it relax it?  I might have heard wrong, but for VS 2010,
>> Microsoft has reverted or done something so that this isn't so
>> unpredictable or the developer has more precise control. Not sure
>> since I am catching up to all this.  I'll read up more on the security
>> rules patch.  This comment in MSDN was very puzzling and concerning:
>>
>>   Partial Trust
>>
>>   ...
>>
>>   What is not allowed in partial trust? That is not easy to
>>   determine. Each class and each method of each class in the .NET
>>   Framework has a security attribute that defines the level of
>>   trust needed to run that method, and that attribute may not be
>>   accessible at run time because of just these security features.
>>
>> I hope MS makes this a non-issue to help minimize any exploitation
>> caused by the frustrations of developers and users lowering their
>> guards because they can't get anything done or isn't straight forward
>> - my security hat opinion.
>>
>> What I did just now was to use MSCORCFG.MSC to alter the local
>> intranet setting.    This change will be great for internal
>> development and testing but of course, I can't tell customers to do
>> this. So I would like to be able to sandbox our own customer trusted
>> apps.
>>
>> The problem seems to be that while I can change the permission for the
>> EXE and our DLL, I haven't figure out how to change all the
>> dependencies (the partial trust issue above).
>>
>> I did see I can create my own Code Group but have not seen yet how to
>> apply it to the applications and dll, i.e, how do you assign it  to
>> the application or assembly?  This appears as the sandbox solution I
>> need to figure out.
>>
>> This MSDN C# example on how to System.Security.Permissions
>> programmatically did not work for me:
>>
>> http://msdn.microsoft.com/en-us/library/aa288469(VS.71).aspx#vcwlksecuritytutorialsuppressingsecurity
>>
>>
>> until I added full trust to the Local Intranet setting via
>> MSCORCFG.MSC which of course, made those commands useless.
>>
>> It seems to be a chicken and egg thing.  You need to start an
>> application on a local drive, then change the permission and change
>> directory to a shared drive and continue the process.  :-)
>>
>> Thanks for your input.
>>
>> --

"Mike" <unkn***@unknown.tv> wrote in message
news:uAHdx9u4JHA.1712@TK2MSFTNGP03.phx.gbl...
> I'm not quite getting the security of .NET. Maybe someone can give the
> basic issue here so I can see the patten and better understand it with the
> written docs.
>
> For now, until I understand what is going on I would like to remove it to
> get full control of my RPC client/server framework which is already
> secured in its own rights and installed by corporate operators in secured
> computer rooms environments.  I need to get the package running as always.
>
> In short, the clients, are .NET applications using our new .NET SDK class
> library DLL.   The package can be installed on local machines, computer
> rooms on networks so I really need to get control of this.
>
> What I have is an exe and dll
>
>     Wildcat.net.server.dll  <-- our .NET SDK API DLL
>     BSMiniRPT.exe           <-- SDK example
>
> I copied these from  my local D: drive to my network shared G: drive and
> tried to run it. I get the report below.  I also tried to do what I though
> would remove the security from the compiled EXE and I still get the report
> below.
>
> What is it exactly do I need to look for to begin testing the .net work
> with field testers who have no restrictions where they install our server
> and/or run the client applications?
>
> ************** Exception Text **************
> System.Security.SecurityException: Request for the permission of type
> 'System.Security.Permissions.EnvironmentPermission, mscorlib,
> Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
>    at System.Security.CodeAccessSecurityEngine.Check(Object demand,
> StackCrawlMark& stackMark, Boolean isPermSet)
>    at System.Security.CodeAccessPermission.Demand()
>    at System.Environment.GetCommandLineArgs()
>    at BSMiniRPT.frmMain.frmMain_Load(Object eventSender, EventArgs
> eventArgs)
>    at System.EventHandler.Invoke(Object sender, EventArgs e)
>    at System.Windows.Forms.Form.OnLoad(EventArgs e)
>    at System.Windows.Forms.Form.OnCreateControl()
>    at System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible)
>    at System.Windows.Forms.Control.CreateControl()
>    at System.Windows.Forms.Control.WmShowWindow(Message& m)
>    at System.Windows.Forms.Control.WndProc(Message& m)
>    at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
>    at System.Windows.Forms.ContainerControl.WndProc(Message& m)
>    at System.Windows.Forms.Form.WmShowWindow(Message& m)
>    at System.Windows.Forms.Form.WndProc(Message& m)
>    at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message&
> m)
>    at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
>    at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg,
> IntPtr wparam, IntPtr lparam)
> The action that failed was:
> Demand
> The type of the first permission that failed was:
> System.Security.Permissions.EnvironmentPermission
> The Zone of the assembly that failed was:
> Intranet
>
>
> ************** Loaded Assemblies **************
> mscorlib
>     Assembly Version: 2.0.0.0
>     Win32 Version: 2.0.50727.832 (QFE.050727-8300)
>     CodeBase:
> file:///F:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
> ----------------------------------------
> BSMiniRPT
>     Assembly Version: 1.0.1.0
>     Win32 Version: 1.0.1.0
>     CodeBase: file:///G:/wc7beta/BSMiniRPT.exe
> ----------------------------------------
> Microsoft.VisualBasic
>     Assembly Version: 8.0.0.0
>     Win32 Version: 8.0.50727.42 (RTM.050727-4200)
>     CodeBase:
> file:///F:/WINDOWS/assembly/GAC_MSIL/Microsoft.VisualBasic/8.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualBasic.dll
> ----------------------------------------
> System
>     Assembly Version: 2.0.0.0
>     Win32 Version: 2.0.50727.832 (QFE.050727-8300)
>     CodeBase:
> file:///F:/WINDOWS/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
> ----------------------------------------
> System.Windows.Forms
>     Assembly Version: 2.0.0.0
>     Win32 Version: 2.0.50727.832 (QFE.050727-8300)
>     CodeBase:
> file:///F:/WINDOWS/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
> ----------------------------------------
> System.Drawing
>     Assembly Version: 2.0.0.0
>     Win32 Version: 2.0.50727.832 (QFE.050727-8300)
>     CodeBase:
> file:///F:/WINDOWS/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
> ----------------------------------------
> System.Configuration
>     Assembly Version: 2.0.0.0
>     Win32 Version: 2.0.50727.832 (QFE.050727-8300)
>     CodeBase:
> file:///F:/WINDOWS/assembly/GAC_MSIL/System.Configuration/2.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
> ----------------------------------------
> System.Xml
>     Assembly Version: 2.0.0.0
>     Win32 Version: 2.0.50727.832 (QFE.050727-8300)
>     CodeBase:
> file:///F:/WINDOWS/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
> ----------------------------------------
> System.Runtime.Remoting
>     Assembly Version: 2.0.0.0
>     Win32 Version: 2.0.50727.832 (QFE.050727-8300)
>     CodeBase:
> file:///F:/WINDOWS/assembly/GAC_MSIL/System.Runtime.Remoting/2.0.0.0__b77a5c561934e089/System.Runtime.Remoting.dll
> ----------------------------------------
>
> ---