Determining Security Policy
Security policy is defined on four levels: enterprise, machine, user, and application domain. The most restrictive level determines the policy. For example, if reading a certain file is allowed on the enterprise level but denied on a particular machine, reading the file is not allowed for assemblies on that particular machine. On the other hand, if reading a particular file is denied on the enterprise level, no computer in that enterprise could read that file.
Application domain security policy is defined by the host of the application domain and is not discussed in this article. Security policy on the other three levels is determined by administrator-defined code groups and their associated permission sets.
Security policy is stored in several XML-based configuration files. Instead of editing these configuration files directly, you use the .NET Configuration Tool, which also serves several tasks other than security. It's an MMC snap-in (mscorcfg.msc) found in the Windows directory under Microsoft.NET\Framework\vx.x.xxxx, where x.x.xxxx represents the current version of the .NET Framework; double-click the mscorcfg.msc file to bring up the tool. Figure 1 shows how the predefined code groups and permission sets are displayed in the Configuration Tool.
Figure 1 Default security configuration settings.
Each level is an independent hierarchy of code groups. The root node of each level is referred to as All_Code. Below each root is a set of child nodes, and each of these children can in turn have children. If an assembly belongs to a code group, it might also be a member of one of that group's children; if it doesn't belong to a code group, it cannot belong to any of that group's children. Since an assembly can have more than one piece of evidence associated with it, it can belong to more than one code group on a given level. Hence, within a level, the set of permissions that can be granted to an assembly is the union of the permission sets of all the code groups to which the assembly belongs. Effectively, each level is treated as one permission set.
For example, in the hierarchy presented in Figure 1, there is only one code group on the Enterprise level. The permission set associated with the All_Code code group defines the permissions that the Enterprise security policy allows. The machine level has several code groups below the All_Code level. An assembly that's downloaded from the Internet would have the permissions resulting from the union of the permission sets associated with the All_Code and the Internet_Zone code groups.
Code groups can also carry two attributes. A group can be given the Exclusive attribute, which declares that code matching it will never have more permissions than those associated with this group, regardless of any other groups it matches on the same level. The Level Final attribute indicates that no level below the current one is considered when determining permissions.
Figure 2 shows the permissions associated with the Machine Level Internet_Zone code group. Select that code group in the left pane of the Configuration Tool. Right-click and select Properties; then select the Permission Set tab. The named permission set Internet has been associated with this code group. If you select any of the listed permissions and then click the View Permissions button, the associated values for that permission are displayed. For the Internet permission set, code can copy and cut data to the Clipboard, but only intrinsic controls can have data pasted. You cannot read programmatically from the Clipboard. Windows are restricted to prevent spoofing attacks such as imitating system dialog boxes. If you look at the Security permission, you'll see that only the right to execute has been granted; all other security permissions (such as the ability to skip verification or call unmanaged code) have been denied.
Figure 2 Internet permission set
Let's assume that we have the default security settings. At the Enterprise and User levels, the All_Code group is associated with the FullTrust permission set. Since the permissions finally granted to an assembly are only those that every level allows (the most restrictive level wins, as described above), any restrictions would have to come from the Machine policy level. On the Machine level the All_Code group is associated with the Nothing permission set, so an assembly would only have rights if it matched some child code group. Code downloaded from the Internet would have only the permissions of the Internet_Zone code group.
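The resolution rules described above (union of matching code groups within a level, intersection across levels, and the Exclusive and Level Final attributes) and the default-policy walk-through in this paragraph can be checked against a small model. The following is an added example, not code from the article or from the .NET Framework itself: it is a Python simulation of the algorithm, not the CLR's implementation. Evidence is a plain dict, permission sets are frozensets of constructed permission names (with `None` standing in for the unrestricted FullTrust set), and the code group names `Execute_Only_Site` and `Intranet_Final`, the site `example.test`, and the `Intranet` zone label are hypothetical. The default Machine level is reduced to the My_Computer_Zone and Internet_Zone children shown in the text.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Evidence = Dict[str, str]  # constructed, e.g. {"zone": "Internet"}
# A permission set is a frozenset of permission names. None stands for the
# unrestricted FullTrust set: it absorbs any union and is the identity for intersection.
PermSet = Optional[FrozenSet[str]]
FULL_TRUST: PermSet = None
NOTHING: PermSet = frozenset()

def union(a: PermSet, b: PermSet) -> PermSet:
    return None if a is None or b is None else a | b

def intersect(a: PermSet, b: PermSet) -> PermSet:
    if a is None:
        return b
    return a if b is None else a & b

@dataclass
class CodeGroup:
    name: str
    condition: Callable[[Evidence], bool]  # membership condition over evidence
    permission_set: PermSet
    exclusive: bool = False                # the Exclusive attribute
    level_final: bool = False              # the Level Final attribute
    children: List["CodeGroup"] = field(default_factory=list)

@dataclass
class PolicyLevel:
    name: str
    root: CodeGroup                        # the All_Code node

def matching_groups(group: CodeGroup, evidence: Evidence) -> List[CodeGroup]:
    """Depth-first walk; a child is examined only when its parent matched."""
    if not group.condition(evidence):
        return []
    matched = [group]
    for child in group.children:
        matched.extend(matching_groups(child, evidence))
    return matched

def resolve_level(level: PolicyLevel, evidence: Evidence) -> Tuple[PermSet, bool]:
    """Union of every matching group on the level, unless one is Exclusive."""
    matched = matching_groups(level.root, evidence)
    exclusive = [g for g in matched if g.exclusive]
    if len(exclusive) > 1:
        raise ValueError(f"{level.name}: more than one Exclusive group matched")
    if exclusive:
        grant = exclusive[0].permission_set
    else:
        grant = NOTHING
        for g in matched:
            grant = union(grant, g.permission_set)
    return grant, any(g.level_final for g in matched)

def resolve_policy(levels: List[PolicyLevel], evidence: Evidence) -> Tuple[PermSet, List[str]]:
    """Intersect the levels in order; a Level Final group stops the walk."""
    grant: PermSet = FULL_TRUST
    consulted: List[str] = []
    for level in levels:
        level_grant, is_final = resolve_level(level, evidence)
        grant = intersect(grant, level_grant)
        consulted.append(level.name)
        if is_final:
            break
    return grant, consulted

def zone_is(name: str) -> Callable[[Evidence], bool]:
    return lambda ev: ev.get("zone") == name

# Constructed stand-in for the named Internet permission set.
INTERNET_SET: PermSet = frozenset(
    {"Security:Execution", "UI:OwnClipboard", "UI:SafeTopLevelWindows"})

def default_policy() -> List[PolicyLevel]:
    """Enterprise/User: All_Code -> FullTrust. Machine: All_Code -> Nothing plus zone children."""
    enterprise = PolicyLevel("Enterprise", CodeGroup("All_Code", lambda ev: True, FULL_TRUST))
    machine = PolicyLevel("Machine", CodeGroup("All_Code", lambda ev: True, NOTHING, children=[
        CodeGroup("My_Computer_Zone", zone_is("MyComputer"), FULL_TRUST),
        CodeGroup("Internet_Zone", zone_is("Internet"), INTERNET_SET),
    ]))
    user = PolicyLevel("User", CodeGroup("All_Code", lambda ev: True, FULL_TRUST))
    return [enterprise, machine, user]

def exclusive_example() -> PermSet:
    """Hypothetical Exclusive child under Internet_Zone: matching code gets only that set."""
    levels = default_policy()
    levels[1].root.children[1].children.append(CodeGroup(
        "Execute_Only_Site", lambda ev: ev.get("site") == "example.test",
        frozenset({"Security:Execution"}), exclusive=True))
    return resolve_policy(levels, {"zone": "Internet", "site": "example.test"})[0]

def level_final_example() -> Tuple[PermSet, List[str]]:
    """Hypothetical Level Final child on the Enterprise level: Machine and User are
    never consulted, so Enterprise's FullTrust stands despite Machine's Nothing."""
    levels = default_policy()
    levels[0].root.children.append(CodeGroup(
        "Intranet_Final", zone_is("Intranet"), NOTHING, level_final=True))
    return resolve_policy(levels, {"zone": "Intranet"})
```

Running `resolve_policy(default_policy(), {"zone": "Internet"})` yields exactly the Internet set, because Enterprise and User contribute FullTrust and the Machine level's union of All_Code (Nothing) and Internet_Zone is the Internet set; evidence that matches no Machine child resolves to Nothing. The two attribute examples show why these settings deserve care when auditing a policy: an Exclusive group discards everything else its level would have granted, and a Level Final group on an upper level silently removes the Machine and User levels from the decision.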